Connecting an AWS Root ARN account (no CUR configured)
DigiUsher supports the AWS Organizations service, which allows linking several data sources to centrally manage the data of multiple accounts while receiving all billing reports within a single invoice. The Root account (payer) is the only one with access to the collective cloud spending data. When registering this type of profile in DigiUsher, the user is given the option to have Cost & Usage Reports detected automatically.
To track a new AWS data source in your DigiUsher account, please select the AWS Root ARN Account tab at the Data Source Connection step during the initial configuration or later on in the Settings section of the main page.
You can find Terraform and CloudFormation templates for account provisioning here. If you prefer to set things up manually, you can also follow the instructions below.
Create Cost and Usage Report (CUR)
Creating a Cost and Usage Report is only available for the Root cloud account (payer), while all its Linked accounts will be centrally managed and receive their billing data through the main account’s invoice.
To use automatic or manual billing data import in DigiUsher, you first need to create a Cost and Usage Report (CUR) in AWS. Please refer to the official AWS documentation to become acquainted with the guidelines for CURs.
- Navigate to Billing & Cost Management Dashboard → AWS Cost and Usage Reports.
- Create a new report.
  - Step 1. Report content: Select both the “Include resource IDs” and “Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills.” checkboxes.
  - Step 2. Delivery options:
    - Create a new bucket or use an existing one for the report.
    - Report path prefix is not required. If it is configured, you will have to specify it during the cloud account creation as well.
    - Pick “Daily” time granularity.
    - Pick “Overwrite existing report” report versioning.
    - Use “ZIP” compression type.
  - Step 3. Review: Confirm report creation. AWS prepares the report within 24 hours.
Automatic Billing Data Import in AWS
Step 1. Having Cost and Usage Reports configured for your cloud account is the main prerequisite in order to proceed with the remaining actions.
Step 2. Update bucket policy
- Navigate to the Permissions tab of your AWS S3 bucket and select Bucket Policy.
- Paste the following policy, replacing <bucket_name> with the name of the bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "billingreports.amazonaws.com"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "billingreports.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    }
  ]
}
Step 3. Create policy for read only access
- Go to Identity and Access Management (IAM) → Policies.
- Create a new policy for read-only access to the bucket (replace <bucket_name> in the policy with the name of the bucket):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReportDefinition",
      "Effect": "Allow",
      "Action": [
        "cur:DescribeReportDefinitions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GetObject",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    },
    {
      "Sid": "BucketOperations",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Sid": "Stmt1612363708671",
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<bucket_name>"
    }
  ]
}
Step 4. Create role and grant policies
- Go to Identity and Access Management (IAM) → Roles to create a new role.
- Select AWS account as the Trusted entity type.
- Select Another AWS account and enter 058264546051 as the Account ID.
- Attach the created policy to the role.
- Confirm creation of the role.
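The role created in Step 4 carries a trust policy that names account 058264546051 as the principal allowed to call sts:AssumeRole. The check below is an added example, not part of DigiUsher's documentation or templates; the function names and both sample trust policies are constructed for illustration. It confirms that an exported trust policy trusts that account and nothing else.

```python
import re

EXPECTED_ACCOUNT = "058264546051"  # account ID given in Step 4 of this page


def _as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Return the 12-digit account of an account ID or IAM ARN, else None."""
    m = re.fullmatch(r"(\d{12})|arn:aws:iam::(\d{12}):.+", principal)
    return (m.group(1) or m.group(2)) if m else None


def audit_trust_policy(policy, expected=EXPECTED_ACCOUNT):
    """Return findings; an empty list means only `expected` is trusted."""
    findings, trusts_expected = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal: any identity may assume the role")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "AWS" and _account_of(value) == expected:
                    trusts_expected = True
                else:
                    findings.append(f"unexpected principal {kind}={value}")
    if not trusts_expected:
        findings.append(f"account {expected} is not trusted")
    return findings


# Constructed sample: the trust policy the console writes for "Another AWS account".
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::058264546051:root"}}]}
# Constructed sample: the same role with an extra, unintended wildcard principal.
BAD = {"Version": "2012-10-17", "Statement": [
    GOOD["Statement"][0],
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    print(audit_trust_policy(GOOD))
    print(audit_trust_policy(BAD))
```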
Step 5. Create data source in DigiUsher
- Go to DigiUsher.
- Register as a new user.
- Log in as a registered user.
- Create a data source. Provide the Role ARN value and the data from the previous steps (see screenshot for more details).
- After creating a data source, you will need to wait for the report to be generated by AWS and uploaded to DigiUsher according to the schedule (performed on an hourly basis).
Discover Resources
DigiUsher needs to have permissions configured in AWS for the user data source in order to correctly discover resources and display them under a respective section of the dashboard for the associated employee.
Make sure to include the following policy so that DigiUsher can parse EC2 resource data:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DigiUsherOperations",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketTagging",
        "iam:GetAccessKeyLastUsed",
        "cloudwatch:GetMetricStatistics",
        "s3:GetBucketAcl",
        "ec2:Describe*",
        "s3:ListAllMyBuckets",
        "iam:ListUsers",
        "s3:GetBucketLocation",
        "iam:GetLoginProfile",
        "cur:DescribeReportDefinitions",
        "iam:ListAccessKeys"
      ],
      "Resource": "*"
    }
  ]
}
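The Step 3 policy pairs each S3 action with the ARN form it needs (s3:GetObject on the bucket's objects, s3:ListBucket and s3:GetBucketLocation on the bucket itself), and both it and the discovery policy above grant only Get/List/Describe actions. The check below is an added example, not DigiUsher's code; the function names, the bucket name example-cur-bucket and the SWAPPED sample are constructed. It reports unreplaced placeholders, non-read actions and action/ARN mismatches before a policy is saved.

```python
READ_VERBS = ("Get", "List", "Describe")  # every action on this page uses one of these


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings for an identity policy that is meant to be read-only."""
    findings = []
    for stmt in policy["Statement"]:
        sid, resources = stmt.get("Sid", "<no Sid>"), _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            service, _, name = action.partition(":")
            if not name.startswith(READ_VERBS):
                findings.append(f"{sid}: {action} is not a read action")
            if service != "s3" or resources == ["*"]:
                continue
            for arn in resources:
                if "<" in arn:
                    findings.append(f"{sid}: placeholder left in {arn}")
                # Heuristic (assumption): S3 actions naming "Object" need bucket/*.
                if ("/" in arn.split(":::")[-1]) != ("Object" in name):
                    findings.append(f"{sid}: {action} does not match {arn}")
    return findings


def step3_policy(bucket):
    """The Step 3 read-only policy with the bucket name substituted."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReportDefinition", "Effect": "Allow",
         "Action": ["cur:DescribeReportDefinitions"], "Resource": "*"},
        {"Sid": "GetObject", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": f"{arn}/*"},
        {"Sid": "BucketOperations", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": arn},
        {"Sid": "Stmt1612363708671", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation"], "Resource": arn}]}


# Constructed mistake: an object read and a write action scoped to the bucket ARN.
SWAPPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Swapped", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-cur-bucket"}]}

if __name__ == "__main__":
    for label, doc in [("step3", step3_policy("example-cur-bucket")), ("swapped", SWAPPED)]:
        print(label, audit_policy(doc))
```

The same function can be run over the discovery policy: every action it lists is a Get, List or Describe call on Resource "*", so it returns no findings.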
Your AWS data source account should now be ready for integration with DigiUsher! Please contact our Support Team at support@digiusher.com if you have any questions or face any issues.