Chapter 4. Adding an Amazon Web Services (AWS) source to cost management

To add an AWS account to cost management, you must configure your AWS account to provide metrics, then add your AWS account as a source from the cost management user interface.

Note

You must have a Red Hat account user with Organization Administrator entitlements before you can add sources to cost management.

Adding your AWS account as a source creates a read-only connection to AWS that collects cost information hourly in cost management. It does not make any changes to the AWS account.

Before you can add your AWS account to cost management as a data source, you must configure the following services on your AWS account to allow cost management access to metrics:

  1. An S3 bucket to store cost and usage data reporting for cost management
  2. An Identity and Access Management (IAM) policy and role for cost management to process the cost and usage data

As you will complete some of the following steps in the AWS console, and some steps in the cost management user interface, keep both applications open in a web browser.

Add your AWS source to cost management from the settings area at https://cloud.redhat.com/settings/sources/.

Note

As non-Red Hat products and documentation can change without notice, instructions for configuring the third-party sources provided in this guide are general and correct at the time of publishing. See the AWS documentation for the most up-to-date and accurate information.

4.1. Creating an S3 bucket for reporting

Cost management requires an Amazon S3 bucket with permissions configured to store billing reports.

Log into your AWS account to begin configuring cost and usage reporting:

  1. In the AWS S3 console, create a new S3 bucket or use an existing bucket. If you are configuring a new S3 bucket, accept the default settings.
  2. In the AWS Billing console, create a Cost and Usage Report that will be delivered to your S3 bucket. Specify the following values (and accept the defaults for any other values):

    • Report name: <any-name> (note this name as you will use it later)
    • Additional report details: Include resource IDs
    • S3 bucket: <the S3 bucket you configured previously>
    • Time granularity: Hourly
    • Enable report data integration for: Amazon Redshift, Amazon QuickSight (do not enable report data integration for Amazon Athena)
    • Compression type: GZIP
    • Report path prefix: cost

      Note

      See the AWS Billing and Cost Management documentation for more details on configuration.

  3. In the cloud.redhat.com platform, open the Sources menu (https://cloud.redhat.com/settings/sources/) to begin adding an AWS source to cost management:

    1. Navigate to Sources and click Add a source to open the Sources wizard.
    2. Enter a name for your source and click Next.
    3. Select cost management as the application and Amazon Web Services (AWS) as the source type. Click Next.
    4. Paste the name of your S3 bucket and click Next.

4.2. Activating AWS tags for cost management

To use tags to organize your AWS resources in the cost management application, activate your tags in AWS to allow them to be imported automatically.

Procedure

  1. In the AWS Billing console:

    1. Open the Cost Allocation Tags section.
    2. Select the tags you want to use in the cost management application, and click Activate.
  2. In the cloud.redhat.com Sources wizard, click Next to move to the next screen.

4.3. Enabling minimal account access for cost and usage consumption

To provide data within the web interface and API, cost management needs to consume the Cost and Usage Reports produced by AWS. For cost management to obtain this data with a minimal amount of access, create an IAM policy and role for cost management to use. This configuration provides access to the stored information and nothing else.

Procedure

  1. From the AWS Identity and Access Management (IAM) console, create a new IAM policy for the S3 bucket you configured previously.

    1. Select the JSON tab and paste the following content in the JSON policy text box:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
              "s3:Get*",
              "s3:List*"
            ],
            "Resource": [
              "arn:aws:s3:::bucket_name",
              "arn:aws:s3:::bucket_name/*"
            ]
          },
          {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
              "s3:HeadBucket",
              "cur:DescribeReportDefinitions"
            ],
            "Resource": "*"
          }
        ]
      }
    2. Provide a name for the policy and complete the creation of the policy. Keep the AWS IAM console open as you will need it for the next step.

  2. In the cloud.redhat.com Sources wizard, click Next to move to the next screen.
  3. In the AWS IAM console, create a new IAM role:

    1. For the type of trusted entity, select Another AWS account.
    2. Enter 589173575009 as the Account ID to provide the cost management application with read access to the AWS account cost data.
    3. Attach the IAM policy you just configured.
    4. Enter a role name (and description if desired) and finish creating the policy.

  4. In the cloud.redhat.com Sources wizard, click Next to move to the next screen.
  5. In the AWS IAM console under Roles, open the summary screen for the role you just created and copy the Role ARN (a string beginning with arn:aws:).
  6. In the cloud.redhat.com Sources wizard, paste your Role ARN and click Next.
  7. Review the details and click Finish to add the AWS account to cost management.

Cost management will begin collecting cost and usage data from your AWS account and any linked AWS accounts.

The data can take a few days to populate before it shows on the cost management dashboard (https://cloud.redhat.com/cost-management/).

4.3.1. Enabling additional account access for cost and usage consumption

Cost management can display additional data that might be useful. For example:

  • Include the Action iam:ListAccountAliases to display an AWS account alias rather than an account number in cost management.
  • Include the Actions organizations:List* and organizations:Describe* to display the names of AWS member accounts rather than their account IDs if you are using consolidated billing.

The following configuration provides access to additional stored information and nothing else.

Procedure

  1. From the AWS Identity and Access Management (IAM) console, create a new IAM policy for the S3 bucket you configured previously.
  2. Select the JSON tab and paste the following content in the JSON policy text box:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/*"
          ]
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "iam:ListAccountAliases",
            "s3:HeadBucket",
            "cur:DescribeReportDefinitions",
            "organizations:List*",
            "organizations:Describe*"
          ],
          "Resource": "*"
        }
      ]
    }

    The remainder of the configuration steps are the same as in Section 4.3, “Enabling minimal account access for cost and usage consumption”.

You have completed adding your AWS account as a source.
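A check for the policies in Sections 4.3 and 4.3.1, added here as an example and not part of the Red Hat documentation: it flags any Allow that is not a read-only action (judged by action-name prefix, a heuristic) or that lets wildcard S3 reads reach beyond the report bucket. The function names, the bucket name example-cur-bucket and the DRIFTED sample are constructed for illustration.

```python
READ_ONLY_VERBS = ("get", "list", "describe", "head")  # prefix heuristic

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket):
    """Return findings for an IAM policy dict. An empty list means every Allow
    is read-only and wildcard S3 reads are limited to the report bucket."""
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants by exclusion")
        resources = set(as_list(stmt.get("Resource", [])))
        for action in as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            # IAM action names are case-insensitive
            if not verb.lower().startswith(READ_ONLY_VERBS):
                findings.append(f"{sid}: {action} is not a read-only action")
            elif service.lower() == "s3" and "*" in verb and not resources <= bucket_arns:
                extra = ", ".join(sorted(resources - bucket_arns))
                findings.append(f"{sid}: {action} also applies to {extra}")
    return findings

def minimal_policy(bucket):
    """The Section 4.3 policy with bucket_name replaced by a real bucket name."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*"],
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["s3:HeadBucket", "cur:DescribeReportDefinitions"],
         "Resource": "*"}]}

# Constructed sample: placeholder bucket left in place and a write action added.
DRIFTED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"]}]}

if __name__ == "__main__":
    bucket = "example-cur-bucket"  # hypothetical bucket name
    print(audit_policy(minimal_policy(bucket), bucket))  # []
    for finding in audit_policy(DRIFTED, bucket):
        print(finding)
```

Run it against the JSON you are about to paste into the IAM console; the same check passes the Section 4.3.1 policy, because its extra actions are all List or Describe calls.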