Navigation Menu: Customer  


TIP: For best results, use Google Chrome when working in the platform portals and the AWS Management Console.

 

Overview:  

This article provides detailed information on how to add or link an existing AWS account to SES.  You will learn how to add, set a price book, support plan, as well as set-up the read only role required for the platform. Adding or linking an AWS account to an SES customer account can be completed two ways:

 

Option 1. Reseller completes the action in SES management console on behalf of the customer

Option 2. Customer starts the action from the Customer Portal


Linking existing AWS accounts always involves the Root AWS account owner.

You need to obtain the following information from your customer:
  1. 12-digit AWS Account number
  2. AWS account Root email address
  3. AWS Support Type:
  • Business Level Support – BLS
  • Developer
  • Basic/No Support (Free)



Definition of Root User:  When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account.  This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.

 

If the organization doesn't know the root user email address associated with and AWS Account, Tech Data sends linking requests via the 12-digit account number.  The root email address is identified after the linking request is accepted.


This table lists the high-level activities for adding an existing AWS account to the platform:

 

ActivityResponsible Party
Work completed in...
Add AWS AccountReseller or Customer (if Customer Portal is provisioned)SES Setup Role ARN
Setup Role ARN (ReadOnlyAccess)AWS Account OwnerAWS Console
Add ARN role to SESReseller or Customer (if Customer Portal is provisioned)SES
Send Linking Request    Tech Data - SES Cloud Ops TeamAWS Console
Accept Linking Request    AWS Account Owner    AWS Console
Configure Support Settings

*If applicable - Notify SES Cloud Ops Team if Customer does not want or have Business Level Support at the time you send the linking request
AWS Account Owner &
Reseller

AWS Console 

SES Charges and Discounts

Configure PricebookResellerSES



Important: This article assumes you have read the Scoping Questions for Linking an Existing AWS Account to address any possible account link issues prior to adding the account in the platform.

 

Prerequisites:

Before you add or link an account, create a Customer profile in SES. To learn how to add a new customer profile, please refer to this article:  How to Create A Customer


AWS Business Level Support:   Tech Data assumes AWS accounts are enabled with Business Level Support unless notified otherwise.  Business Level support is an aggregation model, providing higher reseller margin. Managing support charges is key to ensuring your billing data is accurate for you and your customers.  See this article for more information:  How to Assign Support Plan Charges to Cloud Accounts.   If the account owner does not want Business Level Support, please notifying the SES Cloud Support Ops team at ses-support@techdata.com or open a ticket.


 

Add existing AWS account (from the Reseller's platform management console)


Part 1 - Add existing AWS account

To add an existing AWS account, follow these steps:


1. Log into the platform and select the [Customers] module

 

 

2. Select the customer that you want to add the AWS account to then click [Edit]

3. Select Cloud Accounts  (from the left column)   

4. Click [Add+]   


Click on the images below to magnify



5. From the Cloud Account window, complete the following fields:   

a. Cloud Provider: select Amazon Web Services (required)

b. Account ID:  select [New Account] then enter the 12 digit AWS account number (required)

c. Email:  enter the Root email address connected to the AWS account. (not required)

d. Type:  leave default, which is Resale

e. Price Book:  Change only if you special pricing for this account only.  The pricebook set under Cloud Providers  controls

f.  Billing Start Date:  Leave blank. Do not enter a billing start date*

g. Click [Save].    


The Create IAM Role window displays.  The steps outlined in this window are completed in the AWS console.  

Note: Root access is not a requirement for a user to create an read-only role, depending on the IAM user's access rights. 

*If you have access to the AWS account, please log into AWS IAM screen to complete the next steps.  *If you do not have access, click [Later]

    

Part 2 - Create IAM Role

The Platform requires read only access to be able to capture usage and RI inventory data to the cloud environment


Use two browsers so you can toggle between the AWS console and the SES platform.
The instructions below are also provided in SES under the Cloud Account window.


From the AWS Console complete the following steps


1.            Login to your Amazon IAM console

2.            Select "Roles" from the menu list

3.            Click "Create Role"

4.            Click "Another AWS Account"

5.            Enter the following:


       Account ID: 328676173091

       External ID: CA****** (This ID number is unique to each AWS account)


Note: Leave the "Require MFA" field blank - MFA for third-party access is not supported at this time and accounts used for access have MFA enabled.


