Help Manage AWS costs Connect AWS Account

Integrate Amazon Web Services Account with CloudSpend

This doc provides an overview on:

Connecting an AWS account with CloudSpend
Support for linked accounts
Configuration Errors in Accounts

Connecting an AWS account with CloudSpend

Integrating your Amazon Web Services(AWS) account is a three-stage process:

Stage 1

Provide CloudSpend programmatic read-only access to specific AWS services including—Amazon S3, Cost and Usage report, IAM and Organizations.

Stage 2

Create a new Amazon S3 bucket, assign an access policy that allows Billing and cost management to save the Cost and Usage report to the said bucket. (If you're already depositing billing reports to an S3 bucket skip to stage 3).
Create an AWS Cost and Usage report and deliver the report to the created Amazon S3 bucket.

Stage 3

Enable programmatic access (Stage 1)

You can provide CloudSpend programmatic access to your AWS resources using two ways. You can create a cross-account IAM Role and establish a trust relationship between your AWS account and CloudSpend's AWS account or create CloudSpend as an IAM user in your AWS account.

Between the two, IAM Role is recommended as there is no sharing of security credentials. Also when you delegate permissions using Roles, you can designate the AWS accounts that are allowed to assume the role, thereby safeguarding your account from unauthorized access.

IAM role based access

The following section will walk you through the IAM Role creation process:

Get your External ID

Open the CloudSpend web console from the Site24x7 console (Click on the app shortcut icon ) or go to https://site24x7.com/app/cost and sign in.
When you open the CloudSpend console for the first time, you'll land on an on-boarding carousel highlighting the features of the app. You can read and understand how the app can help you, or you can choose to skip.
Click on Integrate AWS Account.
In the Integrate AWS Account page, provide a Display Name, and choose IAM role as the Access Type. Copy the Account ID and External ID and save the value in a notepad for the AWS IAM Role creation step. Also, keep this browser tab open.

The External ID is an alpha-numeric key unique to your account. The key gets regenerated every time you refresh the Integrate AWS Account page. So, please make sure you use the correct key during IAM Role creation.

Create IAM role

In a new tab, sign in to the AWS management console and open the IAM console.

If you're using the consolidated billing feature in AWS Organizations to bring multiple member accounts under a master account then sign in to the AWS management console of the master account. If you're running multiple standalone accounts (choose to have each account receive a bill) then login to the AWS account you want to integrate with CloudSpend.

In the navigation pane, click on Roles and then click on Create role.
Choose Another AWS account as the type of trusted entity.
For Account ID, paste the CloudSpend's AWS account ID that you copied previously.
Select Require External ID option and paste the unique key that you copied previously from the Integrate AWS Account page (CloudSpend console).
Keep the Require MFA option unchecked and choose Next: Permissions.

Assign permissions

IAM policies determine the permission for the role.

