Enable Access to your accounts using a CloudFormation stack and Control Tower lifecycle events

For comprehensive AWS infrastructure monitoring, Site24x7 needs to automatically discover all instances of the supported services currently running in your account. For this, you need to authenticate and authorize Site24x7 to access your resources. You can achieve this by manually creating IAM user roles or cross-account IAM roles. You can also automatically create an IAM role using an AWS CloudFormation template.

The AWS Control Tower provisions your AWS accounts to meet your organization's security and compliance requirements. Site24x7 uses AWS Control Tower lifecycle events to automatically discover all the accounts in your organization, including new accounts. As a result, you can quickly and easily integrate your AWS accounts with Site24x7.

Use cases

  • Consider that you have multiple AWS accounts, which you wish to integrate with Site24x7. Integrating each AWS account can be cumbersome and time-consuming. The AWS Control Tower helps you to set up and manage multiple AWS accounts. You can integrate your AWS accounts with Site24x7 using Control Tower and effectively monitor and manage them in a secure and compliant manner. Using this approach, you can integrate multiple AWS accounts with Site24x7 at the same time.
  • The Site24x7-AWS Control Tower integration helps to save time and increase efficiency when managing multiple accounts. For instance, if you create a new account in AWS using Control Tower, the same account gets automatically integrated with Site24x7 without any manual intervention.

Prerequisites

Make sure you have the following before you begin:

  1. An AWS Management account.
  2. Accounts managed using AWS Control Tower.
  3. The following permissions for the CloudFormation stack to create resources that are required for discovery:
    • "iam:AttachRolePolicy"
    • "iam:CreatePolicy"
    • "iam:CreateRole"
    • "iam:PassRole"
    • "iam:GetRole"
    • "lambda:AddPermission"
    • "lambda:CreateFunction"
    • "lambda:GetFunction"
    • "lambda:InvokeFunction"
    • "logs:CreateLogGroup"
    • "logs:DescribeLogGroups"
    • "cloudformation:CreateStackSet"
    • "cloudformation:DescribeStackSet*"
    • "cloudformation:ListStackSet*"
    • "cloudformation:CreateStackInstances"
    • "cloudformation:ListStackInstances"
    • "cloudformation:DeleteStackInstances"
    • "cloudformation:DeleteStackSet"
    • "organizations:ListAccounts"
    • "organizations:ListAccountsForParent"
    • "organizations:ListChildren"
    • "sts:GetCallerIdentity"
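
A preflight check for the list above, as an added example (not Site24x7's or AWS's code): it reports which prerequisite actions an IAM policy document does not grant. It compares action names only and does not evaluate Resource, Condition, NotAction, service control policies or permission boundaries; SAMPLE_POLICY is a constructed policy for a hypothetical deployment role.

```python
import re

# Actions from the prerequisites list above; two entries are themselves wildcards.
REQUIRED_ACTIONS = """
iam:AttachRolePolicy iam:CreatePolicy iam:CreateRole iam:PassRole iam:GetRole
lambda:AddPermission lambda:CreateFunction lambda:GetFunction lambda:InvokeFunction
logs:CreateLogGroup logs:DescribeLogGroups
cloudformation:CreateStackSet cloudformation:DescribeStackSet* cloudformation:ListStackSet*
cloudformation:CreateStackInstances cloudformation:ListStackInstances
cloudformation:DeleteStackInstances cloudformation:DeleteStackSet
organizations:ListAccounts organizations:ListAccountsForParent organizations:ListChildren
sts:GetCallerIdentity
""".split()

def _covers(pattern, action):
    """True if an IAM action pattern (with * and ? wildcards) covers `action`."""
    # A '*' inside `action` is matched literally or by a broader pattern only.
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action.lower()) is not None

def _patterns(policy, effect):
    """Collect the Action patterns of all statements with the given Effect."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement written without a list
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") == effect:
            actions = stmt.get("Action", [])  # NotAction is not evaluated
            found.extend([actions] if isinstance(actions, str) else actions)
    return found

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return required actions that are not allowed, or hit an explicit Deny."""
    allow, deny = _patterns(policy, "Allow"), _patterns(policy, "Deny")
    return [a for a in required
            if any(_covers(d, a) for d in deny)
            or not any(_covers(p, a) for p in allow)]

# Constructed sample policy (hypothetical deployment role), not taken from the page.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:*Role*", "iam:CreatePolicy"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["lambda:*", "logs:*LogGroup*",
                                       "cloudformation:*Stack*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "organizations:List*", "Resource": "*"},
        {"Effect": "Deny", "Action": "cloudformation:Delete*", "Resource": "*"},
    ],
}
```

Calling missing_actions(SAMPLE_POLICY) returns the two denied cloudformation:Delete* actions and sts:GetCallerIdentity, which the sample policy never allows.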

Benefits of using AWS Control Tower for integration

You can leverage the following benefits while integrating your AWS account using AWS Control Tower:

  • Automatic Amazon Resource Name (ARN) role creation for multiple accounts.
  • Effortlessly add multiple AWS accounts from an organization to Site24x7.
  • Manage all integrated AWS accounts from a single location.
  • Automatically add or remove accounts.

Integrate your AWS account with Site24x7 using AWS Control Tower

To integrate all your AWS accounts with Site24x7 using Control Tower, follow the steps below:

  1. Log in to the Site24x7 web console.
  2. Navigate to AWS > Integrate AWS Account.
  3. Select Register with Control Tower.
  4. Select the AWS region in which the CloudFormation stack needs to be created.
  5. Select the preferred Permissions to be attached to the IAM role. Site24x7 provides two options for IAM role permissions:
    • AWS Managed ReadOnlyAccess Policy: The IAM role will be created with the ReadOnlyAccess policy, which is managed by AWS for all services.
    • Site24x7 Custom Policy: The IAM role will be created with an inline policy containing the read-only permissions required for Site24x7-supported services.
  6. Click Create CloudFormation Template. The CloudFormation stack in your account will automatically create all the necessary components in your account.
  7. After creating the IAM role, the CloudFormation stack and stack sets send the role ARNs to Site24x7 via the Lambda function.
  8. Enter the Display Name.
  9. Enter the RegEx (Regular Expression) to be filtered in the Accounts Filter field or select the accounts to be integrated from the Select Accounts list.
    If you wish to edit the RegEx after registering with Control Tower, navigate to the Edit Integrated AWS Account page of the Control Tower and update the RegEx. 
  10. Once the role ARN details are fetched, you can configure settings (such as the default threshold profiles for each supported AWS service), mute resource termination alerts, and customize the Guidance Report using the Advanced Configuration option.
  11. Choose the services you wish to integrate with Site24x7 from the Services to be discovered list in the Discovery Options section. You can view all the integrated accounts inside the management account integrated with Site24x7.
  12. Click Discover AWS Resources to add the accounts.

Once your AWS account is integrated with Site24x7 using AWS Control Tower, you can view all the Control Tower accounts in the Cloud > AWS > Control Tower Accounts > Control Tower Accounts page. Click Schedule Report to generate the Control Tower Accounts Report, which contains the Control Tower account details in CSV format.

All the accounts linked to the Control Tower parent account will be listed in the Cloud > AWS > Control Tower Accounts > Control Tower Linked Accounts page. Click Schedule Report to generate the Control Tower Linked Accounts Report, which contains the Control Tower linked account details in CSV format.

  • If you delete a Control Tower parent account, all the Control Tower linked accounts will also be deleted.
  • If you modify the existing configuration of an AWS Control Tower parent account, then the existing changes in the Control Tower linked accounts will be overwritten as well.
  • If you modify the configuration of any individual Control Tower linked account, then the changes will be reflected only for the linked account and will not affect the Control Tower parent account or any other linked accounts.
  • If the Automatically Remove Closed Account option is enabled in the Integrate AWS Account > Advanced Configuration section, all the closed AWS accounts will be permanently removed from Site24x7.

Updating a stack for Control Tower account

To use the latest features implemented for Control Tower accounts, you have to update the existing stacks configured for your Control Tower accounts. 

To update a stack in the AWS console:

  1. Log in to the AWS console.
  2. Navigate to All services > Management & Governance > CloudFormation.
  3. Select the stack that needs to be updated from the Stacks list.
  4. Click Update.
  5. Select Replace current template.
  6. Copy the Template URL from Site24x7's Edit Integrated AWS Account page and paste it into the Amazon S3 URL field.
  7. Click Next.
  8. Copy the Secret Rotation Key from Site24x7's Edit Integrated AWS Account page and paste it into the APIRotateKey field.

    The secret rotation key feature is available only for version 3, which is the latest version. The key rotation feature enables the rotation of keys stored in the AWS Secrets Manager.
  9. Click Next.
  10. Verify the details in the Configure stack options page and click Next.
  11. Review the stack details and select the acknowledgement check box below the Capabilities.
  12. Click Submit.

Once the stack update process is completed, the update status will be displayed for the selected stack in the Events tab. 
