Taloflow

Welcome to Taloflow's documentation

Taloflow simplifies comparing, managing, and monitoring cloud products.

Integrate Existing Cost Reports

Tim connects to your AWS account through IAM Roles created via a CloudFormation template.

🚧

If you don't have AWS Cost and Usage Reports or a Cost Report Bucket, please integrate using the steps linked here: Integrate New Cost Report Bucket (10 mins).

Granted Permissions

Taloflow's AWS account will talk to your account through IAM Roles that limit what Tim has access to. Here are some things you should know about the Roles we require:

  • Tim does not become a User within your AWS account.
  • The Role is not authorized to add or modify any code.
  • Tim's event listener is registered to yours so we can listen to specific events.
  • The Role itself is an identity that has the required permissions.
  • The Role is not authorized to read data or even the log files.
  • The Role is not authorized to perform actions.

Prerequisites

  • The Cost and Usage Report parameters should be set to Hourly, GZIP, Resource IDs and Create New Report Version.
  • Know the name of the S3 Bucket with the Cost Report, the AWS Region where the S3 Bucket is located, and the Report Name and Report Prefix for the Cost Report.
  • The Cost and Usage Report should sit at the top level of the bucket. Please don't nest a cost reports folder inside another existing folder in your S3 Bucket.
  • An AWS Account with access to billing. Your AWS administrator can change the permissions to give you access with the following steps:
      1. Log into the IAM Console (https://console.aws.amazon.com/iam/home)
      2. Go to **Users** in the left navigation panel
      3. Click on the individual's account
      4. In the next screen, select the tab **Attach existing policies directly**
      5. Search or filter for **Billing** permissions
      6. Select and apply it to the individual's account

Instructions

Step 1: Run CloudFormation Template (Pre-Existing Bucket)

🚧

Only for existing S3 buckets with cost report history

If you created a new S3 bucket with NO prior cost report history, then please follow these steps instead: Integrate New Cost Report Bucket (10 mins).

Click on this link if you want to download and share the template with your security team.

❗️

Make sure that you are running the CloudFormation template in US East-1 (N. Virginia) or it will not run correctly.

  • In the console, keep both pre-selected options (Template is ready and Amazon S3 URL), leave the URL as is, then click Next.
  • Insert the name of the S3 Bucket with the Cost Report, the AWS Region where the S3 Bucket is located, and the Report Name and Report Prefix for the Cost Report.
  • For the External ID field, you can use pretty much any External ID (e.g., tim-ext-id).

🚧

The External ID cannot have the following characters: $, #

  • Click Next
  • On the following page scroll down and click Next again
  • On the following page scroll down, acknowledge that this template might create IAM resources by checking the box, then click Create Stack.
  • On the next page, you will have to wait 2-3 minutes for the stack to get created. You can click the refresh icon in the Console.
  • When all is green, you are ready to go, save for one more optional step.
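A pre-flight check for the Prerequisites and Step 1, as an added example that is not part of Taloflow's documentation or tooling: it reads the JSON printed by `aws cur describe-report-definitions`, compares the report against the required settings, checks the External ID for the forbidden characters, and returns the four values the stack form asks for. The function name, the result keys and the sample data are assumptions made for this example.

```python
import json

# Settings required by the Prerequisites section, in the field names
# used by the output of `aws cur describe-report-definitions`.
REQUIRED = {
    "TimeUnit": "HOURLY",
    "Compression": "GZIP",
    "ReportVersioning": "CREATE_NEW_REPORT",
}
FORBIDDEN_EXTERNAL_ID_CHARS = "$#"  # from the External ID callout


def preflight(describe_output, report_name, external_id):
    """Return (inputs, problems) for one Cost and Usage Report."""
    reports = json.loads(describe_output).get("ReportDefinitions", [])
    match = [r for r in reports if r.get("ReportName") == report_name]
    if not match:
        return None, [f"no report named {report_name!r}"]
    report = match[0]

    problems = []
    for field, wanted in REQUIRED.items():
        if report.get(field) != wanted:
            problems.append(f"{field} is {report.get(field)!r}, expected {wanted!r}")
    if "RESOURCES" not in report.get("AdditionalSchemaElements", []):
        problems.append("Resource IDs are not included in the report")
    bad = sorted(set(external_id) & set(FORBIDDEN_EXTERNAL_ID_CHARS))
    if bad:
        problems.append("External ID contains forbidden characters: " + " ".join(bad))

    # The four values Step 1 asks you to enter (keys are hypothetical names).
    inputs = {
        "bucket": report.get("S3Bucket"),
        "region": report.get("S3Region"),
        "report_name": report.get("ReportName"),
        "report_prefix": report.get("S3Prefix"),
    }
    return inputs, problems


# Constructed sample of the CLI output, not taken from a real account.
SAMPLE = json.dumps({"ReportDefinitions": [{
    "ReportName": "example-cur", "TimeUnit": "DAILY", "Format": "textORcsv",
    "Compression": "GZIP", "AdditionalSchemaElements": ["RESOURCES"],
    "S3Bucket": "example-cost-bucket", "S3Prefix": "cur",
    "S3Region": "us-west-2", "ReportVersioning": "CREATE_NEW_REPORT",
}]})
```

An empty `problems` list means the report matches the prerequisites and the External ID is acceptable; anything else should be fixed before creating the stack.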

Step 2: Update Statements in S3 Bucket Policy for Pre-Existing Bucket

Please update the statements in your S3 Bucket Policy by adding the snippet below. This simple change will allow us to get objects (s3:GetObject) and list objects (s3:ListBucket) in the bucket named in the statement's resources.

  • Go to the S3 Console.
  • Click on the bucket with the Cost Report.
  • Click Permissions, and then Bucket Policy, and update the Policy by adding the Statement.
  • Please ensure that you replace the <ACCOUNT_ID> with your account ID, and the <BUCKET_NAME> (occurs twice) with the name of this S3 Bucket.
{
  "Sid": "Stmt1540642168130",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/taloflowInstructionProcessorRole"
  },
  "Action": [
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::<BUCKET_NAME>",
    "arn:aws:s3:::<BUCKET_NAME>/*"
  ]
}

❗️

Change the bucket policy, not the lifecycle policy

A common oversight which causes errors in the implementation is to confuse the bucket policy with the lifecycle policy. Please ensure that you're changing the bucket policy.

🚧

Ensure you add commas in between statements for your S3 bucket policy
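One way to make the Step 2 change without hand-editing JSON, as an added example that is not Taloflow's own code: the statement is merged into the existing bucket policy as data, so a missing comma or a leftover `<ACCOUNT_ID>` / `<BUCKET_NAME>` placeholder cannot reach the console. The function names are assumptions made for this example; pass it the policy text copied from the Bucket Policy editor (or an empty string if the bucket has no policy yet).

```python
import json
import re

SID = "Stmt1540642168130"  # Sid of the statement shown in Step 2


def taloflow_statement(account_id, bucket):
    """Build the Step 2 statement with both placeholders filled in."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account ID must be exactly 12 digits")
    # Basic S3 bucket-name shape; also rejects a leftover <BUCKET_NAME>.
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket):
        raise ValueError("not a valid S3 bucket name")
    role = f"arn:aws:iam::{account_id}:role/taloflowInstructionProcessorRole"
    return {
        "Sid": SID,
        "Effect": "Allow",
        "Principal": {"AWS": role},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }


def merge_statement(policy_text, account_id, bucket):
    """Return the bucket policy, as JSON text, with the statement added."""
    if policy_text.strip():
        policy = json.loads(policy_text)  # fails loudly on malformed JSON
    else:
        policy = {"Version": "2012-10-17", "Statement": []}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    # Replace an earlier copy rather than appending a duplicate Sid.
    statements = [s for s in statements if s.get("Sid") != SID]
    statements.append(taloflow_statement(account_id, bucket))
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)
```

Paste the returned text back into the Bucket Policy editor; running the function again on its own output leaves the policy unchanged.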

Step 3: Add Sub Accounts

For every Sub Account that you have within the Master Account, please run the following CloudFormation Stack in each of them so that we can gather tags and other important telemetry from them: link to run the CloudFormation Template on your Sub Account(s) one at a time. Please note this is a different stack than mentioned in Integrate New Cost Report Bucket (10 mins).

Click on this link if you want to download and share the template with your security team.

Updated 3 days ago

