AWS Root Account with Data Export Already Configured

PreviousAmazon Web Services NextAWS Root Account With No Data Export Configured

Last updated 11 days ago

Was this helpful?

AWS Root Account with Data Export Already Configured

FinOps for Cloud supports the AWS Organizations service that allows linking several Data Sources to centrally manage the data of multiple users while receiving all billing exports within a single invoice.

The Root account (payer) is the only one with access to collective data related to cloud spending. When registering this type of profile, the user is given an option for Data Exports to be detected automatically.

If you connect the root account but don't connect linked accounts, all expenses from the unconnected linked accounts are ignored, even if they exist in the data export file. To retrieve expenses from both linked and root accounts, connect all AWS accounts (not just the root). FinOps for Cloud ignores data from unconnected linked accounts.

To track a new AWS Data Source in your account, select AWS Root on the Connect Data Source page:

Automatic billing data import in AWS

Prerequisites

Implementation

Update bucket policy

Navigate to the Permissions tab of your AWS S3 bucket and select Bucket Policy.
Replace <bucket_name> with the name of the bucket.
Replace <AWS account ID> with the AWS account ID (12 digits without “-”):

{
  "Version": "2012-10-17", 
  "Statement": [
      {
          "Sid": "EnableAWSDataExportsToWriteToS3AndCheckPolicy",
          "Effect": "Allow",
          "Principal": {
              "Service": [
                  "billingreports.amazonaws.com",
                  "bcm-data-exports.amazonaws.com"
              ]
          },
          "Action": [
              "s3:PutObject",
              "s3:GetBucketPolicy"
          ],
          "Resource": [
              "arn:aws:s3:::<bucketname>/*",
              "arn:aws:s3:::<bucketname>"
          ],
          "Condition": {
              "StringLike": {
                  "aws:SourceAccount": "<AWS account ID>",
                  "aws:SourceArn": [
                      "arn:aws:cur:us-east-1:<AWS account ID>:definition/*",
                      "arn:aws:bcm-data-exports:us-east-1:<AWS account ID>:export/*"
                  ]
              }
          }
      }
  ]
}

Create a user policy for read-only access

Go to Identity and Access Management (IAM) > Policies.
Create a new user policy for read-only access to the bucket (<bucket_name> must be replaced in the policy):

// Some {
   "Version": "2012-10-17",
   "Statement": [
    {
        "Sid": "ReportDefinition",
        "Effect": "Allow",
        "Action": [
            "cur:DescribeReportDefinitions"
            ],
            "Resource": "*"
    },
    {
        "Sid": "GetObject",
        "Effect": "Allow",
        "Action": [
            "s3:GetObject"
        ],
            "Resource": "arn:aws:s3:::<bucket_name>/*"
    },
    {
        "Sid": "BucketOperations",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
        ],
        "Resource": "arn:aws:s3:::<bucket_name>"
    }
   ]
}

Create user and grant policies

Go to Identity and Access Management (IAM) > Users to create a new user.

Attach the created policy to the user:

Confirm the creation of the user.
Create the access key for the user (Identity and Access Management (IAM) > Users > Created user > Create access key):

Download or copy the access key and secret access key. Use these keys when connecting a data source as the AWS Access Key ID and AWS Secret Access Key.

Create Data Source in FinOps for Cloud:

Open FinOps for Cloud and register as a new user.
Sign in as a registered user.
Create a data source.
1. Provide the credentials, like AWS access key ID and AWS secret access key.
2. Select Export type.
3. Select Connect only to data in bucket.
4. Provide the parameters with which the bucket and Data Export will be created:
  - Export Name - AWS Billing and Cost Management > Data Exports table > Export name.
  - Export S3 Bucket Name - AWS Billing and Cost Management > Data Exports table > S3 bucket.
  - Export path - AWS Billing and Cost Management > Data Exports table > Click on Export name > Edit > Data export storage settings > S3 destination > last folder name (without “/”)

After creating a Data Source, wait for the export to be generated by AWS and uploaded to FinOps according to the schedule (performed hourly).

Discovering resources

FinOps for Cloud needs to have permissions configured in AWS for the user Data Source to correctly discover resources and display them under a respective section of the dashboard for the associated employee.

Make sure to include the following policy for FinOps for Cloud to be able to parse EC2 resource data:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "FinOpsforCloudOperations",
			"Effect": "Allow",
			"Action": [
				"s3:GetBucketPublicAccessBlock",
				"s3:GetBucketPolicyStatus",
				"s3:GetBucketTagging",
				"iam:GetAccessKeyLastUsed",
				"cloudwatch:GetMetricStatistics",
				"s3:GetBucketAcl",
				"ec2:Describe*",
				"s3:ListAllMyBuckets",
				"iam:ListUsers",
				"s3:GetBucketLocation",
				"iam:GetLoginProfile",
				"cur:DescribeReportDefinitions",
				"iam:ListAccessKeys",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeTags"
			],
			"Resource": "*"
		}
	]
}

PreviousAmazon Web Services NextAWS Root Account With No Data Export Configured

Last updated 11 days ago

Was this helpful?