Connecting to AWS

Connections are how CloudZero manages the various Cost Sources that bring Billing, Resource, and other types of data into the platform. But every CloudZero customer must first connect an AWS Management/Payer Account to get started.


Cut to the chase, just show me the policy!

Don't have time to read the docs? No problem! Here are the policy templates our role will use for either a payer and resource account connection:

How the AWS Connection Works

Connecting to an AWS account will show AWS cost data alongside other Cost Sources in the Explorer, as well as enable anomaly alerts on AWS spend.

CloudZero accesses your AWS accounts using a delegated access role from our AWS account (#061190967865) to yours with permissions designed to limit our read-only access to only those parts of the system we require for operation.


About CloudZero's Access to your AWS Accounts

CloudZero is read-only and requires the minimum permissions to access cost, usage data, and surrounding metadata to help you understand what drives spend. By using metadata on how your AWS environment is operating, the services that you are using, and how they are being used CloudZero can boost tag coverage, identify more complex anomalies and highlight the specific resources and changes that are responsible for cost changes in your environment.

All of CloudZero's permissions are Read-Only
We have no access to data except where explicitly authorized (for example the S3 bucket where your cost and usage report is stored).

Summary of Permissions:

  • Management Account

    • Our access is required to function
      • Access to the Cost and Usage, Billing and Organizations API
      • Access to the Cost and Usage S3 bucket where reports are stored
      • Access to CloudWatch Metrics, and list/read-only metadata service API's
  • Resource (member) Accounts

    • Our access is optional, required for waste and root cause analysis
    • Access to CloudWatch Metrics, and list/read-only metadata service API's

Note: If you have resources (in your AWS cloud) in any regions for which STS is not active by default (e.g. ap-east-1 or eu-south-1), make sure you activate those regions following the Managing AWS STS in an AWS Region guide.

We use CloudFormation to automate the provisioning process and our CloudFormation templates and IAM policies are completely open source and available for review at


We also require the following AWS services to be configured before connecting to CloudZero:

Additionally, CloudZero has requirements for valid Cost & Usage Reports.

Connect an AWS Account


What Account To Connect First

For most features to work you'll need to connect your AWS account that holds your Management Account so that we can get access to your billing data. It is strongly suggested that you connect your Management Account first.


Multiple Management Accounts

CloudZero fully supports organizations with multiple Management Accounts, just connect them all to get a consolidated view of your spending.

Open the Connections page

The Connections page can be found by going to the "gear" on the sidebar and selecting "Connections" or alternatively going to

CloudZero Connections


Note: Admin Role Required

You must be a CloudZero Admin to add new Connections to the platform.

Add an AWS Connection

On the Connections page you can see all of the Connections in your system. To connect an AWS Account, click the β€œAdd New Connection” button.

On the next page, click the "AWS" tile and choose how you would like to connect your AWS Account. You have three options for connecting accounts:

  1. Automated (CloudZero highly recommends this option): Deploy from the AWS Console via the CloudZero CloudFormation template to connect either a Billing Connection or a Resource Connection
  2. Manual - Billing: Create a Billing Connection by following manual instructions to connect an AWS Mangagement/Payer Account.
  3. Manual - Resources: Create a Resource Connection by following manual instructions to connect an AWS Member Account.

The Automated method is the easiest, and is outlined below:

Connecting via the AWS Console

  1. Enter a Connection Name. This is the name you will see throughout the CloudZero UI, in addition to the AWS Account ID.


Connection Name requirements

The name must conform to AWS naming conventions (lowercase, dashes, without spaces or periods)

  1. Click Save & Connect to launch the AWS console. You will be automatically redirected to the AWS Console.


Please ensure that you are logged into the correct AWS account

You can open a new tab and log into the AWS console if necessary.

Create stack

Scroll to the bottom of the page, check the two boxes in the "Capabilities" section, and then hit "Create Stack"
AWS Capabilities

Confirm on the Connections page

AWS generally takes ~5 minutes to deploy the necessary permissions to allow CloudZero to pull in the information it needs.

Once complete, an AWS Connection will appear on the CloudZero Connections page. Any Management/Payer Accounts, where CloudZero retrieves Billing data, will appear at the top of the page in the Billing Connections table. Any Member Accounts, where CloudZero retrieves additional information about your Resources, will appear at the bottom of the page in the AWS Resource Connections table.

CloudZero Connections

The Health column will be green or red and show the overall connection health. If something changes on your side and CloudZero can no longer use the role that was just granted permissions, the Health will change and provide details on why CloudZero cannot connect.

You can connect any other AWS Accounts you want at this point with the same process.

Connecting Other Cost Sources

Additionally, you may want CloudZero to help with your Snowflake or Azure costs, or the custom costs you can bring in using an AnyCost Adaptor.

Start by learning about CloudZero Connections, or choosing a Cost Source from the What's Next section below: