Updating Permissions for an AWS Account

Sometimes AWS requires us to update permissions. For example, AWS updated their Billing and Cost Management Permissions in January 2023.

You are in complete control of the permissions you grant CloudZero. Neither the automated nor manual Connections can update themselves.

We maintain the Provision Account open source repository so you can review all of our permissions. In addition, we publish useful resources (policies and CloudFormation templates) from that repository to S3 for your use. This document covers a few workflows for updating your CloudZero permissions using those resources.

Automated Connections

If you connected to CloudZero using our Automated Connections, use these steps to update the cloudzero-connected-account CloudFormation stack.

Console

  1. Open the AWS CloudFormation Console in the appropriate AWS Account.
  2. Select the cloudzero-connected-account stack.
    1. If you don't see the stack right away in the list, first uncheck the "View Nested" radio button to the right of the search box and then search for 'cloudzero'.
  3. Click Update.
  4. Select Replace current template.
  5. Paste https://cz-provision-account.s3.amazonaws.com/v1.0.74/services/connected_account.yaml into the Amazon S3 URL Text Box.
  6. Click Next, Next, and Next (yup, 3 times).
  7. At the bottom of the screen, check the boxes for CAPABILITIES:
    [✅] I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    [✅] I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
    
  8. Click Submit.

CLI


Requirements for this One-Liner

Unfortunately, the AWS CLI update-stack command does not have an option to "keep existing Parameters".
This bash snippet will do that for you. It requires these two commands be present in your shell:

  1. AWS CLI
  2. jq command.

# Re-submit the stack's current parameter values and acknowledge the same two
# capabilities the console asks for (update-stack fails without them).
aws cloudformation update-stack \
  --stack-name cloudzero-connected-account \
  --template-url https://cz-provision-account.s3.amazonaws.com/v1.0.74/services/connected_account.yaml \
  --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
  --parameters "$(aws cloudformation describe-stacks --stack-name cloudzero-connected-account | jq '.Stacks[0].Parameters')"
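The one-liner above echoes each parameter's current value back to update-stack. An added example (not CloudZero's code) of the alternative a practitioner usually wants: build the --parameters argument with UsePreviousValue, which keeps every value without re-sending it. That matters because describe-stacks returns NoEcho parameters masked as "****", and re-sending that string would overwrite the real value. The describe-stacks output below is constructed, the parameter names are made up, and the file name keep_params.py in the usage note is hypothetical.

```python
import json

# Constructed sample of `aws cloudformation describe-stacks` output.
# Parameter names are invented; "****" is how CloudFormation masks a NoEcho value.
SAMPLE_DESCRIBE_STACKS = json.loads("""
{
  "Stacks": [
    {
      "StackName": "cloudzero-connected-account",
      "Parameters": [
        {"ParameterKey": "ExternalId", "ParameterValue": "****"},
        {"ParameterKey": "ReaderAccountId", "ParameterValue": "123456789012"},
        {"ParameterKey": "LegacyFlag", "ParameterValue": "false"}
      ]
    }
  ]
}
""")


def keep_existing_parameters(describe_output, template_keys=None):
    """Build the --parameters value for update-stack so each parameter keeps
    its current value.

    describe_output: parsed JSON from describe-stacks.
    template_keys:   optional set of parameter keys declared by the new
                     template; keys it no longer declares are dropped, since
                     passing an unknown key makes update-stack fail.
    UsePreviousValue is used instead of ParameterValue so masked NoEcho
    values are never sent back as the literal string "****".
    """
    params = describe_output["Stacks"][0].get("Parameters", [])
    result = []
    for p in params:
        key = p["ParameterKey"]
        if template_keys is not None and key not in template_keys:
            continue
        result.append({"ParameterKey": key, "UsePreviousValue": True})
    return result


def masked_parameters(describe_output):
    """Keys whose values describe-stacks reports masked (NoEcho parameters);
    these are exactly the ones the value-echoing one-liner would clobber."""
    return [
        p["ParameterKey"]
        for p in describe_output["Stacks"][0].get("Parameters", [])
        if p.get("ParameterValue") == "****"
    ]


if __name__ == "__main__":
    # Emit JSON suitable for: --parameters "$(python3 keep_params.py)"
    print(json.dumps(keep_existing_parameters(SAMPLE_DESCRIBE_STACKS)))
```

To use it against a real stack, feed the script the JSON from describe-stacks instead of the constructed sample and pass its output as the --parameters argument, keeping the --capabilities flags from the snippet above. The update-stack command accepts this list form directly.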

Manual Connections

Console

  1. Open the IAM Role Console in the appropriate AWS Account.
  2. Find the Cross Account Role with a trust relationship with CloudZero.
    1. You can do this by searching your Roles for 'cloudzero'. Select the one with Trusted entities containing Account: 061190967865.
    2. Click on the role name hyperlink.
  3. Update Inline Policy
    1. On the Permissions tab of the Role page, click on the attached Customer inline policy.
    2. Click on the JSON tab.
    3. Copy the contents of the appropriate policy, payer or resource owner, into the text editor.
    4. Click Review policy.
    5. Click Save changes.
  4. Add the AWSBillingReadOnlyAccess managed policy
    1. On the Permissions tab of the Role page, open the Add permissions dropdown and click Attach policies.
    2. Search for AWSBillingReadOnlyAccess.
    3. Check the box to the left of the policy name.
    4. Click Add permissions.

CLI


Requirements for this script

It takes a few commands to find and update roles and their policies.
This bash snippet will do that for you. It requires these two commands be present in your shell:

  1. AWS CLI
  2. jq command.

# Find roles with Trust Relationships with CloudZero
aws iam list-roles | jq -r -e '.Roles | map(select(.AssumeRolePolicyDocument.Statement[0].Principal.AWS == "arn:aws:iam::061190967865:root")) | map(.RoleName)[] | .'

# For each of the roles from the output of the previous command
aws iam list-role-policies --role-name <role-name> | jq -r -e '.PolicyNames[]'

# Now we have the list of policies to update
# For each role and policy:
aws iam put-role-policy \
  --role-name <role-name> \
  --policy-name <policy-name> \
  --policy-document "$(curl -sSf https://cz-provision-account.s3.amazonaws.com/latest/policies/resource_owner.json)"
# change resource_owner.json to master_payer.json if this is a billing account role and policy;
# curl -f makes the command fail on an HTTP error instead of storing an error page as the policy

# And we attach the AWSBillingReadOnlyAccess managed policy to your role
aws iam attach-role-policy \
  --role-name <role-name> \
  --policy-arn arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess

Non us-east-1 Snowflake Connections

If you have configured a non us-east-1 Snowflake billing connection with CloudZero, you may need to reapply the Trust Relationship between the CloudZero cross account role and your Snowflake instance. This relationship allows your Snowflake instance to drop files into the appropriate S3 bucket for CloudZero to ingest.

  1. Run the following in your Snowflake instance:

DESC INTEGRATION CLOUDZERO_BILLING_DATA_S3_ACCESS;

  2. From the output, copy the values for STORAGE_AWS_EXTERNAL_ID and STORAGE_AWS_IAM_USER_ARN. You will need these for your Trust Policy.
  3. Open the IAM Role Console in the appropriate AWS Account.
  4. Find the Cross Account Role with a trust relationship with CloudZero.
    1. You can do this by searching your Roles for 'cloudzero'. Select the one with Trusted entities containing Account: 061190967865.
    2. Click on the role name hyperlink.
  5. Click the Trust Relationships tab, and then the Edit trust relationship button.
  6. Switch the view to JSON. You will see a single statement that includes any cross-account permissions already applied (if any).
  7. Add an additional statement to the policy to allow Snowflake cross-account access by copying this JSON object under the key Statement. Remember to replace the <STORAGE_AWS_IAM_USER_ARN> and <STORAGE_AWS_EXTERNAL_ID> placeholders with the values you copied in step 2!
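An added example, not CloudZero's code, covering two steps from this page: the jq filter in the Manual Connections CLI section only matches a role whose first statement names the CloudZero account root ARN as a string, so the scanner here checks every statement and accepts the bare account id, the root ARN, or a role/user ARN in that account, given as a string or a list. The second function appends the Snowflake trust statement from the procedure above without disturbing the existing statements and is idempotent. The shape of that statement (Principal.AWS set to STORAGE_AWS_IAM_USER_ARN, sts:AssumeRole, and an sts:ExternalId condition equal to STORAGE_AWS_EXTERNAL_ID) is my assumption following Snowflake's documented storage-integration pattern, since the page's own JSON object is not reproduced here. The list-roles output, role names and ARNs are constructed.

```python
import copy
import json
from urllib.parse import unquote

CLOUDZERO_ACCOUNT_ID = "061190967865"  # the trusted account named on this page

# Constructed sample of `aws iam list-roles` output: one role trusting CloudZero by
# root ARN, one trusting it by bare account id in a second statement, one unrelated.
SAMPLE_LIST_ROLES = json.loads("""
{"Roles": [
  {"RoleName": "cloudzero-cross-account",
   "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
     {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::061190967865:root"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}},
  {"RoleName": "shared-audit-role",
   "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
     {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
     {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "061190967865"]},
      "Action": "sts:AssumeRole"}]}},
  {"RoleName": "unrelated-role",
   "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement":
     {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}}}
]}
""")


def _as_list(value):
    """IAM allows a single object or a list in Statement and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(statement):
    """Account ids named in a statement's AWS principal: bare id, root ARN, or role/user ARN."""
    accounts = set()
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return accounts  # "*" principal names no specific account
    for p in _as_list(principal.get("AWS")):
        parts = p.split(":")
        accounts.add(parts[4] if len(parts) >= 5 else p)  # ARN field 5 is the account id
    return accounts


def roles_trusting_account(list_roles_output, account_id):
    """Names of roles with any Allow statement whose AWS principal lives in account_id."""
    found = []
    for role in list_roles_output["Roles"]:
        doc = role["AssumeRolePolicyDocument"]
        if isinstance(doc, str):  # raw API returns the document URL-encoded
            doc = json.loads(unquote(doc))
        for st in _as_list(doc.get("Statement")):
            if st.get("Effect") == "Allow" and account_id in _principal_accounts(st):
                found.append(role["RoleName"])
                break
    return found


def add_snowflake_trust(trust_policy, storage_aws_iam_user_arn, storage_aws_external_id):
    """Return a copy of trust_policy with the Snowflake cross-account statement appended.

    Assumed statement shape (Snowflake storage-integration pattern): the Snowflake-side
    IAM user may assume the role only when it presents the integration's external id.
    Existing statements are kept; calling twice adds nothing the second time.
    """
    new_statement = {
        "Effect": "Allow",
        "Principal": {"AWS": storage_aws_iam_user_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": storage_aws_external_id}},
    }
    updated = copy.deepcopy(trust_policy)
    statements = _as_list(updated.get("Statement"))
    if new_statement not in statements:
        statements.append(new_statement)
    updated["Statement"] = statements
    return updated


if __name__ == "__main__":
    for name in roles_trusting_account(SAMPLE_LIST_ROLES, CLOUDZERO_ACCOUNT_ID):
        print("trusts CloudZero:", name)
    trust = SAMPLE_LIST_ROLES["Roles"][0]["AssumeRolePolicyDocument"]
    print(json.dumps(add_snowflake_trust(trust, "<STORAGE_AWS_IAM_USER_ARN>", "<STORAGE_AWS_EXTERNAL_ID>"), indent=2))
```

Against a real account, feed the scanner the JSON from aws iam list-roles; the updated trust policy it produces is what you would paste into the JSON view in step 7 (or pass to aws iam update-assume-role-policy), after checking the scanner's list matches the role you expected.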