How to onboard any number of AWS member accounts with CloudFormation StackSet

loudYali provides a secure and seamless connection to customer AWS accounts, for getting cloud resource and cost information. Our onboarding process utilizes the power of CloudFormation stack, ensuring a streamlined and secure experience for our users. Leveraging multiple AWS accounts is a recommended practice by AWS for several reasons, such as minimizing potential impact (blast radius) and easy cost attribution, etc. Many medium to large companies adopt a per-team or per-product AWS account approach, resulting in numerous accounts. To effectively manage these accounts, AWS Organizations is an excellent solution. It enables companies to establish multiple organizations with a large number of member accounts.

At CloudYali, we prioritize efficiency and understand the need for swift onboarding. Our account onboarding process typically takes no more than 3 minutes, utilizing the CloudFormation-based workflow. Within just 10 minutes, users gain access to crucial resource, security compliance, and cost information, all conveniently available through the CloudYali console. As soon as resource information is accessible, CloudYali initiates various security compliance checks, including AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark v1.5.0 and v2.0.0. Additionally, our platform generates a comprehensive cost savings report, identifying any unused AWS resources.

We recognize that many of our customers manage hundreds of AWS accounts under their organizations. Onboarding each member account individually can be time-consuming and cumbersome. To address this challenge, based on valuable feedback, we have introduced a new CloudFormation StackSet-based onboarding workflow for member accounts. This workflow simplifies the process with a single-click onboarding, mirroring our existing single account onboarding functionality. Moreover, this approach offers the advantage of automatically onboarding any new member account added to the organization, eliminating the need for manual intervention. This ensures seamless connectivity between the new member AWS account and CloudYali.

Utilizing CloudFormation StackSet, CloudYali can efficiently execute the same CloudFormation Stack across all member AWS accounts. The process requires the Organization root ID and access to the organization root AWS account to create stack sets. By leveraging this capability, CloudYali ensures a consistent and streamlined onboarding experience for all member accounts.

After obtaining the AWS Organization root ID, the CloudYali onboarding workflow can be initiated. CloudYali generates two AWS CLI commands that need to be executed in the organization root account. These commands are crucial for creating the CloudFormation StackSet with the necessary parameters, including a unique external ID and StackSet-specific configuration parameters.

One of the essential configuration parameters is auto-deployment Enabled=true, which ensures that any newly added member account is automatically onboarded. Another important parameter is RetainStacksOnAccountRemoval=true, which guarantees that the stack removes any created resources if the account is removed from the Organization.

The first command is responsible for creating the StackSet with the provided parameters and prepares it for execution in member accounts. The second command initiates the execution of the Stacks for the StackSet, targeting the specified deployment-targets. By default, CloudYali employs the organization root ID to deploy the StackSet to all member accounts. However, if necessary, this can be modified to target specific AWS accounts.

Upon executing the second command, an operation ID is generated, enabling users to track the stack creation process. Once an AWS account is successfully onboarded, users gain complete visibility into cloud resource inventory, cost, and security compliance across all member accounts and regions. It is important to note that the organization root account needs to be onboarded separately, as per the design of AWS StackSet.

Overall, the utilization of StackSet allows for automated onboarding of any number of member accounts, while also providing an exceptional user experience. By leveraging this technology, CloudYali ensures efficient and seamless account management for our valued users.