AWS Root Account With No Data Export Configured

PreviousAWS Root Account with Data Export Already Configured NextAWS Linked

Last updated 11 days ago

Was this helpful?

AWS Root Account With No Data Export Configured

FinOps for Cloud supports the AWS Organizations service that allows linking several Data Sources to centrally manage the data of multiple users while receiving all billing reports within a single invoice.

The root account (payer) will be the only one with access to collective data related to cloud spending. When registering this type of profile in FinOps, you'll have the option for Data Exports to be created automatically.

If you connect the root account but don't connect the linked accounts, all expenses from the unconnected linked accounts will be ignored, even if they exist in the data export file. To retrieve expenses from both linked and root accounts, connect all AWS accounts (not just the root). OptScale ignores data from unconnected linked accounts.

To track a new AWS Data Source in your FinOps for Cloud account, select AWS Root on the Connect Data Source page:

Creating an automated billing bucket and data export

Create a user policy for the bucket and export creation access

Go to Identity and Access Management (IAM) > Policies. Create a new policy for fully automatic configuration (both bucket and export are created) (<bucket_name> must be replaced in the policy):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReportDefinition",
            "Effect": "Allow",
            "Action": [
                "cur:DescribeReportDefinitions",
                "cur:PutReportDefinition"
            ],
                "Resource": "*"

        },
        {
            "Sid": "CreateCurExportsInDataExports",
            "Effect": "Allow",
            "Action": [
                "bcm-data-exports:ListExports",
                "bcm-data-exports:GetExport",
                "bcm-data-exports:CreateExport"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateBucket",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GetObject",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>/*"
        },
        {
            "Sid": "BucketOperations",
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketPolicy",
                "s3:ListBucket",
        "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>"
        }
    ]
}

Create the user and grant policies

Go to Identity and Access Management (IAM) > Users to create a new user.
Attach the created policy to the user.
Confirm the creation of the user.
Create an access key for the user (Identity and Access Management (IAM) > Users > Created user > Create access key).
Download or copy Access key and Secret access key. Use these credentials when connecting a Data Source in FinOps as the AWS Access Key ID and AWS Secret Access Key, respectively (at step 3):

Create a data source in FinOps for Cloud

Go to FinOps for Cloud and register as a new user.
Sign in as a registered user.
Create a Data Source.
- Provide user credentials (see screenshot for more details):
  - AWS Access key ID
  - AWS Secret access key
- Select Export type.
- Select Create new Data Export.
- Provide the parameters with which the bucket and Data Export will be created: Export Name, Export S3 Bucket Name (<new bucket name from user policy from step 1>), and Export path prefix.

Note: Specify the bucket in the Export S3 Bucket Name field if it already exists. FinOps for Cloud will then create the report and store it in the bucket using the specified prefix.

After creating the Data Source, wait for AWS to generate the export and upload it to FinOps according to the schedule (approximately one day).

Discovering resources

FinOps for Cloud must have permissions configured in AWS for the data source to correctly discover resources and display them under the respective section of the dashboard.

Make sure to include the following policy for FinOps to be able to parse EC2 resource data:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "FinOpsforCloudOperations",
			"Effect": "Allow",
			"Action": [
				"s3:GetBucketPublicAccessBlock",
				"s3:GetBucketPolicyStatus",
				"s3:GetBucketTagging",
				"iam:GetAccessKeyLastUsed",
				"cloudwatch:GetMetricStatistics",
				"s3:GetBucketAcl",
				"ec2:Describe*",
				"s3:ListAllMyBuckets",
				"iam:ListUsers",
				"s3:GetBucketLocation",
				"iam:GetLoginProfile",
				"cur:DescribeReportDefinitions",
				"iam:ListAccessKeys",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeTags"
			],
			"Resource": "*"
		}
	]
}

Your AWS Data Source is ready for integration with FinOps for Cloud.

Creating a data export manually in AWS

To create a Data Export, navigate to AWS Billing and Cost Management > Data Exports. Choose Create Export.

Standard data export settings

Step 1. Export type

Select Standard data export export type.

Step 2. Export name

Enter the export name.

Step 3. Data table content settings:

Select CUR 2.0.
Select Include resource IDs checkbox.
Choose the time granularity for how you want the line items in the export to be aggregated.

Step 4. Data export delivery options:

Select Overwrite existing data export file.
Select compression type.

Step 5. Data export storage setting:

Create a new or use an existing bucket for the export.
Enter the S3 path prefix that you want prepended to the name of your Data Export.

Step 6. Review

Confirm export creation. AWS will prepare Data Export within 24 hours.

Legacy CUR export settings

Step 1. Export type

Select Legacy CUR export (CUR) export type.

Step 2. Export name

Enter export name.

Step 3. Export content

Select Include resource IDs and Refresh automatically checkboxes.

