Updating an AWS Account Connection Stack

Sometimes we need to update our AWS Connection Stacks. For example, AWS updated their Billing and Cost Management Permissions in January 2023.

You are in complete control of the permissions you grant CloudZero. Neither the automated nor manual Connections can update themselves.

We maintain the Provision Account Open Source repository so you can review all of our permissions. In addition, we publish useful resources, policies and CloudFormation templates, from that repository to S3 for your use. This document covers a few workflows for updating your CloudZero permissions using those resources.

Automated Connections

If you connected to CloudZero using our Automated Connections. You can use these steps to update the cloudzero-connected-account CloudFormation stack.


  1. Open the AWS CloudFormation Console in the appropriate AWS Account.
  2. Select the cloudzero-connected-account stack.
    1. If you don't see the stack right away in the list, first uncheck the "View Nested" radio button to the right of the search box and then search for 'cloudzero'.
  3. Click Update.
  4. Select Replace current template.
  5. Paste https://cz-provision-account.s3.amazonaws.com/latest/services/connected_account.yaml into the Amazon S3 URL Text Box.
  6. Click Next, Next, and Next (yup, 3 times).
  7. At the bottom of the screen, check the boxes for CAPABILITIES:
    [✅] I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    [✅] I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
  8. Click Submit.



Requirements for this One-Liner

Unfortunately, the AWS CLI update-stack command does not have an option to "keep existing Parameters".
This bash snippet will do that for you. It requires these two commands be present in your shell:

  1. AWS CLI
  2. jq command.
aws cloudformation update-stack \
  --stack-name cloudzero-connected-account \
  --template-url https://cz-provision-account.s3.amazonaws.com/latest/services/connected_account.yaml \
  --parameters "$(aws cloudformation describe-stacks --stack-name cloudzero-connected-account | jq '.Stacks[0].Parameters')"

Manual Connections


  1. Open the IAM Role Console in the appropriate AWS Account.
  2. Find the Cross Account Role with a trust relationship with CloudZero.
    1. You can do this by searching your Roles for 'cloudzero'. Select the one with Trusted entities containing Account: 061190967865.
    2. Click on the role name hyperlink.
  3. Update Inline Policy
    1. On the Permissions tab of the Role page, click on the attached Customer inline policy.
    2. Click on the JSON tab.
    3. Copy the contents of the appropriate policy, payer or resource owner, into the text editor.
    4. Click Review policy.
    5. Click Save changes.
  4. Add AWSBillingReadOnlyAccess managed policy
    1. On the Permissions tab of the Role page, click on the attached Add permissions button/dropdown and click Attach Policies
    2. Search for AWSBillingReadOnlyAccess.
    3. Check the box to the left of the policy name.
    4. Click Add permissions



Requirements for this script

It takes a few commands to find and update roles and their policies.
This bash snippet will do that for you:

  1. AWS CLI
  2. jq command.
# Find roles with Trust Relationships with CloudZero
aws iam list-roles | jq -r -e '.Roles | map(select(.AssumeRolePolicyDocument.Statement[0].Principal.AWS == "arn:aws:iam::061190967865:root")) | map(.RoleName)[] | .'

# For each of the roles from the output of the previous command
aws iam list-role-policies --role-name <role-name> | jq -r -e '.PolicyNames[]'

# Now we have the list of policies to update
# For each role and policy:
aws iam put-role-policy \
  --role-name <role-name> \
  --policy-name <policy-name> \
  --policy-document "$(curl -XGET https://cz-provision-account.s3.amazonaws.com/latest/policies/resource_owner.json)"  # change resource_owner.json to master_payer.json if this is a billing account role and policy

# And we attach the AWSBillingReadOnlyAccess managed policy to your role
aws iam attach-role-policy \
  --role-name <role-name> \
  --policy-arn arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess