Multi account setup 3

config.toml

@@ -1,9 +1,16 @@
 baseURL = "https://wellarchitectedlabs.com/"
-languageCode = "en-us"
-title = "AWS Well-Architected Labs"
+defaultContentLanguage = "en"
 theme = "learn"
 
-
+[languages]
+  [languages.en]
+    languageName = 'English'
+    title = 'AWS Well-Architected Labs'
+    weight = 1
+  [languages.es]
+    languageName = 'Español'
+    title = 'AWS Well-Architected Labs'
+    weight = 2
 [params]
 themeVariant = "walabs"
 disableShortcutsTitle = true

content/Contributing/04_UpdatingExisting/_index.md

@@ -38,3 +38,18 @@ Please write a descriptive commit message following [this](https://git-scm.com/b
 
   ![Images/gitcommit.png](/Contributing/Images/gitcommit.png?classes=lab_picture_small)
 All your changes will be in the remote repository in GitHub, which can now be merged into the Well-Architected Labs repository
+
+
+### Picture Updates
+When you update a lab picture please ensure it had the following:
+* Black boarder
+* Orange box's to show the item the customer is looking for
+* Role/AccountID hidden using the same colour as the section 
+* Image needs to be 800 wide to avoid wrap
+* The description above the image much match the image e.g. if you say use 2688Mb then the picture must have 2688Mb
+
+An example can be seen below:
+
+**Step example** :
+1. Role name LambdaOrgRole, click Create role:
+![Images/create_role.png](/Cost/300_Organization_Data_CUR_Connection/Images/create_role.png)

content/Contributing/05_CreatingNew/_index.md

@@ -26,6 +26,21 @@ hidden: false
 		- Image width MUST always be `>800px`, which stops images from being placed next to text. Create the image border and then resize with whitespace
 		- Ensure there is a black border around the images by formatting your images using the following structure `![Images/(your image.png)](/(shortpillarname)/(content folder for lab)/Images/(your image.png)?classes=lab_picture_small)`
 
+### Picture Formatting
+When you update a lab picture please ensure it had the following:
+* Black boarder
+* Orange box's to show the item the customer is looking for
+* Role/AccountID hidden using the same colour as the section 
+* Image width MUST always be `>800px`, which stops images from being placed next to text. Create the image border and then resize with whitespace
+* The description above the image much match the image e.g. if you say use 2688Mb then the picture must have 2688Mb
+
+An example can be seen below:
+
+**Step example** :
+1. Role name LambdaOrgRole, click Create role:
+![Images/create_role.png](/Cost/300_Organization_Data_CUR_Connection/Images/create_role.png)
+
+
 ### Verify your edits and/or additions
 After making the changes or additions test and verify locally
  - Navigate back to the aws-well-architected-labs parent folder

content/Cost/100_Labs/100_1_AWS_Account_Setup/10_tear_down.md

@@ -18,7 +18,7 @@ To cancel your QuickSight subscription follow the steps below.
 2. Click on **Account settings**:
 ![Images/AWSQuicksight76.png](/Cost/100_1_AWS_Account_Setup/Images/AWSQuicksight76.png)
 
-3. Cluck on **Unsubscribe**:
+3. Click on **Unsubscribe**:
 ![Images/AWSQuicksight77.png](/Cost/100_1_AWS_Account_Setup/Images/AWSQuicksight77.png)
 
 4. Review the notifications, click **Unsubscribe**:

content/Cost/100_Labs/100_1_AWS_Account_Setup/1_IAM_access.md

@@ -10,7 +10,7 @@ pre: "<b>1. </b>"
 To allow access to your billing information without using the root credentials you need to enable IAM access. This allows other users (non-root) to access billing information in the management account. This approach provides individual sign-in information for each user, and you can grant each user only the permissions they need to work with your account. For example, you can grant your financial teams access to the billing information only, and ensure they dont have access to resources in the account. 
 