Step 4. Data export delivery options:

Choose the time granularity for how you want the line items in the export to be aggregated.
Select Overwrite existing report.
Select compression type.

Step 5: Data export storage setting:

Create a new or use an existing bucket for the export.
Enter the S3 path prefix that you want prepended to the name of your Data Export.

Step 6. Review

Confirm export creation. Data Export will be prepared by AWS within 24 hours.

PreviousAWS Root Account with Data Export Already Configured NextAWS Linked

Last updated 11 days ago

Was this helpful?

To track a new AWS Data Source in your FinOps for Cloud account, select AWS Root on the Connect Data Source page:

Creating an automated billing bucket and data export

Create a user policy for the bucket and export creation access

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReportDefinition",
            "Effect": "Allow",
            "Action": [
                "cur:DescribeReportDefinitions",
                "cur:PutReportDefinition"
            ],
                "Resource": "*"

        },
        {
            "Sid": "CreateCurExportsInDataExports",
            "Effect": "Allow",
            "Action": [
                "bcm-data-exports:ListExports",
                "bcm-data-exports:GetExport",
                "bcm-data-exports:CreateExport"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateBucket",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GetObject",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>/*"
        },
        {
            "Sid": "BucketOperations",
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketPolicy",
                "s3:ListBucket",
        "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>"
        }
    ]
}

Create the user and grant policies

Go to Identity and Access Management (IAM) > Users to create a new user.
Attach the created policy to the user.
Confirm the creation of the user.
Create an access key for the user (Identity and Access Management (IAM) > Users > Created user > Create access key).
Download or copy Access key and Secret access key. Use these credentials when connecting a Data Source in FinOps as the AWS Access Key ID and AWS Secret Access Key, respectively (at step 3):

Create a data source in FinOps for Cloud

Go to FinOps for Cloud and register as a new user.
Sign in as a registered user.
Create a Data Source.
- Provide user credentials (see screenshot for more details):
  - AWS Access key ID
  - AWS Secret access key
- Select Export type.
- Select Create new Data Export.
- Provide the parameters with which the bucket and Data Export will be created: Export Name, Export S3 Bucket Name (<new bucket name from user policy from step 1>), and Export path prefix.

Note: Specify the bucket in the Export S3 Bucket Name field if it already exists. FinOps for Cloud will then create the report and store it in the bucket using the specified prefix.

After creating the Data Source, wait for AWS to generate the export and upload it to FinOps according to the schedule (approximately one day).

Discovering resources

FinOps for Cloud must have permissions configured in AWS for the data source to correctly discover resources and display them under the respective section of the dashboard.

Make sure to include the following policy for FinOps to be able to parse EC2 resource data:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "FinOpsforCloudOperations",
			"Effect": "Allow",
			"Action": [
				"s3:GetBucketPublicAccessBlock",
				"s3:GetBucketPolicyStatus",
				"s3:GetBucketTagging",
				"iam:GetAccessKeyLastUsed",
				"cloudwatch:GetMetricStatistics",
				"s3:GetBucketAcl",
				"ec2:Describe*",
				"s3:ListAllMyBuckets",
				"iam:ListUsers",
				"s3:GetBucketLocation",
				"iam:GetLoginProfile",
				"cur:DescribeReportDefinitions",
				"iam:ListAccessKeys",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeTags"
			],
			"Resource": "*"
		}
	]
}

Your AWS Data Source is ready for integration with FinOps for Cloud.

Creating a data export manually in AWS

To utilize automatic or manual billing data import in FinOps, you must create a Data Export in AWS. To learn about Data Exports, see

To create a Data Export, navigate to AWS Billing and Cost Management > Data Exports. Choose Create Export.

Standard data export settings

Step 1. Export type

Select Standard data export export type.

Step 2. Export name

Enter the export name.

Step 3. Data table content settings:

Select CUR 2.0.
Select Include resource IDs checkbox.
Choose the time granularity for how you want the line items in the export to be aggregated.

Step 4. Data export delivery options:

Select Overwrite existing data export file.
Select compression type.

Step 5. Data export storage setting:

Create a new or use an existing bucket for the export.
Enter the S3 path prefix that you want prepended to the name of your Data Export.

Step 6. Review

Confirm export creation. AWS will prepare Data Export within 24 hours.

Legacy CUR export settings

Step 1. Export type

Select Legacy CUR export (CUR) export type.

Step 2. Export name

Enter export name.

Step 3. Export content

Select Include resource IDs and Refresh automatically checkboxes.

Step 4. Data export delivery options:

Choose the time granularity for how you want the line items in the export to be aggregated.
Select Overwrite existing report.
Select compression type.

Step 5: Data export storage setting:

Create a new or use an existing bucket for the export.
Enter the S3 path prefix that you want prepended to the name of your Data Export.

Step 6. Review

Confirm export creation. Data Export will be prepared by AWS within 24 hours.

After the data export is created, follow the instructions in