Help Manage AWS costs Connect AWS Account
This doc provides an overview on:
Integrating your Amazon Web Services (AWS) account is a three-stage process:
Stage 1
Provide CloudSpend programmatic read-only access to specific AWS services, including Amazon S3, Cost and Usage report, IAM and Organizations.
Stage 2
Stage 3
Sign in to the CloudSpend console and configure the Integrate AWS Account page.
You can provide CloudSpend programmatic access to your AWS resources in two ways: create a cross-account IAM Role and establish a trust relationship between your AWS account and CloudSpend's AWS account, or create CloudSpend as an IAM user in your AWS account.
Between the two, the IAM Role is recommended, as there is no sharing of security credentials. Also, when you delegate permissions using Roles, you can designate the AWS accounts that are allowed to assume the role, thereby safeguarding your account from unauthorized access.
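The trust relationship is what limits who can assume the role, so it is worth checking after the role is created. The following is an added example, not part of CloudSpend's documentation: it audits a role trust policy for a pinned account principal and an `sts:ExternalId` condition. The external ID is not mentioned on this page and is included as an assumption (it is AWS's standard guard for third-party cross-account roles); the account ID and external ID values are constructed placeholders.

```python
def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _account_of(principal):
    """Account ID from '111122223333' or 'arn:aws:iam::111122223333:root'."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_trust_policy(policy, expected_account):
    """Return findings for a role trust policy; an empty list means it is pinned."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not aws:
            findings.append(f"statement {i}: no AWS account principal")
        for p in aws:
            if p == "*":
                findings.append(f"statement {i}: any AWS account may assume the role")
            elif _account_of(p) != expected_account:
                findings.append(f"statement {i}: unexpected account {_account_of(p)}")
        # Condition keys are case-insensitive, so compare them lower-cased.
        conds = {k.lower(): v for op, kv in st.get("Condition", {}).items()
                 if op == "StringEquals" for k, v in kv.items()}
        if not conds.get("sts:externalid"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings

VENDOR_ACCOUNT = "111122223333"  # placeholder, not CloudSpend's real account ID

# Constructed sample: principal pinned to one account, external ID required.
PINNED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}

# Constructed sample: wildcard principal and no condition.
OPEN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    for name, doc in (("PINNED", PINNED), ("OPEN", OPEN)):
        print(name, audit_trust_policy(doc, VENDOR_ACCOUNT) or "ok")
```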
The following section will walk you through the IAM Role creation process:
IAM policies determine the permissions for the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "organizations:ListRoots",
        "s3:GetObjectVersionTagging",
        "organizations:DescribeAccount",
        "organizations:ListChildren",
        "s3:GetObjectAcl",
        "organizations:DescribeOrganization",
        "s3:GetObjectVersionAcl",
        "s3:HeadBucket",
        "organizations:DescribeHandshake",
        "s3:GetBucketWebsite",
        "s3:GetBucketNotification",
        "s3:GetReplicationConfiguration",
        "s3:ListMultipartUploadParts",
        "organizations:ListAccountsForParent",
        "organizations:ListHandshakesForAccount",
        "s3:GetObject",
        "iam:GetUserPolicy",
        "s3:GetAnalyticsConfiguration",
        "organizations:ListOrganizationalUnitsForParent",
        "s3:GetObjectVersionForReplication",
        "cur:DescribeReportDefinitions",
        "s3:ListBucketByTags",
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketTagging",
        "s3:GetInventoryConfiguration",
        "s3:ListBucketVersions",
        "s3:GetBucketLogging",
        "s3:ListBucket",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketPolicy",
        "organizations:DescribePolicy",
        "s3:GetObjectVersionTorrent",
        "s3:GetEncryptionConfiguration",
        "organizations:ListCreateAccountStatus",
        "s3:GetBucketRequestPayment",
        "organizations:DescribeOrganizationalUnit",
        "s3:GetObjectTagging",
        "s3:GetMetricsConfiguration",
        "organizations:DescribeCreateAccountStatus",
        "organizations:ListPoliciesForTarget",
        "s3:ListBucketMultipartUploads",
        "organizations:ListTargetsForPolicy",
        "s3:GetBucketVersioning",
        "organizations:ListAWSServiceAccessForOrganization",
        "s3:GetBucketAcl",
        "organizations:ListPolicies",
        "organizations:ListHandshakesForOrganization",
        "organizations:ListAccounts",
        "s3:GetObjectTorrent",
        "s3:ListAllMyBuckets",
        "s3:GetBucketCORS",
        "organizations:ListParents",
        "iam:GetUser",
        "s3:GetBucketLocation",
        "s3:GetObjectVersion"
      ],
      "Resource": "*"
    }
  ]
}
The following section will walk you through the AWS IAM user creation process:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "organizations:ListRoots",
        "s3:GetObjectVersionTagging",
        "organizations:DescribeAccount",
        "organizations:ListChildren",
        "s3:GetObjectAcl",
        "organizations:DescribeOrganization",
        "s3:GetObjectVersionAcl",
        "s3:HeadBucket",
        "organizations:DescribeHandshake",
        "s3:GetBucketWebsite",
        "s3:GetBucketNotification",
        "s3:GetReplicationConfiguration",
        "s3:ListMultipartUploadParts",
        "organizations:ListAccountsForParent",
        "organizations:ListHandshakesForAccount",
        "s3:GetObject",
        "iam:GetUserPolicy",
        "s3:GetAnalyticsConfiguration",
        "organizations:ListOrganizationalUnitsForParent",
        "s3:GetObjectVersionForReplication",
        "cur:DescribeReportDefinitions",
        "s3:ListBucketByTags",
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketTagging",
        "s3:GetInventoryConfiguration",
        "s3:ListBucketVersions",
        "s3:GetBucketLogging",
        "s3:ListBucket",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketPolicy",
        "organizations:DescribePolicy",
        "s3:GetObjectVersionTorrent",
        "s3:GetEncryptionConfiguration",
        "organizations:ListCreateAccountStatus",
        "s3:GetBucketRequestPayment",
        "organizations:DescribeOrganizationalUnit",
        "s3:GetObjectTagging",
        "s3:GetMetricsConfiguration",
        "organizations:DescribeCreateAccountStatus",
        "organizations:ListPoliciesForTarget",
        "s3:ListBucketMultipartUploads",
        "organizations:ListTargetsForPolicy",
        "s3:GetBucketVersioning",
        "organizations:ListAWSServiceAccessForOrganization",
        "s3:GetBucketAcl",
        "organizations:ListPolicies",
        "organizations:ListHandshakesForOrganization",
        "organizations:ListAccounts",
        "s3:GetObjectTorrent",
        "s3:ListAllMyBuckets",
        "s3:GetBucketCORS",
        "organizations:ListParents",
        "iam:GetUser",
        "s3:GetBucketLocation",
        "s3:GetObjectVersion"
      ],
      "Resource": "*"
    }
  ]
}
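The same policy is attached in both the IAM Role and the IAM user procedures, and because it uses "Resource":"*", its `s3:GetObject` permission covers every bucket in the account rather than only the report bucket. The following is an added example, not CloudSpend's own code: it confirms a policy contains only read verbs and rewrites it so the S3 actions apply to a single bucket. It assumes CloudSpend only needs to read the bucket that holds the Cost and Usage report, which this page does not confirm; `example-cur-bucket` is a placeholder and the embedded policy is an excerpt of the one above.

```python
import json

READ_VERBS = ("Get", "List", "Describe", "Head")
# Left on "*": ListAllMyBuckets has no bucket-level resource; HeadBucket is
# kept unscoped here as a conservative assumption.
UNSCOPED_S3 = {"s3:ListAllMyBuckets", "s3:HeadBucket"}

def non_read_actions(policy):
    """Return actions whose verb is not a read verb (should be empty)."""
    return [a for st in policy["Statement"] for a in st["Action"]
            if not a.split(":", 1)[1].startswith(READ_VERBS)]

def scope_s3_to_bucket(policy, bucket):
    """Rewrite a one-statement Resource:"*" policy so S3 reads cover one bucket."""
    actions = policy["Statement"][0]["Action"]
    s3 = sorted(a for a in actions if a.startswith("s3:") and a not in UNSCOPED_S3)
    rest = sorted(a for a in actions if a not in s3)
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": policy["Version"],
        "Statement": [
            {"Sid": "ReportBucketRead", "Effect": "Allow", "Action": s3,
             "Resource": [arn, arn + "/*"]},  # bucket-level and object-level ARNs
            {"Sid": "AccountMetadataRead", "Effect": "Allow", "Action": rest,
             "Resource": "*"},
        ],
    }

# Excerpt of the policy on this page (a few of its actions, same shape).
PAGE_POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation",
                   "s3:ListAllMyBuckets", "s3:HeadBucket",
                   "cur:DescribeReportDefinitions", "organizations:ListAccounts",
                   "iam:GetUser"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    assert non_read_actions(PAGE_POLICY_EXCERPT) == []
    # "example-cur-bucket" is a placeholder bucket name.
    print(json.dumps(scope_s3_to_bucket(PAGE_POLICY_EXCERPT, "example-cur-bucket"), indent=2))
```

Test the scoped policy against the integration before replacing the original, since the assumption about which buckets CloudSpend reads is not confirmed by this page.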
The AWS Cost and Usage report tracks your monthly AWS usage (services configured) and provides estimated charges based on various dimensions like amount of time, data transfer, type, region etc. If you're using the consolidated billing feature in AWS Organizations, then this report will only be available to the master account and will include all the activity of the member accounts associated with the organization.
AWS delivers the report CSV files to an Amazon S3 bucket. To deliver billing files to an existing or new S3 bucket, follow the steps below. If you're already publishing the report to a bucket, then please skip to stage 3.
You can now leverage the cloud cost management tool for your linked accounts in AWS by choosing the Account Type as "Linked Account" in the Integrate account page. When you select a linked account, in addition to specifying the report name, specify the S3 bucket name and bucket prefix (if configured) to store the reports.
You can now easily view the errors in configuring your CloudSpend account, like Invalid report name or Expired roles, in the Configuration Error Account(s) section. Choose to either edit or delete the configuration error and rectify the errors for all accounts from a single view.