Click on Create policy to open a new browser tab.
Choose the JSON tab. Copy and paste the custom cost policy shown below.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"VisualEditor0",
         "Effect":"Allow",
         "Action":[
            "organizations:ListRoots",
            "s3:GetObjectVersionTagging",
            "organizations:DescribeAccount",
            "organizations:ListChildren",
            "s3:GetObjectAcl",
            "organizations:DescribeOrganization",
            "s3:GetObjectVersionAcl",
            "s3:HeadBucket",
            "organizations:DescribeHandshake",
            "s3:GetBucketWebsite",
            "s3:GetBucketNotification",
            "s3:GetReplicationConfiguration",
            "s3:ListMultipartUploadParts",
            "organizations:ListAccountsForParent",
            "organizations:ListHandshakesForAccount",
            "s3:GetObject",
            "iam:GetUserPolicy",
            "s3:GetAnalyticsConfiguration",
            "organizations:ListOrganizationalUnitsForParent",
            "s3:GetObjectVersionForReplication",
            "cur:DescribeReportDefinitions",
            "s3:ListBucketByTags",
            "s3:GetLifecycleConfiguration",
            "s3:GetBucketTagging",
            "s3:GetInventoryConfiguration",
            "s3:ListBucketVersions",
            "s3:GetBucketLogging",
            "s3:ListBucket",
            "s3:GetAccelerateConfiguration",
            "s3:GetBucketPolicy",
            "organizations:DescribePolicy",
            "s3:GetObjectVersionTorrent",
            "s3:GetEncryptionConfiguration",
            "organizations:ListCreateAccountStatus",
            "s3:GetBucketRequestPayment",
            "organizations:DescribeOrganizationalUnit",
            "s3:GetObjectTagging",
            "s3:GetMetricsConfiguration",
            "organizations:DescribeCreateAccountStatus",
            "organizations:ListPoliciesForTarget",
            "s3:ListBucketMultipartUploads",
            "organizations:ListTargetsForPolicy",
            "s3:GetBucketVersioning",
            "organizations:ListAWSServiceAccessForOrganization",
            "s3:GetBucketAcl",
            "organizations:ListPolicies",
            "organizations:ListHandshakesForOrganization",
            "organizations:ListAccounts",
            "s3:GetObjectTorrent",
            "s3:ListAllMyBuckets",
            "s3:GetBucketCORS",
            "organizations:ListParents",
            "iam:GetUser",
            "s3:GetBucketLocation",
            "s3:GetObjectVersion"
         ],
         "Resource":"*"
      }
   ]
}

When you're done, Click on Review policy.
Type a name and description for the policy you're creating.
Review the policy summary and click on Create policy.
Back in the Attach permissions window, select refresh, type the name of the policy you just created in the search box.
Select the check box next to the name of the policy. Click on Next: Review

Review role information

For Role name, type in a meaningful name. For example, aws-cost-management. if you want you can also provide a description.
Review the information, and click on Create Role.
Choose Roles from the left navigation pane. Search for role you just created, click on the role and copy the Role ARN from the summary section and save it a notepad for stage 3.

IAM User based access

The following section will walk you through the AWS IAM user creation process:

Select Access Type

In the navigation pane, click on Users and then click on Add user.
For user name, type a meaningful name.
Select Programmatic access as the type of access.
click on Next: Permissions.

Assign permissions

In the Set permissions window, choose the option Attach existing policies to user directly and click on the Create policy button to open a new browser tab.
Choose the JSON tab. Copy the custom policy shown below and paste it in the editor.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"VisualEditor0",
         "Effect":"Allow",
         "Action":[
            "organizations:ListRoots",
            "s3:GetObjectVersionTagging",
            "organizations:DescribeAccount",
            "organizations:ListChildren",
            "s3:GetObjectAcl",
            "organizations:DescribeOrganization",
            "s3:GetObjectVersionAcl",
            "s3:HeadBucket",
            "organizations:DescribeHandshake",
            "s3:GetBucketWebsite",
            "s3:GetBucketNotification",
            "s3:GetReplicationConfiguration",
            "s3:ListMultipartUploadParts",
            "organizations:ListAccountsForParent",
            "organizations:ListHandshakesForAccount",
            "s3:GetObject",
            "iam:GetUserPolicy",
            "s3:GetAnalyticsConfiguration",
            "organizations:ListOrganizationalUnitsForParent",
            "s3:GetObjectVersionForReplication",
            "cur:DescribeReportDefinitions",
            "s3:ListBucketByTags",
            "s3:GetLifecycleConfiguration",
            "s3:GetBucketTagging",
            "s3:GetInventoryConfiguration",
            "s3:ListBucketVersions",
            "s3:GetBucketLogging",
            "s3:ListBucket",
            "s3:GetAccelerateConfiguration",
            "s3:GetBucketPolicy",
            "organizations:DescribePolicy",
            "s3:GetObjectVersionTorrent",
            "s3:GetEncryptionConfiguration",
            "organizations:ListCreateAccountStatus",
            "s3:GetBucketRequestPayment",
            "organizations:DescribeOrganizationalUnit",
            "s3:GetObjectTagging",
            "s3:GetMetricsConfiguration",
            "organizations:DescribeCreateAccountStatus",
            "organizations:ListPoliciesForTarget",
            "s3:ListBucketMultipartUploads",
            "organizations:ListTargetsForPolicy",
            "s3:GetBucketVersioning",
            "organizations:ListAWSServiceAccessForOrganization",
            "s3:GetBucketAcl",
            "organizations:ListPolicies",
            "organizations:ListHandshakesForOrganization",
            "organizations:ListAccounts",
            "s3:GetObjectTorrent",
            "s3:ListAllMyBuckets",
            "s3:GetBucketCORS",
            "organizations:ListParents",
            "iam:GetUser",
            "s3:GetBucketLocation",
            "s3:GetObjectVersion"
         ],
         "Resource":"*"
      }
   ]
}

