Create IAM User With Required Permissions

To connect AWS China billing exports to Flexera One, you must create an IAM user (legacy) in AWS China, or use an existing one, with the following permissions:

AmazonS3ReadOnlyAccess—Allows read-only access to the S3 bucket containing Cost and Usage Report (CUR) data.

Note: The Amazon S3 bucket is accessible from the IAM user credentials.

AWSBillingReadOnlyAccess—Allows read-only access to billing reports.

This topic includes the following sections:

IAM User Creation (Legacy) Instructions 
IAM Policy (IAM User) Creation Reference 

IAM User Creation (Legacy) Instructions

Users who choose not to use the IAM role can instead create an IAM user with read-only access to the S3 bucket containing your Cost and Usage Report, as well as read-only access to metadata about the accounts referenced in your bill.

To create an IAM user (Legacy):

1. Create a new IAM policy that allows read-only access to your S3 billing bucket and to metadata about the accounts referenced in your bill. For more information, see IAM Policy (IAM User) Creation Reference.
2. Create a new IAM user and attach only the newly created policy to this user. For instructions on this process, see the AWS documentation topic, IAM tutorial: Create and attach your first customer managed policy.
3. Capture the access key ID and secret access key for future use.

IAM Policy (IAM User) Creation Reference

To allow read-only access to your S3 billing bucket and metadata about the accounts referenced in your bill, create a new AWS IAM policy with the required Flexera One permissions. In the following sample policy, replace YOUR_BILLING_BUCKET_NAME_HERE with your bucket name. Take care not to delete the trailing /* in the s3:GetObject permission: the /* makes the resource match the objects in the bucket, which is what s3:GetObject acts on.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws-cn:s3:::YOUR_BILLING_BUCKET_NAME_HERE"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws-cn:s3:::YOUR_BILLING_BUCKET_NAME_HERE/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:Describe*",
                "organizations:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ce:GetReservationPurchaseRecommendation",
                "ce:GetSavingsPlansPurchaseRecommendation",
                "ce:GetSavingsPlansUtilizationDetails",
                "ce:GetReservationUtilization"
            ],
            "Resource": "*"
        }
    ]
}
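
The following check is an added example, not part of the Flexera or AWS documentation. It lints a filled-in copy of the policy above for the mistakes the text warns about (placeholder left in, trailing /* removed from the s3:GetObject resource) and, as assumptions of this example, for S3 ARNs outside the aws-cn partition and for actions that are not read-only. The function names, the read-only verb heuristic and the bucket name example-billing-bucket are constructed for illustration.

```python
import json

BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
READ_ONLY_VERBS = ("Get", "List", "Describe")  # heuristic: covers every action in the page's policy

def as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)

def lint_policy(policy_json, bucket):
    """Return findings for a filled-in policy; an empty list means it matches the page's shape."""
    bucket_arn = f"arn:aws-cn:s3:::{bucket}"
    findings = []
    if "YOUR_BILLING_BUCKET_NAME_HERE" in policy_json:
        findings.append("placeholder bucket name was not replaced")
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        for action in actions:
            if not action.split(":", 1)[-1].startswith(READ_ONLY_VERBS):
                findings.append(f"statement {i}: {action} is not a read-only action")
        s3_actions = {a for a in actions if a.startswith("s3:")}
        for res in resources if s3_actions else []:
            if not res.startswith("arn:aws-cn:"):
                findings.append(f"statement {i}: {res} is not in the aws-cn partition")
        if "s3:GetObject" in s3_actions and resources != [bucket_arn + "/*"]:
            findings.append(f"statement {i}: s3:GetObject must target {bucket_arn}/*")
        if s3_actions & BUCKET_ACTIONS and resources != [bucket_arn]:
            findings.append(f"statement {i}: bucket-level actions must target {bucket_arn}")
    return findings

def sample_policy(bucket, partition="aws-cn", object_suffix="/*"):
    """Constructed input: the page's S3 and Organizations statements for one bucket."""
    arn = f"arn:{partition}:s3:::{bucket}"
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": [arn]},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [arn + object_suffix]},
        {"Effect": "Allow", "Action": ["organizations:Describe*", "organizations:List*"], "Resource": "*"},
    ]})

if __name__ == "__main__":
    name = "example-billing-bucket"  # constructed bucket name
    cases = {"as documented": sample_policy(name),
             "trailing /* deleted": sample_policy(name, object_suffix=""),
             "global partition ARN": sample_policy(name, partition="aws")}
    for label, doc in cases.items():
        print(label, "->", lint_policy(doc, name) or "OK")
```

Run it against the JSON you are about to paste into the IAM console, before attaching the policy to the user.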