Skip to content

configure-aws-access.md

Latest commit

 

History

History
161 lines (131 loc) · 5.83 KB

configure-aws-access.md

File metadata and controls

161 lines (131 loc) · 5.83 KB
description
Configuring access to your AWS account for FinOps for Cloud requires the creation of two policies for billing imports and resource discovery, and a trusted role (recommended) or IAM user.

Configure AWS Access

AWS IAM Policies

FinOps for Cloud requires two policies, depending on the type of account being onboarded:

  • Billing import access policy - This policy allows FinOps for Cloud to read cost and usage data from the configured S3 bucket. This policy is only required when you are onboarding an account that contains a cost and usage report.
  • Resource discovery access policy - This policy allows FinOps for Cloud to discover new and changed resources in your AWS account more often than AWS updates the cost and usage reports. This allows FinOps for Cloud to show information about your spend that is more up-to-date than what is contained in the cost and usage report.

Create a policy for billing imports

The billing import access policy is only required for accounts with cost and usage reports configured for FinOps for Cloud.

A suggested name for the policy is FinOpsForCloudBillingImport.

{% hint style="warning" %} In the following policy, be sure to replace <bucket_name> with a valid name of your S3 bucket. {% endhint %}

{% code lineNumbers="true" %}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FinOpsForCloudGetBillingFiles",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>/*"
        },
        {
            "Sid": "FinOpsForCloudManageBillingBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:PutBucketPolicy",
                "s3:PutObject"

            ],
            "Resource": "arn:aws:s3:::<bucket_name>"
        }
    ]
}

{% endcode %}

Create a policy for resource discovery

The resource discovery access policy is required for all accounts.

A suggested name for the policy is FinOpsForCloudResourceDiscovery.

{% code lineNumbers="true" %}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FinOpsforCloudGetResources",
            "Effect": "Allow",
            "Action": [
                "bcm-data-exports:GetExport",
                "bcm-data-exports:ListExports",
                "cloudwatch:GetMetricStatistics",
                "cur:DescribeReportDefinitions",
                "ec2:Describe*",
                "elasticloadbalancing:Describe*",
                "iam:GetAccessKeyLastUsed",
                "iam:GetLoginProfile",
                "iam:ListAccessKeys",
                "iam:ListUsers",
                "s3:GetAnalyticsConfiguration",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:GetIntelligentTieringConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetMetricsConfiguration",
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:ListBucket"
            ],
            "Resource": "*"
        }
    ]
}

{% endcode %}

AWS IAM assumed role

Creating a new IAM role

To create a new IAM role for FinOps for Cloud, see Create a role using custom trust policies in the AWS IAM user guide.

When creating the role, use the following settings:

  1. For Trusted entity type, choose Custom trust policy.
  2. Under Custom trust policy, copy and paste the following trust policy:

{% code lineNumbers="true" %}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::654035049067:user/ffc-service-user"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

{% endcode %}

  1. Select Next.
  2. Under Permissions policies, select the following policies:
    1. FinOpsForCloudResourceDiscovery (always required)
    2. FinOpsForCloudBillingImport (required only for management or standalone accounts with cost and usage reports buckets)
  3. Under Set permissions boundary, select Create role without a permissions boundary. Then, select Next.
  4. Under Role name, enter FinOpsForCloudAccessRole. Then, enter your own optional description and add any tags you require.
  5. Select Create role.

AWS IAM user and access key

Creating a new IAM user

To create a new IAM user for FinOps for Cloud, see Create an IAM user in your AWS account in the AWS IAM User Guide.

When creating the user, use the following settings:

  1. For User name, enter FinOpsForCloudUser.
  2. In Provide user access to the AWS Management Console, select No.
  3. Under Set permissions, select Attach policies directly.
    1. FinOpsForCloudResourceDiscovery (always required)
    2. FinOpsForCloudBillingImport (required only for accounts with cost and usage reports buckets)

Creating an access key for FinOps for Cloud

To create an access key for FinOps for Cloud, see Create an access key for an IAM user in the AWS IAM User Guide.

When creating the access key, choose Third-party service as your use case.

{% hint style="warning" %} Be sure to store your access key and secret access key securely. This is your only chance to view or download the newly created access key, as it cannot be recovered later. {% endhint %}