Click on Review policy.
On the review page, type a name and a description for the policy you're creating. Evaluate the permissions granted, if everything looks satisfying click on Create policy.
Back in the Set permissions page, select Refresh, type the name of the policy you just created in the search box to filter the list.
Select the check box next to the name of the policy. Click on Next: Review

Download credentials

Review user details and permissions. If everything is in order click on Create user.
Choose Download.csv and save the file in a secure location. (This is the only opportunity you will get to view or save the security credentials.)
Open the file, copy the secret access key and access key ID and save it to a notepad for stage 3.

Turn on billing reports (Stage 2)

The AWS Cost and Usage report tracks your monthly AWS usage (services configured) and provides estimated charges based on various dimensions like amount of time, data transfer, type, region etc. If you're using the consolidated billing feature in AWS Organizations, then this report will only be available to the master account and will include all the activity of the member accounts associated with the organization.

AWS delivers the report CSV files to an Amazon S3 bucket. To deliver billing files to an existing or new S3 bucket follow the below mentioned steps. If you're already publishing the report to a bucket, then please skip to stage 3.

Create an AWS Cost and Usage Report

Configure report content

Sign in to the organization's master account
Open the Billing and Cost Management Console
In the left navigation pane, choose Cost and Usage Reports and then choose Create report
Type in a name for the report you're creating
Select the check box next to the Include resource IDs field
keep the Data refresh settings at default, and choose

Configure delivery options

For S3 bucket, choose Configure
In the Configure S3 bucket dialog box, choose an existing bucket from the menu drop down and click on Save.
(Optional) If you want to send the billing reports to a new bucket. Enter a name, select a region and click on Save
In the Verify policy dialog box, select the check box next to the I have confirmed that this policy is correct and choose Save
For Time granularity, choose Hourly
For Report versioning, choose Create new report version
Keep Compression type, at default. Choose Next

Review report settings

Review the settings of the report. If everything is in order, choose Review and Complete

Connect AWS account (stage 3)

Configure the Integrate AWS account page

If you've created an IAM Role, navigate back to the open CloudSpend console browser tab (the same tab where you copied the External ID and Account ID)and paste the RoleARN in the appropriate field.

If you've created an IAM user, Sign in to the CloudSpend web console and click on Integrate AWS Account. Type in a display name, and choose IAM user as the Access type. Copy and paste the Access key ID and Secret access key in the appropriate field.
Type the name of the AWS Cost and Usage report you created in the Report field
The bill processing starting date determines what line items get processed and what items get left out during bill parsing. Choose an appropriate starting date as per your requirement.
Choose Save.

Support for linked accounts

You can now leverage the cloud cost management tool for your linked accounts in AWS by choosing the Account Type as "Linked Account" in the Integrate account page. When you select a linked account, in addition to specifying the report name, specify the S3 bucket name and bucket prefix (if configured) to store the reports.

Configuration Error Accounts

You can now easily view the errors in configuring your CloudSpend account, like Invalid report name or Expired roles in the Configuration Error Account(s) section. Choose to either edit or delete the configuration error and rectify the errors for all accounts from a single view.

View configuration error for all CloudSpend account

Was this document helpful?

Sorry to hear that. Let us know how we can improve this document.

Please describe how we can improve this document.

Thanks for taking the time to share your feedback. We’ll use your feedback to improve our online help resources.

Top

Help Manage AWS costs Connect AWS Account