Tim

Welcome to Tim's documentation

Tim, the Taloflow Instance Manager, is an AI that helps you reduce your AWS costs.

Connecting your cloud

Learn how to connect Tim to your AWS account.

Tim connects to your AWS account through IAM Roles. You'll also need to turn on hourly AWS Expense Reports and forward CloudWatch events for EC2 to Tim.

Permissions

Taloflow's AWS account will talk to your account through IAM Roles that limit what Tim has access to. Here are some things you should know about the Roles we require:

  • Tim does not become a User within your AWS account.
  • The Role is not authorized to add or modify any code.
  • Tim's event listener is registered to yours so we can listen to specific events.
  • The Role itself is an identity that has the required permissions.
  • The Role is not authorized to read data or even the log files.
  • During the Beta Program, the Role is only authorized to perform EC2 actions.

You can limit Tim as much as you want. For the Beta Program, we are listening only to the specific EC2 events that are needed to perform automations.

Access Setup

Step 1: Create an S3 Bucket for the Cost Report

If you already have an S3 bucket for your AWS cost report, please skip ahead to Step 2. If you do not have an S3 bucket set for your AWS cost report, please follow the steps just below:

  • Sign in to the AWS Management Console, and click on the Services tab in the top navigation bar.
  • Search for and select S3 from the menu.
  • In the S3 page, click on Create bucket.
  • Give your bucket a name and then click Next several times, and on the final Review page click Create bucket.
Create S3 bucket

Please write down the name of your S3 bucket somewhere - you'll need it later.

Step 2: Bucket Permissions

Unless your bucket has the appropriate permissions, you will get an Invalid Bucket error in Step 3. To avoid this error you can add AWS' sample permissions. To do so, please follow the steps just below:

  • In the Services tab in the top navigation bar of the AWS console, search for and select S3.
  • Click the hyperlink for the S3 bucket where you'd like your Cost Report to reside (or, the bucket you created in Step 1).
  • Within the bucket page, click on Permissions, and then Bucket Policy just under it.
  • Copy and paste the script below (this is AWS' sample policy) into the text area, replace [your-bucket-name] (occurs twice) with the name of the S3 bucket you created in Step 1 and click Save.
{
  "Version": "2008-10-17",
  "Id": "Policy1335892530063",
  "Statement": [
    {
      "Sid": "Stmt1335892150622",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::386209384616:root"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::[your-bucket-name]"
    },
    {
      "Sid": "Stmt1335892526596",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::386209384616:root"
      },
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::[your-bucket-name]/*"
    }
  ]
}
S3 bucket permissions - AWS sample bucket policy

Step 3: Enable Cost Allocation Report

Billing authorization

To get cost allocation reports that include all the usage, costs, and tags, you need to be authorized to add and configure cost reports under AWS Billing. If you lack this access, please ask your AWS administrator to do the following before moving on:

  1. In the IAM Console, go to Users in the left navigation pane.
  2. Click on the individual's account
  3. In the next screen, select the tab Attach existing policies directly
  4. Search or filter for Billing permissions, and select and apply it to the individual's account

To get the appropriate cost information, we'll need you to set up the cost allocation report correctly.

  • Sign in to the AWS Management Console and open the Billing and Cost Management console.
  • In the navigation pane to the left, choose Preferences.
  • For Receive Billing Reports, select the check box.
  • For Save to S3 Bucket, type a valid Amazon S3 bucket name, and then choose Verify.

S3 bucket permissions

You must apply appropriate permissions to your S3 bucket; otherwise, you will see an invalid bucket error when you try to receive billing reports. If you're stuck here, click on the sample policy link under the error message and copy and paste the snippet into the permissions for your S3 bucket, or go to the Step 2: Bucket Permissions section on this page for a walk-through of these steps.

  • In the Report list, select the check box for Cost allocation report.
  • Click Save Preferences. (Please be aware that turning on Cost Reports will result in additional S3 and bandwidth charges.)
Activate Hourly Expense Reports

Step 4: Create an AWS Cost and Usage Report

AWS Cost and Usage Reports page

  • Give your cost report a name. For example, general-cost-report
  • Make sure that Include resource IDs and Data refresh settings are both checked.
  • Click Next
Create report content

  • Under Delivery options, start by entering the name of the S3 bucket where your reports will reside and click Verify.
  • We recommend you create a path prefix in the next field. For example, main.
  • Please ensure that you've selected Hourly and GZIP.
  • Click Next
Delivery options page

  • In the following page, please make note of the Report path prefix. Ignore what's between the last two slashes. In our example, the appropriate prefix is main/general-cost-report/.
  • Once noted down, click Review and Complete.

Please write down the Report path prefix - you'll need it later.

Finding the Cost Report Path

Step 5: Create an IAM Role for Tim

  • Sign in to the AWS Management Console and open the IAM console.
  • In the navigation pane of the IAM console, choose Roles.
  • Click Create role.
Create role

  • For the type of Trusted Entity, select Another AWS Account
  • Under Account ID, add Tim's AWS account ID: 845897643164
  • Check off the option for Require external ID and enter tim-ext-id. (You can use any external ID, but Role setup keys and External IDs cannot contain $ or #.)
  • Click Next: Permissions

Please write down your Role setup key / External ID somewhere - you'll need it later.

Add Tim as a Trusted Entity

  • In the next screen, click on Create policy. This should open a new browser tab. Please make sure to keep both browser tabs open.
  • In the new browser tab, select the JSON tab, and copy and paste the following JSON snippet into the JSON field and make the following changes:
  • Make sure that you replace [your-bucket-name] in the two areas where it appears in the JSON script with the name of the S3 bucket where your Expense Reports are sent. For example, costreportbucket2. (Please make sure that the square brackets are removed.)
  • And, replace [AccountID] with your AWS Account ID in the one place it occurs. Your AWS Account ID can be found here. For example, 158436883414.

Please write down your AWS Account ID somewhere - you'll need it later.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TaloflowS3xExpenseBucket0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::[your-bucket-name]",
                "arn:aws:s3:::[your-bucket-name]/*"
            ]
        },
        {
            "Sid": "TaloflowCostAndUsageMetrics0",
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:List*",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "*"
        },
        {
            "Sid": "TaloflowResourceInformationMetrics0",
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "ec2:Describe*",
                "ec2:DescribeInstanceStatus",
                "sns:Get*",
                "sns:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "TaloflowInstanceRecomendationEngine0",
            "Effect": "Allow",
            "Action": [
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "TaloflowAutoSetupRuleForEventMapping",
            "Effect": "Allow",
            "Action": [
                "events:EnableRule",
                "events:DisableRule",
                "events:PutEvents"
            ],
            "Resource": [
                "arn:aws:events:us-east-1:845897643164:event-bus/default"
            ]
        },
        {
            "Sid": "IAMPassRoleForCloudWatchEvents",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::[AccountID]:role/InvokeTaloflowEventBusRole"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "events.amazonaws.com"
                }
            }
        },
        {
            "Sid": "TaloflowPricing000",
            "Action": [
                "pricing:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "TaloflowTagging000",
            "Action": [
                "tag:GetTagKeys",
                "tag:GetTagValues",
                "tag:GetResources",
                "tag:AddResourceTags",
                "tag:RemoveResourceTags",
                "tag:TagResources",
                "tag:UntagResources"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Replace [your-bucket-name] and [AccountID] in the JSON

Please ensure that you're replacing the placeholder bucket name (found twice) with your own bucket, and replace the placeholder for the Account ID (found once) with your AWS Account ID. Otherwise you'll be met with a failed legacy parsing error in the following step.

  • Click Review policy
  • In the following screen, give the Policy this name: taloflowInstructionProcessorPolicy
  • Scroll down and click Create policy
Create Instruction Processor Policy

Invalid policy name

Please ensure that there are no spaces before or after the policy names you add.

  • Now, switch back to the Roles browser tab you had open.
  • Under Attach permissions policies please search for the taloflowInstructionProcessorPolicy we just created and make sure it's selected or checked off.
  • Click Next: Tags to move on to the Review page
Attached permissions policies

  • For the Role name field, please give the role the name taloflowInstructionProcessorRole
  • Click Create role
Create Instruction Processor Role
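
A check you can run on the filled-in taloflowInstructionProcessorPolicy JSON from this step before pasting it into the console, as an added example that is not part of Taloflow's documentation: it reports placeholders that were left unreplaced and lists the statements that allow state-changing actions on every resource. The sample policy is a constructed, shortened copy of the one above, and treating only Describe/Get/List actions as read-only is an assumption of this example.

```python
import json
import re

# Constructed sample: a shortened copy of the page's policy in which the bucket
# name was filled in but the account-ID placeholder was left untouched.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TaloflowS3xExpenseBucket0", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::costreportbucket2",
                      "arn:aws:s3:::costreportbucket2/*"]},
        {"Sid": "TaloflowInstanceRecomendationEngine0", "Effect": "Allow",
         "Action": ["ec2:StopInstances", "ec2:StartInstances",
                    "ec2:TerminateInstances"],
         "Resource": "*"},
        {"Sid": "IAMPassRoleForCloudWatchEvents", "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::[AccountID]:role/InvokeTaloflowEventBusRole"},
        {"Sid": "TaloflowResourceInformationMetrics0", "Effect": "Allow",
         "Action": ["ec2:Describe*", "sns:List*"], "Resource": "*"},
    ],
})

# The two placeholders the page asks you to replace (either capitalisation).
PLACEHOLDER = re.compile(r"\[(?:your-bucket-name|AccountI[Dd])\]")
# Action-name prefixes treated as read-only for this review (an assumption).
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)")

def as_list(value):
    return value if isinstance(value, list) else [value]

def review_policy(policy_text):
    """Return (leftover placeholders, {Sid: non-read-only actions allowed on '*'})."""
    leftovers = sorted(set(PLACEHOLDER.findall(policy_text)))
    wildcard_writes = {}
    for index, stmt in enumerate(json.loads(policy_text)["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        writes = [a for a in as_list(stmt.get("Action", [])) if not READ_ONLY.match(a)]
        if writes:
            wildcard_writes[stmt.get("Sid", f"statement-{index}")] = writes
    return leftovers, wildcard_writes

if __name__ == "__main__":
    leftovers, wildcard_writes = review_policy(SAMPLE_POLICY)
    print("unreplaced placeholders:", leftovers)
    for sid, actions in wildcard_writes.items():
        print(f"{sid}: {actions} on Resource '*'")
```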

Step 6: Finding the Instruction Processor Role ARN

  • Click on Roles in the left navigation pane of IAM console and click on the hyperlink for your newly created taloflowInstructionProcessorRole
  • In the Role overview page, please make note of the Role ARN

Please write down the Instruction Processor Role ARN somewhere - you'll need it later.

Finding the Role ARN

Step 7: Add a Second IAM Role for Tim

  • Sign in to the AWS Management Console and open the IAM console.
  • In the navigation pane of the console, choose Roles and then choose Create role.
  • This time, choose the AWS service role type.
  • Scroll to the bottom, and select CloudWatch Events
  • Under Select your use case, click on CloudWatch Events so that it's highlighted in blue.
  • Then, you can click on Next: Permissions, Next: Tags, and then Next: Review
Select CloudWatch Events (twice)

  • In the Review page, give the Role the name taloflowInvokeEventBusRole (making sure there are no spaces before or after)
  • Click Create role
Create Event Bus Role

  • Under the Roles page, search for and click the hyperlink for the newly created taloflowInvokeEventBusRole
  • Click on Add inline policy
  • Select the JSON tab, and copy and paste the following JSON snippet into the JSON field (you will not need to make any changes)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "events:PutEvents",
            "Resource": "arn:aws:events:us-east-1:845897643164:event-bus/default"
        }
    ]
}
  • Click Review policy
  • In the following screen, give the Policy this name: taloflowInvokeEventBusPolicy
  • Scroll down and click Create policy

Step 8: Forward CloudWatch events to Tim

You will need to set up your AWS account to forward CloudWatch events to Tim's AWS account. The forwarded information consists of the EC2 events, including instance IDs and whether the instances are on or off.

  • Click on the Services tab in the top navigation bar for the AWS console
  • Search for and click CloudWatch
  • Click on Rules under Events in the left navigation pane and then click Create rule
  • Under Event Source, make sure that Event Pattern is the selected option.
  • Click Edit in the Event Pattern Preview text area and copy and paste the following snippet into the pop up text area and click Save.
{
 "source": [
   "aws.ec2"
 ]
}
  • To the right of the screen, click Add target
  • In the drop-down selector, scroll down and select Event bus in another AWS account
  • In the Account ID field, add Tim's AWS account ID: 845897643164
  • Just below, please select Use existing role
  • Under Use existing role search and select the taloflowInvokeEventBusRole you created earlier.
  • Scroll down and click Configure details to move on to the next page.
Create Event Bus Rule

  • Please give the Rule the name taloflowInvokeEventBusRule and click Create rule
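
To see which events the Step 8 rule sends to the other account, the added example below (not part of Taloflow's documentation) evaluates the page's event pattern against a few constructed events using a simplified matcher that supports exact values only. The narrower pattern is hypothetical; the page does not say whether Tim works with it.

```python
# Constructed sample events; IDs and ARNs are placeholders, not real resources.
SAMPLE_EVENTS = [
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "stopped"}},
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "RunInstances",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"}}},
    {"source": "aws.ec2", "detail-type": "EC2 Spot Instance Interruption Warning",
     "detail": {"instance-id": "i-0123456789abcdef0", "instance-action": "terminate"}},
    {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "PutObject"}},
]

PAGE_PATTERN = {"source": ["aws.ec2"]}  # the pattern pasted in Step 8
# Hypothetical narrower pattern; the page does not say whether Tim works with it.
NARROWED_PATTERN = {"source": ["aws.ec2"],
                    "detail-type": ["EC2 Instance State-change Notification"]}

def matches(pattern, event):
    """Exact-value subset of event pattern matching (no prefix or numeric operators)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            # Nested pattern: descend into the same key of the event.
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def forwarded(pattern, events=SAMPLE_EVENTS):
    """Detail-types of the events the rule would send to the target event bus."""
    return [e["detail-type"] for e in events if matches(pattern, e)]

if __name__ == "__main__":
    print("page pattern forwards:    ", forwarded(PAGE_PATTERN))
    print("narrowed pattern forwards:", forwarded(NARROWED_PATTERN))
```

With the page's pattern, every event whose source is aws.ec2 leaves the account, including CloudTrail API-call events that carry caller identity when a trail is enabled.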

Step 9: Share setup information with Taloflow

Once you've completed the above steps, please share the following with Jason on the Taloflow team: jason@taloflow.ai

Required Information: Example

  • Role ARN for the InstructionProcessorRole: arn:aws:iam::629404546125:role/taloflowInstructionProcessorRole
  • S3 Bucket Name: costreportbucket2
  • Cost Report Directory: main/general-cost-report/
  • AWS Account ID: 629404546125
  • AWS Region: us-east-1 or N. Virginia
  • Role setup key / External ID: tim-ext-id

To find the AWS Region you're in, simply look at the top right corner of the console menu. In our example, it's N. Virginia, also known as us-east-1.

Console menu

Once you've shared the above, the Taloflow team will set up your account and confirm when you can move on to Step 10 to activate the Taloflow cost tags.

Step 10: Activate Taloflow Cost Tags

  • Sign in to the AWS Management Console and open the Billing and Cost Management console.
  • In the navigation pane to the left, choose Cost Allocation Tags.
  • Under the User-defined Cost Allocation Tags, please check all the tags with the taloflow: prefix.
  • Then click Activate just above User-defined Cost Allocation Tags
  • Finally, click again on Activate under AWS-Generated Cost Allocation Tags
  • If there are any other tags that you'd like to have available in your cost report, feel free to have them checked and activated in this step too.