Configure AWS Access

AWS IAM Policies

FinOps for Cloud uses two IAM policies. Which ones an account needs depends on whether that account holds a cost and usage report:

  • Billing import access policy - Allows FinOps for Cloud to read the cost and usage report files from the configured S3 bucket and to manage that bucket's policy. It is required only when the account being onboarded contains a cost and usage report.

  • Resource discovery access policy - Allows FinOps for Cloud to discover new and changed resources in your AWS account more often than AWS refreshes the cost and usage report, so the spend information it shows is more up to date than the report alone. It is required for every account.

Creating a policy for billing imports

The billing import access policy is only required for accounts with cost and usage reports configured for FinOps for Cloud. Replace <bucket_name> in both Resource entries with the name of the bucket that receives the report; both statements are scoped to that single bucket, and the second statement includes s3:PutBucketPolicy, a write permission that lets the holder replace the bucket policy, so keep that scope as narrow as shown here.

A suggested name for the policy is FinOpsForCloudBillingImport.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FinOpsForCloudGetBillingFiles",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>/*"
        },
        {
            "Sid": "FinOpsForCloudManageBillingBucket",
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketPolicy",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>"
        }
    ]
}

Creating a policy for resource discovery

The resource discovery access policy is required for all accounts. Every action it lists is a read-only Get, List or Describe call (ec2:Describe* matches all EC2 Describe actions and nothing else), which is why a Resource of "*" is acceptable here.

A suggested name for the policy is FinOpsForCloudResourceDiscovery.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FinOpsforCloudGetResources",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketTagging",
                "iam:GetAccessKeyLastUsed",
                "cloudwatch:GetMetricStatistics",
                "s3:GetBucketAcl",
                "ec2:Describe*",
                "s3:ListAllMyBuckets",
                "iam:ListUsers",
                "s3:GetBucketLocation",
                "iam:GetLoginProfile",
                "cur:DescribeReportDefinitions",
                "iam:ListAccessKeys",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags"
            ],
            "Resource": "*"
        }
    ]
}

AWS IAM User

Creating a new IAM user

To create a new IAM user for FinOps for Cloud, see Create an IAM user in your AWS account in the AWS IAM User Guide.

When creating the user, use the following settings:

  1. For User name, enter FinOpsForCloudUser.

  2. For Provide user access to the AWS Management Console, select No. The user then has no console password, and the access key created in the next section is its only credential.

  3. Under Set permissions, select Attach policies directly and attach the following policies:

    1. FinOpsForCloudResourceDiscovery (always required)

    2. FinOpsForCloudBillingImport (required only for accounts with cost and usage report buckets)

Creating an access key for FinOps for Cloud

To create an access key for FinOps for Cloud, see Create an access key for an IAM user in the AWS IAM User Guide.

When creating the access key, choose Third-party service as your use case. AWS displays the secret access key only once, so enter it into FinOps for Cloud straight away and do not store it anywhere else.
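The whole procedure from the two policy sections and this one, as an added example that is not FinOps for Cloud's own tooling: it builds both policy documents for a named bucket, runs a least-privilege check over them (which surfaces s3:PutBucketPolicy as the one write action, and refuses a policy in which <bucket_name> was never replaced), then creates the API-only user, attaches the policies and issues the access key. The IAM calls are the real boto3 method names and parameters; pass boto3.client("iam") to onboard() for a real account. RecordingIam, the bucket name my-cur-bucket, the account id and the key values are constructed placeholders so the script runs offline.

```python
"""Added example, not FinOps for Cloud's own tooling: build the two policies from
this page for a given CUR bucket, run least-privilege checks on them, then create
the API-only user, attach the policies and issue an access key through a
boto3-style IAM client. Pass boto3.client("iam") for a real account; RecordingIam
is a constructed stand-in so the script also runs offline."""
import json
import re


def billing_import_policy(bucket):
    """FinOpsForCloudBillingImport, scoped to one named CUR bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "FinOpsForCloudGetBillingFiles", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::%s/*" % bucket},
        {"Sid": "FinOpsForCloudManageBillingBucket", "Effect": "Allow",
         "Action": ["s3:PutBucketPolicy", "s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::%s" % bucket}]}


# FinOpsForCloudResourceDiscovery, with the action list exactly as on this page.
RESOURCE_DISCOVERY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FinOpsforCloudGetResources", "Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetBucketPublicAccessBlock", "s3:GetBucketPolicyStatus",
                "s3:GetBucketTagging", "iam:GetAccessKeyLastUsed",
                "cloudwatch:GetMetricStatistics", "s3:GetBucketAcl", "ec2:Describe*",
                "s3:ListAllMyBuckets", "iam:ListUsers", "s3:GetBucketLocation",
                "iam:GetLoginProfile", "cur:DescribeReportDefinitions",
                "iam:ListAccessKeys", "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags"]}]}

READ_ONLY = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)")  # ec2:Describe* passes


def policy_findings(doc):
    """Points to review before attaching: actions that are not read-only, write
    actions on Resource "*", and a <bucket_name> placeholder never replaced."""
    findings = []
    for st in doc["Statement"]:
        sid = st.get("Sid", "?")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        writes = [a for a in actions if not READ_ONLY.match(a)]
        findings += ["%s: %s is not read-only" % (sid, a) for a in writes]
        if writes and "*" in resources:
            findings.append("%s: write actions allowed on every resource" % sid)
        findings += ["%s: unresolved placeholder in %s" % (sid, r)
                     for r in resources if "<" in r]
    return findings


def onboard(iam, bucket=None, user_name="FinOpsForCloudUser"):
    """Create the policies and an API-only user (no create_login_profile call:
    that is the 'console access: No' choice), attach them and issue one access
    key. The secret is returned for pasting into FinOps for Cloud; AWS shows it
    only once, so keep it out of logs."""
    policies = {"FinOpsForCloudResourceDiscovery": RESOURCE_DISCOVERY_POLICY}
    if bucket:  # only an account that holds a CUR bucket gets the billing policy
        policies["FinOpsForCloudBillingImport"] = billing_import_policy(bucket)
    bad = [f for d in policies.values() for f in policy_findings(d) if "placeholder" in f]
    if bad:
        raise ValueError(bad)
    iam.create_user(UserName=user_name)
    arns = []
    for name, doc in policies.items():
        resp = iam.create_policy(PolicyName=name, PolicyDocument=json.dumps(doc))
        iam.attach_user_policy(UserName=user_name, PolicyArn=resp["Policy"]["Arn"])
        arns.append(resp["Policy"]["Arn"])
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return {"user": user_name, "policy_arns": arns,
            "access_key_id": key["AccessKeyId"], "secret_access_key": key["SecretAccessKey"]}


class RecordingIam:
    """Constructed offline stand-in for boto3.client("iam"): records each call and
    returns the real API's response shape with dummy values."""
    def __init__(self, account="123456789012"):
        self.account, self.calls = account, []
    def _rec(self, name, kw, resp):
        self.calls.append((name, kw))
        return resp
    def create_user(self, **kw):
        return self._rec("create_user", kw, {"User": {"UserName": kw["UserName"]}})
    def create_policy(self, **kw):
        arn = "arn:aws:iam::%s:policy/%s" % (self.account, kw["PolicyName"])
        return self._rec("create_policy", kw, {"Policy": {"Arn": arn}})
    def attach_user_policy(self, **kw):
        return self._rec("attach_user_policy", kw, {})
    def create_access_key(self, **kw):
        return self._rec("create_access_key", kw, {"AccessKey": {
            "AccessKeyId": "AKIAEXAMPLEKEYID0001", "SecretAccessKey": "dummy-secret"}})


if __name__ == "__main__":
    for finding in policy_findings(billing_import_policy("my-cur-bucket")):
        print("review:", finding)  # s3:PutBucketPolicy is the one write action
    print(onboard(RecordingIam(), "my-cur-bucket")["policy_arns"])
```

Calling onboard(iam) with no bucket creates only the resource discovery policy, matching the rule that the billing policy is attached only to accounts with a cost and usage report bucket. The findings list is deliberately advisory rather than blocking: s3:PutBucketPolicy is on this page's own policy and is reported so a reviewer sees it, whereas an unreplaced <bucket_name> is the one condition that stops the run.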
