AWS Account Management

The AWS Accounts page allows you to connect, configure, and manage multiple AWS accounts within TagOps, enabling centralized tagging operations across your entire AWS organization.

Adding an AWS Account

Prerequisites

Before adding an account:

  • [ ] AWS account with administrative access
  • [ ] 12-digit AWS account ID
  • [ ] Permissions to create CloudFormation stacks
  • [ ] Permissions to create IAM roles

Step-by-Step Process

1. Open Add Account Dialog

  1. Navigate to AWS Accounts page
  2. Click Add AWS Account button
  3. Account creation dialog appears

Free Trial Limitation

Free Trial accounts can only add 1 AWS account. Upgrade to add more accounts.

2. Fill Account Information

Account Name (Required)

  • Friendly name for the account
  • Examples: "Production", "Dev Environment", "Marketing Account"
  • 1-50 characters
  • Letters, numbers, spaces, hyphens, underscores allowed

AWS Account ID (Required)

  • Your 12-digit AWS account number
  • Numbers only
  • Find in AWS Console → Account Settings
  • Example: 123456789012

IAM Role Name (Required)

  • Default: tagops-exec-account-role
  • 1-64 characters
  • Letters, numbers, and _+=,.@- allowed
  • No spaces

External ID (Required)

  • Auto-generated random string
  • Click Generate to create a new ID
  • Copy to use in CloudFormation
  • Example: Xy9Pq4Mn2Lk7

3. Create CloudFormation Stack

TagOps provides two options:

Option A: Automated (Recommended)

  1. Click Provision CloudFormation Stack
  2. New tab opens to AWS CloudFormation console
  3. Parameters are pre-filled
  4. Review the configuration:

    Stack name: cf-tagops-onboarding
    RoleName: tagops-exec-account-role
    ExternalId: [your generated ID]
    
  5. Check "I acknowledge that AWS CloudFormation might create IAM resources"

  6. Click Create Stack
  7. Wait for stack status: CREATE_COMPLETE (1-2 minutes)

Option B: Manual

  1. Click Copy CF Link
  2. Save the link for later
  3. Open link in AWS CloudFormation console
  4. Follow same steps as Option A

4. Verify Account

After CloudFormation stack completes:

  1. Return to TagOps dialog
  2. Click Verify Account
  3. TagOps performs verification:

    • ✅ IAM role exists
    • ✅ Trust policy configured correctly
    • ✅ Required permissions granted
    • ✅ AssumeRole works
    • ✅ CloudTrail status checked

5. Complete Account Addition

  1. After successful verification, click Add Account
  2. TagOps registers the account
  3. Account appears in the accounts table
  4. Success notification displays:

    Account Added Successfully! "Production Account" has been added successfully. Configure services to scan.

CloudTrail Warning

If CloudTrail is not enabled, you'll see a warning notification. Event-based tagging features will be limited without CloudTrail.

Permissions Warning

If some permissions are missing, you'll see a warning notification. TagOps features will be limited.

Account Status Indicators

Active (Green)

  • Account connected and functioning
  • All checks passing

Inactive (Yellow)

  • Account connected but not in use
  • Or temporary access issues

Error (Red)

  • Connection problems
  • Permission issues
  • Role configuration errors

CloudTrail Warning Icon (⚠️)

  • Appears when CloudTrail is not enabled
  • Hover for details
  • Affects event-based tagging capability

Account Role permissions Warning Icon (⚠️)

  • Appears when the customer's TagOps role is missing permissions
  • Hover for details
  • Affects event-based and scan tagging capability

Editing an Account

What Can Be Modified

Editable:

  • Account Name
  • IAM Role Name

Non-Editable:

  • AWS Account ID (permanent)
  • External ID (security requirement)

Edit Process

  1. Click Edit button for the account
  2. Edit Account dialog opens
  3. Modify Account Name or IAM Role Name
  4. If changing IAM Role Name:

    • Click Update CloudFormation Stack
    • Update the stack in AWS Console
    • Update role name parameter
    • Click Verify Account to confirm changes
    • Click Update Account

IAM Role Updates

If you change the IAM Role Name, you must update the CloudFormation stack in your AWS account to match.

Removing an Account

Deletion Process

  1. Click Remove button for the account
  2. Confirmation dialog appears
  3. Review what will be deleted:

    • Account connection from TagOps
    • Scan configurations
    • Inventory data
    • Tagging history
    • Scheduled scans

  4. Confirm deletion
  5. Account removed from TagOps

Data Loss

Deleting an account removes all associated data from TagOps. This action cannot be undone.

CloudFormation Cleanup

After deleting an account, clean up AWS resources:

  1. CloudFormation Cleanup Dialog appears
  2. Click Delete CloudFormation Stack
  3. The AWS Console opens at the stack
  4. Delete the stack to remove the IAM role
  5. This prevents orphaned resources in your AWS account

Alternatively:

  • Click Copy CF Link to save the cleanup link
  • Click Later to dismiss the dialog

Account Limits

Subscription Tiers

Free Trial

  • Maximum: 1 AWS account
  • Shows warning when limit reached
  • Upgrade button to increase limit

Standard Plans

  • Fixed number of accounts per plan
  • No per-account limit shown

Tiered Plans

  • Custom account limits (e.g., 5, 10, 25, 50+)
  • Shows current usage: 3/10 accounts
  • Warning when approaching limit

Reaching Account Limits

When at maximum accounts:

⚠️ Free Trial Account Limit Reached
You've reached the maximum of 1 AWS Account for Free Trial users.
Upgrade your subscription to connect multiple AWS accounts.
[Upgrade Button]

Actions:

  • Click Upgrade to view subscription plans
  • Remove an existing account to add a different one
  • Contact support for enterprise limits

Account Configuration

After adding an account, configure:

Allowed Regions

Define which AWS regions TagOps should monitor:

  1. Go to Settings → Account Settings
  2. Select the account
  3. Edit Allowed Regions
  4. Save configuration

Allowed Services

Control which AWS services to scan:

  1. Go to Settings → Account Settings
  2. Select the account
  3. Edit Service Configuration
  4. Choose approach:

    • Allow all services
    • Select specific services

  5. Save configuration

See Account Settings workflow for detailed configuration.

CloudFormation Stack Details

Stack Resources Created

The onboarding CloudFormation stack creates:

IAM Role: tagops-exec-account-role (or custom name)

Trust Policy: Allows TagOps to assume the role

Managed Policies:

  • Resource tagging permissions
  • Resource read permissions
  • CloudTrail read permissions

Required Permissions

The IAM role grants permissions for:

Resource Discovery:

  • List and describe resources
  • Read resource configurations
  • Get resource tags

Tagging Operations:

  • Create tags
  • Update tags
  • Delete tags

CloudTrail Access (optional but recommended):

  • Read trail configurations
  • Verify trail status

Stack Parameters

Parameters:
  RoleName: tagops-exec-account-role
  ExternalId: [generated random string]

Outputs:
  RoleArn: arn:aws:iam::ACCOUNT_ID:role/tagops-exec-account-role
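The trust policy the onboarding stack is described as creating, together with the "Trust policy configured correctly" check from the Verify Account step, worked through as an added example; this is not TagOps' own code or template. The TagOps principal account ID is a placeholder assumption, and the External ID reuses the example value shown above.

```python
"""Added example, not TagOps' own code: build the cross-account trust policy the onboarding
stack is described as creating, then check a trust policy as the verification step would."""

TAGOPS_ACCOUNT_ID = "111111111111"  # placeholder for TagOps' own AWS account (assumption)
EXTERNAL_ID = "Xy9Pq4Mn2Lk7"        # example value from the docs; generated per account
TAGOPS_PRINCIPAL = f"arn:aws:iam::{TAGOPS_ACCOUNT_ID}:root"


def build_trust_policy(tagops_principal: str, external_id: str) -> dict:
    """Only the TagOps account may assume the role, and only when it presents the
    per-account External ID (the standard confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": tagops_principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict, expected_principal: str, expected_external_id: str) -> list:
    """Return findings for every Allow statement granting sts:AssumeRole; [] means pass."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS")
        if aws in ("*", None):
            findings.append("principal is wildcard or not an AWS account principal")
        elif aws != expected_principal:
            findings.append(f"unexpected principal {aws}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId does not match the one shown in the dialog")
    return findings


if __name__ == "__main__":
    good = build_trust_policy(TAGOPS_PRINCIPAL, EXTERNAL_ID)
    weak = {"Version": "2012-10-17", "Statement": [  # constructed: anyone may assume, no External ID
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
    print(check_trust_policy(good, TAGOPS_PRINCIPAL, EXTERNAL_ID))  # []
    print(check_trust_policy(weak, TAGOPS_PRINCIPAL, EXTERNAL_ID))
```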