Configure AWS Access

Configuring access to your AWS account for FinOps for Cloud requires the creation of two policies for billing imports and resource discovery, and a trusted role (recommended) or IAM user.

AWS IAM Policies

FinOps for Cloud requires two policies, depending on the type of account being onboarded:

Billing import access policy - This policy allows FinOps for Cloud to read cost and usage data from the configured S3 bucket. This policy is only required when you are onboarding an account that contains a cost and usage report.
Resource discovery access policy - This policy allows FinOps for Cloud to discover new and changed resources in your AWS account more often than AWS updates the cost and usage reports. This allows FinOps for Cloud to show information about your spend that is more up-to-date than what is contained in the cost and usage report.

Create a policy for billing imports

The billing import access policy is only required for accounts with cost and usage reports configured for FinOps for Cloud.

A suggested name for the policy is FinOpsForCloudBillingImport.

In the following policy, be sure to replace <bucket_name> with a valid name of your S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FinOpsForCloudGetBillingFiles",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>/*"
        },
        {
            "Sid": "FinOpsForCloudManageBillingBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:PutBucketPolicy",
                "s3:PutObject"

            ],
            "Resource": "arn:aws:s3:::<bucket_name>"
        }
    ]
}

Create a policy for resource discovery

The resource discovery access policy is required for all accounts.

A suggested name for the policy is FinOpsForCloudResourceDiscovery.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FinOpsforCloudGetResources",
            "Effect": "Allow",
            "Action": [
                "bcm-data-exports:GetExport",
                "bcm-data-exports:ListExports",
                "cloudwatch:GetMetricStatistics",
                "cur:DescribeReportDefinitions",
                "ec2:Describe*",
                "elasticloadbalancing:Describe*",
                "iam:GetAccessKeyLastUsed",
                "iam:GetLoginProfile",
                "iam:ListAccessKeys",
                "iam:ListUsers",
                "s3:GetAnalyticsConfiguration",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:GetIntelligentTieringConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetMetricsConfiguration",
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
            ],
            "Resource": "*"
        }
    ]
}

AWS IAM assumed role

Creating a new IAM role

To create a new IAM role for FinOps for Cloud, see Create a role using custom trust policies in the AWS IAM user guide.

When creating the role, use the following settings:

For Trusted entity type, choose Custom trust policy.
Under Custom trust policy, copy and paste the following trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::563690021965:user/ffc-service-user"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Select Next.
Under Permissions policies, select the following policies:
1. FinOpsForCloudResourceDiscovery (always required)
2. FinOpsForCloudBillingImport (required only for management or standalone accounts with cost and usage reports buckets)
Under Set permissions boundary, select Create role without a permissions boundary. Then, select Next.
Under Role name, enter FinOpsForCloudAccessRole. Then, enter your own optional description and add any tags you require.
Select Create role.

AWS IAM user and access key

Creating a new IAM user

To create a new IAM user for FinOps for Cloud, see Create an IAM user in your AWS account in the AWS IAM User Guide.

When creating the user, use the following settings:

For User name, enter FinOpsForCloudUser.
In Provide user access to the AWS Management Console, select No.
Under Set permissions, select Attach policies directly.
1. FinOpsForCloudResourceDiscovery (always required)
2. FinOpsForCloudBillingImport (required only for accounts with cost and usage reports buckets)

Creating an access key for FinOps for Cloud

To create an access key for FinOps for Cloud, see Create an access key for an IAM user in the AWS IAM User Guide.

When creating the access key, choose Third-party service as your use case.

Be sure to store your access key and secret access key securely. This is your only chance to view or download the newly created access key, as it cannot be recovered later.

PreviousCreate Cost and Usage Reports NextAdd your AWS account to FinOps for Cloud

Last updated 15 days ago

Was this helpful?

hashtagAWS IAM Policies

hashtagCreate a policy for billing imports

hashtagCreate a policy for resource discovery

hashtagAWS IAM assumed role

hashtagCreating a new IAM role

hashtagAWS IAM user and access key

hashtagCreating a new IAM user

hashtagCreating an access key for FinOps for Cloud

AWS IAM Policies

Create a policy for billing imports

Create a policy for resource discovery

AWS IAM assumed role

Creating a new IAM role

AWS IAM user and access key

Creating a new IAM user

Creating an access key for FinOps for Cloud