Version: 0.7

AWS Account Automation

To enable Kore's AWS Account Automation feature, you must set up Control Tower in your master AWS account and grant Kore access to assume a role in that account. This allows Kore to use Control Tower's Account Factory feature to create and manage AWS accounts. This page provides detailed instructions for these steps.

Prerequisite steps in AWS

Follow these steps in AWS to prepare your organization for AWS Account Automation:

  1. Set up AWS Control Tower
  2. Choose an SSO User for Kore

Set up AWS Control Tower

AWS account automation uses AWS Control Tower, which provides best-practice management of AWS accounts.

To set up AWS Control Tower (refer to the AWS Control Tower User Guide for the details of each step):

  1. Set up AWS Control Tower in your master AWS account. This includes setting up a landing zone.

  2. Using the Control Tower console, create an organizational unit (OU) for Kore to manage, for example, kore-managed.

    • Do not use the Organization console to create this OU; it will not be accessible from Control Tower.

    • Set up one OU per Kore installation.

    Kore creates accounts only in this OU, so multiple instances of Kore can share a single Control Tower and master account.

    This step also gives Kore access to Control Tower's Account Factory, which Kore uses to create AWS accounts.

Choose an AWS SSO user for Kore

AWS Control Tower's Account Factory associates accounts with an AWS SSO user. If an AWS SSO user does not exist, Account Factory will create the SSO user when the first account is requested.

To complete this step:

  • Choose an AWS SSO user for Kore to use.

    This SSO user must use a group email address belonging to the team in your company that owns the Close AWS Accounts created by Kore process. Kore needs the following details for this SSO user:

    • Email Address - A secure email address in your company that will be used for:
      • Access to any account created, using AWS SSO and STS for the admin role.
      • Root access, using the generated email alias (see Unique AWS Account Email Addresses below).
    • First Name and Last Name - Used to create the SSO user if it does not already exist.

Caution: This SSO user will have root access to every account created, so a secure email address owned by your company is required.

Unique AWS Account Email Addresses

Kore generates a unique email address alias from the SSO user's email address and the account name produced by the account naming rule.

Example:

If the group SSO email address provided to Kore is accounts@myorg.com and the account name is kore-project-a-notprod, the generated alias is:

accounts+kore-project-a-notprod@myorg.com

Because the alias is a plus-addressed form of the SSO address, all emails for these AWS accounts are delivered to the group SSO mailbox.
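The alias derivation above, written out as an added example (this is not Kore's code; the account-name character set and the 64-character local-part limit are assumptions taken from general mail rules, not from Kore's naming rule). It also provides the reverse mapping, which is useful when a root-account email arrives at the group mailbox and you need to know which account it concerns, and a helper that shows where the alias's mail is actually delivered:

```python
import re
from typing import Optional

# Constructed sample value for this example (not from any Kore configuration).
GROUP_SSO_EMAIL = "accounts@myorg.com"

# Conservative account-name charset: assumption for this example, not Kore's rule.
_ACCOUNT_NAME_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")
_LOCAL_PART_MAX = 64  # RFC 5321 limit on the local part of an address


def account_email_alias(sso_email: str, account_name: str) -> str:
    """Build the plus-addressed alias for an account.

    The SSO mailbox's local part and domain are kept and the account name is
    inserted as a subaddress tag, so mail for every account lands in the same
    group mailbox.
    """
    local, sep, domain = sso_email.partition("@")
    if not sep or not local or not domain or "+" in local:
        raise ValueError(f"SSO email must be a plain user@domain address: {sso_email!r}")
    if not _ACCOUNT_NAME_RE.fullmatch(account_name):
        raise ValueError(f"account name is unsafe for a mail subaddress: {account_name!r}")
    alias_local = f"{local}+{account_name}"
    if len(alias_local) > _LOCAL_PART_MAX:
        raise ValueError(f"alias local part exceeds {_LOCAL_PART_MAX} characters: {alias_local!r}")
    return f"{alias_local}@{domain}"


def account_name_from_alias(alias: str, sso_email: str) -> Optional[str]:
    """Recover the account name from an alias, or None if the alias does not
    belong to the given SSO mailbox (different domain or local part)."""
    alias_local, _, alias_domain = alias.lower().partition("@")
    base_local, _, base_domain = sso_email.lower().partition("@")
    prefix = base_local + "+"
    if alias_domain != base_domain or not alias_local.startswith(prefix):
        return None
    name = alias_local[len(prefix):]
    return name or None


def delivery_mailbox(alias: str) -> str:
    """Mailbox that receives the alias's mail: the address with the tag removed."""
    local, _, domain = alias.partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


if __name__ == "__main__":
    alias = account_email_alias(GROUP_SSO_EMAIL, "kore-project-a-notprod")
    print(alias)                                              # accounts+kore-project-a-notprod@myorg.com
    print(account_name_from_alias(alias, GROUP_SSO_EMAIL))    # kore-project-a-notprod
    print(delivery_mailbox(alias))                            # accounts@myorg.com
```

The rejection of a `+` in the SSO address matters: if the group address were itself plus-addressed, the generated alias would carry two tags and some mail systems would no longer route it to the group mailbox.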

Configure AWS Organization in Kore

Below is the key information you must provide to configure an AWS organization in Kore:

  • Master Account ID - AWS account ID for your organization's master account.
  • Control Tower Region - AWS region in which Control Tower is set up. AWS supports Control Tower itself in a limited set of regions, but this does not restrict the regions in which the created accounts can operate.
  • Organizational Unit (OU) - The OU in which Kore will create accounts.
  • SSO User - The SSO user chosen in Choose an AWS SSO User for Kore above.

Configure AWS organization using the UI

To configure using the UI:

  1. Enter the Admin view, and navigate to Configure > Cloud > Amazon Web Services > Organization.

  2. Click Add organization (for AWS Account automation).

  3. Fill in the New AWS Organization form, and then click Save organization.

  4. The UI prompts you to run kore setup roles. See kore setup roles.

  5. Complete the setup of your organization as prompted by the UI.

    The OU appears in the drop-down list of available OUs. If you do not see the OU you wish to manage, return to Set up AWS Control Tower above and ensure you create the OU through the Control Tower AWS console.

Configure AWS organization using the CLI

To configure using the CLI:

  1. Set up cloudidentity or credentials as appropriate.

  2. To add the AWS organization, run kore create cloudaccount. See kore create cloudaccount.

  3. To add cloud account roles, run kore setup roles --feature AccountManagement. See kore setup roles.

Note: Once the OU is created, an administrator should test account creation before handing it over to teams.

Close AWS Accounts created by Kore

If an AWS account is no longer in use, it must be removed manually using the process below.

Caution: Do not close an account before it has been removed from Kore and then from Control Tower; otherwise Kore will attempt to re-create the account.

Discover unused AWS accounts created by Kore

Use one of the methods below to see all cloud accounts that have been provisioned for your teams.

To discover unused accounts using the UI:

  1. Enter the Admin view, and navigate to Configure > Cloud > Amazon Web Services > Managed Accounts.

To discover unused accounts using the CLI:

  1. Run kore get cloudaccounts --all-managed --cloud aws.

If you are removing a team from Kore and want to close their cloud account entirely, follow the steps below.

Remove an account from Kore and Control Tower

Follow these steps only if you intend to remove the team from Kore, or remove their ability to use your AWS organization for account automation.

Note: If you wish to retain the team or keep their ability to use AWS account automation, you should not close their account(s).

To remove an account from Kore and Control Tower:

  1. Remove the account from Kore:

    • If using the UI:

      In the Admin view, navigate to Configure > Cloud > Amazon Web Services > Managed Accounts, find the account, and then click Remove from Kore.

    • If using the CLI:

      Run kore delete cloudaccount -t teamname cloud-account-name.

    This attempts to remove the account from AWS Control Tower and then from Kore's management. If the account is in use by any team clusters, you are told so and the removal does not succeed; delete those clusters first.

  2. Delete the team from Kore, or de-allocate the AWS organization from the team so that they can no longer request a new EKS cluster using account automation.

    If you do not prevent the team from using AWS, the next cluster request will select this closed account and then fail, because the account can no longer be used.

Delete an AWS Account from AWS

  1. Obtain the AWS Account email address:

    This is the generated alias, for example, accounts+kore-project-a-notprod@myorg.com. See Unique AWS Account Email Addresses above.

    You can also check the account's email alias in the account list of the AWS Organizations console.

  2. Sign in to the AWS Web Console using the root user option and the email identified above (use the forgotten password option to set a password on the account).

    Refer to the AWS documentation for Closing your AWS Account.
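The ordering constraint across the Close AWS Accounts created by Kore procedure (clusters deleted, then removed from Kore, then released by Control Tower, then the team de-allocated, and only then the root sign-in to close the account) is easy to get wrong by hand. The following is an added example, not Kore's code: a pre-closure gate that lists what still blocks closing an account, and that cross-checks the root email alias to use for the sign-in step against what AWS Organizations records. The record shapes for the Kore account list are assumptions (Kore's real output format is not shown on this page); the Organizations records use the field names of the ListAccountsForParent API. Treating "still listed under the Kore-managed OU" as "not yet released by Control Tower" is also an assumption made for this example.

```python
from typing import Dict, List

# Constructed sample data for this example (not Kore output, not Kore's schema).
SSO_EMAIL = "accounts@myorg.com"

# Stand-in for `kore get cloudaccounts --all-managed --cloud aws`; field names assumed.
KORE_ACCOUNTS = [
    {"name": "kore-project-a-notprod", "team": "project-a", "clusters": ["dev-1"]},
    {"name": "kore-project-b-notprod", "team": "project-b", "clusters": []},
]

# Stand-in for the Kore-managed OU's accounts as returned by the AWS Organizations
# ListAccountsForParent API (only the fields used here; IDs are placeholders).
OU_ACCOUNTS = [
    {"Id": "111111111111", "Name": "kore-project-a-notprod",
     "Email": "accounts+kore-project-a-notprod@myorg.com", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "kore-project-b-notprod",
     "Email": "accounts+kore-project-b-notprod@myorg.com", "Status": "ACTIVE"},
]


def expected_root_email(sso_email: str, account_name: str) -> str:
    """Alias Kore derives for an account: SSO local part, '+', account name, domain."""
    local, _, domain = sso_email.partition("@")
    return f"{local}+{account_name}@{domain}"


def closure_blockers(account_name: str, kore_accounts: List[Dict],
                     ou_accounts: List[Dict], team_still_allocated: bool) -> List[str]:
    """Return the reasons the account must not be closed yet, in the order the
    procedure resolves them. An empty list means the root sign-in step may proceed."""
    blockers = []
    kore = next((a for a in kore_accounts if a["name"] == account_name), None)
    if kore is not None:
        if kore["clusters"]:
            blockers.append(
                f"clusters still use the account ({', '.join(kore['clusters'])}); "
                "delete them first or 'kore delete cloudaccount' will refuse")
        blockers.append(
            "account is still registered in Kore; run "
            f"'kore delete cloudaccount -t {kore['team']} {account_name}' or Kore will re-create it")
    if any(a["Name"] == account_name for a in ou_accounts):
        # Assumption: an account still under the Kore-managed OU has not been
        # released by Control Tower yet.
        blockers.append("account is still under the Kore-managed OU in Control Tower")
    if team_still_allocated:
        blockers.append("team can still request clusters through this AWS organization; "
                        "delete the team or de-allocate the organization first")
    return blockers


def root_email_for_closure(account_name: str, sso_email: str, ou_accounts: List[Dict]) -> str:
    """Email for the root sign-in step. Prefer the address AWS Organizations
    records; fall back to the derived alias, and refuse on a mismatch so that
    the password reset is never sent to an unexpected mailbox."""
    derived = expected_root_email(sso_email, account_name)
    recorded = next((a["Email"] for a in ou_accounts if a["Name"] == account_name), None)
    if recorded is not None and recorded.lower() != derived.lower():
        raise ValueError(f"recorded root email {recorded!r} does not match derived alias {derived!r}")
    return recorded or derived


if __name__ == "__main__":
    name = "kore-project-a-notprod"
    for reason in closure_blockers(name, KORE_ACCOUNTS, OU_ACCOUNTS, team_still_allocated=True):
        print("BLOCKED:", reason)
    print("root email:", root_email_for_closure(name, SSO_EMAIL, OU_ACCOUNTS))
```

In practice the two lists would be refreshed from the live sources (the kore CLI and the Organizations API) each time the gate runs, so that an account removed from Kore but silently re-created is caught before anyone signs in as root.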