# Connect CostGuard for AWS

Finout's CostGuard module provides actionable cost optimization insights. CostGuard scans surface idle resources and rightsizing opportunities, and offer commitment purchase recommendations. To do this, CostGuard needs read-only permissions to certain metrics.\
The role created during the standard AWS cost data integration has the necessary permissions to perform CostGuard scans and discover linked accounts within the master payer account. However, to run CostGuard scans on resources within the linked accounts themselves, you need to create a CloudFormation StackSet that applies the necessary configuration across all linked accounts.

{% hint style="warning" %}
**Important**: This onboarding procedure assumes that the AWS account has already been onboarded. If it has not, first follow the procedure outlined in [Connect to AWS](https://docs.finout.io/billing-integrations/cloud-providers/connect-to-aws).
{% endhint %}

There are two ways to connect CostGuard for AWS:

* [Create a New CloudFormation StackSet](#h_b69c0313e2)
* [Add Permissions Manually](#h_a55a679675)

## Create a New CloudFormation StackSet  <a href="#h_b69c0313e2" id="h_b69c0313e2"></a>

{% hint style="info" %}
This procedure applies to AWS Multi-Accounts.
{% endhint %}

1. Open the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation).<br>

   <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FjcyMtcjK175K93FpA4i7%2Fimage.png?alt=media&#x26;token=ae480c5b-9f5d-489f-bee2-533db2a9e4a2" alt=""><figcaption></figcaption></figure>

2. Choose **StackSet** from the navigation on the left-hand side of the screen.\
   ![](https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FwoyBawaQG1sxj9juir5M%2Fimage.png?alt=media\&token=d9c42255-5b6d-45fc-b0e3-7eb78fce274a)\
   The **Specify StackSet details** step appears.

3. Click **Create StackSet**.\
   ![](https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2F05jVgDYpZLcztEIcWh02%2Fimage.png?alt=media\&token=8ecb74a4-a0f3-4ca1-af00-712509991a26)\
   The **Choose a template** step appears.<br>

   <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FlPakTMUUclaAcxBOfEVt%2Fimage.png?alt=media&#x26;token=f1c80a04-fe07-4c5b-994c-c739a6da9012" alt=""><figcaption></figcaption></figure>
4. **Choose a template** - Fill in the following information:<br>
   1. **Permissions**: Since self-managed permissions are used, AWS manages the roles and you can skip this section.<br>

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2F4zRqySVeKyLWc4nB6Tdf%2Fimage.png?alt=media&#x26;token=656e0338-aec2-4fd7-afe6-0ab66b634aa4" alt=""><figcaption></figcaption></figure>
   2. **Prepare template** - Choose **Template is ready.**<br>

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2Fs817JOGoQDx1vmc6ukST%2Fimage.png?alt=media&#x26;token=9c654847-1672-4423-8d59-bfd3f44d204c" alt=""><figcaption></figcaption></figure>
   3. **Specify template** - Under **Template source**, choose **Amazon S3 URL** and enter the following URL:\
      <https://finout-public-assets.s3.amazonaws.com/FinoutMetricsReadOnlyRole.json><br>

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FGTRif2QzKdAd1mewgd6O%2Fimage.png?alt=media&#x26;token=98100bca-afd4-4008-a367-925aee0cefa6" alt=""><figcaption></figcaption></figure>
   4. Click **Next**.\
      You are brought to the **Specify stack set details** step.<br>

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FQe2cNNo9i0OnPsqRrGIq%2Fimage.png?alt=media&#x26;token=72e89cd0-b75d-4166-8717-7b92ea889c8d" alt=""><figcaption></figcaption></figure>
5. **Specify stack set details** - Fill in the following information:
   1. **Stack set name** - Specify a name for the CloudFormation stack (e.g. finout-readonly-role).<br>

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2Fkbc5waTrheXypZ6l2yXY%2Fimage.png?alt=media&#x26;token=bf3d546b-5d21-4ac6-9bb5-52620b41cd50" alt=""><figcaption></figcaption></figure>
   2. **Parameters** - Add the External ID from the Finout-provided section.

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FaB3fErEawy0cevTarueC%2Fimage.png?alt=media&#x26;token=14a0ecd9-bf42-4c9b-a6fe-ae061169aa1b" alt=""><figcaption></figcaption></figure>
   3. Click **Next**.\
      You are brought to the **Configure stack set options** step.
6. **Configure stack set options**:
   1. **Execution configuration**: Set Manage execution to **Active**.

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2Fyd7TKfQcyfgkYJxu7hZa%2Fimage.png?alt=media&#x26;token=4dbcf437-0f41-4ced-8dbd-34a695634a4e" alt=""><figcaption></figcaption></figure>
   2. **Capabilities** - Mark the **I acknowledge the IAM** notice.

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2F0AI7udEYgvjFZ8PUBC3W%2Fimage.png?alt=media&#x26;token=7549be5a-b72a-49af-9f5c-4093ee57bdb8" alt=""><figcaption></figcaption></figure>
   3. Click **Next**.\
      You are brought to the **Set deployment options** step.<br>

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FQDLmk4Dja1YFCJxudFUV%2Fimage.png?alt=media&#x26;token=fd2f91f0-5f1c-4a74-beb2-81180d44813e" alt=""><figcaption></figcaption></figure>
7. **Set deployment options**:
   1. **Add stacks to stack set** - Mark **Deploy new stacks**.

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FjISL1wtWtWygagLSSIi0%2Fimage.png?alt=media&#x26;token=cca68ec3-f31d-4db7-beb3-6d2649cb5061" alt=""><figcaption></figcaption></figure>
   2. **Accounts** - You have two options:

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FEYc4j12IXV48A0iH2vg6%2Fimage.png?alt=media&#x26;token=0a5a6f21-e1ba-41b1-800e-568729341588" alt=""><figcaption></figcaption></figure>

      * Mark **Deploy new stacks in accounts** to specify the individual accounts in which to deploy the stack set.
      * Mark **Deploy stacks in organizational units** to deploy to all accounts.
   3. **Specify Regions** - Choose **us-east-1**.

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2Fuv345lmRyWStygwvY5nq%2Fimage.png?alt=media&#x26;token=17b1bb16-d502-4c0d-9ad0-2ea55434247f" alt=""><figcaption></figcaption></figure>
   4. **(Optional) Deployment options** - Configure the concurrency.
   5. Click **Next**.
8. Review all the information, then click **Next** to launch the new stack set.
9. Once the StackSet deployment is complete, share your organization ID with Finout Support.

## Add Permissions Manually <a href="#h_a55a679675" id="h_a55a679675"></a>

Use the following JSON file to add permissions manually to your accounts:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:ListAccounts",
      "Resource": "*"
    }
  ]
}
```
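As an added check (example code, not part of Finout's documentation or tooling), the following Python audits a policy document such as the one above before it is attached to the role: it confirms that every action CostGuard needs is covered and flags any Allow action that is not clearly read-only, so an accidental widening is caught before the StackSet pushes it to every linked account. The read-only verb prefixes and the expected-action set are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Actions this page's policy grants CostGuard; treated as the expected set.
REQUIRED_ACTIONS = {
    "cloudwatch:ListMetrics", "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics", "ec2:DescribeVolumes",
    "organizations:ListAccounts",
}
# Heuristic assumed by this example: these verb prefixes only read; others are flagged.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_read_only(action):
    _service, _, verb = action.partition(":")
    return bool(verb) and verb != "*" and verb.startswith(READ_ONLY_PREFIXES)

def audit_policy(policy):
    """Return the required actions a policy (dict or JSON text) fails to
    cover, and the Allow actions that reach beyond read-only access."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    granted = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access; skip them
        granted.extend(_as_list(stmt.get("Action", [])))
    # A granted pattern such as "ec2:*" also covers a required action.
    covered = {req for req in REQUIRED_ACTIONS
               if any(fnmatchcase(req, pattern) for pattern in granted)}
    return {"missing": sorted(REQUIRED_ACTIONS - covered),
            "too_broad": sorted(a for a in granted if not _is_read_only(a))}

# Constructed sample: the policy from this page, expected to pass cleanly.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "cloudwatch:ListMetrics", "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:DescribeVolumes"]},
    {"Effect": "Allow", "Resource": "*", "Action": "organizations:ListAccounts"},
]}
# Constructed sample: a hand-edited variant that drops the Organizations
# statement and widens EC2 to a service wildcard (its Deny is ignored).
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    PAGE_POLICY["Statement"][0],
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:*"},
    {"Effect": "Deny", "Resource": "*", "Action": "ec2:DeleteVolume"},
]}
```

Run `audit_policy` on the document you intend to deploy; an empty `missing` list and an empty `too_broad` list mean it matches the read-only scope described on this page.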

The latest IAM policy with details about each statement can be found below.

{% hint style="info" %}
**Note**: Finout applies a validation process on IAM policies applied per account, so please make sure to contact us before modifying the policy on your own.
{% endhint %}

### Finout IAM Policy Details <a href="#h_c4fb5814fe" id="h_c4fb5814fe"></a>

#### CloudWatch Metrics <a href="#h_512aff2db8" id="h_512aff2db8"></a>

```json
{
  "Effect": "Allow",
  "Action": [
    "cloudwatch:ListMetrics",
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:Describe*"
  ],
  "Resource": "*"
},
```

This statement grants Finout read-only access to CloudWatch metrics, which are crucial for all recommendations provided by CostGuard (idle and rightsizing recommendations).

#### EBS Volumes <a href="#h_2fff04f936" id="h_2fff04f936"></a>

```json
{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeVolumes"
  ],
  "Resource": "*"
},
```

This section of the policy allows CostGuard to provide recommendations for unattached EBS volumes.

#### Organization Discovery <a href="#h_540327622b" id="h_540327622b"></a>

```json
{
  "Effect": "Allow",
  "Action": "organizations:ListAccounts",
  "Resource": "*"
}
```

This section allows CostGuard to provide recommendations on all your accounts in the organization.
