Connect Resource Accounts at Scale

CloudZero can automatically discover and connect your AWS resource accounts when you deploy an IAM role with CloudZero's read-only policies across your organization. Instead of connecting each account individually through the CloudZero UI, you define the role once in your provisioning tooling (Terraform, CloudFormation StackSets, or any other method) and deploy it across your accounts. CloudZero handles the rest. You get the same resource visibility and capabilities as individually connected accounts.

ℹ️
Connecting resource accounts individually? See Connecting to AWS for automated setup or Manual Setup for custom provisioning workflows.

What you need

A Billing (Payer) account already connected to CloudZero
A provisioning tool that can deploy IAM roles across your AWS accounts (Terraform, CloudFormation StackSets, or similar)
Your organization's External ID. In the CloudZero UI, go to Settings > Cloud Connections, select your AWS billing connection name, and the External ID is displayed in the slideout panel. Your account manager can also provide it.
Optional: CloudZero provides a Terraform module or CloudFormation templates in the provision-account repository that handle the role configuration for you

Set up Auto-Link

Create an IAM role in every AWS account you want to connect using your existing provisioning tooling (Terraform, CloudFormation StackSets, or similar). Configure each role with:

Setting	Value
Trusted entity	AWS account `061190967865` (CloudZero)
External ID	Your organization's External ID
Inline policy	resource_owner.json
Managed policies	`ComputeOptimizerReadOnlyAccess`, `ViewOnlyAccess`, `AWSBillingReadOnlyAccess` (reference)
Role name	A name such as `cz-autolink-role`. Use the same name in every account.

Confirm to your account manager that the role is live and provide the role name from step 1. This is the short name, not the full ARN. For example, if the full ARN is arn:aws:iam::123456789012:role/cz-autolink-role, the role name is cz-autolink-role.
Your account manager enables Auto-Link and contacts you once it is active.

ℹ️
All permissions are read-only. For details on what each permission grants, see AWS Permissions and Security.

What to expect

After your account manager enables Auto-Link, CloudZero automatically discovers and connects your AWS accounts, typically within a few hours. Resource data appears across the platform within 24 hours of a successful connection.

Auto-Link runs on an ongoing basis. As long as you include the IAM role when you provision new AWS accounts, CloudZero connects them without any additional steps. Accounts without the role are skipped and do not cause errors.

ℹ️
Have questions or feedback? Reach out to your account manager.