Legacy - Connecting an AWS Root account (CUR already configured)

Amazon Web Services (AWS)

DigiUsher supports AWS Organizations, which links several data sources so that data for multiple users is managed centrally and all billing reports arrive within a single invoice. The Root (payer) account is the only one with access to the collective cloud spending data. When registering this type of profile in DigiUsher, the user can choose to have Cost & Usage Reports detected automatically.

To track a new AWS data source in your DigiUsher account, select the AWS Root Account tab at the Data Source Connection step during the initial configuration, or later in the Settings section of the main page.

Automatic Billing Data Import in AWS

Step 1. Having Cost and Usage Reports configured for your cloud account is the main prerequisite in order to proceed with the remaining actions. If CUR hasn’t been configured, refer to the following section:

Step 2. Update bucket policy

  • Navigate to the Permissions tab of your AWS S3 bucket and select Bucket Policy.
  • Replace <bucket_name> with the name of the bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "billingreports.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "billingreports.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<bucket_name>/*"
        }
    ]
}

Step 3. Create policy for read only access

  • Go to Identity and Access Management (IAM) → Policies.
  • Create a new policy for read-only access to the bucket (replace <bucket_name> in the policy with the name of the bucket):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReportDefinition",
            "Effect": "Allow",
            "Action": [
                "cur:DescribeReportDefinitions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GetObject",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>/*"
        },
        {
            "Sid": "BucketOperations",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>"
        },
        {
            "Sid": "Stmt1612363708671",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::<bucket_name>"
        }
    ]
}
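
One way to check the Step 3 policy before attaching it to the access-key user, as an added example that is not DigiUsher's own code: it confirms that every allowed action is a read-only verb and that every S3 statement stays inside the named bucket, which also catches a <bucket_name> placeholder left unreplaced. The function names, the read-only verb list and the bucket name are assumptions made for illustration.

```python
import json

READ_ONLY_VERBS = ("Get", "List", "Describe")  # assumption: verbs treated as read-only

# Step 3 policy from this page, compacted; <bucket_name> is the page's placeholder.
STEP3_TEMPLATE = """{"Version": "2012-10-17", "Statement": [
 {"Sid": "ReportDefinition", "Effect": "Allow",
  "Action": ["cur:DescribeReportDefinitions"], "Resource": "*"},
 {"Sid": "GetObject", "Effect": "Allow",
  "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::<bucket_name>/*"},
 {"Sid": "BucketOperations", "Effect": "Allow",
  "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::<bucket_name>"},
 {"Sid": "Stmt1612363708671", "Effect": "Allow",
  "Action": ["s3:GetBucketLocation"], "Resource": "arn:aws:s3:::<bucket_name>"}]}"""


def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_read_only(policy, bucket):
    """Return findings for a policy that should grant read-only access to one bucket."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement {index}")
        for action in as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{sid}: {action} is not read-only")
            if service != "s3":
                continue
            for resource in as_list(stmt.get("Resource", [])):
                if resource not in in_scope:
                    findings.append(f"{sid}: {action} applies to {resource}")
    return findings


if __name__ == "__main__":
    bucket = "example-cur-bucket"  # constructed bucket name
    rendered = json.loads(STEP3_TEMPLATE.replace("<bucket_name>", bucket))
    print(audit_read_only(rendered, bucket))  # policy as documented
    drifted = json.loads(STEP3_TEMPLATE.replace("<bucket_name>", bucket))
    drifted["Statement"][1]["Action"].append("s3:PutObject")  # constructed drift
    drifted["Statement"][2]["Resource"] = "*"                 # constructed drift
    print(audit_read_only(drifted, bucket))
```

The check does not evaluate NotAction, NotResource or Condition elements, so a policy that uses them needs a manual review.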

Step 4. Create user and grant policies

  • Go to Identity and Access Management (IAM) → Users to create a new user.
  • Select Access type: Programmatic access (the access key ID and secret key are used for access to the bucket and DigiUsher report file).
  • Attach the created policy to the user.
  • Confirm creation of the user.

Step 5. Create data source in DigiUsher

  • Go to DigiUsher.
  • Register as a new user.
  • Log in as a registered user.
  • Create a data source. Provide user credentials and data from previous steps (see screenshot for more details).
  • After creating a data source, you will need to wait for the report to be generated by AWS and uploaded to DigiUsher according to the schedule (performed on an hourly basis).

Discover Resources

DigiUsher needs permissions configured in AWS for the user data source in order to correctly discover resources and display them under the respective section of the dashboard for the associated employee.

Make sure to include the following policy so that DigiUsher is able to parse EC2 resource data:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DigiUsherOperations",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketTagging",
                "iam:GetAccessKeyLastUsed",
                "cloudwatch:GetMetricStatistics",
                "s3:GetBucketAcl",
                "ec2:Describe*",
                "s3:ListAllMyBuckets",
                "iam:ListUsers",
                "s3:GetBucketLocation",
                "iam:GetLoginProfile",
                "cur:DescribeReportDefinitions",
                "iam:ListAccessKeys"
            ],
            "Resource": "*"
        }
    ]
}

Your AWS data source account should now be ready for integration with DigiUsher! Please contact our Support Team at support@digiusher.com if you have any questions or face any issues.