Manual Setup
CloudZero supports manual AWS configuration for organizations that need more control over the setup process. You get the same cost data and capabilities as the automated method.
For most organizations, the automated setup is the fastest way to connect. Use manual setup when your organization requires custom provisioning workflows (Terraform, shell scripts, CLI, or the AWS Console).
Prerequisites
- AWS Organizations with consolidated billing enabled
- For Billing connections: a Cost and Usage Report in the required format in your AWS Payer account
- CloudZero user with data configuration permissions
- If you have resources in AWS regions where STS is not active by default (for example, ap-east-1 or eu-south-1), activate STS for those regions
All CloudZero access to your AWS accounts is read-only. For details on permissions, IAM policies, and CloudFormation templates, see AWS Permissions and Security.
Which account type do you need?
CloudZero uses two types of AWS connections:
| Account type | What it provides | Required? |
|---|---|---|
| Billing (Payer) | Cost and usage data from your AWS bill | Yes, connect this first |
| Resources (Member) | Resource metadata that powers detailed cost breakdowns and savings recommendations | Optional, but recommended |
Step 1: Start the connection in CloudZero
- In CloudZero, go to Settings > Cloud Connections.
- Select Create Connection +.
- Select the AWS tile, then choose Manual Setup under the account type you are connecting.
CloudZero displays the permissions policy, account ID, and External ID you need to configure in AWS. Keep the CloudZero connection screen open while you work in the AWS Console.

Step 2: Set up AWS permissions and enter connection details
Create an IAM role in AWS and attach the policy that CloudZero generates for you.
Make sure you are signed into the correct AWS account before creating the role. For a Billing (Payer) connection, sign into your Management or Payer account. For a Resources (Member) connection, sign into the member account you want to connect.
For a Billing (Payer) Account
In the CloudZero connection screen:
- Enter the S3 Bucket Name where your Cost and Usage Report is stored, then select Generate IAM Policy. CloudZero generates the complete policy scoped to your bucket.
In the AWS IAM Console:
- Create a new role for cross-account access.
- For Trusted entity type, select Another AWS account.
- Enter the CloudZero Account ID shown in the CloudZero connection screen.
- Check Require external ID and enter the External ID shown in the CloudZero connection screen.
- Attach the generated policy to the role as an inline policy by pasting the JSON from the CloudZero connection screen.
Back in the CloudZero connection screen:
- Enter a Connection Name for this connection in the CloudZero UI. Use lowercase letters and dashes only (for example, my-aws-billing).
- Enter the Cost and Usage Report Name, which is the name of your CUR configuration in AWS (not the S3 bucket name). You can find this in the AWS Cost and Usage Reports console.
- Select the Cost and Usage Report Format that matches your CUR in AWS:
  - CSV (default): for CURs exported as CSV with GZIP compression.
  - Parquet: for CURs exported in Parquet format.
  If the selected format does not match your CUR's export format, no data flows in. Check your AWS Cost and Usage Reports settings if you are unsure.
  When AWS writes a Parquet CUR, it converts tag keys to lowercase and replaces non-alphanumeric characters with underscores. If any of your tag keys differ only by capitalization or punctuation (for example, Environment and environment), choose CSV. See Tag handling in Parquet CUR for details.
- Enter the Cross-Account IAM Role ARN of the role you created. You can find this on the role's summary page in the AWS IAM Console.
- Select Save & Continue.
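An added example, not part of CloudZero's documentation: a Python check that applies the two transformations described above (lowercasing, then replacing non-alphanumeric characters with underscores) to a list of tag keys and reports which ones would collapse into the same name in a Parquet CUR. The sample keys are constructed, and the function models only the rule as stated on this page.

```python
import re
from collections import defaultdict

def parquet_tag_key(tag_key):
    # Rule as stated on this page: lowercase, then non-alphanumerics become "_".
    return re.sub(r"[^a-z0-9]", "_", tag_key.lower())

def colliding_tag_keys(tag_keys):
    """Group distinct tag keys by normalised form; return only groups that collide."""
    groups = defaultdict(set)
    for key in tag_keys:
        groups[parquet_tag_key(key)].add(key)
    return {norm: sorted(keys) for norm, keys in groups.items() if len(keys) > 1}

def must_use_csv(tag_keys):
    """True when at least two tag keys would be merged in a Parquet CUR."""
    return bool(colliding_tag_keys(tag_keys))

# Constructed sample of tag keys as they might appear across an organization.
SAMPLE_KEYS = ["Environment", "environment", "cost-center", "cost_center", "Owner", "team"]

if __name__ == "__main__":
    for norm, keys in colliding_tag_keys(SAMPLE_KEYS).items():
        print(f"{norm}: {keys}")
    print("choose CSV" if must_use_csv(SAMPLE_KEYS) else "no collisions found")
```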

For a Resources (Member) Account
Connect a Billing (Payer) Account before adding Resources (Member) accounts.
In the AWS IAM Console:
- Create a new role for cross-account access.
- For Trusted entity type, select Another AWS account.
- Enter the CloudZero Account ID shown in the CloudZero connection screen.
- Check Require external ID and enter the External ID shown in the CloudZero connection screen.
- Attach the generated policy from the CloudZero connection screen to the role as an inline policy.
In the CloudZero connection screen:
- Enter a Connection Name for this connection in the CloudZero UI. Use lowercase letters and dashes only (for example, my-aws-resources).
- Enter the Cross-Account IAM Role ARN of the role you created. You can find this on the role's summary page in the AWS IAM Console.
- Select Save.
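The IAM Console steps in both sections above produce a role trust policy that names the CloudZero account and requires the External ID. As an added example (not CloudZero's code), this Python check audits a trust policy document for those two properties; the account ID, External ID and sample policies are constructed placeholders.

```python
import json

# Constructed placeholders; use the values from your CloudZero connection screen.
EXPECTED_ACCOUNT = "111122223333"
EXPECTED_EXTERNAL_ID = "example-external-id"

def _as_list(value):
    # IAM accepts a single value or a list in most fields; normalise to a list.
    return [] if value is None else value if isinstance(value, list) else [value]

def _account_of(principal):
    # Account ID from "111122223333" or "arn:aws:iam::111122223333:root", else None.
    if len(principal) == 12 and principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam" else None

def audit_trust_policy(policy_json, account=EXPECTED_ACCOUNT, external_id=EXPECTED_EXTERNAL_ID):
    """Return a list of findings; an empty list means the role matches the steps above."""
    findings = []
    statements = [s for s in _as_list(json.loads(policy_json).get("Statement"))
                  if s.get("Effect") == "Allow"
                  and set(_as_list(s.get("Action"))) & {"sts:AssumeRole", "sts:*", "*"}]
    if not statements:
        return ["no statement allows sts:AssumeRole"]
    for s in statements:
        principal = s.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if isinstance(principal, dict) and set(principal) - {"AWS"}:
            findings.append("principal types other than AWS are trusted")
        for p in aws:
            if _account_of(str(p)) != account:
                findings.append(f"unexpected principal: {p}")
        # Condition key names are case-insensitive in IAM, so compare in lowercase.
        equals = {k.lower(): v for k, v in s.get("Condition", {}).get("StringEquals", {}).items()}
        ids = _as_list(equals.get("sts:externalid"))
        if not ids:
            findings.append("no StringEquals condition on sts:ExternalId")
        elif ids != [external_id]:
            findings.append("sts:ExternalId does not match the expected value")
    return findings

# Constructed sample: the trust policy the console steps above should produce.
GOOD = json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]})
# Constructed sample: wrong trusted account and no external ID requirement.
BAD = json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::444455556666:root"}}]})
```

Run it against the AssumeRolePolicyDocument returned by `aws iam get-role` for the role you created; an empty list means the trusted account and External ID both match.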
Step 3: Verify the connection
Check the connection status on the Cloud Connections page. Billing connections appear in the Billing Connections table and resource connections appear in the AWS Resources tab. The Status column shows a green healthy indicator when the connection is active.

What to expect
AWS takes about 5 minutes to deploy the permissions. Your cost data appears in the Explorer within 24 hours.
You can connect additional AWS accounts at any time by repeating this process. CloudZero supports organizations with multiple Management Accounts.
If your organization uses AWS resource tags, you can bring them into CloudZero for additional filtering and grouping options. See Use AWS Tags in CloudZero.
Have questions or feedback? Reach out to your account manager.
