
AWS

In SavingsNow, AWS is categorized into AWS-Global and AWS-CN based on the service region, with no differences in data access operations between the two.

Create a connection

STEP1: Grant cross-account roles

In the multi-cloud access list, select AWS-Global or AWS-CN, and click the [+ Cloud Account] button to open the connection configuration drawer.

The system provides two methods to create a connection to a cloud account: "Use roles for cross-account access" and "Use IAM access Key".

  • select [Use roles for cross-account access]

    • External ID & AWS Role ARN: Both are required. The External ID provides an additional layer of authentication when an external entity assumes the IAM role, while the AWS Role ARN is the unique string that identifies the IAM role.

      • On the current page, click [Start CloudFormation Stack] to initiate the stack template in AWS.

      • The system then automatically retrieves the [External ID] and fills it into the corresponding text field.

      • Under the "Capabilities" section, select [I acknowledge that AWS CloudFormation might create IAM resources with custom names], then select Create Stack.

    • In the stack page, go to the Outputs tab and copy the CrossAccountRoleArn Key value. Paste it into the corresponding text field in the SavingsNow configuration.

    • Alias : Required; to differentiate cloud accounts represented by a string of numbers or characters, you can customize an alias for easier identification in the platform.

    • This account is a payment account : Optional, check this box only if the account is a billing or organization account. Otherwise, leave it unchecked.

    • Remark : Optional, use this field to add additional information about the current connection.

Click the [Confirm] button to complete the cloud account integration, or click the [Cancel] or [X] button to abandon the connection and return to the list of cloud accounts.

  • Select [Use IAM Access Key]

    • Access Key ID & Secret Access Key: Both are required. The Access Key ID identifies the IAM user or role associated with the AWS account, while the Secret Access Key is the private key used together with the Access Key ID to sign requests sent to AWS.

      • Log into the AWS Management Console using the cloud account credentials associated with your multi-cloud integration. Navigate to the "IAM Dashboard" feature.

      • Create & Select Policy: Select [Policies] from the left menu and click the [Create Policies] button, then create the policy either with the visual editor or with JSON. For the JSON configuration, refer to the description in "STEP 3".

        Note:

        1. If you configure the policy using the visual editor, you need to select each cross-account role to associate with the policy.

        2. Ensure the storage bucket used for storing billing-related data such as CUR, DBR, and CloudTrail has the necessary permissions included in the policy.

      • Create an IAM user: Open the [IAM Administration] screen, select Users from the left menu, and click the [Add User] button. Enter the name of the new user, grant permissions in the permissions summary, define "labels" as needed, and click [Create User] to complete the process.

      • Get AK/SK file: Under this user, choose [Create access key] and click [Download .csv file] to save the security credentials locally.

      • Fill AK/SK into the system: Open the csv file, copy the access key ID and secret access key, and paste the values into the corresponding fields.

    • Account alias : Required; to differentiate cloud accounts represented by a string of numbers or characters, you can customize an alias for easier identification in the platform.

    • This account is a payment account : Optional, check this box only if the account is a billing or organization account. Otherwise, leave it unchecked.

    • Note : Optional, use this field to add additional information about the current connection.

Click the [Confirm] button to complete the cloud account integration, or click the [Cancel] or [X] button to abandon the connection and return to the list of cloud accounts.

STEP2: Specify billing data source

Note: AWS CUR (Cost and Usage Report) is a customizable report that provides detailed information about resource usage and costs within your AWS account. Through CUR, you can regularly obtain CSV or Parquet format files containing AWS resource usage and cost information, which are stored in an Amazon S3 bucket.

One of the important data sources in the SavingsNow cost analysis process is billing data, currently obtained from AWS CUR. Therefore, when creating a connection, you must configure the CUR data source information so that the system can obtain the latest billing data according to the specified data retrieval mechanism.

After completing the first step "Grant cross-account roles", the [Billing Storage Configuration] button automatically appears in the operations column of the list. Click it to open the detail page:

  • Bucket : Required; the exact name of the S3 bucket where the billing data for this account is stored.
  • Area : Required; the region where the bucket is located. S3 has multiple regions, and buckets with the same name can exist in different regions.
  • Billing Report name : Required; the unique report name created in AWS CUR and saved to the specified bucket.
  • Billing report prefix : Optional; automatically generated by AWS when the CUR report is created to ensure the report's uniqueness and recognizability.

Click the [Confirm] button to complete the billing storage configuration, or click the [Cancel] or [X] button to abandon it and return to the list of cloud accounts.

STEP3: Configure the data policy

In addition to the first two steps of obtaining the account role and specifying the billing data source, SavingsNow also needs to obtain other relevant data permissions (primarily "read-only" permissions) to comprehensively understand and manage cloud resource usage and costs before conducting cloud cost analysis and governance. The main data and permissions involved at this stage include:

  • Billing data permissions: In addition to specifying the data source location in STEP 2, it is also necessary to configure access permissions for the corresponding S3 bucket.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:GetObject",
            "cur:DescribeReportDefinitions",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::{Bucket name}/*",
            "arn:aws:s3:::{Bucket name}"
          ],
          "Effect": "Allow"
        }
      ]
    }
    Replace {Bucket name} in both resource ARNs with the S3 bucket used for exporting bills (JSON does not allow inline comments, so the placeholder is noted here instead).
  • Cost Explorer related permissions: Used to obtain Reserved Instance (RI) and Savings Plans (SP) utilization and existing optimization suggestions.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ce:GetReservationUtilization",
            "ce:GetTags",
            "ce:GetDimensionValues",
            "ce:GetReservationCoverage",
            "ce:GetCostAndUsage",
            "ce:GetSavingsPlansUtilizationDetails",
            "ce:GetSavingsPlansCoverage",
            "ce:GetReservationPurchaseRecommendation",
            "ce:StartSavingsPlansPurchaseRecommendationGeneration",
            "ce:GetSavingsPlansPurchaseRecommendation"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • Cost optimization recommendation permissions: Used in the same way as the Cost Explorer related permissions.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "compute-optimizer:GetRecommendationSummaries",
            "compute-optimizer:GetEC2InstanceRecommendations",
            "compute-optimizer:GetEC2RecommendationProjectedMetrics",
            "compute-optimizer:GetAutoScalingGroupRecommendations",
            "compute-optimizer:GetEBSVolumeRecommendations",
            "compute-optimizer:GetLambdaFunctionRecommendations",
            "compute-optimizer:GetRecommendationPreferences",
            "compute-optimizer:GetEffectiveRecommendationPreferences",
            "compute-optimizer:GetECSServiceRecommendations",
            "compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
            "compute-optimizer:GetLicenseRecommendations",
            "cloudwatch:Describe*",
            "cloudwatch:GenerateQuery",
            "cloudwatch:Get*",
            "cloudwatch:List*"
            ...
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • Cloud product metadata and API permissions: ReadOnlyAccess, used to obtain information on resource metering and billing characteristics. Typical examples include EC2, S3, RDS, AutoScaling, Elastic Load Balancing, Kafka, EMR, OpenSearch, ElastiCache, and Redshift.
    • EC2:

      [
      "ec2:Describe*",
      "ec2:Get*"
      ]
    • RDS:

      [
      "rds:Describe*",
      "rds:List*"
      ]
    • AutoScaling:

      [
      "autoscaling:Describe*"
      ]
    • Elastic Load Balancing:

      [
      "elasticloadbalancing:Describe*"
      ]
    • Kafka:

      [
      "kafka:Describe*",
      "kafka:DescribeCluster",
      "kafka:DescribeClusterOperation",
      "kafka:DescribeClusterV2",
      "kafka:DescribeConfiguration",
      "kafka:DescribeConfigurationRevision",
      "kafka:Get*",
      "kafka:GetBootstrapBrokers",
      "kafka:GetCompatibleKafkaVersions",
      "kafka:List*",
      "kafka:ListClusterOperations",
      "kafka:ListClusters",
      "kafka:ListClustersV2",
      "kafka:ListConfigurationRevisions",
      "kafka:ListConfigurations",
      "kafka:ListKafkaVersions",
      "kafka:ListNodes",
      "kafka:ListTagsForResource"
      ]
    • S3:

      [
      "s3:Get*",
      "s3:List*"
      ]
    • EMR:

      [
      "emr-containers:DescribeJobRun",
      "emr-containers:DescribeManagedEndpoint",
      "emr-containers:DescribeVirtualCluster",
      "emr-containers:ListJobRuns",
      "emr-containers:ListManagedEndpoints",
      "emr-containers:ListTagsForResource",
      "emr-containers:ListVirtualClusters",
      "emr-serverless:GetApplication",
      "emr-serverless:GetDashboardForJobRun",
      "emr-serverless:GetJobRun",
      "emr-serverless:ListApplications",
      "emr-serverless:ListJobRuns",
      "emr-serverless:ListTagsForResource"
      ]
    • OpenSearch:

      [
      "es:Describe*",
      "es:Get*",
      "es:List*"
      ]
    • ElastiCache:

      [
      "elasticache:Describe*",
      "elasticache:List*"
      ]
    • Redshift:

      [
      "redshift:Describe*",
      "redshift:View*"
      ]

All of the above permissions are configured in the IAM policy. You can also modify or add data permissions for cloud resources to match your actual situation.
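STEP 3 describes the permissions as "primarily read-only" and lists them as separate fragments. The following added Python example (not SavingsNow's code) assembles fragments of that shape into one valid policy document and audits it for two things a reviewer checks before attaching it: actions whose verb is not one of the read-only prefixes used on this page (Describe, Get, List, View), and S3 object reads that are not pinned to the billing bucket. The statements and bucket name are constructed from the page's fragments; the bucket name is a placeholder.

```python
import json

# Constructed sample: STEP 3 statements with {Bucket name} filled in.
# The bucket name is a placeholder, not a value from the page.
BUCKET = "example-billing-bucket"
STATEMENTS = [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "cur:DescribeReportDefinitions", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]},
    {"Effect": "Allow",
     "Action": ["ce:GetCostAndUsage", "ce:GetReservationUtilization",
                "ce:StartSavingsPlansPurchaseRecommendationGeneration"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:Get*", "s3:Get*", "s3:List*"],
     "Resource": "*"},
]

# Verb prefixes the page treats as read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "View")


def build_policy(statements):
    """Assemble the per-area statements into one IAM policy document.
    Returning JSON text proves the document parses (no // comments)."""
    return json.dumps({"Version": "2012-10-17", "Statement": statements}, indent=2)


def audit_policy(policy_json):
    """Flag actions that are not read-only verbs and S3 object reads that are
    not pinned to a specific bucket. Returns a list of finding strings."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            service, _, verb = action.partition(":")
            if verb == "*" or not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: {action} is not a read-only verb")
            if service == "s3" and verb.startswith("Get") and "*" in resources:
                findings.append(f"statement {i}: {action} is not scoped to a bucket")
    return findings


if __name__ == "__main__":
    for line in audit_policy(build_policy(STATEMENTS)):
        print(line)
```

On the constructed sample the audit reports the one Cost Explorer action that is not a read verb and the s3:Get* grant on every bucket, which is the reason the billing statement in STEP 3 pins its resources to the billing bucket.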

Managing integrations

Integration list

The integration list displays the integrations that have been created with AWS.

  • Cloud Account : The ID of the cloud account connected via the specified cross-account role or Access key and secret key.
  • Alias : Displays the custom alias information for the cloud account and the time it was connected.
  • Status : Indicates the connection status of the cloud account, mainly to verify if the cross-account role is functioning correctly.
  • Storage : The status of the bucket corresponding to the billing data source, primarily to ensure its existence and accessibility.
  • Remark : Supplementary information about the current connection.

View integration information

Select an integration and click [Cloud Account] to view the current integration details, including the role ARN, cloud account ID, whether it is a payment account, remarks, etc.

Edit integration information

In the integration list, select an integration and click the [Edit] button in the action column to open the integration details drawer.

Modify information such as External ID, Access Key ID, and Secret Access Key as needed. The specific steps are the same as when creating a new connection.

Remove an integration

From the integration list, you can either delete a single integration or delete multiple integrations in bulk. Note: Deleting an integration will prevent retrieval of the corresponding data.

  • Delete an integration: Select an integration to be deleted from the list, click the [Delete] button in the action column, and confirm the deletion. If you do not confirm, the deletion will be canceled.
  • Delete integrations in bulk: Check the boxes next to the integrations you want to remove, then click the [Delete in Bulk] button at the top right of the list. Confirm the deletion or cancel if needed.

Edit account aliases

To edit an integration alias, click the [Edit] icon button in the "Alias" column. This will open a pop-up window where you can make changes. Click [Confirm] to save, or cancel to discard them.

Edit the notes

To edit the notes of an integration, click the [Edit] icon button in the "Remarks" column. This will open a pop-up window where you can make changes. Click [Confirm] to save, or cancel to discard them.