Integrate Existing Cost Reports

Only use these instructions if you have pre-existing AWS Cost and Usage Reports.

Prerequisites

  • The Cost and Usage Report parameters should be set to Hourly, GZIP, Resource IDs and Create New Report Version.

  • Know the name of the S3 Bucket with the Cost Report, the AWS Region where the S3 Bucket is located, and the Report Name and Report Prefix for the Cost Report.

  • The Cost and Usage Report must sit at the top level of the bucket. Please don't nest a cost reports folder inside another existing folder in your S3 Bucket.

  • An AWS Account with access to billing. Your AWS administrator can change the permissions to give you access with the following step.

Step 1: Run CloudFormation Template (Pre-Existing Bucket)

If you created a new S3 bucket with NO prior cost report history, then please follow the alternative steps instead.

Click on this link to run the CloudFormation Template on your account if you are using a Pre-existing Bucket.

Click on this link if you want to download and share the template with your security team.

Make sure that you are running the CloudFormation template in US East-1 (N. Virginia) or it will not run correctly.

  • In the console, keep both pre-selected options ("Template is ready" and "Amazon S3 URL"), leave the URL as is, then click Next.

  • Insert the name of the S3 Bucket with the Cost Report, the AWS Region where the S3 Bucket is located, and the Report Name and Report Prefix for the Cost Report.

  • For the External ID field, you can use pretty much any External ID (e.g., tim-ext-id).

The External ID cannot have the following characters: $, #

  • Click Next

  • On the following page scroll down and click Next again

  • On the following page scroll down, acknowledge that this template might create IAM resources by checking the box, then click Create Stack.

  • On the next page, you will have to wait 2-3 minutes for the stack to be created. You can click the refresh icon in the Console.

  • When all is green, you are ready to go, save for one more optional step.

Step 2: Update Statements in S3 Bucket Policy for Pre-Existing Bucket

Please update the statements in your S3 Bucket Policy by adding the snippet below. This simple change grants us s3:GetObject and s3:ListBucket on the bucket and the objects in it.

  • Go to the S3 Console.

  • Click on the bucket with the Cost Report.

  • Click Permissions, then Bucket Policy, and update the policy by adding the statement shown below.

  • Please ensure that you replace <ACCOUNT_ID> with your account ID, and <BUCKET_NAME> (occurs twice) with the name of this S3 Bucket.

{
    "Sid": "Stmt1540642168130",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/taloflowInstructionProcessorRole"
    },
    "Action": [
        "s3:GetObject",
        "s3:ListBucket"
    ],
    "Resource": [
        "arn:aws:s3:::<BUCKET_NAME>",
        "arn:aws:s3:::<BUCKET_NAME>/*"
    ]
}

Two common oversights cause errors in this step: confusing the bucket policy with the lifecycle policy (please ensure that you're changing the bucket policy), and forgetting to add commas between statements in your S3 bucket policy.
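The merge from Step 2 can be checked offline before anything is pasted into the console. The following is an added example, not code from the original page or from Taloflow: it fills the two placeholders, adds the statement to an existing policy exactly once, and rejects input that is not valid JSON or is not a bucket policy. The function names, the account ID 111122223333, the bucket name example-cost-report-bucket and the sample policy are constructed for illustration.

```python
import json

ROLE_NAME = "taloflowInstructionProcessorRole"  # role name from the snippet on this page
SID = "Stmt1540642168130"                       # Sid from the snippet on this page

# Constructed sample: an existing bucket policy holding one unrelated statement.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ExistingStatement",
    "Effect": "Allow",
    "Principal": {"Service": "billingreports.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-cost-report-bucket/*"
  }
}"""

def build_statement(account_id, bucket):
    """Fill the <ACCOUNT_ID> and <BUCKET_NAME> placeholders of the page's statement."""
    if not (account_id.isascii() and account_id.isdigit() and len(account_id) == 12):
        raise ValueError("AWS account IDs are 12 digits")
    return {
        "Sid": SID,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }

def merge_statement(policy_text, account_id, bucket):
    """Return the policy JSON with the statement present exactly once."""
    # json.loads raises ValueError on a missing comma between statements.
    policy = json.loads(policy_text)
    if not isinstance(policy, dict) or "Statement" not in policy:
        # A lifecycle configuration has "Rules" and no "Statement".
        raise ValueError("not a bucket policy: no Statement element")
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    # Drop an earlier copy with the same Sid so a re-run does not duplicate it.
    statements = [s for s in statements if s.get("Sid") != SID]
    statements.append(build_statement(account_id, bucket))
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)

if __name__ == "__main__":
    print(merge_statement(SAMPLE_POLICY, "111122223333", "example-cost-report-bucket"))
```

The output is the full policy document to paste into the Bucket Policy editor; the principal stays scoped to the single role ARN rather than a wildcard.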

Step 3: Add Sub Accounts