5b. Check mark "Options" to enter the "Require external ID (Best practice when a third party will assume this role)"



6. Click "Next: Permissions"


7. In the policy list, search for "ReadOnlyAccess" policy and check the box on the left.


***Optional To add the policy for the Security and Compliance Report, in the policy list, search for  AWSSupportAccess and check the box on the left.  (Again, this is optional, but highly recommended.  For more information, please read the knowledge Base article: AWS Security and Compliance Report)


8. Add tags are optional – Skip Tags and click “Next: Review”


9. Enter a Role Name 

(Example: SES) Please note: The Role Name cannot contain spaces. Use alphanumeric and '+=,.@-_' characters. Maximum 64 characters.


10. Enter a Role Description

(Example: Read Only Access for billing) Please note: Maximum 1000 characters. Use alphanumeric and '+=,.@-_' characters.


11. Click "Create Role"




12.  On the next page, click on the Role name itself to access Summary Screen


13. Click on the Role Name to access Summary Screen


14. Click the “Copy to Clipboard” icon located on the right of the Role ARN value, to copy the value.


15. Back to SES, at the bottom of the Create IAM Role dialog box, paste the value in the AWS Role ARN field.   


16. Click the “Not Checked/Check Now” action function button to confirm the role validates in the platform. Once you see the green Verified status appears, click “Save”. If a red “No Access” message appears, please recheck the Role ARN value.  Make sure the role is correct and there are no spaces in front or behind the value when pasted. If the ARN Value is still not validating once corrected, please contact the account Owner to confirm the ReadOnlyAccess policy added.  The Role ARN might need to be recreated.


17. Enter the Role description (optional)


18. Save



**Information Regarding accuracy in platform billing data related to creating the Read-only Role.**

The Role ARN is used by the platform to populate the RI inventory, RI utilization and RI optimization/recommendation reports.  


In addition, the Role ARM plays an important part to support how SES  keeps track of volume and RI purchases and reports billing data accurately to individual linked accounts. Basically keeping the benefits to the accounts that made the investment in the RI purchases. If the ARN role is created and added to the platform, and the AWS account has purchases an RI, then the benefits may not be properly applied to the customer's billing data.


Setup of the read-only access role is typically performed when you link an existing AWS account. Read-only access role is already setup under 'Request" new AWS accounts within the platform.



Part 3 - Joining the Organization-Linking Request Acceptance

The SES Support team receives the link request.  The request is approved and an email invitation is sent from AWS to the Root account owner.  The AWS account must join the Tech Data-owned Organization before the billing responsibility is changed from direct to reseller.  The Link invitation expires two weeks after sending if no action is taken. Please contact SES Support if a new invitation to link is required.


From the Invitation email, the Root owner can click the link to be directed to the AWS login screen. Go to My Account, Consolidated Billing or My Organization to view the Invitation.  


Please Note:  The actual email is not needed as the actual invitation is stored within the AWS account itself for 2 weeks.

 

Example of the AWS invitation is below:





Updating AWS Business Support


**Once you can confirmed the account has "joined the organization", advise the Root account owner to change the support level to Business.  See screenshots below:




***Note:  Disregard the Prorated upfront charge, as upfront support charges are not applicable in the reseller program***


The Support status will be updated within minutes.


Updating AWS Business Support in SES


*Important*  In SES, the default support plan is the AWS Premium Business Support. If business level support is not required for the customer's AWS account, please notify the SES support operations team at ses-support@techdata.com 


For information on setting support plan fees, see this Knowledge Base article: How to Assign Support Plan Charges to Cloud Accounts





Customer Initiated Link Request - Adding existing AWS account

(From the Customer Portal)

This section explains the same process as above with the exception that the linking request is initiated via the end customer portal (vs. the reseller creating the process from the SES management console).


 In the Settings screen, click Add and enter the following data fields:


1.  Select Amazon Web Services

2.  Enter the 12 digit AWS account number

3.  Add the Root email address

4.  Click [Save]



The platform generates a work approval notification to the reseller, via email.


Tip: you should have 2 browser windows open: one window to see read these instructions, second window that has the Amazon Management Console open.

