Gaining clarity into your monthly spend on AWS is an essential part of good cloud management. Cloudyn provides a comprehensive view into costs for AWS services such as EC2, RDS, EBS, S3, SQS, DynamoDB, Elasticache, Elastic Load Balancing, Data Transfer, and more.
To fully benefit from this feature, use the following instructions to set up your AWS accounts in Cloudyn.
Note: If this is your first time adding an account to your Cloudyn instance, the following Welcome pop-up box appears:
Click AWS to continue.
Step 1 - Set up credentials
1. From Cloudyn Accounts, select Add new. Note: If you are setting up your first account, select Add AWS Account. The New AWS Account page appears.
2. Enter your account name.
3. Select one of the 2 available Access Type options. We recommend working with Role ARN.
Option 1: Adding Your Role ARN to a New Account
To enable role-based access to an AWS account in Cloudyn, the role must be created in your AWS console. You will need to obtain the Role ARN External ID from the AWS console and paste it into the New AWS Account page in Cloudyn.
- Log in to your AWS console and select Services.
- From the list of services, select IAM.
- Select Roles and then click Create Role.
- In the following screen, select "Another AWS account".
- Establish Trust - Enter the following values:
  - In Account ID, enter 432263259397
  - In External ID, enter the External ID from the New Account page in Cloudyn (for example, “Companyname1234567890123”). Do not change the “Require MFA” box (it should remain unchecked).
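The trust relationship created in the Establish Trust step can be checked after the role exists. The following Python audit is an added example, not Cloudyn's or AWS's own code: it takes the role's trust policy JSON and reports any principal other than account 432263259397, a missing or different External ID condition, or an MFA condition. The function names and sample policies are constructed for illustration, and condition keys are matched in the exact case the IAM console writes them.

```python
import json

CLOUDYN_ACCOUNT_ID = "432263259397"               # Account ID from the steps above
EXAMPLE_EXTERNAL_ID = "Companyname1234567890123"  # the page's example value

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID of a bare 12-digit ID or an IAM ARN; None for anything else."""
    if len(principal) == 12 and principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam" else None

def audit_trust_policy(policy_json, account_id, external_id):
    """Return findings for a role trust policy; an empty list means it matches the steps."""
    findings, grants = [], 0
    for n, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & actions:
            continue  # only statements that let someone assume the role matter here
        grants += 1
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind != "AWS" or _account_of(value) != account_id:
                    findings.append(f"statement {n}: unexpected principal {kind}={value}")
        cond = stmt.get("Condition", {})
        required = cond.get("StringEquals", {}).get("sts:ExternalId")
        if required is None:
            findings.append(f"statement {n}: no sts:ExternalId condition")
        elif _as_list(required) != [external_id]:
            findings.append(f"statement {n}: External ID differs from the expected value")
        if "aws:MultiFactorAuthPresent" in cond.get("Bool", {}):
            findings.append(f"statement {n}: MFA condition present (steps leave it unchecked)")
    if grants == 0:
        findings.append("no statement allows sts:AssumeRole")
    return findings

def sample_policy(principal, condition):
    """Constructed trust policy in the shape the IAM console generates."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal},
        "Action": "sts:AssumeRole", "Condition": condition}]})

if __name__ == "__main__":
    good = sample_policy(f"arn:aws:iam::{CLOUDYN_ACCOUNT_ID}:root",
                         {"StringEquals": {"sts:ExternalId": EXAMPLE_EXTERNAL_ID}})
    print(audit_trust_policy(good, CLOUDYN_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID))
```

The trust policy to feed in is the JSON shown on the role's Trust relationships tab in the IAM console.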
Option 2: Adding Your IAM User ARN for a new account
*We strongly recommend this update on all linked accounts.
- On your AWS Management Console, click IAM (Secure AWS Access Control) or alternatively navigate to this link: https://console.aws.amazon.com/iam/home .
- In the left Navigation pane, select Users.
- Click Create New Users.
- Fill in the name of the user. Make sure that the "Generate an access key" checkbox is selected.
- Click Create.
- In the notification window, click Download Credentials. Save the file in a secure location – it will contain the access and the secret key that you’ll need to complete your registration.
- After saving the file, close the window.
Important! Amazon does not keep user credentials – if the file is lost, you will have to delete the credentials and create a new set.
Step 2 - Activate detailed billing
This step is required for setting up your consolidated account.
1. Go to your Amazon IAM dashboard. Depending on the access type you chose when adding your AWS account, click on Users or Roles.
2. Click on the Cloudyn read-only user/role you set up in Step 1. A summary of details appears.
3. Copy and save your ARN (Amazon Resource Name) from this section and keep it available for you to use in later steps.
4. Go to your S3 Console and click Create Bucket. Enter the desired bucket name and region and then click Create.
5. Select the desired bucket and then click on Permissions. Click on Add bucket policy.
6. Add the attached recommended bucket policy snippet to your existing Bucket Policy and then click Save.
Note: When copying/pasting the attached snippet, make sure to replace CLOUDYN-READ-ONLY-USER-OR-ROLE-ARN with your ARN (see Step 3).
7. Click Billing & Cost Management.
8. Select Receive Billing Reports. Enter your bucket name. Click Verify.
9. Select all four billing reports as shown in the screenshot below and click Save Preferences.
Why do we recommend using the Role option?
AWS recommends the following:
Delegate by Using Roles Instead of by Sharing Credentials
You might need to allow users from another AWS account to access resources in your AWS account. If so, don't share security credentials, such as access keys, between accounts. Instead, use IAM roles. You can define a role that specifies what permissions the IAM users in the other account are allowed. You can also designate which AWS accounts have the IAM users that are allowed to assume the role.
Q: What is the difference between an IAM role and an IAM user?
An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.
Please note that it may take up to 24 hours until the detailed billing data starts showing in the Cloudyn console.