IAM

IAM Role Method

Setting up an AWS integration via IAM Role is a four step process:

  1. Create a new AWS integration in CloudWisdom.
    • Optionally, define data filters for AWS elements to be included/excluded in CloudWisdom using tags (key-value pairs).
  2. Create a custom in-line policy for Cost Explorer API access.
  3. Create an IAM role in your AWS Console.
  4. Add your IAM Role’s ARN to your AWS integration in CloudWisdom.

If you already have an existing IAM role for CloudWisdom but it does not include a policy for Cost Explorer, skip to the last section.

1: Create a new AWS integration in CloudWisdom

  1. Log in to CloudWisdom and select the Integrations icon.
  2. Select the Amazon Web Services card.
  3. Select Add Integration to create a new integration. (If updating an existing integration, select View Current Integrations.)
  4. Provide a name for the new AWS integration.
  5. Enable Detailed Billing and Explorer API.
  6. For Authentication, select IAM Role.
  7. In a separate, new tab, open your AWS console.

2: Create a Custom In-line Policy for Cost Explorer API Access

  1. Log in to your AWS Console.
  2. In Find Services, search for IAM and select the result.
  3. Select Policies.
  4. Select Create Policy.
  5. Switch to the JSON tab.
  6. Copy and paste the following code into the Policy Document section.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ce:*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
  7. Select Review Policy.
  8. Provide a Name, such as CostExplorerAPIAccess. You must add this customer-managed policy to your IAM role in Part 3.
  9. Review the permissions summary and select Create Policy.

3: Create Read Only Role (with standard permissions)

  1. Log in to your AWS Console.
  2. In Find Services, search for IAM and select the result.
  3. Select Roles.
  4. Select Create role.
  5. Select Another AWS Account.
  6. Provide the Account ID from your CloudWisdom AWS integration. Leave Require MFA unchecked.
  7. Select Next: Permissions.
  8. For Attach permission policies, add all of the following:
    • CostExplorerAPIAccess (Filter policies > Customer Managed)
    • AmazonMQReadOnlyAccess
    • ReadOnlyAccess
  9. Select Next Step: Tags and add any needed tags; this is an optional step and you may skip it.
  10. Select Next: Review.
  11. Add Role Name: CloudWisdom.
  12. Select Create Role. You are returned to IAM Roles in your AWS console.
  13. Select the new role you have created.
  14. Copy the Role ARN.

Alternative: Create a Custom Policy with Minimal Permissions (Read Only Role)

If you want to use a limited read-only access policy, you’ll need to create a custom policy before creating the IAM role.

  1. Log in to your AWS Console.
  2. In Find Services, search for IAM and select the result.
  3. Select Policies.
  4. Select Create Policy.
  5. Switch to the JSON tab.
  6. Copy and paste the following code into the Policy Document section.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "ce:*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "dynamodb:Describe*",
        "dynamodb:Get*",
        "dynamodb:List*",
        "ec2:Describe*",
        "ec2:GetConsoleOutput",
        "ecs:Describe*",
        "ecs:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "iam:Get*",
        "kinesis:DescribeStream",
        "kinesis:Get*",
        "kinesis:List*",
        "lambda:List*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "mq:List*",
        "mq:Describe*",
        "s3:Describe*",
        "s3:Get*",
        "s3:List*",
        "sqs:Get*",
        "sqs:List*",
        "tag:Get*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
  7. Select Review Policy.
  8. Provide a Name.
  9. Review the permissions summary and select Create Policy.
  10. Follow Part 3 of this guide, replacing step 8 with your custom minimal permissions policy.
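As an added example (not CloudWisdom's or AWS's own code), the following Python script is an offline least-privilege review of the two policy documents from Part 2 and this section, with the page's action list embedded: it classifies each allowed action as read-only (a Describe*/Get*/List* verb) or as a service-wide wildcard such as ce:*, which grants every Cost Explorer action rather than only reads and is the one entry in either policy that deserves a second look before you attach it.

```python
# Constructed example: offline least-privilege review of the two policy documents
# this page has you paste into the AWS console (Part 2 and the Alternative section).
READ_ONLY_VERBS = ("Describe", "Get", "List")

# Cost Explorer policy from Part 2, step 6.
COST_EXPLORER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "ce:*", "Resource": "*", "Effect": "Allow"}]}

# Action list from the "minimal permissions" policy in the Alternative section.
MINIMAL_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": (
        "autoscaling:Describe* ce:* cloudwatch:Describe* cloudwatch:Get* cloudwatch:List* "
        "dynamodb:Describe* dynamodb:Get* dynamodb:List* ec2:Describe* ec2:GetConsoleOutput "
        "ecs:Describe* ecs:List* elasticache:Describe* elasticache:List* "
        "elasticloadbalancing:Describe* elasticmapreduce:Describe* elasticmapreduce:List* "
        "iam:Get* kinesis:DescribeStream kinesis:Get* kinesis:List* lambda:List* "
        "rds:Describe* rds:ListTagsForResource redshift:Describe* mq:List* mq:Describe* "
        "s3:Describe* s3:Get* s3:List* sqs:Get* sqs:List* tag:Get*").split()}]}

def allowed_actions(policy):
    """Every action granted by Allow statements; Action may be a string or a list."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        found.extend([actions] if isinstance(actions, str) else actions)
    return found

def classify(action):
    """'read-only' for Describe*/Get*/List* verbs, 'service-wildcard' for '<service>:*'
    (every action of that service, not only reads), otherwise 'review'."""
    _service, _, verb = action.partition(":")
    if verb == "*":
        return "service-wildcard"
    if verb.startswith(READ_ONLY_VERBS):
        return "read-only"
    return "review"

def audit(policy):
    """Group a policy's allowed actions by classification, sorted for stable output."""
    report = {"read-only": [], "service-wildcard": [], "review": []}
    for action in allowed_actions(policy):
        report[classify(action)].append(action)
    return {k: sorted(v) for k, v in report.items()}

if __name__ == "__main__":
    print(audit(COST_EXPLORER_POLICY), audit(MINIMAL_POLICY), sep="\n")
```

Run it before attaching the policies to the CloudWisdom role; anything that lands under "service-wildcard" or "review" is what to narrow or justify.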

4: Update AWS Integration in CloudWisdom with the Role ARN

  1. Return to the open CloudWisdom tab from Step 1.
  2. Add the Role ARN from the IAM role found in your AWS Console.
  3. Save.