Skip to main content
You are viewing the documentation for Interana version 2. For documentation on the most recent version of Interana, go to


Scuba Docs

Configure Consolidated Billing (AWS) for Interana

Consolidated Billing is an AWS feature that allows you to create a separate account that is completely isolated from your main assets while enabling Scuba's operations personnel to manage all aspects of the Scuba application and its AWS dependencies.

Virtual Private Cloud (VPC) isolates the network in a safe way from the outside world and provides additional security controls. It is used by many AWS customers and is the AWS standard for enterprise class security. This allows you to share your S3 bucket without providing any root credentials or keys. This gives you greater transparency and security at the same time because you own all the assets, inventory, and data.

The combination of Consolidated Billing and VPC enables Scuba to provide a turn-key management capability for AWS-based deployments of Scuba software.

Using reserved instances with Consolidated Billing

For billing purposes, Consolidated Billing treats all the accounts on the consolidated bill as a single account. This means that all accounts on a consolidated bill can receive the hourly cost benefit of Amazon EC2 Reserved Instances purchased by any other account. You can reserve the instance types for the region and zone where Scuba is deployed in their Master Payer Account. When the bill is compiled, the reserved instances for the entire account is applied to usage on all sub accounts.  

To avoid any issues, make sure that you reserve instances in the Region and Zone where Scuba is deployed. It can be difficult to transfer reserved instances across Zones. Transferring reserved instances across Regions will require escalation via Amazon Support and the Amazon Account Rep.

Adjusting reserved instances: If you later decide to adjust your reserved instance, you must meet Amazon's reserved instance requirements and include specific information in the request. See Amazon's Requirements for modification for detailed information about this process.

Architecture overview

You will need to set up your Consolidated Billing account and grant that account read-only access to your S3 Bucket. Scuba will take care of the setup, provisioning, and import.

Logical network architecture

The logical network setup has two subnets that decide whether there is an external IP. All nodes on the private network should have complete access to the public subnet. Nodes on the public subnet can be reached based on the security rules applied. The S3 bucket will be shared via a separate AWS account via a bucket policy.

Security architecture

This security architecture describes how machines are accessed from public and private networks. 

Public Subnet

Front End Web Servers

  • Port 443 to the world for access to UI

Admin Node

  • Port 22 open only to Scuba Management Networks
  • RBAC installed to tracking and privileged access

Private Subnet

Data, String, Import, and Config Nodes

  • Port 22 access from Admin Nodes Only
  • Inter-vlan communication open only to Private Subnet

S3 Bucket

  • Accessed via Amazon VPC Endpoint and Read Only bucket policy

Setting up AWS account credentials

Following these steps will allow an existing S3 bucket to be used with a new AWS account for Scuba resources. Once the policy is generated, you will send a new cluster setup file (Scuba_cluster.json) to Scuba support. Scuba will then generate the VPC and Scuba Cluster.

Follow these instructions to configure a new account that will be used to run an Scuba cluster in AWS. Our solution creates a completely firewalled account using VPC and allows you to attach it to your Master AWS account to take advantage of AWS Consolidated Billing.

  1. Create the Amazon account
  2. Set up Consolidated Billing
  3. Allow AWS notifications to go to Scuba
  4. Apply the S3 bucket policy

Only use the credentials with the new account in running scripts. Do not paste in your master account access keys!

Create the Amazon account

  1. Using a new email address, sign up for a new Amazon account at We recommend using an alias like Use a new email address and credit card. Keep your root email and password information available for the initial login to your AWS Scuba account.
  2. Open and note your account ID.
  3. Log into the account and navigate to the Identity & Access Management (or IAM) service. 
  4. Click Users. In the dialog box that opens, click Create New Users.

  1. Enter a new user name, Scuba_admin, and check Generate an access key for each user. Click Create.

  1. In the next screen, click Download Credentials to download the Secret and Access keys to your repository.

  1. Click on the Users section of the IAM Dashboard.
  2. Click on the Scuba_admin user you created. 
  3. Scroll down to the Permissions section and click Attach Policy.

  1. Select the AdministratorAccess role and click Attach Policy

Set up Consolidated Billing

After the Scuba cluster is created, you must set up consolidated billing. 

  1. Go to and log in with your Master Account.
  2. Click Add account.
  3. Click Invite account.
    Screen Shot 2019-12-20 at 1.59.05 PM.png
  4. Enter the email address for your Master Account to sign up, and click Invite. Click Invitations to confirm that the request has been sent.
  5. The Scuba account (on AWS) will receive the request for consolidated billing. Log into that account, click Invitations, and click Accept on the invite you created.
    Screen Shot 2019-12-20 at 2.05.46 PM.png
  6. Verify that the account is now listed on your Master Account > Consolidated Billing page.

Allow AWS notifications to go to Scuba

This will allow Scuba to receive notifications from AWS regarding any environment maintenance related to your cluster.

  1. Go to
  2. Under Alternate Contacts, click Edit.

  1. Under the Operations field, fill out the form as shown below.

  1. Click Update.

Apply the S3 bucket policy

After you create the Amazon account, apply a bucket policy to your s3 bucket. This provides the Scuba application read-only access.


  1. An Amazon account as described above.
  2. A VPC identifier of the form vpce-xxxx, provided by Scuba.

To apply an s3 bucket policy:

  1. In your Amazon account, navigate to Permissions > Bucket Policy to open the bucket policy editor.
  2. Enter the following bucket policy, substituting the VPC identifier you received from Scuba in the place of vpce-xxxx.
"Version": "2012-10-17", 
"Id": "PolicyVPCEndpointS3", 
"Statement": [ 
{ "Sid": "Access-to-vpce-xxxx", 
"Effect": "Allow", 
"Principal": "*", 
"Action": "s3:*", 
"Resource": [ 
"Condition": { 
"StringEquals": { 
"aws:sourceVpce": "vpce-xxxx" 

3. Click Save.

Amazon AWS, EBS, and EC2 service limits

Make sure that the appropriate AWS, EBS (Elastic Block Store), and EC2 service limits are set for your instance, as appropriate. 

See the following AWS documentation for more information about the service limits and how to request a limit increase:

See the following AWS documentation for more information about the default Amazon account limits: