SpendEffix supports the AWS Organizations service, which links several Data Sources so that the data of multiple users can be managed centrally while all billing exports arrive within a single invoice. The Root account (payer) is the only one with access to the collective cloud spending data. When registering this type of profile in SpendEffix, the user is given the option to have Data Exports detected automatically.
Warning
When you connect the root account but do not connect the linked accounts, all expenses from the unconnected linked accounts will be ignored, even if they exist in the data export file. To retrieve expenses from both linked and root accounts, connect all AWS accounts (not just the root).
To track a new AWS Data Source in your SpendEffix account, please select the AWS Root Account tab at the Data Source Connection step during the initial configuration.
Automatic Billing Data Import in AWS
Step 1. Having Data Exports configured for your cloud account is the main prerequisite in order to proceed with the remaining actions. If Data Export hasn’t been configured, refer to the following section:
Connecting an AWS Root account that doesn’t have Data Export configured yet
Step 2. Update bucket policy
Navigate to the Permissions tab of your AWS S3 bucket and select Bucket Policy. Replace <bucket_name> with the name of the bucket. Replace <AWS account ID> with the AWS Account ID (12 digits without "-"):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableAWSDataExportsToWriteToS3AndCheckPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "billingreports.amazonaws.com",
          "bcm-data-exports.amazonaws.com"
        ]
      },
      "Action": [
        "s3:PutObject",
        "s3:GetBucketPolicy"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>/*",
        "arn:aws:s3:::<bucket_name>"
      ],
      "Condition": {
        "StringLike": {
          "aws:SourceAccount": "<AWS account ID>",
          "aws:SourceArn": [
            "arn:aws:cur:us-east-1:<AWS account ID>:definition/*",
            "arn:aws:bcm-data-exports:us-east-1:<AWS account ID>:export/*"
          ]
        }
      }
    }
  ]
}
Step 3. Create user policy for read only access
Go to Identity and Access Management (IAM) → Policies. Create a new user policy for read-only access to the bucket (replace <bucket_name> in the policy):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReportDefinition",
      "Effect": "Allow",
      "Action": [
        "cur:DescribeReportDefinitions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GetObject",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    },
    {
      "Sid": "BucketOperations",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>"
    }
  ]
}
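An added example (not SpendEffix's own code): a small linter for the Step 2 and Step 3 policies once the placeholders are filled in. It flags leftover placeholders, an account ID that is not 12 digits, a service-principal statement without the aws:SourceAccount condition, non-read actions in the user policy, and S3 resources outside the export bucket. The function names and the Get/List/Describe read-action heuristic are assumptions.

```python
import json
import re

S3 = "arn:aws:s3:::"
PLACEHOLDER = re.compile(r"<[^<>]+>")
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)")  # heuristic (assumption)
# Step 2 and Step 3 templates from the page, compacted; placeholders left as-is.
BUCKET_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "EnableAWSDataExportsToWriteToS3AndCheckPolicy", "Effect": "Allow",
  "Principal": {"Service": ["billingreports.amazonaws.com", "bcm-data-exports.amazonaws.com"]},
  "Action": ["s3:PutObject", "s3:GetBucketPolicy"],
  "Resource": ["arn:aws:s3:::<bucket_name>/*", "arn:aws:s3:::<bucket_name>"],
  "Condition": {"StringLike": {"aws:SourceAccount": "<AWS account ID>", "aws:SourceArn": [
    "arn:aws:cur:us-east-1:<AWS account ID>:definition/*",
    "arn:aws:bcm-data-exports:us-east-1:<AWS account ID>:export/*"]}}}]}"""
USER_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReportDefinition", "Effect": "Allow",
   "Action": ["cur:DescribeReportDefinitions"], "Resource": "*"},
  {"Sid": "GetObject", "Effect": "Allow",
   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::<bucket_name>/*"},
  {"Sid": "BucketOperations", "Effect": "Allow",
   "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": "arn:aws:s3:::<bucket_name>"}]}"""

def render(template, bucket, account_id=""):
    return template.replace("<bucket_name>", bucket).replace("<AWS account ID>", account_id)

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(text, bucket, account_id=None, read_only=False):
    """Return findings for a filled-in policy; an empty list means it passed."""
    findings = []
    if PLACEHOLDER.search(text):
        findings.append("unreplaced placeholder")
    if account_id is not None and not re.fullmatch(r"\d{12}", account_id):
        findings.append("account ID is not 12 digits")
    for st in json.loads(text)["Statement"]:
        sid, principal = st.get("Sid", "?"), st.get("Principal")
        if isinstance(principal, dict) and "Service" in principal:
            # Condition keys are case-insensitive, so compare in lower case.
            keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
            if "aws:sourceaccount" not in keys:
                findings.append(f"{sid}: service principal without aws:SourceAccount")
        if read_only:  # identity policy for the SpendEffix user: reads only
            findings += [f"{sid}: {a} is not a read action"
                         for a in as_list(st["Action"]) if not READ_ONLY.match(a)]
        for res in as_list(st["Resource"]):
            if res.startswith(S3) and res[len(S3):].split("/")[0] != bucket:
                findings.append(f"{sid}: resource outside bucket {bucket}")
    return findings
```

For example, `lint_policy(render(USER_POLICY, "example-billing-bucket"), "example-billing-bucket", read_only=True)` returns an empty list; the bucket name here is a constructed sample value.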
Step 4. Create user and grant policies
Go to Identity and Access Management (IAM) → Users to create a new user.
Attach the created policy to the user:
Confirm creation of the user. Create an access key for the user (Identity and Access Management (IAM) → Users → Created user → Create access key):
Download or copy the Access key and Secret access key. Use these keys when connecting a Data Source in SpendEffix as the AWS Access Key ID and AWS Secret Access Key, respectively (at step 5).
Step 5. Create Data Source in SpendEffix
Go to SpendEffix. Register as a new user. Log in as a registered user. Create a Data Source.
Provide user credentials (see screenshot for more details):
- AWS Access key ID
- AWS Secret access key
- Select Export type: AWS Billing and Cost Management → Data Exports → Find the report configured earlier → Export type.
- Select "Connect only to data in bucket".
- Provide Data Export parameters:
  - Export Name: AWS Billing and Cost Management → Data Exports table → Export name.
  - Export S3 Bucket Name: AWS Billing and Cost Management → Data Exports table → S3 bucket.
  - Export path: AWS Billing and Cost Management → Data Exports table → Click on Export name → Edit → Data export storage settings → S3 destination → last folder name (without "/").
After creating a Data Source, you will need to wait for the export to be generated by AWS and uploaded to SpendEffix according to the schedule (performed on an hourly basis).
Discover Resources
SpendEffix needs to have permissions configured in AWS for the user Data Source in order to correctly discover resources and display them under a respective section of the dashboard for the associated employee.
Make sure to include the following policy in order for SpendEffix to be able to parse EC2 resources data:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SpendEffixOperations",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketTagging",
        "iam:GetAccessKeyLastUsed",
        "cloudwatch:GetMetricStatistics",
        "s3:GetBucketAcl",
        "ec2:Describe*",
        "s3:ListAllMyBuckets",
        "iam:ListUsers",
        "s3:GetBucketLocation",
        "iam:GetLoginProfile",
        "cur:DescribeReportDefinitions",
        "iam:ListAccessKeys"
      ],
      "Resource": "*"
    }
  ]
}
Your AWS Data Source should now be ready for integration with SpendEffix! Please contact our Support Team at support@cloudlytics.com if you have any questions regarding the described configuration flow.