FinOps – Microsoft Cost Management AWS Connector

This blog walks through provisioning the Microsoft Cost Management AWS connector, which ingests your AWS Cost and Usage Report data into Azure so you can monitor and manage your AWS spend from there.

Through this integration you get a single pane of glass in the Azure portal for monitoring and managing spending across Azure and AWS in a multi-cloud environment.

Microsoft Cost Management is a suite of FinOps tools that helps teams analyze, monitor, and optimize Microsoft Cloud costs, with automation and extensions of the native capabilities to reach optimization and efficiency goals faster. Once the connector is in place, the same capabilities, including budgets and scheduled alerts, also apply to the AWS scopes it discovers.

Deployment Plan

AWS Cloud

Step 1 – Create a Consolidated Account

Step 2 – Create a Cost and Usage Report (CUR) in AWS

Step 3 – Create an IAM policy in AWS

Step 4 – Permission for the Cost and Usage report

Step 5 – Permission for your S3 bucket and objects

Step 6 – Permission for Cost Explorer

Step 7 – Permission for AWS Organizations

Step 8 – Permissions for Policies

Step 9 – Review and create

Step 10 – Create a New Role

Step 11 – Collect all the required details

Azure Cloud

Step 12 – Provision a management group

Step 13 – Create an AWS connector in Azure

Viewing Cost Analysis results

(Optional) Managed Services

Step 14 – Assign users to AWS connector

Step 15 – Manage AWS connectors

Deployment Steps

AWS Cloud
Step 1 - Create a Consolidated Account

Set up an AWS consolidated account

AWS Organizations provides consolidated billing so that you can track the combined costs of all the member accounts within your organization.

Permissions:

By default, permissions on the AWS consolidated account scope in Cost Management are set when the scope is discovered, and they are derived from the permissions on the AWS connector. The user who creates the connector is its owner.

Deployment:

Open your AWS console https://aws.amazon.com/console/

Search for and open the AWS Organizations console, signed in to the account that you want to be the management account of the new organization,

Choose Create organization,

*(Optional) Invite existing accounts to join your organization.

*AWS bills the management account monthly for all member accounts as one consolidated bill, so the management account is the one the connector will report on.

Step 2 - Create a Cost and Usage Report (CUR) in AWS

Begin by creating a Cost and Usage Report (CUR):

Sign in to the AWS Management Console > search for billing and cost,

Select Billing and Cost Management

Go to Cost and Usage Reports,

Select Create report,

Select a custom report name,

Under Additional report details, select Include resource IDs,

For Data refresh settings, select the checkbox to refresh automatically,

(this re-delivers the AWS Cost and Usage report whenever AWS applies refunds, credits, or support fees to your account after the bill is finalized. When a report refreshes, a new report is uploaded to Amazon S3),

Select Next,

Set delivery options:

In the Configure S3 Bucket dialog box, select the Configure button,

Create or select an S3 bucket: enter a descriptive bucket name and the Region, then select Next,

Review the bucket policy AWS generates. It allows the billing service principal to write report objects into this bucket and nothing more; do not widen it. Then select I have confirmed that this policy is correct,

Select Save,

Report path prefix, copy and paste the same report name into the box,

For Time unit > select Hourly,

For Report versioning, choose create new report version ,

Report data integration > leave all blocks unchecked,

Compression > select GZIP,

Select Next,

Select Review and Complete,

Note the report name,

*It can take up to 24 hours for AWS to start delivering reports to your Amazon S3 bucket. After delivery starts, AWS updates the AWS Cost and Usage report files at least once a day.

Step 3 - Create an IAM policy in AWS

Cost Management needs credentials to read the S3 bucket where the Cost and Usage report is stored.
Rather than a long-lived access key, you grant this by creating a new IAM policy (Steps 3 to 9) and a role that Cost Management assumes cross-account (Step 10).

*Save the role ARN and the external ID in a safe place for later use; both are required to create the AWS connector in Azure. Treat the external ID as a secret, since it is what stops anyone other than your Azure tenant from using the role.

In your AWS console > select Services > IAM > Policies,
Select Create policy,

Step 4 - Permission for the Cost and Usage report

Select Choose a service,

Enter Cost and Usage Report,
Select Access level > Read > DescribeReportDefinitions,
(This allows Cost Management to read which CUR reports are defined in the account)

Step 5 - Permission for your S3 bucket and objects

Select Add more permissions,

Select Choose a service,
Search and select S3,
Select Access level > List > ListBucket.
(This action lists the objects in the S3 bucket.)
Select Access level > Read > GetObject.
(This action allows the billing files to be downloaded.)


Select Resources > Specific.
Under bucket, select the Add ARNs link to open another window.

In Resource Bucket name, enter the name of the S3 bucket created earlier to store the CUR files.
Select Add ARNs,

Under object, select Any. This scopes GetObject to objects inside that one bucket (arn:aws:s3:::<bucket>/*) rather than to every bucket in the account.

Step 6 - Permission for Cost Explorer

Select Add more permissions,

Select Choose a service,

Search for and select Cost Explorer Service,

Select All Cost Explorer Service actions (ce:*).

Note that ce:* is the one grant in this policy that is not read-only: Cost Explorer also exposes write actions, such as creating cost categories and anomaly monitors. Microsoft documents the connector with ce:*; narrowing it is outside what this walkthrough covers.

Step 7 - Permission for AWS Organizations

Select Add more permissions,

Search & select Organizations

Select Access level > List > ListAccounts

Step 8 - Permissions for Policies

Select Add more permissions

Search & select IAM

Select Access level > List > ListAttachedRolePolicies, ListPolicyVersions and ListRoles,

Select Access level > Read > GetPolicyVersion,

Select Resources > Specific > policy, and then select Any in this account

(These actions let Cost Management verify that the role it assumes carries only the minimal required set of permissions; they do not let it change anything)

Select Next

Step 9 - Review and create

In Review Policy, enter a custom descriptive name for your new policy,

Verify that you entered the correct information.

Add tags if you wish,

Select Create policy

Step 10 - Create a New Role

In your AWS console > select Services > IAM


Select Roles > Create Role


Select AWS account and then, under An AWS account,
select Another AWS account.
Under Account ID, enter this fixed ID: 432263259397. This is Microsoft's Cost Management account, and it becomes the only principal trusted to assume the role.


Select Require external ID.
Under External ID, enter an external ID of your own choosing. It is a shared secret between the AWS role and Cost Management: Microsoft must present it when assuming the role, which prevents the confused deputy problem where a third party who learns your role ARN asks Microsoft's service to assume it on their behalf.


Note the external ID; it will be required on the New Connector page in Cost Management. Microsoft recommends choosing it as you would a strong password. The external ID must comply with the AWS restrictions on sts:ExternalId:
Type: String
Length constraints: Minimum length of 2. Maximum length of 1224.
Must satisfy the regular expression pattern: [\w+=,.@:/-]*

Do not select Require MFA; a service principal cannot satisfy an MFA condition, so the connector would never be able to assume the role.

Select Next,

Now search for your newly created policy and select it,
Select Next,


Enter a role name,
(Record the name because you use it later when you set up the Cost Management connector),
Select Create role
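The console steps above (Steps 3 to 10) produce two JSON documents: a permission policy and a role trust policy. The following Python script is an added example, not code from the original post or from Microsoft or AWS. It builds both documents from the actions and resources listed in the steps, validates the external ID against the AWS sts:ExternalId constraint quoted in Step 10, and flags any statement broader than the connector needs. The bucket name, account ID and external ID at the bottom are placeholders, and the statement layout (which actions get Resource "*") is my reading of what the visual editor emits, not something the post shows.

```python
"""Build and sanity-check the IAM documents behind Steps 3-10.

Added example, not code from the original post or from Microsoft/AWS.
Placeholder bucket/account/external ID values are assumptions.
"""
import json
import re

# Microsoft's Cost Management connector account, as given in Step 10.
COST_MANAGEMENT_ACCOUNT_ID = "432263259397"

# The complete set of actions Steps 4-8 grant; anything else is a finding.
ALLOWED_ACTIONS = {
    "cur:DescribeReportDefinitions", "s3:ListBucket", "s3:GetObject", "ce:*",
    "organizations:ListAccounts", "iam:ListAttachedRolePolicies",
    "iam:ListPolicyVersions", "iam:ListRoles", "iam:GetPolicyVersion",
}

# AWS constraint on sts:ExternalId: 2-1224 chars drawn from [\w+=,.@:/-] (ASCII \w).
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]{2,1224}", re.ASCII)


def permission_policy(bucket: str, account_id: str) -> dict:
    """Permission policy equivalent to Steps 4-8; S3 access is scoped to the CUR bucket.
    Actions with no resource-level scope (CUR, CE, Organizations, iam:ListRoles) get "*",
    which is what the visual editor emits for them (assumption about editor output)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CurCostExplorerOrganizations", "Effect": "Allow",
             "Action": ["cur:DescribeReportDefinitions", "ce:*",
                        "organizations:ListAccounts", "iam:ListRoles"],
             "Resource": "*"},
            {"Sid": "CurBucketRead", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
            {"Sid": "PolicyVerification", "Effect": "Allow",
             "Action": ["iam:ListPolicyVersions", "iam:GetPolicyVersion"],
             "Resource": f"arn:aws:iam::{account_id}:policy/*"},
            {"Sid": "RolePolicyVerification", "Effect": "Allow",
             "Action": ["iam:ListAttachedRolePolicies"],
             "Resource": f"arn:aws:iam::{account_id}:role/*"},
        ],
    }


def trust_policy(external_id: str) -> dict:
    """Trust policy from Step 10: only Microsoft's account may assume the role, and only
    when it presents the external ID. The Condition is what defeats the confused-deputy
    case where a third party who learns your role ARN asks Microsoft to assume it."""
    if not EXTERNAL_ID_RE.fullmatch(external_id):
        raise ValueError("external ID violates the AWS sts:ExternalId constraint")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{COST_MANAGEMENT_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict, bucket: str) -> list:
    """Findings for any Allow statement broader than Steps 4-8 permit: an action outside
    ALLOWED_ACTIONS, or S3 access to anything but the CUR bucket and its objects."""
    cur_bucket = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        for action in actions:
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action} is not needed by the connector")
        if any(a.startswith("s3:") for a in actions):
            for res in _as_list(st.get("Resource", [])):
                if res not in cur_bucket:
                    findings.append(f"{sid}: S3 resource {res} is outside the CUR bucket")
    return findings


if __name__ == "__main__":
    # Placeholder values (assumptions), not taken from the post.
    bucket, account, ext_id = "my-cur-bucket", "123456789012", "Zr9-example-external-id"
    print(json.dumps(permission_policy(bucket, account), indent=2))
    print(json.dumps(trust_policy(ext_id), indent=2))
    print("findings:", policy_findings(permission_policy(bucket, account), bucket))
```

Write the two documents to files and feed them to `aws iam create-policy --policy-document file://policy.json` and `aws iam create-role --assume-role-policy-document file://trust.json` if you prefer the CLI to the console; run policy_findings against any policy you later attach to the role, since an extra s3:* or a Resource "*" on the S3 statement is exactly what the Step 8 verification permissions exist to catch.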

Step 11 - Collect all the required details

Go to IAM > Roles > select the role created in Step 10 > copy and save its ARN, for example:
arn:aws:iam::975000000380:role/x

Copy and save the S3 bucket name,

Save the external ID you created in Step 10.

Azure Cloud
Step 12 - Provision a management group


NOTE: This is a prerequisite.

Ensure that you have at least one management group enabled.

Create a management group that will be assigned to your Cost Management Power BI App subscription,

Add your Cost Management Power BI App subscription to the management group.

Step 13 - Create an AWS connector in Azure

NOTE: Before starting this step, ensure that all the previous steps have been completed.

Create an AWS connector to start monitoring your AWS costs in Azure,

Sign in to the Azure portal,

Select your Management Group,

Select Cost Analysis,

Select Configure management group

Select Connectors for AWS,

Select Add connector,


On the Create connector page, fill in the Basic tab:

Enter a custom Display name for the connector,

Select the target Management Group,

Select the target subscription in which the Cost Management Power BI app is installed,

Set Auto-Renew to On if you want continuous operation. If you turn it on, you must select a billing subscription.

Select Next,

Paste the role ARN into the Role ARN field,

Paste the external ID into the External ID field,

Enter the CUR report name from Step 2 in the Report name field,


Select Next and then select Create.
Cost Management verifies the connector by assuming the role and reading the report definition. It can take up to 24 hours for the new AWS scopes, the AWS consolidated account, the AWS linked accounts, and their cost data to appear.

Viewing Cost Analysis results

Cost analysis

Once discovery completes (typically within a few hours, up to 24), you should receive an email informing you that your AWS cost data is available in Cost Management,

Click the cost analysis link in the email,

You can now view and drill into the various dimensions of your AWS cost analysis.

(Optional) Managed Services
Step 14 - Assign users to AWS connector


After you create the connector, we recommend that you assign access control to it. Users are assigned permissions to the newly discovered scopes: the AWS consolidated account and the AWS linked accounts.
The user who creates the connector is the owner of:
the connector,
the consolidated account,
and all linked accounts.

Assigning connector permissions to users after discovery has already occurred does not assign permissions to the existing AWS scopes.
Instead, only linked accounts discovered afterwards inherit those permissions, so review access on the existing scopes separately.

Step 15 - Manage AWS connectors

When you select a connector on the Connectors for AWS page, you can:

Select Go to Billing Account to view information for the AWS consolidated account.
Select Access Control to manage the role assignments for the connector.
Select Edit to update the connector. You cannot change the AWS account number, because it is embedded in the role ARN; to point at another account, create a new connector.
Select Verify to rerun the verification test, which confirms that Cost Management can still assume the role and collect data with the connector settings.

Verify connectivity:

Select the AWS connector,

Click Verify. Rerun this after any change to the IAM policy, the role's trust policy, the external ID, or the S3 bucket, since any of them can silently break collection.

I hope this blog simplified your setup of the AWS connector.