 
-1. Log in to your management account as the root user, Click on the account name in the top right, and click on **My Account** from the menu:
+1. Log in to your management account as the root user, Click on the account name in the top right, and click on **Account** from the menu:
 ![Images/AWSAcct4.png](/Cost/100_1_AWS_Account_Setup/Images/AWSAcct4.png)
 
 2. Scroll down to **IAM User and Role Access to Billing Information**, and click **Edit**:

content/Cost/100_Labs/100_1_AWS_Account_Setup/2_account_structure.md

@@ -21,52 +21,47 @@ You will create an AWS Organization with the management account.
 2. Click on **Create organization**:
 ![Images/AWSOrg2.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg2.png)
 
-3. To create a fully featured organization, Click on **Create organization**
+
+3. You will receive a verification email, click on **Verify your email address** to verify your account:
 ![Images/AWSOrg3.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg3.png)
 
-4. You will receive a verification email, click on **Verify your email address** to verify your account:
+4. You will then see a verification message in the console for your organization:
 ![Images/AWSOrg4.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg4.png)
 
-5. You will then see a verification message in the console for your organization:
-![Images/AWSOrg5.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg5.png)
-
 You now have an organization that you can join other accounts to.
 
 ### Join member accounts
 You will now join other accounts to your organization. You need to create and join an account that will be used to perform Cost Optimization work, as well as other member accounts used to run workloads.
 
 1. From the AWS Organizations console click on **Add account**:
+![Images/AWSOrg5.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg5.png)
+
+2. Click on **Invite an existing AWS Account**:
 ![Images/AWSOrg6.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg6.png)
 
-2. Click on **Invite account**:
+3. Enter in the **Email or account ID**, enter in any relevant **Notes** and click **Send invitation**:
 ![Images/AWSOrg7.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg7.png)
 
-3. Enter in the **Email or account ID**, enter in any relevant **Notes** and click **Invite**:
-![Images/AWSOrg8.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg8.png)
-
 4. You will then have an open request:
-![Images/AWSOrg9.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg9.png)
+![Images/AWSOrg8.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg8.png)
 
 5. Log in to your **member account**, and go to **AWS Organizations**:
 ![Images/AWSOrg1.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg1.png)
 
 6. You will see an invitation in the menu, click on **Invitations**:
+![Images/AWSOrg9.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg9.png)
+
+7. Verify the details in the request (they are hidden here), and click on **Accept**:
 ![Images/AWSOrg10.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg10.png)
 
-7. Verify the details in the request (they are blacked out here), and click on **Accept**:
+8. You are shown that the account is now part of your organization:
 ![Images/AWSOrg11.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg11.png)
 
-8. Verify the Organization ID (blacked out here), and click **Confirm**:
-![Images/AWSOrg12.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg12.png)
-
-9. You are shown that the account is now part of your organization:
-![Images/AWSOrg13.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg13.png)
-
 10. The member account will receive an email showing success:
-![Images/AWSOrg14.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg14.png)
+![Images/AWSOrg12.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg12.png)
 
 11. The management account will also receive email notification of success:
-![Images/AWSOrg15.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg15.png)
+![Images/AWSOrg13.png](/Cost/100_1_AWS_Account_Setup/Images/AWSOrg13.png)
 
 Repeat the steps above for each additional member account in your organization.
 

content/Cost/100_Labs/100_1_AWS_Account_Setup/4_configure_sso.md

@@ -27,7 +27,7 @@ You will create an AWS Organization with the management account.
 4. Click **Create group**:
 ![Images/ssogroups_create.png](/Cost/100_1_AWS_Account_Setup/Images/ssogroups_create.png)
 
-5. Enter a Group name of **Cost_Optimization** and a description, click **Create**:
+5. Enter a Group name of **Cost_Optimization** and a description, click **Create group**:
 ![Images/ssogroup_details.png](/Cost/100_1_AWS_Account_Setup/Images/ssogroup_details.png)
 
