Connect to AWS

AWS Integration Overview

Integrate AWS with Finout to generate comprehensive cost and usage reports tailored to your organization's needs. Configure Finout to create detailed reports using AWS data, specifying specific accounts or encompassing your entire organization. This integration enables in-depth expense analysis and management, providing valuable insights into cost allocation and usage trends across your AWS infrastructure.

AWS Configuration Workflow:

1. Configure a CUR in AWS

2. Verify that your tags are activated

3. Obtain External ID from Finout

4. Grant Finout Access to Your CUR Bucket

5. Add bucket details to Finout

1. Create a CUR in the AWS Console

To begin using Finout to monitor the cost of your cloud bill, Finout needs access to your Amazon Cost and Usage Report (CUR).

​To create a CUR in AWS:

1. Sign in to your AWS console and create a new CUR.

   
2. Mark Legacy CUR export.

   

   
3. In Export name, enter a report name. Example: yourcompanyname-billing-reports

4. Export content:

   - In Additional export content, mark the following:

   1. Include resource IDs - Ensure that this is marked for successful configuration.

   2. Split cost allocation data - Optionally mark to add more detailed cost and usage data. Enabling split cost allocation does not make any changes to the Finout console.

   Note: Pod label enrichment remains a separate Finout feature that is not covered in AWS's split data. Finout will also continue providing Kubernetes rightsizing recommendations.

   - In Data refresh settings, ensure the Refresh automatically is marked.

5. Data export delivery options:

   

   1. Ensure the time granularity is marked Hourly.

   2. Choose either Create new report version or Overwrite existing report. Both report versioning types are supported.

   3. Choose the Parquet compression type

6. Data export storage settings:

   

   1. In S3 Bucket, click Configure. The Configure S3 Bucket window appears.

      • Create the destination bucket to store the cost and usage data:

        1. Add a bucket name. Save it for future use in step Adding AWS Bucket Details to Finout.

           1. Choose a region. Save it for future use in step Adding AWS Bucket Details to Finout.

           2. Mark The following default policy will be applied to your bucket.

           3. Click Save. Your bucket is created.

   2. Add your S3 path prefix. Save it for future use in step Adding AWS Bucket Details to Finout.

7. Click Next and then Review and Complete. The report is created within a few hours.

2. Verify Tag Activation

Verify that the tags you want included in your CUR are activated so that Finout can provide visibility for those tags.

To check if tags are activated:

1. Go to the cost allocation tags screen: https://console.aws.amazon.com/billing/home#/tags

2. Ensure that all the tags you want Finout to analyze, both now and in the future, are activated.

3. Obtain External ID from Finout

Get the external ID in order to Grant Finout Access to Your CUR Bucket.

1. Navigate to Settings > Cost Centers and click Add cost center. The Connect Accounts window appears.

   
2. In AWS, click Connect Now. The Connect to AWS window appears. ​

   
3. Copy the External ID and continue to grant Finout access to your CUR bucket.

4. Grant Finout Access to Your CUR Bucket

Once the CUR is created, grant Finout access to your CUR bucket by creating an IAM role. This can be done manually or by using CloudFormation.

To grant access using CloudFormation:

1. Create a CloudFormation Stack from a template by following the instructions on the AWS website. ​

2. Use the following Amazon S3 URL for your Stack template. ​

   
3. Complete the steps by adding the “external-id” (obtained in step 3) and the bucket name created for your CUR (step 1).

4. Click Next and then Submit. ​You are brought to the Stack details page.

   
5. Click Output and copy the ARN IAM role value. Save it for future use in step Adding AWS Bucket Details to Finout. ​

To grant access manually:

1. Click on creating a new cross-account role in IAM to create a role for another AWS account.

   
2. In the account ID, enter: 277411487094.

3. Paste the Require external ID and enter the “external-id” (obtained in step 3).

   
4. Click Next. ​The Review step appears.

   
5. Add a Role name: FinoutMetricsReadOnlyRole and then configure the role. A new role is created.

6. Go to your new role in Summary.

   
7. Copy the Role ARN. Save it for future use in step Adding AWS Bucket Details to Finout.

8. Click on Add permissions and choose Create inline policy.

9. Choose JSON format and paste the following JSON: Replace <CUR_BUCKET_NAME> with the name of the bucket you created in step 1 or your existing CUR bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tag:GetTagKeys"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::<CUR_BUCKET_NAME>/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::<CUR_BUCKET_NAME>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeReservedInstances*",
        "ec2:GetReservedInstances*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "savingsplans:DescribeSavingsPlan*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccounts",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetCostAndUsage",
        "ce:GetCostAndUsageWithResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    }
  ]
}

1. Click Next until the Review step, and name it finout-access-policy.

2. Click Create policy. Your IAM role is finalized and created.

5. Adding AWS Bucket Details to Finout

After creating your CUR in AWS and granting Finout access to your CUR bucket, you can add your AWS details to Finout.