From the AWS Console:

1.  Login to your Amazon IAM console
2. Select "Roles" from the menu list
3. Click "Create Role"
4. Click "Another AWS Account"
5. Enter the following:
Account ID: 328676173091
External ID: CA****** (This ID number is unique to each AWS account)


    Check mark "Options" to enter the "Require external ID (Best practice when a third party 
    will assume this role)"    
    Note: Leave the "Require MFA" field BLANK - MFA for third-party access is not supported 
    at this time.



6. Click "Next: Permissions"
7. In the policy list, search for "ReadOnlyAccess" policy and check the box on the left.


Optional:  To add the policy for the Security and Compliance Report, in the policy list, search for AWSSupportAccess and check the box on the left.  (Again, this is optional, but highly recommended.  For more information, please read the Knowledge Base article: AWS Security and Compliance Report)


8.  Click Next: Review

9.  Enter a name and description for the new Role.  (Role Example: SES. -  Description      Example: Read-only access for billing, Security and Compliance report)
10. Click "Create Role"



11.  On the next page, click on the Role name itself to access Summary Screen


 


12.  At the top of the Summary page, click on the Copy button icon to copy the value next to Role ARN 


 ***Back to SES, at the bottom of the Create IAM Role dialog box***


13.  Paste the Role ARN name in the Create IAM Role screen

14.  Hovering over the "Not Checked", will change to "Check Now".  Click "Check Now" 

until you see the green Verified.  If you see anything other than a green Verified indicator,

please contact SES Support.

15.  Click [Save]


**Information Regarding accuracy in platform billing data related to creating the Read-only Role.**

The Role ARN is used by the platform to populate the RI inventory, RI utilization and RI optimization/recommendation reports.  


In addition, the Role ARM plays an important part to support how SES  keeps track of volume and RI purchases and reports billing data accurately to individual linked accounts. Basically keeping the benefits to the accounts that made the investment in the RI purchases. If the ARN role is created and added to the platform, and the AWS account has purchases an RI, then the benefits may not be properly applied to the customer's billing data.


Setup of the read-only access role is typically performed when you link an existing AWS account. Read-only access role is already setup under 'Request" new AWS accounts within the platform.


Reseller Action - Update AWS Business Support in SES


*Important*  In SES, confirm AWS Premium Business Support charges are being passed down to all AWS accounts. Please see the Knowledge Base article: How to Assign Support Plan Charges to Cloud Accounts




Part 3 - Joining the Organization-Linking Request Acceptance

The SES Support team receives the link request.  The request is approved and an email invitation is sent from AWS to the Root account owner.  The AWS account must join the Tech Data-owned Organization before the billing responsibility is changed from direct to reseller.  The Link invitation expires two weeks after sending if no action is taken. Please contact SES Support if a new invitation to link is required.


From the Invitation email, the Root owner can click the link to be directed to the AWS login screen. Go to My Account, Consolidated Billing or My Organization to view the Invitation.  


Please Note:  The actual email is not needed as the actual invitation is stored within the AWS account itself for 2 weeks.


Example of a Link invitation below:

 

From the Invitation email, the Root owner can click the link to be directed to the AWS login screen. Go to My Account, Consolidated Billing or My Organization to view the Invitation.






Confirmation screen


**This account is now part of the Org**

 


Updating AWS Business Support


Once you can confirmed the account has "joined the organization", advise the customer to log into AWS and change the support level to Business.  See screenshots below: 

*Path [Support/Support Center/Change Support Plan/Business/Save or Submit]


 


  

Reseller Action Updating AWS Business Support in SES


*Important*  In SES, confirm AWS Premium Business Support charges are being passed down to all AWS accounts. Please see the Knowledge Base article: How to Assign Support Plan Charges to Cloud Accounts




Reseller Account Approval Process


Account approval is required when your customer is submitting the request through the customer Portal.  


You receive a workflow email when your customer submits a AWS linking request from the customer portal (widget) or the Cloud Marketplace URL. The notification is typically sent to the contact name and email listed at the bottom of the Email Templates page.


When you receive the email notification, you have the following options: 

(1) Click on the embedded link in the approval workflow email, to be taken to the Approval section inside SES (if you are currently logged in)


OR


(2) Log into SES, then select Settings > Approval requests

 

Select the request that you want to approve then click [View].


 

Click [Approve and Provision] or [Decline]