Merge pull request #184653 from bandersmsft/setup-config-aws-integration-01102022

CMB - Updated aws-integration-setup-configure

Author: PRMerger5

articles/cost-management-billing/costs/aws-integration-set-up-configure.md

@@ -3,7 +3,7 @@ title: Set up AWS integration with Azure Cost Management
 description: This article walks you through setting up and configuring AWS Cost and Usage report integration with Cost Management.
 author: bandersmsft
 ms.author: banders
-ms.date: 10/07/2021
+ms.date: 01/10/2022
 ms.topic: how-to
 ms.service: cost-management-billing
 ms.subservice: cost-management
@@ -16,10 +16,6 @@ With Amazon Web Services (AWS) Cost and Usage report (CUR) integration, you moni
 
 Cost Management processes the AWS Cost and Usage report stored in an S3 bucket by using your AWS access credentials to get report definitions and download report GZIP CSV files.
 
-Watch the video [How to set up Connectors for AWS in Cost Management](https://www.youtube.com/watch?v=Jg5KC1cx5cA) to learn more about how to set up AWS report integration. To watch other videos, visit the [Cost Management YouTube channel](https://www.youtube.com/c/AzureCostManagement).
-
->[!VIDEO https://www.youtube.com/embed/Jg5KC1cx5cA]
-
 ## Create a Cost and Usage report in AWS
 
 Using a Cost and Usage report is the AWS-recommended way to collect and process AWS costs. The Cost Management cross cloud connector supports cost and usage reports configured at the management (consolidated) account level. For more information, see the [AWS Cost and Usage Report](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-reports-costusage.html) documentation.
@@ -104,26 +100,40 @@ Add permission for AWS Organizations:
 
 1. Enter **Organizations**.
 2. Select **Access level** > **List** > **ListAccounts**. This action gets the names of the accounts.
-3. In **Review Policy**, enter a name for the new policy. Check that you entered the correct information, and then select **Create Policy**.
-4. Go back to the previous tab and refresh your browser's webpage. On the search bar, search for your new policy.
-5. Select **Next: Review**.
-6. Enter a name for the new role. Check that you entered the correct information, and then select **Create Role**.
+3. Select **Add Additional permissions**.
+
+Configure permissions for Policies
+
+1.	Enter **IAM**.
+1.	Select Access level > List > **ListAttachedRolePolicies** and **ListPolicyVersions** and **ListRoles**.
+1.	Select Access level > Read > **GetPolicyVersion**.
+1.	Select **Resources** > policy, and then select **Any**. These actions allow verification that only the minimal required set of permissions were granted to the connector.
+1.	Select role - **Add ARN**. The account number should be automatically populated.
+1.	In **Role name with path** enter a role name and note it. You need to use it in the final role creation step.
+1.	Select **Add**.
+1.	Select **Next: Tags**. You may enter tags you wish to use or skip this step. This step isn't required to create a connector in Cost Management.
+1.	Select **Next: Review Policy**.
+1.	In Review Policy, enter a name for the new policy. Verify that you entered the correct information, and then select **Create Policy**.
+1.	Go back to the previous tab and refresh the policies list. On the search bar, search for your new policy.
+1.	Select **Next: Review**.
+1.	Enter the same role name you defined and noted while configuring the IAM permissions. Verify that you entered the correct information, and then select **Create Role**.
 
-    Note the role ARN and the external ID used in the preceding steps when you created the role. You'll use them later when you set up the Cost Management connector.
+Note the role ARN and the external ID used in the preceding steps when you created the role. You'll use them later when you set up the Cost Management connector.
 
-The policy JSON should resemble the following example. Replace _bucketname_ with the name of your S3 bucket.
+The policy JSON should resemble the following example. Replace `bucketname` with the name of your S3 bucket, `accountname` with your account number and `rolename` with the role name you created.
 
-```JSON
+```json
 {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
-"organizations:ListAccounts",
-             "ce:*",
-             "cur:DescribeReportDefinitions"
+   	    "organizations:ListAccounts",
+            "iam:ListRoles",
+            "ce:*",
+            "cur:DescribeReportDefinitions"
             ],
             "Resource": "*"
         },
@@ -133,10 +143,15 @@ The policy JSON should resemble the following example. Replace _bucketname_ with
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket"
+                "iam:GetPolicyVersion",
+                "iam:ListPolicyVersions",
+                "iam:ListAttachedRolePolicies",
             ],
             "Resource": [
                 "arn:aws:s3:::bucketname",
                 "arn:aws:s3:::bucketname/*"
+                "arn:aws:iam::accountnumber:policy/*",
+                "arn:aws:iam::accountnumber:role/rolename"
             ]
         }
     ]