To add bucket details in Finout:

1. Navigate back to the Finout console that you used in step 3.

   
2. Fill in the following fields:

   1. Add a personalized Cost Center Name.

   2. Add the Role ARN from step Grant Finout Access to Your CUR Bucket. The Amazon Resource Name (ARN) specifies the role.

   3. Add the Bucket Name from Create a CUR in the AWS Console (substep 6). This is the name under which AWS stores your cost and usage reports.

   4. Add the S3 Path Prefix from Create a CUR in the AWS Console (substep 6). This is the folder in S3 in which the CUR files are located.

   5. Add the Region from Create a CUR in the AWS Console (substep 6).

3. Click Continue. After verifying the information entered, Finout will create a new cost center.

Connect AWS China to Finout Billing

Connect AWS China to Finout billing to securely share your AWS China billing data with Finout. Once the files are copied to a non-China region, continue with the regular AWS integration.

• Connect AWS China to Finout: To connect AWS China to Finout, ensure your AWS China billing data is copied to an S3 bucket outside of China. This is crucial for Finout to access and process the data effectively.

• Billing Data Conversion: ​Finout support can help convert billing data from Chinese Yuan to US Dollars, ensuring your financial data is consistent and manageable. For assistance, contact support at [email protected].

• CostGuard Support Limitations: Finout does not support CostGuard for AWS China accounts because the necessary metrics and permissions required for CostGuard scans are not accessible outside of China. This means that some detailed cost management features for other regions may not be available for AWS China.

AWS China Known Limitations:

When connecting Finout to AWS China, please be aware of the following limitations:

• Account Names:

  • Account names are not included in the Cost and Usage Report (CUR) files provided by AWS China. As a workaround, Virtual Tags can be used to manage and identify accounts.

• Enrichments:

  • Enrichments that require data beyond the CUR files, like Account-Level Tags, are not supported. This limitation exists because Finout only has access to the CUR files and lacks the additional permissions needed to retrieve these enrichments.

• Resource and Metric Access:

  • Finout does not have access to any AWS resources or metrics within the China region. The integration is limited to processing the billing files that are exported to an accessible location outside of China.

FAQs

• What format should the CUR file be in for optimal integration with Finout? ​ We recommend using the CUR file in the Parquet format for optimal integration, although Finout also supports CSV/csv.gz format. The Parquet format is preferred for its efficiency in processing and analytics, especially for large-scale data handling.

• Does the CUR file need to be located in the master payer account? ​ No, the CUR file does not need to be in the master payer account. The important requirement is to be comprehensive of all billing data for the master payer to ensure accurate and complete data analysis.

• Is it acceptable for the CUR file to overwrite itself throughout the month? ​ Yes, it is acceptable for the CUR file to overwrite itself throughout the month. This allows for up-to-date data analysis as new billing information becomes available.

• Can we use a CUR file from CloudHealth or another third-party service? ​ Yes, you can use a CUR file from services like CloudHealth as long as it matches the settings required by Finout and contains all necessary billing data. For integration, the directory structure should be in the format: s3://bucket_name/cur/year=2023/month=12/*.parquet.

• How long does it usually take for data to appear in the Finout platform? ​ Finout usually takes about 24 hours to complete the first fetch of data from AWS. We recommend checking first thing in the morning (10 AM your local time) the next day.

• What Should I Do If My AWS Self-Onboarding Process Fails? If the self-onboarding process fails, check the following:

  • Verify S3 Bucket Content: Ensure that your S3 bucket contains the CUR files and is not empty.

  • Check S3 Path Prefix: An incorrect S3 path prefix is the most common issue. The path prefix should typically follow the format your-organization-name/cur-report-name/. Avoid including the date-range part in the prefix, as it is replaced dynamically with the actual date range. ​Example: Use fedramp-org/finout-cur instead of including the date range in the path.

  • Manifest.json File: Confirm that the Manifest.json file is in your S3 bucket, as it's essential for the CUR integration. If the problem persists, contact Finout support with the credentials for further debugging.

• How can I correct an incorrect S3 path prefix? The S3 path prefix should be static and consistent with the location of the CUR files in your S3 bucket without including date ranges. If you included the date range in your path prefix, remove it and try again. Example: Use your-path/cur-report-name/ instead of your-path/20240101-20240201/.

• What if validations pass locally but fail during onboarding? ​ If validations pass locally but fail during onboarding, double-check the S3 path prefix to ensure that it matches the CUR setup in your S3 bucket. The prefix provided to Finout should match the prefix where the CUR files are stored. If you have made changes and everything is set up correctly, attempt the onboarding process again.

• Can I enable encryption on a S3 bucket created for cost reports? ​ Yes, the S3 encryption is supported.