Getting started

Creating an Organization

Creating Audit and Log Archive AWS Accounts

Management

Creating an AWS Account

Initial Setup

Billing Alerts

Configuring AWS SSO (IAM Identity Center)

Generating As-Built-Documentation

Environments

Configuring AWS Client VPN

Configuring Private Bastion

Deleting an Environment

Compliance

Configuring a standard

Reference

Choosing Email Addresses for your AWS Accounts

Checklist end-of-deployment

Configuring SSO for Microsoft Azure

Configuring SSO for G-Suite

Deploying Applications

Notification History

Removing Citadel Access from AWS Accounts

What’s deployed in my account

Troubleshooting

Common Issues

Finding the Root Cause of a Failed Job

Creating new environment failed

Fixing Network Access is not connecting to RDS

SSO G-Suite - Deploy Lambda Error

Common issues

Initial Setup

To start using the Citadel app, sign in with your email address to connect an AWS Account to Management. Follow the instructions to do the initial setup.

You need an account to log in to Citadel. If you don’t have an account yet, you need an invite to register. Please request one from your delivery partner, or email: [email protected]

Log in to Citadel

Go to https://app.citadel.run/login
Enter your email account
Enter your password
Select Remember me if you are on a safe workstation and want to save your information for future log ins
Click on Log in

Register to Citadel (currently invite only)

Follow the link from your email invite
Enter your name
Enter a valid email address
Enter password
Confirm your password
Click on Register

Connecting your AWS Management Account

As you log in to Citadel, a message will ask you to set up your Citadel Account, seen below:

Go to Management to start the Initial Setup.

Preparation

You will need:

Account ID for your AWS Management Account
Have an Organization on your AWS Management Account (see
Creating an Organization
to create one)
Log in to your AWS Management Account using an Administrator role
Account ID for your AWS Audit Account (if you don’t have one, see
Creating Audit and Log Archive AWS Accounts
)
Account ID for your AWS Log Archive Account (if you don’t have one, see
Creating Audit and Log Archive AWS Accounts
)
An email address to receive alarms

Connecting the Management Account

The first step to configuring your AWS Management (Master) Account to Citadel is to connect your AWS Account.

Log in to AWS on another browser tab
Click Run Template to open CloudFormation on your AWS Management Account and click Create Stack.
Enter the Account ID for your Management AWS Account
Click Check Connection

Wait a few moments until you see “Connection OK” and the Next button enabled. Click to proceed.

🚨

If you get an error, please check: - Is the Account ID number correct? - Did you deploy the CloudFormation template to the same AWS account as the ID? - Did the CloudFormation template finish deploying, successfully?

Setting up the Management Account

For the second stage of the Initial Setup, we need to collect information to deploy the initial baseline services to your Management, Audit and Log Archive accounts.

Complete the setup by entering the information below.

Enter Default Email For Alerts, this email will be used to send alerts from security services like Cloudtrail and GuardDuty. Can be changed later
Enter AWS Account ID For Audit
Enter AWS Account ID For Log Archive
Choose a primary AWS Region. You can only choose one primary region but multiple secondary regions. Changing the primary region may cause disruption, so choose carefully.
Click Save

After saving, the Organization Status page will show your accounts and deployment statuses:

Regions (primary and secondary ones) will have separate statuses as Citadel deploys a baseline stack on each one. This baseline stack can be redeployed by clicking the ‘Redeploy’ option on the options menu on the right side of the status bar.

You can reconfigure your account by clicking on the option ‘Reconfigure’, next to the Management Account Connected status. Be aware that reconfiguring the account can have unintended consequences because new baseline stacks will be deployed in the new primary region and Audit/Log Archive accounts. Please contact support if this change needs to be done so that we can guide you through it.

← Previous

Creating Audit and Log Archive AWS Accounts

Billing Alerts

On this page