Finout's CostGuard module provides actionable cost optimization insights. CostGuard scans surface idle resources, rightsizing opportunities, and offers commitment purchase recommendations. In order to do this, CostGuard needs read only permissions to certain metrics.
The role created during the standard AWS cost data integration has the necessary permissions to perform CostGuard scans and discover linked accounts within the master payer account. However, to run CostGuard scans for resources within linked accounts, you need to create a CloudFormation StackSet that applies the necessary configurations across all linked accounts. This onboarding procedure assumes that the payer AWS account has been onboarded. If it has not, please go through that procedure first as per the instructions in Connect to AWS.
โ
โ
Create a New CloudFormation StackSet (For AWS Multi account)
Open the AWS CloudFormation console choose StackSet then select Create StackSet
For existing Finout AWS integrations: on the Specify template page choose Template is ready, select Amazon S3 URL, and specify the following URL. Click Next:
https://finout-public-assets.s3.amazonaws.com/FinoutMetricsReadOnlyRole.json
Details about the read-only policy associated with this role can be found below.
Specify a name for the CloudFormation stack (e.g. finout-readonly-role) and in the Parameters section add the External ID provided by Finout
Set Execution configuration to Active the Configure stackSet options page
Specify regions and Deployment options then click Next.
Acknowledge the IAM notice and click Submit on the Review page to launch the new stack.
Once the StackSets is complete choose you can view one of the stacks from the Stack instances and copy the new role ARN from the Outputs tab.
Share the role ARN with the Finout team via your preferred method - we are available in the in-app chat, Slack Connect, and via email at [email protected]
Adding Permissions Manually
Use the following JSON file to add permissions manually to your accounts:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVolumes"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "organizations:ListAccounts",
"Resource": "*"
}
]
}
}
The latest IAM policy with details about each statement can be found below.
Note: Finout applies a validation process on IAM policies applied per account, so please make sure to contact us before modifying the policy on your own.
Finout IAM Policy Details
Cloudwatch Metrics
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*"
],
"Resource": "*"
},This policy allows Finout read-only permission to Cloudwatch metrics - these are crucial for all recommendations provided by CostGuard (Idle and Rightsizing recommendations).
EBS Volumes
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVolumes"
],
"Resource": "*"
},
This section of the policy allows CostGuard to provide recommendations for unattached EBS volumes.
Organization Discovery
{
"Effect": "Allow",
"Action": "organizations:ListAccounts",
"Resource": "*"
}
This section allows CostGuard to provide recommendations on all your accounts in the organization.
Still need help? Please feel free to reach out to our team at [email protected].