 6. Click **Users**:
@@ -38,35 +38,42 @@ You will create an AWS Organization with the management account.
 
 8. Enter the following details:
  - **Username**
- - **Password**
+ - **Password** - 
  - **Email address**
  - **First name** 
  - **Last name** 
  - **Display name**
  - Configure the optional fields as required
-click **Next: Groups**: 
+click **Next**: 
 ![Images/ssouser_detail.png](/Cost/100_1_AWS_Account_Setup/Images/ssouser_detail.png)
 
-9. Select the **Cost_Optimization** group and click **Add user**:
+9. Select the **Cost_Optimization** group and click **Next**:
 ![Images/ssouser_group.png](/Cost/100_1_AWS_Account_Setup/Images/ssouser_group.png)
 
-10. The user will receive an email, with a link to **Accept invitation**, the **Portal URL** and their **Username**:
+10. Review user details and click **Add User**
+![Images/ssouser_addusersubmit.png](/Cost/100_1_AWS_Account_Setup/Images/ssouser_addusersubmit.png)
+
+11. The user will receive an email, with a link to **Accept invitation**, the **Portal URL** and their **Username**:
 ![Images/ssouser_email.png](/Cost/100_1_AWS_Account_Setup/Images/ssouser_email.png)
 
-11. When the user goes to the portal, they will enter in a **Password** and click **Update user**:
+12. When the user goes to the portal, they will enter in a **Password** and click **Set new password**:
 ![Images/ssouser_login.png](/Cost/100_1_AWS_Account_Setup/Images/ssouser_login.png)
 
-12. The user will then Click **Continue**:
+13. Enter the new SSO Username and Password click **Sign In**:
 ![Images/ssouser_activate.png](/Cost/100_1_AWS_Account_Setup/Images/ssouser_activate.png)
 
 {{% notice note %}}
 Users will not have permissions until you complete the rest of this step.
+A management and member permission set will be created
 {{% /notice %}}
 
-13. Click on **AWS accounts**, select **Permission sets**, and click **Create permission set**:
+14. Create the management permission set. Click on **Permission sets**, and click **Create permission set**:
 ![Images/ssoaccount_createpermission.png](/Cost/100_1_AWS_Account_Setup/Images/ssoaccount_createpermission.png)
 
-14. Select **Create a custom permission set**, enter a name of **management_CostOptimization**, enter a **Description**, set the **Session duration**, select **Create a custom permissions policy**. Use the policy below as a starting point, modify it to your requirements and paste it in the policy field,  click **Create**.
+15. Select **Custom permission set** and click **Next**:
+![Images/ssouser_permission.png](/Cost/100_1_AWS_Account_Setup/Images/ssouser_permission.png)
+
+16. Select **Inline Policy**. Use the policy below as a starting point, modify it to your requirements and paste it in the policy field,  click **Next**.
 
 {{% notice warning %}}
 You **MUST** work with your security team/specialist to ensure you create the policies inline with least privileges for your organization.
@@ -97,12 +104,21 @@ You **MUST** work with your security team/specialist to ensure you create the po
         ]
     }
 {{% /expand%}}
+![Images/ssouser_inlinepolicy.png](/Cost/100_1_AWS_Account_Setup/Images/ssouser_inlinepolicy.png)
+
+17. Enter a Permission set name of **management_CostOptimization**, enter a **Description**, set the **Session duration**, click **Next**. 
+![Images/ssouser_permissionsetdetails.png](/Cost/100_1_AWS_Account_Setup/Images/permissionsetdetails.png)
 
+18. Review and **Create** the custom permissions policy. 
 ![Images/ssopermissionset_create.png](/Cost/100_1_AWS_Account_Setup/Images/ssopermissionset_create.png)
 
