Amazon Web Services
Cloud Cost Optimization uses bill data to provide an accurate view of your costs across accounts and services. This data is consumed by the Flexera One platform and made available for pre-built and ad-hoc analyses. In order to gather the cost information, certain configuration steps must be performed with specific data and credentials being shared with Cloud Cost Optimization.
This topic describes how to configure AWS for cost reporting purposes and what information is needed to connect AWS billing data to Flexera One. The following steps must be completed in order for Flexera One to provide insight on your AWS bill:
| 1. | Enable Cost and Usage Reporting on Your AWS Payer Account |
| 2. | Cost and Usage Report Configuration |
| 3. | Configure Access to AWS for Cloud Cost Optimization |
| 4. | Submit the Information |
For information on Reserved Instance and Savings Plan Reallocation, see Reserved Instance and Savings Plan Reallocation.
For instructions on using Cloud Cost Optimization to add or update billing information, see Adding New Billing Data or Updating Billing Data Configurations. For instructions on connecting your cloud accounts to Policies, see Managing Credentials for Policy Access to External Systems.
Enable Cost and Usage Reporting on Your AWS Payer Account
In order to obtain all of the detail required to accurately display your cost information, we require you to enable the AWS Cost and Usage report. If your account is part of a consolidated billing group, this action must be performed on the master payer account. This process is detailed in AWS documentation on creating cost and usage reports in their Billing and Cost Management console: Creating Cost and Usage Reports.
When Cost and Usage Reporting has been enabled on your AWS payer account, continue with Cost and Usage Report Configuration.
Cost and Usage Report Configuration
Note:Flexera One currently supports legacy Cost and Usage Reports (CUR). For information about legacy cost and usage reports, see the AWS documentation topic, Legacy Cost and Usage Reports.
Follow the instructions to configure a Cost and Usage report, and consider also requesting (optional) backfill of Cost and Usage Report data from AWS.
Configuring the Cost and Usage Report
There are two approaches for using the AWS Cost and Usage report:
| • | Use an Existing Cost and Usage Report: For users who already have an AWS Cost and Usage report configured, simply confirm it is configured with the options Flexera One requires. The required AWS Cost and Usage Report configuration options appear in the following table. |
|
Configuration Option |
Setting |
|
Include resource IDs |
enabled |
|
Data refresh settings |
enabled |
|
Time granularity |
Hourly |
|
Report versioning |
Create new report version |
|
Compression type |
GZIP |
| • | Configure a New Cost and Usage Report: For users who do not have an existing AWS Cost and Usage report or for whom the existing AWS Cost and Usage report does not have the proper configuration, configure a new AWS Cost and Usage report. Configuration options and recommendations appear in the following table. |
|
Configuration Option |
Setting |
|
Include resource IDs |
enabled |
|
Data refresh settings |
enabled |
|
Time granularity |
Hourly |
|
Report versioning |
Create new report version |
|
Compression type |
GZIP |
|
Report Name |
Flexera recommends HourlyCostAndUsageReport. |
|
S3 Bucket Name |
Flexera recommends aws-<AccountID>-cost-and-usage-report. For example, aws-123456789012-cost-and-usage-report. |
|
Report Prefix |
Flexera recommends HourlyCostAndUsageReport. |
Optional: Requesting Backfill Cost and Usage Report Data from AWS
If your organization has Enterprise Support from AWS, you can request a backfill of Cost and Usage Report data from AWS customer support. This data is helpful for backfilling cost/usage data in a newly created Cost and Usage Report.
For backfill data, AWS supports a maximum number of 37 months from the creation date of the Cost and Usage Report.
See the sample AWS support ticket:
| • | Case Type: Account |
| • | Case Category: Billing, Invoices and Reports |
| • | Case Subject: Request to backfill cost data for newly created Cost & Usage Report |
| • | Case Message Body: |
Hello,
We recently created a Cost & Usage Report and would like to put in a request to have the historical data backfilled. Here are the CUR Report details:
Cost and Usage Report Name: <Replace with CUR Report Name>
S3 bucket: <Replace with CUR Report S3 Bucket Name>
S3 path prefix: <Replace with CUR Report Prefix>
Please backfill the cost data from <Replace with Start of Invoicing Data> to the current month.
Thank you
Once you have an AWS Cost and Usage Report created with the proper configuration options, take note of the S3 bucket the reports are being sent to as well as the value for Report Prefix. Then continue with the instructions in Configure Access to AWS for Cloud Cost Optimization.
Configure Access to AWS for Cloud Cost Optimization
In order to digest your bills, we require read access to the S3 bucket that you are exporting the bills to. This can be accomplished most easily by using the Cloud Formation Quickcreate link to create the cross-account information.
Note:Users who do not leverage the Cloud Formation Quickcreate link can work with the reference information and resources provided in this section, instead, to either manually create the IAM policy and IAM role or manually create the IAM policy and an IAM user (legacy).
If you elect to use a cross-account role (strongly recommended), the AWS Cloud Formation Template (CFT), linked in the instructions below, automates the creation of the IAM role and IAM policy and also outputs the Role ARN required to submit the billing information to Cloud Cost Optimization.
To create cross-account information for Cloud Cost Optimization
| 1. | In AWS, apply this CFT as a stack in the master payer account by deploying the Cloud Formation Template using either Cloud Formation Quickcreate (preferred) or JSON: |
| • | S3 Template (download link): https://s3.amazonaws.com/optima-cft/FlexeraCloudCostAccessRole.template |
| 2. | Capture the value for RoleARN from the CFT Outputs. |
| 3. | Submit the information to Cloud Cost Optimization. (See Submit the Information, below.) |
The following subsections provide supplementary details about the creation of an IAM policy, IAM role, and IAM user to provide read access to your cloud billing information:
| • | IAM Policy (Cross-Account Role and IAM User) Creation Reference |
| • | Cross-Account IAM Role Creation Guidelines |
| • | IAM User Creation (Legacy) Instructions |
IAM Policy (Cross-Account Role and IAM User) Creation Reference
To allow read-only access to your S3 billing bucket + metadata about the accounts referenced in your bill, create a new AWS IAM policy with the required Flexera One permissions. Using the sample policy below, simply replace the YOUR_BILLING_BUCKET_NAME_HERE with your bucket name. Take care not to delete the trailing /* in the s3:GetObject permission.
Tip:This IAM policy applies to both the cross-account role and IAM user options.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::YOUR_BILLING_BUCKET_NAME_HERE"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::YOUR_BILLING_BUCKET_NAME_HERE/*"
]
},
{
"Effect": "Allow",
"Action": [
"organizations:Describe*",
"organizations:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ce:GetReservationPurchaseRecommendation",
"ce:GetSavingsPlansPurchaseRecommendation",
"ce:GetSavingsPlansUtilization",
"ce:GetReservationUtilization"
],
"Resource": "*"
}
]
}
Cross-Account IAM Role Creation Guidelines
Users who leverage the Cloud Formation Quickcreate link have the IAM role created automatically. Otherwise, you can use the steps shown in Amazon’s AWS tutorial, “IAM Tutorial: Delegate Access Across AWS Accounts Using IAM Roles,” to create a cross-account role that with read access to the S3 bucket that contains your Cost and Usage Report + metadata about the accounts referenced in your bill. During the role creation process, use the following guidelines:
| • | For Account ID, use 451234325714. |
|
Flexera Zone |
AWS Account ID |
Role ARN |
Flexera Host |
|
North America |
451234325714 |
arn:aws:iam::451234325714:role/production_customer_access |
app.flexera.com |
|
Europe |
451234325714 |
arn:aws:iam::451234325714:role/production_eu_customer_access |
app.flexera.eu |
|
APAC |
451234325714 |
arn:aws:iam::451234325714:role/production_apac_customer_access |
app.flexera.au |
| • | For Require External ID use your Cloud Cost Optimization organization ID. |
| • | Your organization id can be found in the Flexera One URL once you are logged in: https://app.flexera.com/orgs/<ORG_ID>/... |
| • | Select the Cloud Cost Optimization role you created previously or create a new policy by selecting Create policy, selecting JSON, and supplying the IAM policy referenced above. |
| • | Find the newly created role and copy the ARN for the next step. |
When complete, you can submit the information to Cloud Cost Optimization.
IAM User Creation (Legacy) Instructions
Users who choose not to use the IAM role can complete the following steps to create an IAM user with read access to the S3 bucket that contains your Cost and Usage Report + metadata about the accounts referenced in your bill.
Important:Using an IAM user (legacy) for providing read access to the S3 bucket to which you are exporting bills is less secure than using an IAM role (preferred).
To create an IAM user (Legacy)
| 1. | Create a new IAM policy (see example above) which will allow read-only access to your S3 billing bucket and to metadata about the accounts referenced in your bill. |
| 2. | Create a new IAM user which only has the newly created policy attached. Refer to Amazon’s AWS tutorial, “IAM Tutorial: Create and Attach Your First Customer Managed Policy,” for instructions on this process. |
| 3. | Capture the access key id and secret access key for the next step. |
Then submit the information to Cloud Cost Optimization.
Follow the instructions in Using Cloud Cost Optimization API for Bill Connects to submit the bill connect information to Cloud Cost Optimization.
Reserved Instance and Savings Plan Reallocation
Starting September 13, 2023, all new AWS Bill Connects allow Reserved Instances (RI) and Savings Plan (SP) costs to be reallocated to areas where the discounts have been applied. Bill Connects made prior to September 13, 2023, may have been manually updated to support this feature or the reallocation may not have been enabled. If you have an AWS Bill Connect created prior to September 13, 2023, and want the reallocation enabled, contact Flexera Support.
For more information, see Understanding Reserved Instance and Savings Plan Reallocation.