Connect CostGuard for AWS

The Finout platform also provides actionable cost optimization insights as part of the CostGuard product. CostGuard automatically provides optimization recommendations for idle resources and rightsizing, and offers commitment purchase recommendations as well.

Finout requires read-only permissions to specific CloudWatch metrics in your AWS account.

If you have a single AWS account, follow the steps below to create a CloudFormation stack.

If you have multiple accounts under your AWS organization, follow the steps below to create both a CloudFormation stack for your main account and a StackSet for all other member accounts.

Create a New CloudFormation Stack

  1. Open the AWS CloudFormation console, choose Create Stack, and select With new resources (standard).

  2. For existing Finout AWS integrations: on the Specify template page, choose Template is ready, select Amazon S3 URL, specify the following URL, and click Next:

    https://finout-public-assets.s3.amazonaws.com/FinoutMetricsReadOnlyRole.json

    Details about the read-only policy associated with this role can be found below.

  3. Specify a name for the CloudFormation stack (e.g. finout-readonly-role) and, in the Parameters section, add the External ID provided by Finout.

  4. Click Next Step on the Configure stack options page.

  5. Acknowledge the IAM notice and click Submit on the Review page to launch the new stack.

  6. Once stack creation is complete, choose the Outputs tab and copy the new role ARN.

  7. Share the role ARN with the Finout team via your preferred method - we are available in the in-app chat, Slack Connect, and via email at [email protected]

If you have multiple accounts under your AWS organization, continue with the following steps:

Create a New CloudFormation StackSet (For AWS Multi account)

  1. Open the AWS CloudFormation console, choose StackSet, then select Create StackSet.

  2. For existing Finout AWS integrations: on the Specify template page, choose Template is ready, select Amazon S3 URL, specify the following URL, and click Next:

    https://finout-public-assets.s3.amazonaws.com/FinoutMetricsReadOnlyRole.json

    Details about the read-only policy associated with this role can be found below.

  3. Specify a name for the CloudFormation stack (e.g. finout-readonly-role) and, in the Parameters section, add the External ID provided by Finout.

  4. Set Execution configuration to Active on the Configure StackSet options page.

  5. Specify regions and Deployment options, then click Next.

  6. Acknowledge the IAM notice and click Submit on the Review page to launch the new stack.

  7. Once the StackSet is complete, view one of the stacks under Stack instances and copy the new role ARN from the Outputs tab.

  8. Share the role ARN with the Finout team via your preferred method - we are available in the in-app chat, Slack Connect, and via email at [email protected]

Adding Permissions Manually

Use the following JSON file to add permissions manually to your accounts:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:ListAccounts",
      "Resource": "*"
    }
  ]
}

The latest IAM policy with details about each statement can be found below.

Note: Finout applies a validation process on IAM policies applied per account, so please make sure to contact us before modifying the policy on your own.

Finout IAM Policy Details

CloudWatch Metrics

{
  "Effect": "Allow",
  "Action": [
    "cloudwatch:ListMetrics",
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:Describe*"
  ],
  "Resource": "*"
},

This statement gives Finout read-only access to CloudWatch metrics, which are crucial for all recommendations provided by CostGuard (Idle and Rightsizing recommendations).

EBS Volumes

{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeVolumes"
  ],
  "Resource": "*"
},

This section of the policy allows CostGuard to provide recommendations for unattached EBS volumes.

Organization Discovery

{
  "Effect": "Allow",
  "Action": "organizations:ListAccounts",
  "Resource": "*"
}

This section allows CostGuard to provide recommendations on all your accounts in the organization.
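
One way to check that a policy document attached to the role grants only the actions listed on this page and nothing beyond read-only verbs. This is an added example, not Finout's code or its validation process; `audit_policy`, `DOCUMENTED`, `READ_VERBS` and the sample policy are hypothetical names and constructed data, and treating the List/Get/Describe prefixes as read-only is an assumption.

```python
import json

# Actions listed on this page: the manual policy plus the Policy Details section.
DOCUMENTED = {a.lower() for a in (
    "cloudwatch:ListMetrics", "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*",
    "ec2:DescribeVolumes", "organizations:ListAccounts",
)}
READ_VERBS = ("list", "get", "describe")  # assumption: prefixes treated as read-only

def as_list(value):
    """Action may be a string or a list; the page's policy uses both forms."""
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy):
    """Return (unexpected, not_read_only, missing) for the Allow statements."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # IAM also accepts a single bare statement
        statements = [statements]
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the list: never read-only
            granted.add("notaction")
        # IAM action names are case-insensitive, so compare lower-cased.
        granted.update(a.lower() for a in as_list(stmt.get("Action", [])))
    unexpected = sorted(granted - DOCUMENTED)
    not_read_only = sorted(
        a for a in granted if not a.partition(":")[2].startswith(READ_VERBS))
    missing = sorted(DOCUMENTED - granted)
    return unexpected, not_read_only, missing

# Constructed sample: the manual policy from this page with one drifted statement added.
SAMPLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
      "cloudwatch:ListMetrics", "cloudwatch:GetMetricData",
      "cloudwatch:GetMetricStatistics"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:DescribeVolumes"]},
    {"Effect": "Allow", "Resource": "*", "Action": "organizations:ListAccounts"},
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:*"}
  ]
}""")

if __name__ == "__main__":
    for label, actions in zip(("unexpected", "not read-only", "missing"),
                              audit_policy(SAMPLE)):
        print(f"{label}: {actions}")
```

On the constructed sample it reports `ec2:*` as both unexpected and not read-only, and `cloudwatch:describe*` as missing, because that action appears only in the Policy Details listing and not in the manual policy.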

Still need help? Please feel free to reach out to our team at [email protected].
