Connecting AWS Resource Data Manually from a Member Account

How the Manual AWS Connection Works

CloudZero supports a fully manual or custom provisioning process that can be facilitated using your infrastructure provisioning process of choice (Terraform, Shell Scripts, CLI, etc…).


About CloudZero's Access to your AWS Accounts

CloudZero is a different type of Cloud Cost Management solution and requires permissions beyond the typical cost and usage data. By using metadata on how your AWS environment is operating, the services that you are using, and how they are being used CloudZero can boost tag coverage, identify more complex anomalies and highlight the specific resources and changes that are responsible for cost changes in your environment.

All of CloudZero's permissions are Read-Only
We have no access to data except where explicitly authorized.

Summary of Permissions:

  • Resource (member) Accounts
    • Our access is optional, required for waste and root cause analysis
    • Access to CloudWatch Metrics, and list/read-only metadata service API's

Note: If you have resources (in your AWS cloud) in any regions for which STS is not active by default (e.g. ap-east-1 or eu-south-1), make sure you activate those regions following the Managing AWS STS in an AWS Region guide.

Connect an AWS Account

Open the Connections page

The Connections page can be found by going to the "gear" on the sidebar and selecting "Connections" or alternatively going to

CloudZero Connections


Note: Admin Role Required

You must be a CloudZero Admin to add new Connections to the platform.

Add an AWS Connection

On the Connections page you can see all of the Connections in your system. To connect an AWS Account, click the “Add New Connection” button.

On the next page, click the AWS tile and click the Manual - Resources button from the three options for connecting accounts to manually connect an AWS Member Account.

Grant Cross-Account Role

You will need to create an AWS cross account access role using the details provided in this step.

There is a helpful box where the system has generated all of the necessary policy details you will need to provide in the AWS Console.

Connect Account with CloudZero

Once your policy is generated and applied to the role, you will then need to fill out the input boxes on the second step, utilizing the information you collected from the AWS Console earlier.

  1. Enter a Connection Name. This is the name you will see throughout the CloudZero UI, in addition to the AWS Account ID.


Connection Name requirements

The name must conform to AWS naming conventions (lowercase, dashes, without spaces or periods)

  1. Enter the Cross-Account IAM Role ARN, as found in the AWS Console from Step 2.
  2. Click the Save button.

Confirm on the Connections page

AWS generally takes ~5 minutes to deploy the necessary permissions to allow CloudZero to pull in the information it needs.

Once complete, an AWS Connection will appear on the CloudZero Connections page in the Resource Connections table.

CloudZero Connections

The Health column will be green or red and show the overall connection health. If something changes on your side and CloudZero can no longer use the role that was just granted permissions, the Health will change and provide details on why CloudZero cannot connect.

You can connect any other AWS Accounts you want at this point with the same process.

Connecting Other Cost Sources

Additionally, you may want CloudZero to help with your Snowflake or Azure costs, or the custom costs you can bring in using an AnyCost Adaptor.

Start by learning about CloudZero Connections, or choosing a Cost Source from the What's Next section below: