Connect to AWS

The Finout Console for AWS Configuration

To begin utilizing Finout for cost observability of your cloud bill, we require access to your Amazon Cost and Usage Report (CUR).

Important: If you have several Amazon accounts, please provide access to the parent (or EDP) account.

Create a CUR in the AWS Console

Please skip this step if you already configured it.

  1. Sign in to your AWS console, and create a new CUR.

  2. Name your report with an indicative name, such as yourcompanyname-billing-reports.

  3. Check these two checkboxes and click Next.

  4. On the next screen, choose Configure, and name it indicatively. For example: “finout-cur-reports”.

    Important: Record the bucket name as you will be required to enter it into the Finout console.

  5. Verify the policy by clicking Save.

  6. Give a path prefix and record this as you will be required to enter it into the Finout console.

  7. Configure it as shown below:

  8. Click Next and then click Review and Complete. The reports should be created after a few hours.

  9. Go to the cost allocation tags screen: https://console.aws.amazon.com/billing/home#/tags

  10. Ensure that all the tags you want Finout to analyze, both now and in the future, are activated.

Important: If a tag is not activated, the data will not be tagged in the CUR report, and this cannot be added retroactively.

Grant Finout Access to Your CUR Bucket

Once the CUR is created, you need to grant Finout access to your CUR bucket by creating an IAM role. This can be done using CloudFormation or manually, with CloudFormation being the recommended method.

Grant access using CloudFormation (recommended method)

  1. Create a CloudFormation Stack from a template by following the instructions on the AWS website.

  2. Use the following Amazon S3 URL for your Stack template: https://finout-public-assets.s3.amazonaws.com/FinoutBillingAndMetricsReadOnlyRole.json.

  3. Complete the steps by filling in the external-id provided by the Finout console and the bucket name you created for your CUR.

  4. Click Next and Submit until you get to the Stack details page. On this page, click Output and copy the value of the IAM role ARN. Paste this into the Finout console.

Grant access manually

  1. Copy your external-id from the Finout console.

  2. In IAM, create a new cross-account role, that is, a role for another AWS account.

  3. In the account ID, enter: 277411487094.

  4. Choose the option Require external ID and enter the external-id provided by the Finout console.

  5. Click Next until the review screen is displayed.

  6. Configure the review as shown below, with one exception: The role name should be: FinoutMetricsReadOnlyRole (unlike in the screenshot).

  7. Go to your newly created role.

  8. Copy the Role ARN and paste it into the Finout console.

  9. Click on Add permissions and choose Create inline policy.

  10. Choose the JSON format and paste the following JSON, replacing <CUR_BUCKET_NAME> with the name of the bucket you created in the first section or your existing CUR bucket:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "tag:GetTagKeys"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": "arn:aws:s3:::<CUR_BUCKET_NAME>/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": "arn:aws:s3:::<CUR_BUCKET_NAME>"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeReservedInstances*",
            "ec2:GetReservedInstances*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "savingsplans:DescribeSavingsPlan*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "organizations:ListAccounts",
            "organizations:ListTagsForResource"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ce:GetReservationUtilization",
            "ce:GetSavingsPlansUtilization",
            "ce:GetSavingsPlansUtilizationDetails",
            "ce:GetCostAndUsage",
            "ce:GetCostAndUsageWithResources"
          ],
          "Resource": "*"
        }
      ]
    }

  11. Click Next until the review screen, and name it finout-access-policy.

  12. Click Create policy to finalize the creation of your policy for the IAM role.
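The role created in steps 2 to 4 should be assumable only from account 277411487094, and only when the caller presents your external-id. The Python check below is an added example, not Finout's code: it audits a role's trust policy document for exactly that. The sample policies are constructed, EXAMPLE-EXTERNAL-ID is a placeholder, and the `arn:aws:iam::277411487094:root` principal form is an assumption about what the console generates for a cross-account role.

```python
FINOUT_ACCOUNT_ID = "277411487094"  # account ID from step 3 of the page

def as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Account ID of an AWS principal given as a bare ID or an IAM ARN."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def audit_trust_policy(policy, external_id):
    """Return findings; an empty list means the policy matches steps 2-4."""
    findings = []
    allows = [s for s in as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for n, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {n}: principal is not limited to AWS accounts")
        else:
            for p in as_list(principal["AWS"]):
                if account_of(p) != FINOUT_ACCOUNT_ID:
                    findings.append(f"statement {n}: unexpected principal {p}")
        # The external ID must be pinned with an exact-match condition.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, v in cond.items() if k.lower() == "sts:externalid"]
        if not ids:
            findings.append(f"statement {n}: no sts:ExternalId condition")
        elif any(as_list(v) != [external_id] for v in ids):
            findings.append(f"statement {n}: external ID differs from the console value")
    return findings

# Constructed trust policies; EXAMPLE-EXTERNAL-ID is a placeholder value.
def sample(principal, condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": principal,
        "Action": "sts:AssumeRole", "Condition": condition}]}

WITH_ID = {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
GOOD = sample({"AWS": "arn:aws:iam::277411487094:root"}, WITH_ID)
NO_EXTERNAL_ID = sample({"AWS": "arn:aws:iam::277411487094:root"}, {})
WILDCARD = sample({"AWS": "*"}, WITH_ID)

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("NO_EXTERNAL_ID", NO_EXTERNAL_ID), ("WILDCARD", WILDCARD)]:
        print(name, audit_trust_policy(doc, "EXAMPLE-EXTERNAL-ID"))
```

To audit a real role, pass in the JSON shown on the role's Trust relationships tab, parsed with `json.loads`, together with the external-id from the Finout console.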

Details in the Finout Console

  • Cost center name - A custom name you can choose to name your AWS connection.

  • Role ARN - The Amazon Resource Name (ARN) that identifies the IAM role.

  • CUR bucket name - The S3 bucket name in which AWS stores your Cost and Usage Reports.

  • CUR folder name (Bucket prefix) - The folder in S3 in which the CUR files are located.

  • Region

Frequently Asked Questions About Integrating CUR with Finout

  • What format should the CUR file be in for optimal integration with Finout?

    For optimal integration, we recommend using the CUR file in the Parquet format, although Finout supports text/CSV format as well. The Parquet format is preferred for its efficiency in processing and analytics, especially for large-scale data handling.

  • Does the CUR file need to be located in the master payer account?

    No, the CUR file does not necessarily need to be in the master payer account. The important requirement is that the CUR must be comprehensive of all billing data for the master payer to ensure accurate and complete data analysis.

  • Is it acceptable for the CUR file to overwrite itself throughout the month?

    Yes, it is acceptable for the CUR file to overwrite itself throughout the month. This practice allows for up-to-date data analysis as new billing information becomes available.

  • Can we use a CUR file from CloudHealth or another third-party service?

    Yes, you can use a CUR file from services like CloudHealth, as long as it matches the settings required by Finout and is comprehensive of all necessary billing data. For integration, the directory structure should be in the format: s3://bucket_name/cur/year=2023/month=12/*.parquet.

  • How long does it usually take for data to appear in the Finout platform?

    It usually takes about 24 hours for Finout to complete the first fetch of data from AWS. We recommend checking first thing in the morning (10 AM your local time) the next day.

What Should I Do If My AWS Self-Onboarding Process Fails?

If the self-onboarding process fails, check the following:

  • Verify S3 Bucket Content: Ensure that your S3 bucket contains the CUR files and is not empty.

  • Check S3 Path Prefix: The most common issue is an incorrect S3 path prefix. The path prefix should typically follow the format your-organization-name/cur-report-name/. Avoid including the date-range part in the prefix, as it is replaced dynamically with the actual date range. For example, use fedramp-org/finout-cur instead of including the date range in the path.

  • Manifest.json File: Confirm that the Manifest.json file is present in your S3 bucket, as it's essential for the CUR integration.

If the problem persists after these checks, please provide us with the necessary credentials for further debugging.

How can I correct an incorrect S3 path prefix?

The S3 path prefix should be static and consistent with the location of the CUR files in your S3 bucket, without including date ranges. If you included the date range in your path prefix, remove it and try again. For example, use your-path/cur-report-name/ instead of your-path/20240101-20240201/.

What if validations pass locally but fail during onboarding?

If validations pass locally but fail during onboarding, double-check the S3 path prefix to ensure that it matches the CUR setup in your S3 bucket. The prefix provided to Finout should match the prefix where the CUR files are stored. If you have made changes and everything is set up correctly, attempt the onboarding process again.
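The three troubleshooting checks above (bucket not empty, static path prefix, Manifest.json present) can be run over a listing of the bucket's object keys before retrying onboarding. This Python pre-check is an added example, not part of Finout's tooling; the key names are constructed around the page's fedramp-org/finout-cur prefix, and the manifest file name is an assumption.

```python
import re

DATE_RANGE = re.compile(r"^\d{8}-\d{8}$")  # a folder such as 20240101-20240201

def static_prefix(prefix):
    """Return (prefix cut before the first date-range folder, that folder or None)."""
    kept = []
    for part in (p for p in prefix.split("/") if p):
        if DATE_RANGE.match(part):
            return "/".join(kept), part
        kept.append(part)
    return "/".join(kept), None

def precheck(keys, prefix):
    """Return a list of problems; an empty list means all three checks pass."""
    problems = []
    base, date_part = static_prefix(prefix)
    if date_part:
        problems.append(f"prefix includes date range {date_part}; remove it")
    if not keys:
        return problems + ["bucket listing is empty"]
    root = base + "/" if base else ""
    under = [k for k in keys if k.startswith(root)]
    if not under:
        problems.append(f"no objects under {root}")
    elif not any(k.endswith("Manifest.json") for k in under):
        problems.append(f"no Manifest.json under {root}")
    return problems

# Constructed listing of object keys in a CUR bucket (names are assumptions).
KEYS = [
    "fedramp-org/finout-cur/20240101-20240201/finout-cur-Manifest.json",
    "fedramp-org/finout-cur/20240101-20240201/finout-cur-00001.snappy.parquet",
]

if __name__ == "__main__":
    for candidate in ["fedramp-org/finout-cur",
                      "fedramp-org/finout-cur/20240101-20240201/",
                      "fedramp-org/wrong-name/"]:
        print(candidate, "->", precheck(KEYS, candidate) or "ok")
```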

Still need help? Please feel free to reach out to our team at info@finout.io.
