Tim

Welcome to Tim's documentation

Tim, the Taloflow Instance Manager, is an AI that helps you reduce your AWS costs.


Connecting your cloud

Learn how to connect Tim to your AWS account.

Tim connects to your AWS account through an IAM Role and a Trusted Relationship. You'll also need to turn on hourly AWS Expense Reports and forward CloudWatch events to Tim.

Access Setup

AWS Credentials

Your AWS credentials are not needed! In order to use Tim, you will instead need to create a Role for Tim within your AWS account. This authorization will allow Taloflow's AWS account to talk to your account. The Role has very specific and limited access to the things we need to do to save you costs.

Turn on Hourly Expense Reports

To get the appropriate cost information, we'll need you to have set up the cost allocation report correctly.

AWS Master Account

To get cost allocation reports that include all the usage, costs, and tags for the member accounts, you may want to use a master account for this step.

  • Sign in to the AWS Management Console and open the Billing and Cost Management console.
  • In the navigation pane, choose Preferences.
  • For Receive Billing Reports, select the check box.
  • For Save to S3 Bucket, type a valid Amazon S3 bucket name, and then choose Verify.
  • In the Report list, select the check box for Cost allocation report.
  • Choose Manage report tags.
  • Make sure that all the tag keys you want in your report are selected.
  • For Filter, choose Inactive tags in the drop down list, and then select the tags that you want to activate for your report.
  • Choose Activate.

Add a Trusted Relationship for Tim

  • Sign in to the AWS Management Console and open the IAM console.
  • In the navigation pane of the IAM console, choose Trusted Relationships.
  • Click Add Trusted Relationship.
  • Create a new security key (this provides enhanced security) and add it to the relationship.
  • In the Trusted Relationship, add this AWS account ID: 845897643164
  • Click Add.
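
A check for the trust policy these steps produce, as an added example (not Taloflow's code). It assumes the "security key" above is what AWS calls an external ID, enforced through the sts:ExternalId condition key; the sample policies and the key value are constructed.

```python
import re

VENDOR_ACCOUNT = "845897643164"  # account ID given on this page

def as_list(value):
    """IAM accepts a single string or a list in most fields."""
    return value if isinstance(value, list) else [value]

def principal_account(principal):
    """12-digit account of an AWS principal, or None for '*' and other forms."""
    m = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::.+)?", principal)
    return m.group(1) if m else None

def trust_issues(trust_policy, vendor_account=VENDOR_ACCOUNT):
    """List problems in the Allow statements of a role trust policy."""
    issues = []
    for stmt in as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the bare string "*" or a dict such as {"AWS": ...}.
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in aws:
            if principal_account(p) != vendor_account:
                issues.append(f"unexpected principal: {p}")
        # Condition key names are case-insensitive in IAM.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not {k.lower(): v for k, v in equals.items()}.get("sts:externalid"):
            issues.append("no sts:ExternalId condition")
    return issues

# Constructed samples: the first requires the key, the second omits it
# and trusts any AWS principal.
KEYED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::845897643164:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-setup-key"}}}]}
OPEN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    print(trust_issues(KEYED))
    print(trust_issues(OPEN))
```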

Add an IAM Role

  • Sign in to the AWS Management Console and open the IAM console.
  • In the navigation pane of the console, choose Roles and then choose Create role.
  • Choose the Another AWS account role type.
  • For Account ID, type this AWS account ID: 845897643164
  • Click Create role and give it whichever name you like (e.g.: Taloflow Instance Manager).
  • Once the new Role is created, choose Roles again and then choose Policies.
  • Select Create an inline policy.
  • Copy and paste the following JSON snippet into the JSON field and replace the name TaloflowS3xExpenseBucket0 with the name of the S3 bucket where your Expense Reports are sent:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TaloflowS3xExpenseBucket0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:HeadBucket"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "TaloflowBilling0",
            "Effect": "Allow",
            "Action": [
                "aws-portal:ViewAccount",
                "tag:*",
                "aws-portal:ViewBilling",
                "ce:*",
                "aws-portal:ViewUsage",
                "cur:DescribeReportDefinitions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchEventsFullAccess",
            "Effect": "Allow",
            "Action": "events:*",
            "Resource": "*"
        },
        {
            "Sid": "IAMPassRoleForCloudWatchEvents",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/AWS_Events_Invoke_Targets"
        },
        {
            "Sid": "TaloflowLogs",
            "Action": [
                "logs:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "autoscaling:Describe*",
                "sns:*",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "events.amazonaws.com"
                }
            }
        },
        {
            "Sid": "TaloflowPricing000",
            "Action": [
                "pricing:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "TaloflowEC2000",
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "TaloflowLoadBalancing",
            "Effect": "Allow",
            "Action": "elasticloadbalancing:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudwatch:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "autoscaling.amazonaws.com",
                        "ec2scheduled.amazonaws.com",
                        "elasticloadbalancing.amazonaws.com",
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com",
                        "transitgateway.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Set Up Amazon CloudWatch Events to Forward to Tim

You will need to set up your AWS account to forward CloudWatch events to Tim's AWS account. Sending and receiving events between accounts is easy. Tim will walk you through those steps (including how to point to Taloflow's 12-digit ID) in the on-boarding flow.

If Cost Reports isn't turned on, there will be new fees (very small)

If you have Cost Reports turned on, please ignore this message. If you don't, please be aware that turning on Cost Reports will result in additional S3 and bandwidth charges.

Final Steps

Once you've completed the above steps, please share the following with Jason on the Taloflow team: jason@taloflow.ai

  • Role ARN
  • Name of S3 Bucket being used
  • Name of Report Directory for Cost Reporting
  • AWS Account ID
  • AWS Region
  • Role setup key

Once you've shared the above, the Taloflow team will set up a config file for your account.

Permissions

You can limit Tim as much as you want. For the Beta Program, we are listening only to the specific EC2 events that are needed to perform automations.

Here are some things you should know about the Role you will create for Tim within your AWS account:

  • Tim does not become a User within your AWS account.
  • The Role is not authorized to add or modify any code.
  • Tim's event listener is registered to yours so we can listen to specific events.
  • The Role itself is an identity that has the required permissions.
  • The Role is not authorized to read data or even the log files.
  • During the Beta Program, the Role is only authorized to perform EC2 actions.
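
To compare the list above with the inline policy from "Add an IAM Role", this added example (not Taloflow's code) reports which services the policy allows and which statements grant every action of a service on all resources. POLICY is a condensed excerpt of four statements from that policy; the function names are this example's own.

```python
import json
from fnmatch import fnmatchcase

# Four statements excerpted from the inline policy on this page, condensed.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "TaloflowS3xExpenseBucket0", "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:HeadBucket"],
  "Resource": "arn:aws:s3:::*"},
 {"Sid": "TaloflowLogs", "Action": ["logs:*"], "Effect": "Allow", "Resource": "*"},
 {"Action": ["autoscaling:Describe*", "sns:*", "iam:GetPolicy", "iam:GetPolicyVersion",
             "iam:GetRole"], "Effect": "Allow", "Resource": "*"},
 {"Sid": "TaloflowEC2000", "Action": "ec2:*", "Effect": "Allow", "Resource": "*"}
]}
""")

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def all_resources(resource):
    """True when the resource part of the pattern is a bare wildcard."""
    return resource.split(":", 5)[-1] == "*"

def unscoped(policy):
    """Allow statements with no Condition that apply to all resources."""
    return [s for s in as_list(policy["Statement"])
            if s.get("Effect") == "Allow" and "Condition" not in s
            and any(all_resources(r) for r in as_list(s["Resource"]))]

def services_allowed(policy):
    """Service prefixes that appear in any Allow statement."""
    return sorted({a.split(":", 1)[0] for s in as_list(policy["Statement"])
                   if s.get("Effect") == "Allow" for a in as_list(s["Action"])})

def full_service_grants(policy):
    """(Sid, action) pairs that grant service:* in an unscoped statement."""
    return [(s.get("Sid", "(no Sid)"), a) for s in unscoped(policy)
            for a in as_list(s["Action"]) if a == "*" or a.endswith(":*")]

def allowed_everywhere(policy, action):
    """True if an unscoped statement covers `action` (IAM wildcards * and ?)."""
    return any(fnmatchcase(action.lower(), p.lower())
               for s in unscoped(policy) for p in as_list(s["Action"]))

if __name__ == "__main__":
    print(services_allowed(POLICY))
    print(full_service_grants(POLICY))
    print(allowed_everywhere(POLICY, "s3:GetObject"))
```

To audit the complete policy, load the full JSON from "Add an IAM Role" into POLICY in place of the excerpt.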