IAM

Setting up an AWS integration via IAM Role is a five-step process:

  1. Create a new AWS integration in CloudWisdom.
    • Optionally, define data filters for AWS elements to be included in or excluded from CloudWisdom using tags (key-value pairs).
  2. Create a custom in-line policy for Cost Explorer API access.
  3. Create a custom in-line policy for Cost and Usage Reports read access.
  4. Create an IAM role in your AWS Console.
  5. Add your IAM Role’s ARN to your AWS integration in CloudWisdom.

If you already have an existing IAM role for CloudWisdom but it does not include in-line policies for Cost Explorer or Cost and Usage Reports, start with sections 2 and 3.

1: Create a new AWS integration in CloudWisdom

  1. Log in to CloudWisdom and select the Integrations icon.
  2. Select the Amazon Web Services card.
  3. Select Add Integration to create a new integration. (If updating an existing integration, select View Current Integrations.)
  4. Provide a name for the new AWS integration.
  5. Enable Cost Explorer API and Cost And Usage Reports if applicable to this integration.
  6. For Authentication, select IAM Role.
  7. In a separate, new tab, open your AWS console.

2: Create a Custom In-line Policy for Cost Explorer API Access

  1. Log in to your AWS Console.
  2. In Find Services, search for IAM and select the result.
  3. Select Policies.
  4. Select Create Policy.
  5. Switch to the JSON tab.
  6. Copy and paste the following code into the Policy Document section:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Action": "ce:Get*",
           "Resource": "*",
           "Effect": "Allow"
         }
       ]
     }
  7. Select Review Policy.
  8. Provide a Name, such as CostExplorerAPIReadOnly. You must add this customer managed policy to your IAM role in Part 4.
  9. Review the permissions summary and select Create Policy.

3: Create a Custom In-line Policy for Cost and Usage Report Read Access

  1. Return to IAM > Policies.
  2. Select Create Policy.
  3. Switch to the JSON tab.
  4. Copy and paste the following code into the Policy Document section:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": "cur:DescribeReportDefinitions",
           "Resource": "*"
         }
       ]
     }
  5. Select Review Policy.
  6. Provide a Name, such as ReadCostAndUsageReportDefinitions. You must add this customer managed policy to your IAM role in Part 4.
  7. Review the permissions summary and select Create Policy.

4: Create Read-Only Role

This guide includes instructions for setting up both standard and minimal read permissions.

  1. Log in to your AWS Console.
  2. In Find Services, search for IAM and select the result.
  3. Select Roles.
  4. Select Create role.
  5. Select Another AWS Account.
  6. Provide the Account ID from your CloudWisdom AWS integration. Leave Require MFA unchecked.
  7. Select Next: Permissions.

5: Define Role Permissions

There are four options available for this role: standard permissions, minimal monitoring permissions, minimal cost permissions, and management account permissions. A minimal-permission policy must be created before it can be assigned to an IAM role.

We recommend opening a second browser tab to follow this section when creating minimal read-only policies. Once the policy is created, use the original tab to resume setup of the IAM role.

Standard Permissions

Grants blanket read-only access to collect CloudWatch performance metrics and billing files from S3.


Minimal Monitoring Permissions

Grants read-only access to collect CloudWatch performance metrics for the AWS services for which CloudWisdom provides an integration.


Minimal Cost Permissions

Grants read-only access to collect CloudWatch performance metrics and billing files limited to only the AWS services that CloudWisdom provides cost reports for.


Management Account Billing Permissions

Grants read-only access to collect billing files from a single S3 bucket, which can be located in a management account.


6: Update AWS Integration in CloudWisdom with the Role ARN

  1. Return to the open CloudWisdom tab from Section 1.
  2. Add the Role ARN from the IAM role found in your AWS Console.
  3. Save.