Applies only to Essentials via SoftwareOne Marketplace with Billing Transfer
Overview
This document describes how to deploy the Bootstrap role, a mandatory prerequisite for onboarding into Cloud Managed Services Essentials for AWS.
The Bootstrap role enables deployment of additional AWS best practices and governance guardrails for Cloud Essentials for AWS that:
- Monitor use of management account root credentials with proactive notifications provided to you by the SoftwareOne support team
- Allow spend anomaly investigation of identified spend irregularities
- Ensure deployment of AWS CloudTrail in the management account for added logging and governance
- Enable federated and audited access for support engineers if SoftwareOne Enterprise Support for AWS is selected
Setup
The Bootstrap role is deployed using an AWS CloudFormation Quick Create link provided by SoftwareOne. The template and parameters are preconfigured, and no customisation is required.
Prerequisites
Ensure the following before proceeding:
- Administrator permissions in the target AWS account
- Deployment performed in us-east-1 (N. Virginia)
Sign in to AWS
Sign in to the AWS Console of your AWS Management account with administrative access.
Open the CloudFormation Quick Create link
Open the link below:
SoftwareOne CloudFormation Quick Create link
This opens the CloudFormation – Create stack page with the Template URL, Stack name and required parameters pre-filled.
Acknowledge IAM capabilities
At the bottom of the Create stack page, select the checkbox that acknowledges:
CloudFormation may create IAM resources
This checkbox must be selected to proceed.
Create the stack
Select Create stack.
Verify deployment
Confirm the stack status is:
CREATE_COMPLETE
Deployment is complete.
Access scope and operational notes
The Bootstrap role:
- Manages only SoftwareOne-owned IAM roles and policies
- Does not access workloads, data, or non-IAM services
- Does not grant unrestricted administrative access
- Is required for Cloud Managed Services Essentials for AWS operation
Operational considerations:
- Modifying or removing the role may prevent service delivery
- Any changes to the role should be coordinated with the SoftwareOne Support Team
Reference: IAM policy
Policy scope
- Allows IAM actions only on resources named SWO* or swo*
- Does not allow access to IAM users or customer-defined resources
Policy document
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": [
        "arn:aws:iam::*:policy/SWO*",
        "arn:aws:iam::*:policy/swo*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": [
        "arn:aws:iam::*:role/SWO*",
        "arn:aws:iam::*:role/swo*"
      ]
    }
  ]
}
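The policy scope stated above can be checked against a copy of the policy document before and after deployment. The following is an added example, not SoftwareOne's code: the function names are hypothetical, matching is assumed to be case-sensitive (as the separate SWO* and swo* entries imply), and only the Resource patterns are evaluated, not Action, Deny statements or conditions.

```python
import re

# Bootstrap policy as published on this page.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*",
         "Resource": ["arn:aws:iam::*:policy/SWO*", "arn:aws:iam::*:policy/swo*"]},
        {"Effect": "Allow", "Action": "iam:*",
         "Resource": ["arn:aws:iam::*:role/SWO*", "arn:aws:iam::*:role/swo*"]},
    ],
}

# Resource shape the page documents: IAM roles and policies prefixed SWO or swo.
SCOPED = re.compile(r"arn:aws:iam::[^:]*:(role|policy)/(SWO|swo).*")

def arn_matches(pattern, arn):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one.
    Assumption: the comparison is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def out_of_scope(policy):
    """Return (statement index, reason) for every Allow statement that
    reaches beyond SWO*/swo* roles and policies."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotResource" in stmt or "Resource" not in stmt:
            findings.append((i, "no positive Resource list"))
            continue
        for res in as_list(stmt["Resource"]):
            if not SCOPED.fullmatch(res):
                findings.append((i, "resource outside SWO scope: " + res))
    return findings

def allowed(policy, arn):
    """True if any Allow statement's Resource pattern covers the ARN."""
    return any(arn_matches(p, arn)
               for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"
               for p in as_list(s.get("Resource", [])))
```

An empty result from `out_of_scope` means every Allow statement is still limited to SWO*/swo* roles and policies; any finding indicates the document differs from the one published here.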