AWS Root Account with Data Export Already Configured


Last updated 11 days ago

FinOps for Cloud supports the AWS Organizations service, which allows linking several Data Sources to centrally manage the data of multiple users while receiving all billing exports within a single invoice.

The Root account (payer) is the only one with access to collective data related to cloud spending. When registering this type of profile, the user is given an option for Data Exports to be detected automatically.

If you connect the root account but don't connect linked accounts, all expenses from the unconnected linked accounts are ignored, even if they exist in the data export file. To retrieve expenses from both linked and root accounts, connect all AWS accounts (not just the root).

To track a new AWS Data Source in your account, select AWS Root on the Connect Data Source page:

Automatic billing data import in AWS

Prerequisites

Implementation

1

Update bucket policy

  1. Navigate to the Permissions tab of your AWS S3 bucket and select Bucket Policy.

  2. Replace <bucket_name> with the name of the bucket.

  3. Replace <AWS account ID> with the AWS account ID (12 digits without “-”):

{
  "Version": "2012-10-17", 
  "Statement": [
      {
          "Sid": "EnableAWSDataExportsToWriteToS3AndCheckPolicy",
          "Effect": "Allow",
          "Principal": {
              "Service": [
                  "billingreports.amazonaws.com",
                  "bcm-data-exports.amazonaws.com"
              ]
          },
          "Action": [
              "s3:PutObject",
              "s3:GetBucketPolicy"
          ],
          "Resource": [
              "arn:aws:s3:::<bucket_name>/*",
              "arn:aws:s3:::<bucket_name>"
          ],
          "Condition": {
              "StringLike": {
                  "aws:SourceAccount": "<AWS account ID>",
                  "aws:SourceArn": [
                      "arn:aws:cur:us-east-1:<AWS account ID>:definition/*",
                      "arn:aws:bcm-data-exports:us-east-1:<AWS account ID>:export/*"
                  ]
              }
          }
      }
  ]
}
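
A pre-flight check for the filled-in bucket policy, as an added example that is not part of the original page or the product. It confirms that the placeholders were replaced, that only the two export services are granted access, and that the aws:SourceAccount and aws:SourceArn conditions still pin your payer account. The function name, bucket name and account ID are assumptions made for the example.

```python
import json
import re

# Service principals and actions copied from the bucket policy above.
EXPORT_SERVICES = {"billingreports.amazonaws.com", "bcm-data-exports.amazonaws.com"}
EXPORT_ACTIONS = {"s3:PutObject", "s3:GetBucketPolicy"}

def as_set(value):
    """IAM fields hold either one string or a list; normalise to a set."""
    return set(value) if isinstance(value, list) else {value}

def check_bucket_policy(policy_json, bucket_name, account_id):
    """Return findings for a filled-in policy; an empty list means it matches."""
    findings = []
    if not re.fullmatch(r"\d{12}", account_id):
        findings.append("account ID must be exactly 12 digits, no hyphens")
    if re.search(r"<[^<>]+>", policy_json):
        findings.append("unreplaced <placeholder> left in policy")
    bucket_arns = {f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"}
    for stmt in json.loads(policy_json)["Statement"]:
        sid = stmt.get("Sid", "(no Sid)")
        principal = stmt.get("Principal")
        if not (isinstance(principal, dict) and set(principal) == {"Service"}
                and as_set(principal["Service"]) <= EXPORT_SERVICES):
            findings.append(f"{sid}: principal is not limited to the export services")
        if not as_set(stmt.get("Action", [])) <= EXPORT_ACTIONS:
            findings.append(f"{sid}: grants more than PutObject/GetBucketPolicy")
        if not as_set(stmt.get("Resource", [])) <= bucket_arns:
            findings.append(f"{sid}: resource is not the export bucket")
        # Flatten {"StringLike": {key: value}} into one key/value map.
        cond = {k: v for op in stmt.get("Condition", {}).values() for k, v in op.items()}
        if as_set(cond.get("aws:SourceAccount", [])) != {account_id}:
            findings.append(f"{sid}: aws:SourceAccount does not pin the payer account")
        arns = as_set(cond.get("aws:SourceArn", []))
        if not arns or any(a.split(":")[4:5] != [account_id] for a in arns):
            findings.append(f"{sid}: aws:SourceArn is missing or names another account")
    return findings

# Constructed sample: the page's policy with made-up bucket and account values.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "EnableAWSDataExportsToWriteToS3AndCheckPolicy", "Effect": "Allow",
    "Principal": {"Service": sorted(EXPORT_SERVICES)},
    "Action": sorted(EXPORT_ACTIONS),
    "Resource": ["arn:aws:s3:::example-billing-exports/*",
                 "arn:aws:s3:::example-billing-exports"],
    "Condition": {"StringLike": {
        "aws:SourceAccount": "111122223333",
        "aws:SourceArn": ["arn:aws:cur:us-east-1:111122223333:definition/*",
                          "arn:aws:bcm-data-exports:us-east-1:111122223333:export/*"]}}}]})

if __name__ == "__main__":
    print(check_bucket_policy(SAMPLE, "example-billing-exports", "111122223333"))
```
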
2

Create a user policy for read-only access

  1. Go to Identity and Access Management (IAM) > Policies.

  2. Create a new user policy for read-only access to the bucket (<bucket_name> must be replaced in the policy):

{
   "Version": "2012-10-17",
   "Statement": [
    {
        "Sid": "ReportDefinition",
        "Effect": "Allow",
        "Action": [
            "cur:DescribeReportDefinitions"
        ],
        "Resource": "*"
    },
    {
        "Sid": "GetObject",
        "Effect": "Allow",
        "Action": [
            "s3:GetObject"
        ],
        "Resource": "arn:aws:s3:::<bucket_name>/*"
    },
    {
        "Sid": "BucketOperations",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
        ],
        "Resource": "arn:aws:s3:::<bucket_name>"
    }
   ]
}
3

Create user and grant policies

  1. Go to Identity and Access Management (IAM) > Users to create a new user.

  2. Attach the created policy to the user.

  3. Confirm the creation of the user.

  4. Create the access key for the user (Identity and Access Management (IAM) > Users > Created user > Create access key).

  5. Download or copy the access key and secret access key. Use these keys when connecting a data source as the AWS Access Key ID and AWS Secret Access Key.

4

Create Data Source in FinOps for Cloud:

  1. Open FinOps for Cloud and register as a new user.

  2. Sign in as a registered user.

  3. Create a data source.

    1. Provide the credentials, like AWS access key ID and AWS secret access key.

    2. Select Export type.

    3. Select Connect only to data in bucket.

    4. Provide the parameters with which the bucket and Data Export will be created:

      • Export Name - AWS Billing and Cost Management > Data Exports table > Export name.

      • Export S3 Bucket Name - AWS Billing and Cost Management > Data Exports table > S3 bucket.

      • Export path - AWS Billing and Cost Management > Data Exports table > Click on Export name > Edit > Data export storage settings > S3 destination > last folder name (without “/”)

  4. After creating a Data Source, wait for the export to be generated by AWS and uploaded to FinOps according to the schedule (performed hourly).

Discovering resources

FinOps for Cloud needs permissions configured in AWS for the Data Source user in order to correctly discover resources and display them in the respective section of the dashboard for the associated employee.

Make sure to include the following policy for FinOps for Cloud to be able to parse EC2 resource data:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "FinOpsforCloudOperations",
			"Effect": "Allow",
			"Action": [
				"s3:GetBucketPublicAccessBlock",
				"s3:GetBucketPolicyStatus",
				"s3:GetBucketTagging",
				"iam:GetAccessKeyLastUsed",
				"cloudwatch:GetMetricStatistics",
				"s3:GetBucketAcl",
				"ec2:Describe*",
				"s3:ListAllMyBuckets",
				"iam:ListUsers",
				"s3:GetBucketLocation",
				"iam:GetLoginProfile",
				"cur:DescribeReportDefinitions",
				"iam:ListAccessKeys",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeTags"
			],
			"Resource": "*"
		}
	]
}
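
A least-privilege review of the two identity policies on this page, as an added example that is not part of the original page or the product. It groups the allowed actions by service, lists any action that is not read-style, and lists the actions granted on Resource "*". The function name and the Get/List/Describe prefix heuristic are assumptions made for the example.

```python
from collections import defaultdict

READ_VERBS = ("Get", "List", "Describe")  # assumption: read-style IAM action prefixes

def as_list(value):
    """IAM fields hold either one string or a list."""
    return value if isinstance(value, list) else [value]

def audit_identity_policy(policy):
    """Group allowed actions by service; list non-read actions and those on Resource "*"."""
    by_service, non_read, wildcard_scope = defaultdict(list), [], []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            by_service[service].append(name)
            if not name.startswith(READ_VERBS):
                non_read.append(action)  # also catches "*" and "s3:*"
            if unscoped:
                wildcard_scope.append(action)
    return {"by_service": dict(by_service), "non_read": non_read,
            "wildcard_scope": wildcard_scope}

# The two identity policies from this page; the bucket name is a constructed sample.
BUCKET_READ = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReportDefinition", "Effect": "Allow",
     "Action": ["cur:DescribeReportDefinitions"], "Resource": "*"},
    {"Sid": "GetObject", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-billing-exports/*"},
    {"Sid": "BucketOperations", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::example-billing-exports"}]}
DISCOVERY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "FinOpsforCloudOperations", "Effect": "Allow", "Resource": "*",
    "Action": [
        "s3:GetBucketPublicAccessBlock", "s3:GetBucketPolicyStatus", "s3:GetBucketTagging",
        "iam:GetAccessKeyLastUsed", "cloudwatch:GetMetricStatistics", "s3:GetBucketAcl",
        "ec2:Describe*", "s3:ListAllMyBuckets", "iam:ListUsers", "s3:GetBucketLocation",
        "iam:GetLoginProfile", "cur:DescribeReportDefinitions", "iam:ListAccessKeys",
        "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags"]}]}

if __name__ == "__main__":
    for label, pol in (("bucket read", BUCKET_READ), ("discovery", DISCOVERY)):
        print(label, audit_identity_policy(pol))
```
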

Make sure that data export is configured for your cloud account. If data export hasn't been configured, see AWS Root Account With No Data Export Configured.

Your AWS Data Source is ready for integration with FinOps for Cloud. Contact Marketplace Platform Support if you have any questions regarding the configuration flow.