Connecting to AWS

Connections are how CloudZero manages the various Cost Sources that bring Billing, Resource, and other types of data into the platform.

Tip

The policy templates the CloudZero access role will use for either a payer or a resource account connection are in this repository: https://github.com/Cloudzero/provision-account.

How the AWS Connection Works

Connecting to an AWS account will show AWS cost data alongside other Cost Sources in the Explorer, as well as enable anomaly alerts on AWS spend.

CloudZero access to your AWS accounts uses a delegated access role from the CloudZero AWS account (#061190967865) to yours, with read-only permissions designed to limit access to only those parts of the system CloudZero needs for operation.

All CloudZero access to your AWS accounts is read-only and requires the minimum permissions to access cost, usage data, and surrounding metadata to help you understand what drives spend. CloudZero has no access to data except where explicitly authorized, for example, the S3 bucket where your cost and usage report is stored. By using metadata on how your AWS environment is operating, the services that you are using, and how they are being used, CloudZero can boost tag coverage, identify more complex anomalies, and highlight the specific resources and changes that are responsible for cost changes in your environment.

The following summarizes the CloudZero Permissions:

  • Management Account access required:
    • Cost and Usage, Billing, and Organizations API
    • Cost and Usage S3 bucket where reports are stored
    • CloudWatch Metrics and read-only access to the metadata service APIs
  • Resource (member) Accounts:
    • CloudZero access is optional, required for waste and root cause analysis
    • CloudWatch Metrics and read-only access to the metadata service APIs
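As an added example (not CloudZero's own code or templates), a small offline checker that tests the two properties described above against an IAM role's policy documents: the trust policy delegates only to the CloudZero account (061190967865) and the identity policy grants only read-only actions. The sample policy documents and the read-only verb heuristic are constructed assumptions.

```python
# CloudZero's AWS account ID, as stated in the connection docs above.
CLOUDZERO_ACCOUNT_ID = "061190967865"
# Heuristic (assumption): verbs with these prefixes count as read-only;
# anything else, including "*" wildcards, is flagged.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")

def _as_list(value):
    # IAM accepts a string or a list in most fields; normalise to a list.
    return value if isinstance(value, list) else [value]

def _principal_account(principal):
    # Pull the account ID out of an ARN principal; bare IDs pass through.
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else principal

def check_trust_policy(trust_doc):
    """Findings for a role trust policy; empty means every Allow statement
    lets only the CloudZero account call sts:AssumeRole."""
    findings = []
    for stmt in _as_list(trust_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for p in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if _principal_account(p) != CLOUDZERO_ACCOUNT_ID:
                findings.append(f"unexpected principal: {p}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected trust action: {action}")
    return findings

def non_read_only_actions(policy_doc):
    """Actions an identity policy allows that are not read-only."""
    flagged = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]
            if not verb.startswith(READ_ONLY_PREFIXES):
                flagged.append(action)
    return flagged

# Constructed sample documents (not CloudZero's real templates).
TRUST_OK = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{CLOUDZERO_ACCOUNT_ID}:root"}}]}
TRUST_WEAK = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
              "Principal": {"AWS": "*"}}]}
POLICY_OK = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
             "ce:GetCostAndUsage", "organizations:ListAccounts", "cloudwatch:GetMetricData"]}]}
POLICY_WEAK = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
               "s3:GetObject", "s3:*", "iam:PassRole"]}]}
```

Run the two checks against the documents returned by the IAM GetRole and GetRolePolicy/GetPolicyVersion calls for the role the CloudFormation stack created; a non-empty result is a drift from the read-only, single-principal design described here.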

Note

If you have resources in your AWS cloud in any regions for which STS is not active by default (for example, ap-east-1 or eu-south-1), ensure that you activate those regions, following the instructions in the Managing AWS STS in an AWS Region guide.

CloudZero uses CloudFormation to automate the provisioning process, and the CloudZero CloudFormation templates and IAM policies are completely open source and available for review at https://github.com/Cloudzero/provision-account.

Prerequisites

You must configure the following AWS services before connecting to CloudZero:

In addition, CloudZero has requirements for valid Cost and Usage Reports.

Connect an AWS Account

Tip

CloudZero strongly recommends that you connect your AWS Management Account before connecting other AWS accounts. This allows CloudZero to retrieve your billing data.

You must be a CloudZero Admin to add new Connections to the platform.

CloudZero fully supports organizations with multiple Management Accounts. Connect them all to get a consolidated view of your spending.

Add AWS Connection

  1. To start, open the CloudZero Cloud Integrations page by using the gear icon on the top navigation bar and selecting Cloud Integrations, or by using the link to the page: https://app.cloudzero.com/organization/connections.

  2. On the Cloud Integrations page, you can see all of the Integrations in your system. To connect an AWS Account, click the Add Connection button.

  3. On the next page, click the AWS tile and choose how you would like to connect your AWS Account. The options are as follows:

  • Automated - Billing: (CloudZero highly recommends this option) - Deploy from the AWS Console using the CloudZero CloudFormation template to connect either a Billing Connection or a Resource Connection.
  • Automated - Resources: Create multiple Resource Connections by connecting to each individual AWS Member Account within the AWS Organization.
  • Manual - Billing: Create a Billing Connection by following the manual instructions to connect an AWS Management/Payer Account.
  • Manual - Resources: Create a Resource Connection by following the manual instructions to connect an individual AWS Member Account.

The Automated method is the easiest, and the steps to use it follow.

Connect using AWS Console

  1. Enter a Connection Name. This is the name you will see throughout the CloudZero UI, in addition to the AWS Account ID.

Note

The name must conform to AWS naming conventions (lowercase, dashes, without spaces or periods).

  2. Click Save & Connect to launch the AWS console. You will be automatically redirected to the AWS Console.

  3. Ensure that you are logged into the correct AWS account. You can open a new tab and log into the AWS console if necessary.

Create Stack

Scroll to the bottom of the page, check the two boxes in the Capabilities section, and then click Create Stack.

Confirm Connection

AWS generally takes ~5 minutes to deploy the necessary permissions to allow CloudZero to pull in the information it needs.

When the process is complete, an AWS Connection will appear on the CloudZero Cloud Integrations page. Any Management and Payer Accounts, where CloudZero retrieves Billing data, will appear at the top of the page in the Billing Connections table. Any Member Accounts, where CloudZero retrieves additional information about your Resources, will appear at the bottom of the page in the AWS Resource Connections table.

Billing Connections

The Health column will be green or red and show the overall connection health. If something changes on your side and CloudZero can no longer use the role that was just granted permissions, the Health will change and provide details on why CloudZero cannot connect.

You can connect any other AWS Accounts you want at this point using the same process.

Connect Other Cost Sources

In addition, you may want CloudZero to help with your Snowflake or Azure costs, or the custom costs you can bring in using an AnyCost Adaptor.

Start by learning about CloudZero Connections, or choose a Cost Source from the What's Next section that follows.