---
description: Learn how you can add your AWS data sources to the FinOps platform. FinOps for Cloud supports both AWS organizations and individual AWS standalone accounts.
---

# Amazon Web Services

## Know your account types

FinOps for Cloud supports three account types as described in the following table:

{% hint style="warning" %} If you want to add a member account in an AWS Organization to FinOps for Cloud, but you do not have access to the management account, follow the instructions for a standalone account. {% endhint %}

| Term | Definition and use |
| --- | --- |
| Management account | The AWS account you use to create your AWS Organization. Its owner pays for all usage, data, and resources consumed by every account in the organization. It is also called a root account, master account, billing account, or payer account (not to be confused with an account's root user, which is an identity inside an account). In FinOps for Cloud, use this account type when adding an AWS Organization management account. |
| Member account | An AWS account, other than the management account, that is part of an AWS Organization. The management account pays for all member accounts in the organization. It is also called a linked account, child account, usage account, or sub-account. In FinOps for Cloud, use this account type when adding an AWS Organization member account whose management account has already been added to FinOps for Cloud. |
| Standalone account | An AWS account that is not part of an AWS Organization. It stands on its own and is not linked to any other account for consolidated billing, management, or policy control. It is also called an individual account, non-organizational account, or unlinked account. In FinOps for Cloud, use this account type for an account outside any AWS Organization, and for an Organization member account when you do not have access to its management account (see the warning above). |

## Assumed roles vs IAM user access keys

FinOps for Cloud supports adding data sources using two authentication methods:

  • Assumed role - This is the recommended approach to adding AWS accounts to FinOps for Cloud. An IAM role is an identity that has no permanent credentials of its own (no password or access keys). Instead, it defines permissions that a trusted entity (an AWS service, another AWS account, or an application running on an EC2 instance) can assume through AWS STS to obtain temporary security credentials that expire on their own. The role's trust policy controls who may assume it; when the trusted entity is a third-party service in another AWS account, AWS recommends restricting the trusted principal to that account and requiring an external ID, so the service cannot be tricked into using your role on someone else's behalf (the confused-deputy problem).
  • IAM user with access key - Access keys are long-lived credentials consisting of an Access Key ID and a Secret Access Key. They belong to a specific IAM user (or the root user, which is strongly discouraged) and are used for programmatic API requests to AWS, typically from the AWS CLI, SDKs, or third-party applications. Because they never expire by themselves, a leaked key stays valid until you rotate or deactivate it. Read more about the security risks associated with this approach in the AWS documentation.

{% hint style="info" %} SoftwareOne strongly recommends using assumed roles to configure your data sources. {% endhint %}

## Configuring your AWS accounts

### AWS Organizations

Depending on whether you have access to the management account and to its member accounts, there are different ways to add AWS data sources to FinOps for Cloud.

{% hint style="info" %} If you add only a management account without connecting its member accounts, any expenses from those unconnected member accounts are ignored, even if they appear in the data export file.

To capture expenses for both the management account and its member accounts, add every AWS account individually. FinOps for Cloud does not process data from unconnected member accounts. {% endhint %}

#### With access to the management account

If you have access to create a Cost and Usage Report (CUR) and Identity and Access Management (IAM) roles or users in your management account, follow these steps:

{% stepper %}
{% step %}
### Add your management account

To add your management account:

  1. Create a Cost and Usage Report (CUR) in AWS.
  2. Create the FinOpsForCloudBillingImport IAM policy.
  3. Create the FinOpsForCloudResourceDiscovery IAM policy.
  4. If you are using an assumed role (recommended):
    1. Create the FinOpsForCloudAccessRole IAM role.
  5. If you are using an IAM user with an access key:
    1. Create the FinOpsForCloudUser IAM user.
    2. Create an access key for the FinOpsForCloudUser IAM user.
  6. Add the management account data source to FinOps for Cloud.
{% endstep %}

{% step %}
### Add your member accounts to FinOps for Cloud

{% hint style="info" %} When you add a member account and the management account has already been added, you do not need to create a Cost and Usage Report or the FinOpsForCloudBillingImport policy: the member account's costs are already present in the management account's imported cost and usage data. {% endhint %}

To add your member accounts:

  1. Create the FinOpsForCloudResourceDiscovery IAM policy.
  2. If you are using an assumed role (recommended):
    1. Create the FinOpsForCloudAccessRole IAM role.
  3. If you are using an IAM user with an access key:
    1. Create the FinOpsForCloudUser IAM user.
    2. Create an access key for the FinOpsForCloudUser IAM user.
  4. Add the member account data source to FinOps for Cloud.
  5. Repeat steps 1 - 4 for each member account you want to add.
{% endstep %}
{% endstepper %}

{% hint style="success" %} When the member accounts are added, FinOps for Cloud automatically identifies the management account and uses the imported cost and usage data from that account. {% endhint %}

#### Without access to the management account

If you don't have access to your management account, you can create individual CURs in each member account and add them to FinOps for Cloud as if they were standalone accounts.

To add your member account to FinOps for Cloud, follow the steps below for AWS standalone accounts.

### AWS standalone accounts

To add a standalone AWS account:

  1. Create a Cost and Usage Report (CUR) in AWS.
  2. Create the FinOpsForCloudBillingImport IAM policy.
  3. Create the FinOpsForCloudResourceDiscovery IAM policy.
  4. If you are using an assumed role (recommended):
    1. Create the FinOpsForCloudAccessRole IAM role.
  5. If you are using an IAM user with an access key:
    1. Create the FinOpsForCloudUser IAM user.
    2. Create an access key for the FinOpsForCloudUser IAM user.
  6. Add the standalone account data source to FinOps for Cloud.
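The three procedures above (management, member, and standalone account) share the same IAM work on the recommended assumed-role path: two customer-managed policies named FinOpsForCloudBillingImport and FinOpsForCloudResourceDiscovery, and a FinOpsForCloudAccessRole whose trust policy decides who may assume it, which is also the point made in the "Assumed roles vs IAM user access keys" section. The script below is an added example written for this page with the AWS CLI; it is not SoftwareOne's tooling, and the trusted FinOps for Cloud account ID, the external ID, the CUR bucket name, and the permission statements in the two policies are placeholders (assumptions) that you must replace with the values and policy documents published on the FinOps for Cloud policy pages.

```bash
#!/bin/sh
# Added example for this page, not SoftwareOne's tooling. Builds and applies the
# IAM pieces from the procedures above for the assumed-role path.
# ASSUMPTIONS (placeholders, replace before use): the trusted account ID and
# external ID passed to apply, the CUR bucket name, and the permission
# statements in the two policies below, which are a plausible read-only scope
# rather than the documents FinOps for Cloud publishes.
set -eu

# Trust policy for FinOpsForCloudAccessRole: only the named account may assume
# the role, and only when it presents the agreed external ID, which stops the
# service from being tricked into using this role on someone else's behalf.
build_trust_policy() {
  local trusted_account_id="$1" external_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${trusted_account_id}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "${external_id}"}}
  }]
}
EOF
}

# FinOpsForCloudBillingImport (assumed scope): read the CUR objects, nothing else.
build_billing_import_policy() {
  local bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::${bucket}"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::${bucket}/*"}
  ]
}
EOF
}

# FinOpsForCloudResourceDiscovery (assumed scope): describe/list calls only,
# nothing that creates, changes, or deletes resources.
build_resource_discovery_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "rds:Describe*", "elasticloadbalancing:Describe*",
               "s3:ListAllMyBuckets", "s3:GetBucketLocation", "cloudwatch:GetMetricData"],
    "Resource": "*"
  }]
}
EOF
}

# Gate before anything is applied: reject a trust policy that trusts everyone
# ("AWS": "*") or that has no external-ID condition. Returns 0 only when safe.
check_trust_policy() {
  if printf '%s' "$1" | grep -Eq '"AWS": *"\*"'; then return 1; fi
  printf '%s' "$1" | grep -q '"sts:ExternalId"'
}

# apply TRUSTED_ACCOUNT_ID EXTERNAL_ID [CUR_BUCKET]
# Creates the role and policies in the current account and attaches them.
# Omit CUR_BUCKET for a member account whose management account is already
# connected: only the discovery policy is then created, as the member steps say.
apply() {
  local trusted="$1" ext="$2" bucket="${3:-}" tmp me
  tmp="$(mktemp -d)"
  build_trust_policy "$trusted" "$ext" > "$tmp/trust.json"
  check_trust_policy "$(cat "$tmp/trust.json")" || { echo "refusing unsafe trust policy" >&2; return 1; }
  me="$(aws sts get-caller-identity --query Account --output text)"
  aws iam create-role --role-name FinOpsForCloudAccessRole \
    --assume-role-policy-document "file://$tmp/trust.json"
  build_resource_discovery_policy > "$tmp/discovery.json"
  aws iam create-policy --policy-name FinOpsForCloudResourceDiscovery \
    --policy-document "file://$tmp/discovery.json"
  aws iam attach-role-policy --role-name FinOpsForCloudAccessRole \
    --policy-arn "arn:aws:iam::${me}:policy/FinOpsForCloudResourceDiscovery"
  if [ -n "$bucket" ]; then
    build_billing_import_policy "$bucket" > "$tmp/billing.json"
    aws iam create-policy --policy-name FinOpsForCloudBillingImport \
      --policy-document "file://$tmp/billing.json"
    aws iam attach-role-policy --role-name FinOpsForCloudAccessRole \
      --policy-arn "arn:aws:iam::${me}:policy/FinOpsForCloudBillingImport"
  fi
  rm -rf "$tmp"
  echo "arn:aws:iam::${me}:role/FinOpsForCloudAccessRole"   # the ARN you register in FinOps for Cloud
}

# From the trusted account's side: confirm the role is assumable with the
# external ID. The same call without --external-id must fail with AccessDenied.
verify_assume() {
  local role_arn="$1" ext="$2"
  aws sts assume-role --role-arn "$role_arn" --role-session-name finops-check \
    --external-id "$ext" --query 'Credentials.Expiration' --output text
}

# Usage (placeholder values):
#   apply 111122223333 'finops-external-id' my-cur-bucket   # management or standalone account
#   apply 111122223333 'finops-external-id'                 # member account, management already added
#   verify_assume arn:aws:iam::444455556666:role/FinOpsForCloudAccessRole 'finops-external-id'
```

Run `apply` with credentials in the account being added, then register the printed role ARN (and the external ID) as the data source. If you must use the discouraged access-key path instead, attach the same two policies to the FinOpsForCloudUser IAM user and put the key on a rotation schedule, since nothing expires it otherwise.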