top of page

Onboard AWS to CloudHiro's cost optimization platform

The following guide will show you how to set up your account to allow Costi to access it is a secure manner. To do this We will create a separate role for Costi.

There are two options: use a cloud formation template or set up the role manually.

Register to CloudHiro

  1. Register here.

  2. Confirm the email you get and login

Option 1 - Use Cloud formation template

  1. Login to your AWS account as an admin.

  2. Read Only + Creating the CUR (Cost and usage report) - please use this link

  3. Read \ Write permissions - please also use this link. It will permit CloudHiro to tag resources and shut\start EC2 Instances.

  4. Reserved Instances Management - Please contact your Account Manager.

  5. Click 'Next'. You will be asked for a parameter called ExternalID. You can find that parameter here.

  6. Mark the "I acknowledge that AWS CloudFormation might create IAM resources with custom names." checkbox at the bottom of the page.

  7. Click the "Create stack" button.

  8. That's it - We are all done!

Reserved Instance automation management

  1. To manage Reserved Instances automatically, please add the following roles to Costi. 

Option 2 - Set up the Role Manually

Using this manual way you can control what Costi can and can not do. The following steps will show you how.

  1. First, log in to your account and click the account menu in the top right corner.

  2. Click 'My Security Credentials' in the drop-down menu.
















     

  3. Select 'Another AWS account' as the type of the trusted entity.

  4. Enter '545334166883' (CloudHiro account ID) in the 'Account ID' text box.

  5. Mark the 'Require external ID (Best practice when a third party will assume this role)' in the options checkbox.

  6. You can find the unique value for ExternalID here.

  7. Click 'Next: Permissions' at the bottom to continue.















     

  8. Attach permissions policies. Select one or more policies to attach.

  9. If you want Costi to have read-only access please add the following permissions (This means Costi will not be able to start or stop any servers for you but will be able to send notifications and recommendations):

    1. AmazonEC2ReadOnlyAccess

    2. AmazonS3ReadOnlyAccess

    3. AmazonRDSReadOnlyAccess

    4. AmazonDynamoDBReadOnlyAccess

    5. AmazonRedshiftReadOnlyAccess

    6. AWSElasticBeanstalkReadOnlyAccess

    7. AmazonElastiCacheReadOnlyAccess

    8. CloudWatchReadOnlyAccess

    9. AmazonGuardDutyReadOnlyAccess

    10. AWSOrganizationsReadOnlyAccess

    11. For EKS please click the "Create policy" and then:

      1. Choose the EKS service and select both read and list checkboxes.

      2. Under resources choose all resources and Click Review policy.

      3. Give the policy the name EKS_RO and click Create Policy.

      4. Search for the policy and check the box on the left to attach it to the role
        ​​

  10. If you want Costi to have full access please add the following permissions:

    1. AmazonEC2FullAccess

    2. AmazonS3FullAccess

    3. AmazonRDSFullAccess

    4. AmazonDynamoDBFullAccess

    5. AmazonRedshiftFullAccess

    6. AWSElasticBeanstalkFullAccess

    7. AmazonElastiCacheFullAccess

    8. CloudWatchFullAccess

    9. AmazonGuardDutyFullAccess

    10. AWSOrganizationsReadOnlyAccess

    11. For EKS please click the "Create policy" and then:

      1. Choose the EKS service and select all services checkbox.

      2. Under resources choose all resources and Click Review policy.

      3. Give the policy the name EKS_All and click Create Policy.

      4. Search for the policy and check the box on the left to attach it to the role
         

  11. ​​Attach a newly created Trusted Advisor access policy

  12. Click on the Create Policy button.

  13. In the tab that opens, please click "Choose a service".

  14. Search for "Trusted Advisor", select it, and check "All Trusted Advisor actions".

  15. Under resources check "All resources".

  16. Then, click "Next: tags" and "Next: Preview".

  17. Give the policy a name "TrustedAdvisorAll" and click "Create policy".

  18. Once done, you can choose the newly created policy and add it to the permissions.

  19. Then click on the 'Next: Tags' at the bottom to continue. You can skip over the tags|

















     

  20. Review the information you just entered, then click 'Create role' to proceed.

















     

  21. That's it - We are all done! - The new role is now added to your Resource roles list.
     

bottom of page