
Onboard AWS to CloudHiro's cost optimization platform

The following guide shows you how to set up your account so that Costi can access it in a secure manner. To do this, we will create a separate role for Costi.

There are two options: use a CloudFormation template or set up the role manually.

Register to CloudHiro

  1. Register here.

  2. Confirm the email you receive and log in.

Option 1 - Use a CloudFormation template

  1. Login to your AWS account as an admin.

  2. Create a new CUR (Cost and Usage Report) and grant access to it: please use the following link.

    1. If you already have an existing CUR, please use the following link, which will grant access to the existing CUR. Please save the bucket-name and cur-name for later use.

  3. Add permissions to all accounts (including child accounts):

    1. Go to create StackSets and enter the following JSON templates in the "Amazon S3 URL" field (according to the permissions needed):

      1. Read-only permissions to all accounts - it will permit CloudHiro to collect metrics on all resources.

      2. Reserved instances and Saving plans management permissions

      3. Read-write permissions so CloudHiro can tag resources, shut down/start EC2 instances, etc.

    2. The first StackSet will create the "Costi" role, and the other two will add policies to the same role.

      1. You will be asked for a parameter called ExternalID. You can find that parameter here.

      2. Also, in the "Specify regions" section, specify at least one region.

      3. In "Maximum concurrent accounts - optional", please change both sections to "percentage" and "100%".

  4. Reserved Instances Management

    1. Make sure that "Reserved Instances and Savings Plans discount sharing preference" is enabled for all accounts and enabled by default: AWS -> AWS billing -> Billing preferences -> "Reserved Instances and Savings Plans discount sharing preference".

  5. That's it - we are all done!

Option 2 - Set up the Role Manually

With the manual setup you can control what Costi can and cannot do. The following steps show you how.

  1. First, log in to your account and click the account menu in the top right corner.

  2. Click 'My Security Credentials' in the drop-down menu.

  3. Select 'Another AWS account' as the type of the trusted entity.

  4. Enter '545334166883' (CloudHiro account ID) in the 'Account ID' text box.

  5. Under options, check the 'Require external ID (Best practice when a third party will assume this role)' checkbox.

  6. You can find the unique value for ExternalID here.

  7. Click 'Next: Permissions' at the bottom to continue.

  8. Attach permissions policies. Select one or more policies to attach.

  9. If you want Costi to have read-only access, please add the following permissions (this means Costi will not be able to start or stop any servers for you, but will be able to send notifications and recommendations):

    1. AmazonEC2ReadOnlyAccess

    2. AmazonS3ReadOnlyAccess

    3. AmazonRDSReadOnlyAccess

    4. AmazonDynamoDBReadOnlyAccess

    5. AmazonRedshiftReadOnlyAccess

    6. AWSElasticBeanstalkReadOnlyAccess

    7. AmazonElastiCacheReadOnlyAccess

    8. CloudWatchReadOnlyAccess

    9. AmazonGuardDutyReadOnlyAccess

    10. AWSOrganizationsReadOnlyAccess

    11. For EKS, please click "Create policy" and then:

      1. Choose the EKS service and select both read and list checkboxes.

      2. Under resources, choose all resources and click Review policy.

      3. Give the policy the name EKS_RO and click Create Policy.

      4. Search for the policy and check the box on the left to attach it to the role.

  10. If you want Costi to have full access, please add the following permissions:

    1. AmazonEC2FullAccess

    2. AmazonS3FullAccess

    3. AmazonRDSFullAccess

    4. AmazonDynamoDBFullAccess

    5. AmazonRedshiftFullAccess

    6. AWSElasticBeanstalkFullAccess

    7. AmazonElastiCacheFullAccess

    8. CloudWatchFullAccess

    9. AmazonGuardDutyFullAccess

    10. AWSOrganizationsReadOnlyAccess

    11. For EKS, please click "Create policy" and then:

      1. Choose the EKS service and select all services checkbox.

      2. Under resources, choose all resources and click Review policy.

      3. Give the policy the name EKS_All and click Create Policy.

      4. Search for the policy and check the box on the left to attach it to the role.

  11. Attach a newly created Trusted Advisor access policy.

  12. Click on the Create Policy button.

  13. In the tab that opens, please click "Choose a service".

  14. Search for "Trusted Advisor", select it, and check "All Trusted Advisor actions".

  15. Under resources, check "All resources".

  16. Then, click "Next: tags" and "Next: Preview".

  17. Give the policy the name "TrustedAdvisorAll" and click "Create policy".

  18. Once done, you can choose the newly created policy and add it to the permissions.

  19. Then click 'Next: Tags' at the bottom to continue. You can skip over the tags.

  20. Review the information you just entered, then click 'Create role' to proceed.

  21. That's it - we are all done! The new role is now added to your Resource roles list.
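
Steps 3 to 6 of Option 2 produce a role trust policy that names the CloudHiro account and requires the external ID. The following is an added example, not CloudHiro's own code, that builds that policy and audits an exported trust policy for the two things that matter: the principal and the sts:ExternalId condition. EXTERNAL_ID is a placeholder and the function names are hypothetical.

```python
CLOUDHIRO_ACCOUNT_ID = "545334166883"   # account ID from step 4 of the guide
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"     # placeholder: use the value CloudHiro shows you

def build_trust_policy(account_id, external_id):
    """Trust policy matching 'Another AWS account' + 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account_id, external_id):
    """Return findings; an empty list means the policy matches the guide."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):          # "Principal": "*"
            findings.append(f"statement {i}: wildcard principal")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                # Accept a bare account ID or any IAM ARN inside that account.
                ok = kind == "AWS" and (value == account_id
                                        or value.startswith(f"arn:aws:iam::{account_id}:"))
                if not ok:
                    findings.append(f"statement {i}: unexpected principal {kind}={value}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if _as_list(ids) != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId missing or not the expected value")
    return findings

# Constructed sample: the same role with 'Require external ID' left unchecked.
NO_EXTERNAL_ID = build_trust_policy(CLOUDHIRO_ACCOUNT_ID, EXTERNAL_ID)
del NO_EXTERNAL_ID["Statement"][0]["Condition"]

if __name__ == "__main__":
    good = build_trust_policy(CLOUDHIRO_ACCOUNT_ID, EXTERNAL_ID)
    print("as configured:", audit_trust_policy(good, CLOUDHIRO_ACCOUNT_ID, EXTERNAL_ID))
    print("no external ID:", audit_trust_policy(NO_EXTERNAL_ID, CLOUDHIRO_ACCOUNT_ID, EXTERNAL_ID))
```

To audit a live role, pass in the AssumeRolePolicyDocument returned by `aws iam get-role` for the role you created.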

