Manual Setup (CUR 2.0)
Connect your AWS billing data to CloudZero using Cost and Usage Report 2.0 (CUR 2.0), AWS's newer billing data format delivered through Data Exports. If you already have a legacy CUR connection, you can add CUR 2.0 alongside it; CloudZero retains your existing historical data and uses CUR 2.0 for billing data starting from the current billing month.
CUR 2.0 connections are available as a preview. Contact your account manager to enable this feature for your organization.
For legacy CUR connections, see Manual Setup. For automated setup, see Connecting to AWS. To update permissions on an existing connection, see Update Your AWS Connection.
Which account type do you need?
CloudZero uses two types of AWS connections:
| Account type | What it provides | Required? |
|---|---|---|
| Billing (Payer) | Cost and usage data from your AWS bill | Yes, connect this first |
| Resources (Member) | Resource metadata that powers detailed cost breakdowns and savings recommendations | Optional, but recommended |
Prerequisites
- For Billing connections: a CUR 2.0 Data Export in the required format in your AWS Payer account. If you do not have one, see Creating a standard data export in the AWS documentation.
- AWS Organizations with consolidated billing enabled
- CloudZero user with data configuration permissions
- If you have resources in AWS regions where STS is not active by default (for example, ap-east-1 or eu-south-1), activate STS for those regions
All CloudZero access to your AWS accounts is read-only. For details on permissions, IAM policies, and CloudFormation templates, see AWS Permissions and Security.
Step 1: Start the connection in CloudZero
- In CloudZero, go to Settings > Cloud Connections.
- Select Create Connection +.
- Select the AWS tile, then choose Manual Setup under the account type you are connecting.
- For Billing (Payer) connections, select Cost and Usage Report 2.0.
Keep this screen open. You need the External ID and generated policy in Step 2. Billing connections also use the IAM Policy Generator on this screen.
Step 2: Set up AWS permissions
Create an IAM role in AWS that grants CloudZero read-only access to your data, and attach the policy that CloudZero generates for you. Follow the section that matches the account type you selected in Step 1.
Make sure you are signed into the correct AWS account before creating the role. For a Billing (Payer) connection, sign into your Management or Payer account. For a Resources (Member) connection, sign into the member account you want to connect.
For a Billing (Payer) Account
- In the AWS IAM Console, select Create role.
- For Trusted entity type, select Another AWS account (this lets CloudZero access your data across accounts).
- Enter the CloudZero account ID: 061190967865.
- Check Require external ID.
- Enter the External ID from the CloudZero connection screen.
- Attach the following AWS managed policies: ComputeOptimizerReadOnlyAccess, ViewOnlyAccess, and AWSBillingReadOnlyAccess.
- Complete the role creation wizard.
- In the CloudZero connection screen, enter your S3 Bucket Name in the IAM Policy Generator and select Generate IAM Policy.
- Open the role you just created in the AWS IAM Console.
- Add the generated policy to the role by pasting the JSON.
For a Resources (Member) Account
Connect a Billing (Payer) Account before adding Resources (Member) accounts.
- In the AWS IAM Console, select Create role.
- For Trusted entity type, select Another AWS account (this lets CloudZero access your data across accounts).
- Enter the CloudZero account ID: 061190967865.
- Check Require external ID.
- Enter the External ID from the CloudZero connection screen.
- Attach the following AWS managed policies: ComputeOptimizerReadOnlyAccess, ViewOnlyAccess, and AWSBillingReadOnlyAccess.
- Complete the role creation wizard.
- Open the role you just created in the AWS IAM Console.
- Add the generated policy from the CloudZero connection screen to the role by pasting the JSON.
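An added example (not CloudZero's own code): a Python check that a role's trust policy matches what the Billing (Payer) and Resources (Member) steps above configure, namely the CloudZero account as the only trusted principal and an sts:ExternalId condition. The sample policies and the external ID value are constructed for illustration, and the policy shape is assumed to be the one the IAM console writes for "Another AWS account" with "Require external ID" checked.

```python
CLOUDZERO_ACCOUNT_ID = "061190967865"  # account ID given in the setup steps

# Constructed sample: the trust policy expected after following the steps.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::061190967865:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
# Constructed sample: same role, but "Require external ID" was left unchecked.
WEAK = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in GOOD["Statement"][0].items() if k != "Condition"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # Accepts a bare 12-digit account ID or an ARN such as arn:aws:iam::<id>:root
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else principal

def audit_trust_policy(policy, expected_external_id):
    """Return findings per Allow statement; an empty list means it matches the steps."""
    findings = []
    allows = [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement in trust policy")
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if isinstance(principal, dict) and set(principal) != {"AWS"}:
            findings.append(f"statement {i}: non-AWS principal type present")
        for p in aws:
            if p == "*" or _account_of(str(p)) != CLOUDZERO_ACCOUNT_ID:
                findings.append(f"statement {i}: unexpected principal {p}")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            findings.append(f"statement {i}: Action list lacks sts:AssumeRole")
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, v in string_equals.items() if k.lower() == "sts:externalid"]
        if not ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif _as_list(ids[0]) != [expected_external_id]:
            findings.append(f"statement {i}: sts:ExternalId does not match")
    return findings

if __name__ == "__main__":
    print("good:", audit_trust_policy(GOOD, "example-external-id"))
    print("weak:", audit_trust_policy(WEAK, "example-external-id"))
```

To run it against a real role, pass in the `Role.AssumeRolePolicyDocument` object returned by `aws iam get-role` along with the External ID shown on the CloudZero connection screen.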
Step 3: Enter connection details in CloudZero
Complete the section that matches your account type.
For a Billing (Payer) Account
- Enter a Connection Name (for example, my-aws-billing-cur2). No spaces, periods, or special characters (max 50 characters).
- Enter the AWS Account ID, the 12-digit account ID that owns the Data Export.
- Enter the S3 Bucket Name where Data Exports writes your CUR 2.0 Parquet files.
- Enter the S3 Path Prefix you set in the Data Export.
- Enter the Data Export Name, the name of the export you created in AWS (not the bucket name).
- Select Save & Continue.
For a Resources (Member) Account
- Enter a Connection Name (for example, my-aws-resources). No spaces, periods, or special characters (max 50 characters).
- Enter the Cross-Account IAM Role ARN of the role you created. You can find this on the role's summary page in the AWS IAM Console.
- Select Save & Continue.
Step 4: Verify the connection
Check the connection status on the Cloud Connections page. Billing connections appear in the Billing Connections table and resource connections appear in the AWS Resources tab. The Status column shows a green healthy indicator when the connection is active.
What to expect
Your cost data appears across the platform within 24 hours.
You can connect additional AWS accounts at any time by repeating this process. To connect many resource accounts at once, see Connect Resource Accounts at Scale. CloudZero supports organizations with multiple Management Accounts.
If your organization uses AWS resource tags, you can bring them into CloudZero for additional filtering and grouping options. See Use AWS Tags in CloudZero.
Have questions or feedback? Reach out to your account manager.

