Amazon Web Services
Learn how you can add your AWS data sources to the FinOps platform. FinOps for Cloud supports both AWS organizations and individual AWS standalone accounts.
Know your account types
FinOps for Cloud supports three account types as described in the following table:
If you want to add a member account in an AWS Organization to FinOps for Cloud, but you do not have access to the management account, follow the instructions for a standalone account.
Management account
A management account is an AWS account you use to create your AWS Organization. The owner of the management account is responsible for paying for all usage, data, and resources used by the accounts in the organization.
A management account is also called a root account, master account, billing account, or payer account.
In FinOps for Cloud, use this account type when adding an AWS Organization management account.
Member account
A member account is an AWS account, other than the management account, that is part of an AWS Organization. The management account is responsible for paying for all member accounts in the organization.
A member account is also referred to as a linked account, child account, usage account, or sub-account.
In FinOps for Cloud, use this account type when adding an AWS Organization member account after the management account has already been added to FinOps for Cloud.
Standalone account
A standalone account refers to an account that is not part of an AWS Organization. It stands on its own, without being linked to any other accounts for consolidated billing, management, or policy control.
A standalone account is also referred to as an individual account, non-organizational account, or unlinked account.
In FinOps for Cloud, use this account type when:
Adding a standalone AWS account that is not part of an AWS Organization.
Adding an AWS member account that is part of an AWS Organization, but access to the management account is not available.
Assumed roles vs IAM user access keys
FinOps for Cloud supports adding data sources using two authentication methods:
Assumed role - This is the recommended approach to adding AWS accounts to FinOps for Cloud. An IAM role is an identity that does not have its own permanent credentials (password or access keys). Instead, it defines permissions that a trusted entity (such as an AWS service, another AWS account, or an application running on an EC2 instance) can assume to obtain temporary security credentials.
IAM user with access key - Access keys are a set of permanent credentials consisting of an Access Key ID and a Secret Access Key. They are associated with a specific IAM User (or the root user, which is strongly discouraged) and are used for making programmatic API requests to AWS, typically from the AWS CLI, SDKs, or third-party applications. Read more about the security risks associated with this approach in the AWS documentation.
SoftwareOne strongly recommends using assumed roles to configure your data sources.
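A role is only as narrow as the trust policy that names who may assume it, so that document is worth checking before a role is handed to any external platform. The following is an added example, not SoftwareOne's or AWS's code: it audits a trust policy for wildcard principals, unexpected accounts, and a missing `sts:ExternalId` condition. The account IDs and external ID are constructed placeholders, and this page does not state whether FinOps for Cloud supplies an external ID.

```python
PLATFORM_ACCOUNT = "111122223333"  # constructed placeholder, not a real vendor account

def _as_list(value):
    # IAM accepts either a single string or a list in these fields
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # "111122223333" or "arn:aws:iam::111122223333:role/name" -> account ID
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_trust_policy(policy, expected_account):
    """Return (statement index, finding) pairs for a role trust policy."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # only statements that grant role assumption matter here
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*":
                findings.append((i, "wildcard principal"))
            elif _account_of(p) != expected_account:
                findings.append((i, "unexpected account " + _account_of(p)))
        # Condition is {operator: {key: value}}; condition keys are case-insensitive
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if aws and "sts:externalid" not in cond_keys:
            findings.append((i, "no sts:ExternalId condition"))
    return findings

# Constructed sample: trusts everyone plus an unrelated account, no condition
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["*", "arn:aws:iam::444455556666:root"]},
    "Action": "sts:AssumeRole"}]}

# Constructed sample: one expected account, bound to an external ID
TIGHT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("tight", TIGHT)):
        print(name, audit_trust_policy(doc, PLATFORM_ACCOUNT))
```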
Configuring your AWS accounts
AWS Organizations
Depending on the access to your management account and other member accounts, there are different ways to add AWS data sources to FinOps for Cloud.
If you add only a management account without connecting its member accounts, any expenses from those unconnected member accounts are ignored, even if they appear in the data export file.
To ensure expenses are captured for both management and member accounts, you must add all AWS accounts individually. FinOps for Cloud doesn't process data from unconnected member accounts.
With access to the management account
If you have access to create a Cost and Usage Report (CUR) and Identity and Access Management (IAM) roles or users in your management account, follow these steps:
Add your management account
To add your management account:
If you are using an assumed role (recommended):
If you are using an IAM user with an access key:
Add your member accounts to FinOps for Cloud
If you have already added the management account, you do not need to create a cost and usage report or the FinOpsForCloudBillingImport policy when adding a member account.
To add your member accounts:
If you are using an assumed role (recommended):
If you are using an IAM user with an access key:
Repeat steps 1 - 4 for each member account you want to add.
When the member accounts are added, FinOps for Cloud automatically identifies the management account and uses the imported cost and usage data from that account.
Without access to the management account
If you don't have access to your management account, you can create individual CURs in each member account and add them to FinOps for Cloud as if they were standalone accounts.
To add your member account to FinOps for Cloud, follow the steps below for AWS standalone accounts.
AWS standalone accounts
To add a standalone AWS account:
If you are using an assumed role (recommended):
If you are using an IAM user with an access key: