Taloflow's AWS account will talk to your account through IAM Roles that limit what Tim has access to.
The Cost Report Tim accesses can be limited to a sub account by following these additional steps:
Sign in to the AWS Management Console and open the Billing and Cost Management console.
In the navigation pane on the left, choose Cost & Usage Reports under Cost Management.
Click Create report.
Give your Cost Report a name. For example, general-cost-report.
Make sure that both Include resource IDs and Data refresh settings are checked.
Click Next.
Under Delivery options, select the S3 bucket where your Cost Reports currently reside and click Verify OR Create a new bucket if you do not currently have one for the Cost Report.
If you get a prompt to add a Default Bucket Policy, accept it.
Please ensure that you create a new top level bucket for your Cost Reports and that you don't nest a Cost Reports Folder inside another existing folder in your S3 Bucket.
Please write down the name of your S3 bucket somewhere - you'll need it later.
We recommend you create a path prefix in the next field. For example, main.
Please ensure that you've selected Hourly, GZIP and Create New Report Version in the options.
Click Next.
On the confirmation page, make note of the Cost Report Directory / report path prefix that is shown. Ignore what is between the last two slashes. In our example, the Cost Report Directory is main/general-cost-report/.
Once noted down, click Review and Complete.
Sign in to the AWS Management Console and open the IAM console.
In the navigation pane of the IAM console, choose Roles.
Click Create role.
For the type of Trusted Entity, select Another AWS Account.
Under Account ID, add Tim's AWS account ID: 845897643164
Check the option Require external ID and enter tim-ext-id
(You can use any external ID, but Role setup keys / External IDs cannot contain $ or #.)
Click Next: Permissions.
Please write down the name of your Role setup key / External ID somewhere - you'll need it later.
In the next screen, click on Create policy. This should open a new browser tab. Please make sure to keep both browser tabs open.
In the new browser tab, select the JSON tab, copy and paste the following JSON snippet into the JSON field, and make the following changes:
Replace [INSERT-BUCKET-NAME], in the two places where it appears in the JSON, with the name of the S3 bucket your Cost Reports are delivered to. For example, costreportbucket2. (Make sure the square brackets are removed as well.)
Replace [INSERT-ACCOUNT-ID], in the one place it occurs, with your AWS Account ID. For example, 158436883414. Your AWS Account ID is shown in the account menu at the top right of the AWS console.
Please write down the name of your AWS Account ID somewhere - you'll need it later.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TaloflowS3xExpenseBucket0",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::[INSERT-BUCKET-NAME]",
        "arn:aws:s3:::[INSERT-BUCKET-NAME]/*"
      ]
    },
    {
      "Sid": "TaloflowCostAndUsageMetrics0",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:List*",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TaloflowResourceInformationMetrics0",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "ec2:Describe*",
        "ec2:DescribeInstanceStatus",
        "sns:Get*",
        "sns:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TaloflowAutoSetupRuleForEventMapping",
      "Effect": "Allow",
      "Action": ["events:EnableRule", "events:DisableRule", "events:PutEvents"],
      "Resource": ["arn:aws:events:*:845897643164:event-bus/default"]
    },
    {
      "Sid": "IAMPassRoleForCloudWatchEvents",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::[INSERT-ACCOUNT-ID]:role/InvokeTaloflowEventBusRole"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
      "Condition": {"StringLike": {"iam:AWSServiceName": "events.amazonaws.com"}}
    },
    {
      "Sid": "TaloflowPricing000",
      "Action": ["pricing:*"],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "TaloflowTagging000",
      "Action": [
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "tag:GetResources",
        "tag:AddResourceTags",
        "tag:RemoveResourceTags",
        "tag:TagResources",
        "tag:UntagResources"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Please ensure that you replace the placeholder bucket name (found twice) with your own bucket name and the placeholder Account ID (found once) with your AWS Account ID. Otherwise you will be met with a "failed legacy parsing" error in the following step. Note also that the iam:PassRole statement above names the role InvokeTaloflowEventBusRole, while the role created later in this guide is named taloflowInvokeEventBusRole; the ARN in the PassRole statement must match the name you actually give that role.
Click Review policy.
In the following screen, give the Policy this name: taloflowInstructionProcessorPolicy
Scroll down and click Create policy
Please ensure that there are no spaces before or after the policy names you add.
Now, switch back to the Roles browser tab you had open.
Under Attach permissions policies please search for the taloflowInstructionProcessorPolicy we just created and make sure it's selected or checked off. If it doesn't show up, please click the refresh button above the table's top right corner and new options should appear.
Click Next: Tags to move on to the Review page.
For the Role name field, give the role the name taloflowInstructionProcessorRole
Click Create role.
Step 3: Finding the Instruction Processor Role ARN
Click on Roles in the left navigation pane of the IAM console and click on the hyperlink for your newly created taloflowInstructionProcessorRole
In the Role overview page, please make note of the Role ARN
Please write down the name of the Instruction Processor Role ARN somewhere - you'll need it later.
Sign in to the AWS Management Console and open the IAM console.
In the navigation pane of the console, choose Roles and then choose Create role.
This time, choose the AWS service role type.
Scroll to the bottom and select CloudWatch Events.
Under Select your use case, click on CloudWatch Events so that it is highlighted in blue.
Then click Next: Permissions, Next: Tags, and then Next: Review.
On the Review page, give the Role the name taloflowInvokeEventBusRole
(making sure there are no spaces before or after).
Click Create role.
Under the Roles page, search for and click the hyperlink for the newly created taloflowInvokeEventBusRole
Click on Add inline policy
Select the JSON tab, and copy and paste the following JSON snippet into the JSON field (you will not need to make any changes):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "events:PutEvents",
      "Resource": "arn:aws:events:*:845897643164:event-bus/default"
    }
  ]
}
Click Review policy.
In the following screen, give the Policy this name: taloflowInvokeEventBusPolicy
Scroll down and click Create policy
Sign in to the AWS Management Console, and click on the Services tab in the top navigation bar.
Search for and select S3 from the menu.
On the S3 page, click on the bucket with the Cost Report (the one you selected in Step 1).
Click Permissions, then Bucket Policy, and click Edit Policy.
Paste the JSON statement below into the existing Policy (you are modifying the default policy added in Step 1) and replace [INSERT-BUCKET-NAME] and [INSERT-ACCOUNT-ID] with the name of this bucket and your Account ID.
Paste the statement immediately after the closing curly bracket } of the last existing statement, so that it is still enclosed within the square bracket ] of the Statement array. The leading comma separates it from the statement before it.
,{
  "Sid": "Stmt1540642168130",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::[INSERT-ACCOUNT-ID]:role/taloflowInstructionProcessorRole"
  },
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": [
    "arn:aws:s3:::[INSERT-BUCKET-NAME]/*",
    "arn:aws:s3:::[INSERT-BUCKET-NAME]"
  ]
}
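The two paste-and-replace steps in this guide (the IAM policy placeholders above and the bucket policy statement here) are easy to get wrong by hand. As an added example, not Taloflow's own code, the following Python helper does the placeholder substitution with the checks the guide asks for (12-digit account ID, no leftover brackets, valid JSON, an external ID without $ or #) and inserts the statement into an existing bucket policy as a JSON merge instead of a text paste; the function names and the existing policy it merges into are constructed for this example.

```python
import copy
import json
import re

# The statement the guide tells you to paste into the bucket policy (Sid as on the page).
TALOFLOW_BUCKET_STATEMENT = {
    "Sid": "Stmt1540642168130",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::[INSERT-ACCOUNT-ID]:role/taloflowInstructionProcessorRole"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::[INSERT-BUCKET-NAME]/*", "arn:aws:s3:::[INSERT-BUCKET-NAME]"],
}

# Constructed stand-in for the default bucket policy AWS adds in Step 1; not taken from any real account.
SAMPLE_EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CostReportDelivery",
        "Effect": "Allow",
        "Principal": {"Service": "billingreports.amazonaws.com"},
        "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::costreportbucket2", "arn:aws:s3:::costreportbucket2/*"],
    }],
}

def check_external_id(ext_id: str) -> bool:
    """Role setup key / external ID: non-empty and free of '$' and '#', as the guide requires."""
    return bool(ext_id) and not any(c in ext_id for c in "$#")

def fill_placeholders(policy_text: str, bucket: str, account_id: str) -> dict:
    """Substitute both placeholders, then refuse a policy that still holds one or is not valid JSON."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    filled = policy_text.replace("[INSERT-BUCKET-NAME]", bucket).replace("[INSERT-ACCOUNT-ID]", account_id)
    if "[INSERT-" in filled:
        raise ValueError("an unreplaced placeholder is still in the policy")
    return json.loads(filled)  # malformed JSON raises ValueError here, as the console parser would

def merge_bucket_policy(existing: dict, bucket: str, account_id: str) -> dict:
    """Return a copy of the existing bucket policy with the Taloflow statement appended (idempotent)."""
    policy = copy.deepcopy(existing)
    statements = policy.setdefault("Statement", [])
    if isinstance(statements, dict):  # a one-statement policy may omit the array
        statements = policy["Statement"] = [statements]
    new_stmt = fill_placeholders(json.dumps(TALOFLOW_BUCKET_STATEMENT), bucket, account_id)
    if not any(s.get("Sid") == new_stmt["Sid"] for s in statements):
        statements.append(new_stmt)
    return policy
```

Print the result with json.dumps(policy, indent=2) and paste the whole document into the bucket policy editor, rather than inserting the fragment by hand.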
Please write down the name of the S3 bucket region for the bucket somewhere (e.g.: US East 1 - US East (N. Virginia) ) - you'll need it later.
You will need to set up your AWS account to forward CloudWatch events to Tim's AWS account. The information forwarded is EC2 events, including instance IDs and whether the instances are on or off.
Once you've completed the above steps, please share the following with Tim: [email protected]
Role ARN for the InstructionProcessorRole (e.g.: arn:aws:iam::629404546125:role/taloflowInstructionProcessorRole)
S3 Bucket Name
Cost Report Directory (e.g.: main/general-cost-report/)
AWS Account ID
AWS Region (region with the S3 bucket where the Cost Report is delivered)
Role setup key / external ID (e.g.: tim-ext-id)
Once you've shared the above, the Taloflow team will set up your account and confirm when you can get started!