Connect CostGuard for AWS


Last updated 2 months ago


Finout's CostGuard module provides actionable cost optimization insights. CostGuard scans surface idle resources and rightsizing opportunities, and offer commitment purchase recommendations. To do this, CostGuard needs read-only permissions to certain metrics.

The role created during the standard AWS cost data integration has the necessary permissions to perform CostGuard scans and discover linked accounts within the master payer account. However, to run CostGuard scans for resources within linked accounts, you need to create a CloudFormation StackSet that applies the necessary configurations across all linked accounts.

This onboarding procedure assumes that the payer AWS account has been onboarded. If it has not, please go through that procedure first as per the instructions in Connect to AWS.

Create a New CloudFormation StackSet

This procedure applies to AWS multi-account setups.

  1. Open the AWS CloudFormation console.

  2. Choose StackSet, then select Create StackSet. The Specify StackSet details step appears.

    For existing Finout AWS integrations: On the Specify template page, choose Template is ready, select Amazon S3 URL, specify the following URL, and then click Next.
    https://finout-public-assets.s3.amazonaws.com/FinoutMetricsReadOnlyRole.json

  3. Specify a name for the CloudFormation stack (e.g. finout-readonly-role), add a description, add the External ID that was provided by Finout in the Parameters section, and click Next. The Configure StackSet options step appears.

  4. Set the Execution configuration to Active on the Configure StackSet options page and click Next.

  5. Specify us-east-1 for the region, set the Deployment options, then click Next.

  6. Acknowledge the IAM notice and click Submit on the Review page to launch the new stack.

  7. Once the StackSet is complete, you can view one of the stacks from the Stack instances and copy the new role ARN from the Outputs tab.

  8. Share the role ARN with Finout Support.

Adding Permissions Manually

Use the following JSON file to add permissions manually to your accounts:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:ListAccounts",
      "Resource": "*"
    }
  ]
}

The latest IAM policy with details about each statement can be found below.

Note: Finout applies a validation process on IAM policies applied per account, so please make sure to contact us before modifying the policy on your own.

Finout IAM Policy Details

CloudWatch Metrics

{
  "Effect": "Allow",
  "Action": [
    "cloudwatch:ListMetrics",
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:Describe*"
  ],
  "Resource": "*"
},

This statement grants Finout read-only permission to CloudWatch metrics. These are crucial for all recommendations provided by CostGuard (Idle and Rightsizing recommendations).

EBS Volumes

{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeVolumes"
  ],
  "Resource": "*"
},

This section of the policy allows CostGuard to provide recommendations for unattached EBS volumes.

Organization Discovery

{
  "Effect": "Allow",
  "Action": "organizations:ListAccounts",
  "Resource": "*"
} 

This section allows CostGuard to provide recommendations on all your accounts in the organization.
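Before attaching the policy in each linked account, it can be checked locally. The following is an added example, not Finout's own code or its validation process: it confirms that a policy document allows only read-only actions and reports drift against the action list in "Finout IAM Policy Details". The function names and the rule that List/Get/Describe verbs count as read-only are assumptions of this example.

```python
import json

# Policy JSON from "Adding Permissions Manually" on this page.
MANUAL_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricData",
              "cloudwatch:GetMetricStatistics"]},
  {"Effect": "Allow", "Resource": "*", "Action": ["ec2:DescribeVolumes"]},
  {"Effect": "Allow", "Resource": "*", "Action": "organizations:ListAccounts"}
]}
""")

# Actions listed under "Finout IAM Policy Details" on this page.
DETAILED_ACTIONS = {
    "cloudwatch:ListMetrics", "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*",
    "ec2:DescribeVolumes", "organizations:ListAccounts",
}

# Assumption of this example: verbs with these prefixes count as read-only.
READ_ONLY_PREFIXES = ("list", "get", "describe")

def as_list(value):
    """IAM accepts a single value or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def allowed_actions(policy):
    """Collect every action granted by Allow statements."""
    actions = set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            actions.update(as_list(stmt.get("Action", [])))
    return actions

def audit(policy):
    """Return findings; an empty list means only read-only actions are allowed."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            findings.append("NotAction in an Allow statement grants all other actions")
    for action in sorted(allowed_actions(policy)):
        _service, _, verb = action.partition(":")
        # IAM action names are case-insensitive; "*" and "ec2:*" fail this check.
        if not verb.lower().startswith(READ_ONLY_PREFIXES):
            findings.append(f"not read-only: {action}")
    return findings

def drift(policy, expected_actions):
    """Return (extra, missing) actions relative to the expected set."""
    granted = allowed_actions(policy)
    return sorted(granted - expected_actions), sorted(expected_actions - granted)
```

Run against the two policy listings on this page, `drift` reports that the manual JSON does not include `cloudwatch:Describe*`, which appears only in the detailed CloudWatch statement.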