-15. Click **Create permission set**
+19. Create the member permission set. Click on **Permission sets**, and click **Create permission set**:
+![Images/ssoaccount_createpermission.png](/Cost/100_1_AWS_Account_Setup/Images/ssoaccount_createpermission.png)
+
+20. Select **Custom permission set** and click **Next**:
+![Images/ssouser_permission.png](/Cost/100_1_AWS_Account_Setup/Images/ssouser_permission.png)
 
-16. Select **Create a custom permission set**, enter a name of **Member_CostOptimization**, enter a **Description**, set the **Session duration**, select **Create a custom permissions policy**. Use the policy below as a starting point, modify it to your requirements, replace **(management CUR bucket)** and **(Cost Optimization Member Account ID)** and paste it in the policy field,  click **Create**.
+21. Select **Inline Policy**. Use the policy below as a starting point, replace **(management CUR bucket)** and **(Cost Optimization Member Account ID)** click **Next**.
 
 {{% notice warning %}}
 You **MUST** work with your security team/specialist to ensure you create the policies inline with least privileges for your organization.
@@ -199,29 +215,43 @@ You **MUST** work with your security team/specialist to ensure you create the po
     ]
     }
 {{% /expand%}}
+![Images/ssouser_inlinepolicy.png](/Cost/100_1_AWS_Account_Setup/Images/ssouser_inlinepolicy.png)
 
+22. Enter a Permission set name of **member_CostOptimization**, enter a **Description**, set the **Session duration**, click **Next**. 
+![Images/ssouser_memberpermissionsetdetails.png](/Cost/100_1_AWS_Account_Setup/Images/memberpermissionsetdetails.png)
+
+23. Review and **Create** the custom permissions policy. 
 ![Images/ssopermissionset_create.png](/Cost/100_1_AWS_Account_Setup/Images/ssopermissionset_create.png)
 
-17. Click **AWS organization**, select the **management account**, click **Assign users**:
+24. Setup the Cost Optimization management account. Click **AWS accounts**, select the **management account**, click **Assign users or groups**:
 ![Images/ssoaccount_organizationusers.png](/Cost/100_1_AWS_Account_Setup/Images/ssoaccount_organizationusers.png)
 
-18. Select **Groups**, select the **Cost_Optimization** group, click **Next: Permission sets**:
+25. Select **Groups**, select the **Cost_Optimization** group, click **Next**:
 ![Images/ssoaccount_groups.png](/Cost/100_1_AWS_Account_Setup/Images/ssoaccount_groups.png)
 
-19. Select the **management_CostOptimization** Permission set, click **Finish**:
+26. Select the **management_CostOptimization** Permission set, click **Next**:
 ![Images/ssoaccount_grouppermission.png](/Cost/100_1_AWS_Account_Setup/Images/ssoaccount_grouppermission.png)
 
-20. Click **Proceed to AWS accounts**:
+27. Review and **Submit**:
+![Images/ssoaccount_permissionsubmit.png](/Cost/100_1_AWS_Account_Setup/Images/ssoaccount_permissionsubmit.png)
+
+28. Verify account was updated with permission set:
 ![Images/ssoaccount_success.png](/Cost/100_1_AWS_Account_Setup/Images/ssoaccount_success.png)
 
-21. setup the Cost Optimization member account, select the **Member account**, click **Assign users**
+29. Setup the Cost Optimization member account. Click **AWS accounts**, select the **member account**, click **Assign users or groups**:
+![Images/ssoaccount_memberorganizationusers.png](/Cost/100_1_AWS_Account_Setup/Images/ssoaccount_memberorganizationusers.png)
 
-22. Select **Groups**, select the **Cost_Optimization** group, click **Next: Permission sets**:
+30. Select **Groups**, select the **Cost_Optimization** group, click **Next**:
 ![Images/ssoaccount_groups.png](/Cost/100_1_AWS_Account_Setup/Images/ssoaccount_groups.png)
 
-23. Select the **Member_CostOptimization** Permission set, click **Finish**
+31. Select the **member_CostOptimization** Permission set, click **Next**:
+![Images/ssoaccount_membergroups.png](/Cost/100_1_AWS_Account_Setup/Images/ssoaccount_membergroups.png)
 
