Connecting AWS Resource Data Manually from a Member Account
How the Manual AWS Connection Works
CloudZero supports a fully manual or custom provisioning process that can be facilitated using your infrastructure provisioning process of choice (Terraform, Shell Scripts, CLI, etc…).
About CloudZero's Access to your AWS Accounts
CloudZero is a different type of Cloud Cost Management solution and requires permissions beyond the typical cost and usage data. By using metadata on how your AWS environment is operating, the services that you are using, and how they are being used CloudZero can boost tag coverage, identify more complex anomalies and highlight the specific resources and changes that are responsible for cost changes in your environment.
All of CloudZero's permissions are Read-Only
We have no access to data except where explicitly authorized.
Summary of Permissions:
- Resource (member) Accounts
- Our access is optional, required for waste and root cause analysis
- Access to CloudWatch Metrics, and list/read-only metadata service API's
Note: If you have resources (in your AWS cloud) in any regions for which STS is not active by default (e.g.
eu-south-1), make sure you activate those regions following the Managing AWS STS in an AWS Region guide.
Connect an AWS Account
Open the Connections page
The Connections page can be found by going to the "gear" on the sidebar and selecting "Connections" or alternatively going to https://app.cloudzero.com/organization/connections
Note: Organizer Role Required
You must be a CloudZero Organizer to add new Connections to the platform.
Add an AWS Connection
On the Connections page you can see all of the Connections in your system. To connect an AWS Account, click the “Add New Connection” button.
On the next page, click the AWS tile and click the Manual - Resources button from the three options for connecting accounts to manually connect an AWS Member Account.
Grant Cross-Account Role
You will need to create an AWS cross account access role using the details provided in this step.
There is a helpful box where the system has generated all of the necessary policy details you will need to provide in the AWS Console.
Connect Account with CloudZero
Once your policy is generated and applied to the role, you will then need to fill out the input boxes on the second step, utilizing the information you collected from the AWS Console earlier.
- Enter a Connection Name. This is the name you will see throughout the CloudZero UI, in addition to the AWS Account ID.
Connection Name requirements
The name must conform to AWS naming conventions (lowercase, dashes, without spaces or periods)
- Enter the Cross-Account IAM Role ARN, as found in the AWS Console from Step 2.
- Click the Save button.
Confirm on the Connections page
AWS generally takes ~5 minutes to deploy the necessary permissions to allow CloudZero to pull in the information it needs.
Once complete, an AWS Connection will appear on the CloudZero Connections page in the Resource Connections table.
The Health column will be green or red and show the overall connection health. If something changes on your side and CloudZero can no longer use the role that was just granted permissions, the Health will change and provide details on why CloudZero cannot connect.
You can connect any other AWS Accounts you want at this point with the same process.
Connecting Other Cost Sources
Additionally, you may want CloudZero to help with your Snowflake or Azure costs, or the custom costs you can bring in using an AnyCost Adaptor.
Start by learning about CloudZero Connections, or choosing a Cost Source from the What's Next section below:
Updated over 1 year ago