Connect Resource Accounts at Scale
CloudZero automatically discovers and connects your AWS resource accounts when you deploy an IAM role with CloudZero's read-only policies across your organization. Instead of connecting each account individually through the CloudZero UI, you define the role once in your provisioning tooling (Terraform, CloudFormation StackSets, or any other method) and deploy it across your accounts. CloudZero handles the rest. You get the same resource visibility and capabilities as individually connected accounts.
Connecting resource accounts individually? See Connecting to AWS for automated setup or Manual Setup for custom provisioning workflows.
What you need
- A Billing (Payer) account already connected to CloudZero
- A provisioning tool that can deploy IAM roles across your AWS accounts (Terraform, CloudFormation StackSets, or similar)
- Your organization's External ID. In the CloudZero UI, go to Settings > Cloud Connections, select your AWS billing connection name, and the External ID is displayed in the slideout panel. Your account manager can also provide it.
- Optional: CloudZero provides a Terraform module or CloudFormation templates in the provision-account repository that handle the role configuration for you.
Set up Auto-Link
- Create an IAM role in every AWS account you want to connect using your existing provisioning tooling (Terraform, CloudFormation StackSets, or similar). Configure each role with:
| Setting | Value |
|---|---|
| Trusted entity | CloudZero's AWS accounts:
|
| External ID | Your organization's External ID |
| Inline policy | resource_owner.json |
| Managed policies | ComputeOptimizerReadOnlyAccess, ViewOnlyAccess, AWSBillingReadOnlyAccess (reference) |
| Role name | A name such as cz-autolink-role. CloudZero uses a single role name for Auto-Link. Every resource account across every payer account must use this exact name with the same casing (for example, cz-autolink-role and CZ-Autolink-Role are treated as different names). |
- Confirm to your account manager that the role is live and provide the full ARN of the role from any single account where it is deployed. Only one ARN is needed. For example:
arn:aws:iam::123456789012:role/cz-autolink-role. - Your account manager enables Auto-Link and contacts you once it is active.
All permissions are read-only. For details on what each permission grants, see AWS Permissions and Security.
What to expect
After your account manager enables Auto-Link, CloudZero discovers and connects your AWS accounts on an hourly cycle. Resource data appears across the platform within 24 hours of a successful connection.
Auto-Link runs on an ongoing basis. As long as you include the IAM role when you provision new AWS accounts, CloudZero connects them without any additional steps. Accounts without the role are skipped and do not cause errors. If any accounts fail to connect, your account manager can retry them or exclude specific accounts from discovery.
Have questions or feedback? Reach out to your account manager.

