How the Manual AWS Connection Works

Connecting to an AWS account will show AWS cost data alongside other Cost Sources in the Explorer, as well as enable anomaly alerts on AWS spend.

CloudZero supports a fully manual or custom provisioning process that can be facilitated using your infrastructure provisioning process of choice (Terraform, Shell Scripts, CLI, etc…).

📘

About CloudZero's Access to your AWS Accounts

CloudZero is a different type of Cloud Cost Management solution and requires permissions beyond the typical cost and usage data. By using metadata on how your AWS environment is operating, the services that you are using, and how they are being used CloudZero can boost tag coverage, identify more complex anomalies and highlight the specific resources and changes that are responsible for cost changes in your environment.

All of CloudZero's permissions are Read-Only
We have no access to data except where explicitly authorized (for example the S3 bucket where your cost and usage report is stored).

Summary of Permissions:

• Management Account
  • Our access is required to function
    • Access to the Cost and Usage, Billing and Organizations API
    • Access to the Cost and Usage S3 bucket where reports are stored
    • Access to CloudWatch Metrics, and list/read-only metadata service API's

Note: If you have resources (in your AWS cloud) in any regions for which STS is not active by default (e.g. ap-east-1 or eu-south-1), make sure you activate those regions following the Managing AWS STS in an AWS Region guide.

Prerequisites

We also require the following AWS services to be configured before connecting to CloudZero:

• Required: AWS Organizations with consolidated billing enabled
• Required: AWS Cost and Usage Report enabled within your AWS Payer account (sometimes also called your AWS Management account
• Highly recommended: Cost Allocation Tagging Configuration

Additionally, CloudZero has requirements for valid Cost & Usage Reports.

Connect an AWS Account

🚧

What Account To Connect First

For most features to work you'll need to connect your AWS account that holds your Management Account so that we can get access to your billing data. It is strongly suggested that you connect your Management Account first.

📘

Multiple Management Accounts

CloudZero fully supports organizations with multiple Management Accounts, just connect them all to get a consolidated view of your spending.

Open the Connections page

The Connections page can be found by going to the "gear" on the sidebar and selecting "Connections" or alternatively going to https://app.cloudzero.com/organization/connections

📘

Note: Admin Role Required

You must be a CloudZero Admin to add new Connections to the platform.

Add an AWS Connection

On the Connections page you can see all of the Connections in your system. To connect an AWS Account, click the “Add New Connection” button.

On the next page, click the AWS tile and click the Manual - Billing button from the three options for connecting accounts to manually connect an AWS Management/Payer Account.

Enable Cost and Usage Reports via the AWS Console

Follow the steps on the screen. As you follow these steps, make sure to note the following unique pieces of information you will need to gather while in the AWS console:

• Cost & Usage Report Name
• Cross-Account IAM Role ARN
• Cost & Usage S3 Bucket Name

Be sure to make note of the external ID which is listed under Create a cross-account AIM role in the manual connection steps. You will need this while configuring your policy in the AWS Console.

Grant Cross-Account Role

You will need to create an AWS cross account access role using the details provided in this step.

There is a helpful box where you can enter the S3 Bucket Name where your Cost & Usage Report will be saved, as defined in Step 1. Click the "Generate IAM Policy" button to let the screen help generate all of the necessary policy details you will need to provide in the AWS Console.

Provide Cost & Usage Report Details

Once your policy is generated and applied to your S3 bucket, you will then need to fill out the input boxes on the third step, utilizing the information you collected from the AWS Console earlier.

1. Enter a Connection Name. This is the name you will see throughout the CloudZero UI, in addition to the AWS Account ID.

📘

Connection Name requirements

The name must conform to AWS naming conventions (lowercase, dashes, without spaces or periods)

2. Enter the Cost & Usage Report Name. This is not the name of your cost and usage S3 bucket, but the name of your cost and usage report configuration in AWS. Click here to find your CUR Name.
3. Enter the Cross-Account IAM Role ARN, as found in the AWS Console from Step 2.
4. Click the Save button.

Confirm on the Connections page

AWS generally takes ~5 minutes to deploy the necessary permissions to allow CloudZero to pull in the information it needs.

Once complete, an AWS Connection will appear on the CloudZero Connections page in the Billing Connections table.

The Health column will be green or red and show the overall connection health. If something changes on your side and CloudZero can no longer use the role that was just granted permissions, the Health will change and provide details on why CloudZero cannot connect.

You can connect any other AWS Accounts you want at this point with the same process.

Connecting Other Cost Sources

Additionally, you may want CloudZero to help with your Snowflake or Azure costs, or the custom costs you can bring in using an AnyCost Adaptor.

Start by learning about CloudZero Connections, or choosing a Cost Source from the What's Next section below: