Skip to main content
Connect to AWS
Updated this week

Connect to AWS

Integrate AWS with Finout to generate comprehensive cost and usage reports tailored to your organization's needs. Configure Finout to create detailed reports using AWS data, specifying specific accounts or encompassing your entire organization. This integration enables in-depth expense analysis and management, providing valuable insights into cost allocation and usage trends across your AWS infrastructure.

AWS Configuration Workflow:

1. Create a CUR in the AWS Console

To begin using Finout to monitor the cost of your cloud bill, Finout needs access to your Amazon Cost and Usage Report (CUR).

Prerequisite: If you have several Amazon accounts, provide access to the parent or EDP account.


To create at CUR in AWS:

  1. Sign in to your AWS console, and create a new CUR.

  2. In Report name, enter a report name.
    Example: yourcompanyname-billing-reports

  3. In Additional content, mark the following:

    1. Include resource IDs - Ensure that this is marked for successful configuration.

    2. Split cost allocation data- Optionally mark to add more detailed cost and usage data. Enabling split cost allocation does not make any changes to the Finout console.

      Note: Pod label enrichment remains a separate Finout feature that is not covered in AWS's split data. Finout will also continue providing Kubernetes rightsizing recommendations.

  4. In Report data processing settings, ensure the Refresh Manually is marked.

  5. Click Next.
    You are brought to the Set delivery options step.

  6. In Configure S3 Bucket, click Configure.
    The Configure S3 Bucket window appears.

  7. Create the destination bucket to store the cost and usage data:

    1. Add a bucket name. Save it for future use in step 5.

    2. Choose a region. Save it for future use in step 5.

    3. Mark The following default policy will be applied to your bucket.

    4. Click Save.
      Your bucket is created, and you are brought back to the Set delivery options step.

  8. In Report delivery options:

    1. Add your S3 path prefix. Save it for future use in step 5.

    2. Ensure the time granularity is marked Hourly.

    3. Ensure that the report versioning is marked Create new report version.

    4. Choose the Parquet compression type.

  9. Click Next and then Review and Complete.
    The report is created within a few hours.

2. Verify Tag Activation

Verify that the tags you want included in your CUR are activated so that Finout can provide visibility for those tags.

To check if tags are activated:

  1. Go to the cost allocation tags screen: https://console.aws.amazon.com/billing/home#/tags

  2. Ensure that all the tags you want Finout to analyze, both now and in the future, are activated.

Important: If a tag is not activated, the data will not be tagged in the CUR and cannot be added retroactively.




3. Obtain External ID from Finout

Get the external ID in order to Grant Finout Access to Your CUR Bucket.

  1. Navigate to Settings > Cost Centers and click Add cost center.
    The Connect Accounts window appears.

  2. In AWS, click Connect Now.
    The Connect to AWS window appears.



  3. Copy the External ID and continue to grant Finout access to your CUR bucket.

Note: Save this ID for later and keep this window open for future use (Step 5).

4.Grant Finout Access to Your CUR Bucket

Once the CUR is created, grant Finout access to your CUR bucket by creating an IAM role. This can be done manually or by using CloudFormation.

Note: It is recommended to grant access through CloudFormation.

Prerequisite: Obtain an External ID from Finout.

To grant access using CloudFromation:

  1. Create a CloudFormation Stack from a template by following the instructions on the AWS website.

  2. Use the following Amazon S3 URL for your Stack template: https://finout-public-assets.s3.amazonaws.com/FinoutBillingAndMetricsReadOnlyRole.json.


  3. Complete the steps by adding the “external-id” (obtained in step 3) and the bucket name created for your CUR (step 1).

  4. Click Next and then Submit.
    You are brought to the Stack details page.

  5. Click Output and copy the ARN IAM role value to add in Finout (step 5).

To grant access manually:

  1. Click on creating a new cross-account role in IAM to create a role for another AWS account.

  2. In the account ID, enter: 277411487094.

  3. Paste the Require external ID and enter the “external-id” (obtained in step 3).

  4. Click Next.
    The Review step appears.

  5. Add a Role name: FinoutMetricsReadOnlyRole and then configure the role.
    A new role is created.

  6. Go to your new role in Summary.

  7. Copy the Role ARN and save it for use in Finout (step 5).

  8. Click on Add permissions and choose Create inline policy.

  9. Choose JSON format and paste the following JSON:
    Replace <CUR_BUCKET_NAME> with the name of the bucket you created in step 1 or your existing CUR bucket:

    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": [
    "tag:GetTagKeys"
    ],
    "Resource": "*"
    },
    {
    "Effect": "Allow",
    "Action": [
    "s3:Get*",
    "s3:List*"
    ],
    "Resource": "arn:aws:s3:::<CUR_BUCKET_NAME>/*"
    },
    {
    "Effect": "Allow",
    "Action": [
    "s3:Get*",
    "s3:List*"
    ],
    "Resource": "arn:aws:s3:::<CUR_BUCKET_NAME>"
    },
    {
    "Effect": "Allow",
    "Action": [
    "ec2:DescribeReservedInstances*",
    "ec2:GetReservedInstances*"
    ],
    "Resource": "*"
    },
    {
    "Effect": "Allow",
    "Action": [
    "savingsplans:DescribeSavingsPlan*"
    ],
    "Resource": "*"
    },
    {
    "Effect": "Allow",
    "Action":[
    "organizations:ListAccounts",
    "organizations:ListTagsForResource"
    ],
    "Resource": "*"
    },
    {
    "Effect": "Allow",
    "Action": [
    "ce:GetReservationUtilization",
    "ce:GetSavingsPlansUtilization",
    "ce:GetSavingsPlansUtilizationDetails",
    "ce:GetCostAndUsage",
    "ce:GetCostAndUsageWithResources"
    ],
    "Resource": "*"
    },
    {
    "Effect": "Allow",
    "Action": [
    "cloudwatch:ListMetrics",
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics"
    ],
    "Resource": "*"
    },
    {
    "Effect": "Allow",
    "Action": ["ec2:DescribeVolumes"],
    "Resource": "*"
    }
    ]
    }


  10. Click Next until the Review step, and name it finout-access-policy.

  11. Click Create policy.
    Your IAM role is finalized and created.

5. Adding AWS Bucket Details to Finout

After creating your CUR in AWS and granting Finout access to your CUR bucket, you can add your AWS details to Finout.

To add bucket details in Finout:

  1. Navigate back to the Finout console that you used in step 3.

  2. Fill in the following fields:

    1. Add a personalized Cost Center Name.

    2. Add the Role ARN from step Grant Finout Access to Your CUR Bucket.
      The Amazon Resource Name (ARN) specifies the role.

    3. Add the Bucket Name from Create a CUR in the AWS Console step 7.
      This is the name under which AWS stores your cost and usage reports.

    4. Add the S3 Path Prefix from Create a CUR in the AWS Console step 8.
      This is the folder in S3 in which the CUR files are located.

    5. Add the Region from Create a CUR in the AWS Console step 7.

  3. Click Continue.
    After verifying the information entered, Finout will create a new cost center.

Frequently Asked Questions About CUR Integration

  • What format should the CUR file be in for optimal integration with Finout?

    We recommend using the CUR file in the Parquet format for optimal integration, although Finout also supports CSV/csv.gz afaik format. The Parquet format is preferred for its efficiency in processing and analytics, especially for large-scale data handling.

  • Does the CUR file need to be located in the master payer account?

    No, the CUR file does not need to be in the master payer account. The important requirement is to be comprehensive of all billing data for the master payer to ensure accurate and complete data analysis.

  • Is it acceptable for the CUR file to overwrite itself throughout the month?

    Yes, it is acceptable for the CUR file to overwrite itself throughout the month. This allows for up-to-date data analysis as new billing information becomes available.

  • Can we use a CUR file from CloudHealth or another third-party service?

    Yes, you can use a CUR file from services like CloudHealth as long as it matches the settings required by Finout and contains all necessary billing data. For integration, the directory structure should be in the format: s3://bucket_name/cur/year=2023/month=12/*.parquet.

  • How long does it usually take for data to appear in the Finout platform?

    Finout usually takes about 24 hours to complete the first fetch of data from AWS. We recommend checking first thing in the morning (10 AM your local time) the next day.

  • What Should I Do If My AWS Self-Onboarding Process Fails?
    If the self-onboarding process fails, check the following:

    • Verify S3 Bucket Content: Ensure that your S3 bucket contains the CUR files and is not empty.

    • Check S3 Path Prefix: An incorrect S3 path prefix is the most common issue. The path prefix should typically follow the format your-organization-name/cur-report-name/. Avoid including the date-range part in the prefix, as it is replaced dynamically with the actual date range.
      Example: Use fedramp-org/finout-cur instead of including the date range in the path.

    • Manifest.json File: Confirm that the Manifest.json file is in your S3 bucket, as it's essential for the CUR integration.
      If the problem persists contact us at [email protected] with the credentials for further debugging.

  • How can I correct an incorrect S3 path prefix?
    The S3 path prefix should be static and consistent with the location of the CUR files in your S3 bucket without including date ranges. If you included the date range in your path prefix, remove it and try again.
    Example: Use your-path/cur-report-name/ instead of your-path/20240101-20240201/.

  • What if validations pass locally but fail during onboarding?

    If validations pass locally but fail during onboarding, double-check the S3 path prefix to ensure that it matches the CUR setup in your S3 bucket. The prefix provided to Finout should match the prefix where the CUR files are stored. If you have made changes and everything is set up correctly, attempt the onboarding process again.

  • Can I change the report versioning for cur-445787619317 from ‘’Create new report version’’ to ‘’Overwrite existing report’’?

    When creating a CUR in AWS, the report versioning must be set to "Create new report version." It's not possible to change the report version setting to "Overwrite existing report" because Finout relies on reading data from the specific S3 bucket where this CUR is stored. Changing the report versioning could disrupt our bucket analysis.

  • Can I enable encryption on a S3 bucket created for cost reports?

    Yes, the S3 encryption is supported.

Still need help? Please feel free to reach out to our team at [email protected].

Did this answer your question?