-24. Click **Proceed to AWS accounts**
+32. Review and **Submit**:
+![Images/ssoaccount_memberpermissionsubmit.png](/Cost/100_1_AWS_Account_Setup/Images/ssoaccount_memberpermissionsubmit.png)
+
+33. Verify account was updated with permission set:
+![Images/ssoaccount_success.png](/Cost/100_1_AWS_Account_Setup/Images/ssoaccount_success.png)
 
 
 {{% notice tip %}}

content/Cost/100_Labs/100_1_AWS_Account_Setup/6_QuickSight.md

@@ -32,20 +32,51 @@ This will setup Amazon QuickSight, so that users in the Cost Optimization Accoun
 
 1. Go to the **IAM Dashboard**
 
-2. Click **Policies** and search for the **AWSQuickSightS3Policy**, click on the **AWSQuickSightS3Policy** policy:
+2. Click **Policies** and select **Create Policy**:
 ![Images/IAMPolicy_editQS.png](/Cost/100_1_AWS_Account_Setup/Images/IAMPolicy_editQS.png)
 
-3. Click **Edit policy**, 
+3. Go to **JSON Editor**. We will add the s3 resource **arn:aws:s3:::cost\*** below the existing s3 bucket. This will allow QuickSight to access any S3 bucket starting with **cost**, so Cost Optimization users can easily create new datasets without requiring additional QuickSight privileges. Copy the policy given below into JSON editor and Click **Next**: 
+
+{{%expand "Click here for Custom permissions policy" %}}
+    {
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:ListBucket",
+                "s3:GetObjectVersion"
+            ],
+            "Resource": "arn:aws:s3:::cost*"
+        },
+        {
+            "Sid": "VisualEditor1",
+            "Effect": "Allow",
+            "Action": "s3:ListAllMyBuckets",
+            "Resource": "*"
+        }
+    ]
+}
+{{% /expand%}}
 ![Images/IAMPolicy_editpolicy.png](/Cost/100_1_AWS_Account_Setup/Images/IAMPolicy_editpolicy.png)
 
-4. We will add the s3 resource **arn:aws:s3:::cost\*** below the existing s3 bucket. This will allow QuickSight to access any S3 bucket starting with **cost**, so Cost Optimization users can easily create new datasets without requiring additional QuickSight privileges. Click **Review policy**:
+4. Name your policy to **AWSQuickSightS3Policy**, add **Description** and click **Create Policy**:
 ![Images/IAMPolicy_editreview.png](/Cost/100_1_AWS_Account_Setup/Images/IAMPolicy_editreview.png)
 
-5. Click **Save changes**:
-![Images/IAMPolicy_save.png](/Cost/100_1_AWS_Account_Setup/Images/IAMPolicy_save.png)
+5. Click **AWSQuickSightS3Policy** policy to attach it to QuickSight role:
+![Images/awsQSIAM1.png](/Cost/100_1_AWS_Account_Setup/Images/awsQSIAM1.png)
+
+6. Go to **Policy Usage** tab and click **Attach**:
+![Images/AWSQSIAM2.png](/Cost/100_1_AWS_Account_Setup/Images/AWSQSIAM2.png)
+
+7. Select AWS QuickSight Service role and click **Attach Policy**:
+![Images/AWSQSIAM3.png](/Cost/100_1_AWS_Account_Setup/Images/AWSQSIAM3.png)
+
 
 {{% notice tip %}}
 Congratulations - QuickSight is now setup for your users. The Cost Optimization team can self manage QuickSight, and access to data sets in S3 with the correct bucket name.
 {{% /notice %}}
 
-{{< prev_next_button link_prev_url="../5_account_settings/" link_next_url="../7_cost_explorer/" />}}
+{{< prev_next_button link_prev_url="../5_account_settings/" link_next_url="../7_cost_explorer/" />}}