
Legacy - Connecting an AWS Root account (no CUR configured)

DigiUsher supports the AWS Organizations service, which allows linking several data sources in order to centrally manage data of multiple users while receiving all billing reports within a single invoice. The Root account (payer) will be the only one with access to collective data related to cloud spending. When registering this type of profile in DigiUsher, the user is given an option for Cost & Usage Reports to be detected automatically.

To track a new AWS data source in your DigiUsher account, please select the AWS Root Account tab at the Data Source Connection step during the initial configuration or later on in the Settings section of the main page.

Create Cost and Usage Report (CUR)

Creating a Cost and Usage Report is only available for the Root cloud account (payer), while all its Linked accounts will be centrally managed and receive their billing data through the main account’s invoice.

In order to utilize automatic / manual billing data import in DigiUsher, first, you need to create a Cost and Usage Report (CUR) in AWS. Please refer to their official documentation to become acquainted with the guidelines for CURs.

  • Navigate to Billing & Cost Management Dashboard → AWS Cost and Usage Reports.
  • Create a new report.
  • Step 1. Report content: Select both “Include resource IDs” and “Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills.” checkboxes.
  • Step 2. Delivery options:
    • Create a new or use an existing bucket for the report.
    • Report path prefix is not required. In case it is configured, you will have to specify it during the cloud account creation as well.
    • Pick “Daily” time granularity.
    • Pick “Overwrite existing report” report versioning.
    • Use “ZIP” compression type.
  • Step 3. Review. Confirm report creation. The report will be prepared by AWS within 24 hours.

Automatic Billing Data Import in AWS

Step 1. Having Cost and Usage Reports configured for your cloud account is the main prerequisite in order to proceed with the remaining actions.

Step 2. Update bucket policy

  • Navigate to the Permissions tab of your AWS S3 bucket and select Bucket Policy.
  • Replace <bucket_name> with the name of the bucket:
{
   "Version": "2012-10-17",
   "Statement": [
   {
       "Effect": "Allow",
       "Principal": {
       "Service": "billingreports.amazonaws.com"
       },
       "Action": [
       "s3:GetBucketAcl",
       "s3:GetBucketPolicy"
       ],
       "Resource": "arn:aws:s3:::<bucket_name>"
   },
   {
       "Effect": "Allow",
       "Principal": {
       "Service": "billingreports.amazonaws.com"
       },
       "Action": "s3:PutObject",
       "Resource": "arn:aws:s3:::<bucket_name>/*"
   }
   ]
}
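
The policy above names only the service principal, so nothing in it ties the grant to reports defined in your own account. The following added example (not part of DigiUsher's documentation) detects that gap and adds the `aws:SourceAccount` and `aws:SourceArn` global condition keys that AWS provides for cross-service confused-deputy protection; the bucket name, account ID and function names are constructed, and the report-definition ARN pattern is an assumption to check against your own report's ARN.

```python
import copy
import json

CUR_PRINCIPAL = "billingreports.amazonaws.com"
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # compared in lower case

# Step 2 bucket policy; bucket name and account ID are constructed placeholders.
BUCKET, ACCOUNT_ID = "example-cur-bucket", "111122223333"
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CUR_PRINCIPAL},
         "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Principal": {"Service": CUR_PRINCIPAL},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

def is_cur_statement(stmt):
    """True when the statement's principal is the billing reports service."""
    principal = stmt.get("Principal")
    services = principal.get("Service", []) if isinstance(principal, dict) else []
    return CUR_PRINCIPAL in ([services] if isinstance(services, str) else services)

def unscoped_statements(policy):
    """Indexes of billing-service statements that carry no source condition."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if is_cur_statement(stmt) and not keys & SOURCE_KEYS:
            hits.append(i)
    return hits

def scope_to_account(policy, account_id):
    """Return a copy whose billing-service statements apply only to this account's reports."""
    hardened = copy.deepcopy(policy)
    for stmt in hardened["Statement"]:
        if is_cur_statement(stmt):
            stmt.setdefault("Condition", {}).setdefault("StringLike", {}).update({
                "aws:SourceAccount": account_id,
                "aws:SourceArn": f"arn:aws:cur:us-east-1:{account_id}:definition/*",
            })
    return hardened

if __name__ == "__main__":
    print("unscoped statements:", unscoped_statements(PAGE_POLICY))
    print(json.dumps(scope_to_account(PAGE_POLICY, ACCOUNT_ID), indent=2))
```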

Step 3. Create policy for read only access

  • Go to Identity and Access Management (IAM) → Policies.
  • Create a new policy for read only access to the bucket (<bucket_name> must be replaced in policy):
{
   "Version": "2012-10-17",
   "Statement": [
       {
       "Sid": "ReportDefinition",
       "Effect": "Allow",
       "Action": [
           "cur:DescribeReportDefinitions"
       ],
       "Resource": "*"
       },
       {
       "Sid": "GetObject",
       "Effect": "Allow",
       "Action": [
           "s3:GetObject"
       ],
       "Resource": "arn:aws:s3:::<bucket_name>/*"
       },
       {
       "Sid": "BucketOperations",
       "Effect": "Allow",
       "Action": [
           "s3:ListBucket"
       ],
       "Resource": "arn:aws:s3:::<bucket_name>"
       },
       {
       "Sid": "Stmt1612363708671",
       "Action": [
           "s3:GetBucketLocation"
       ],
       "Effect": "Allow",
       "Resource": "arn:aws:s3:::<bucket_name>"
       }
   ]
}


Step 4. Create user and grant policies

  • Go to Identity and Access Management (IAM) → Users to create a new user.
  • Select Access type - Programmatic access (access key ID and secret key are used for access to the bucket and DigiUsher report file).
  • Attach the created policy to the user.
  • Confirm creation of the user.

Step 5. Create data source in DigiUsher

  • Go to DigiUsher.
  • Register as a new user.
  • Log in as a registered user.
  • Create a data source. Provide user credentials and data from previous steps (see screenshot for more details).
  • After creating a data source, you will need to wait for the report to be generated by AWS and uploaded to DigiUsher according to the schedule (performed on an hourly basis).

Discover Resources

DigiUsher needs to have permissions configured in AWS for the user data source in order to correctly discover resources and display them under a respective section of the dashboard for the associated employee.

Make sure to include the following policy in order for DigiUsher to be able to parse EC2 resources data:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DigiUsherOperations",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketTagging",
                "iam:GetAccessKeyLastUsed",
                "cloudwatch:GetMetricStatistics",
                "s3:GetBucketAcl",
                "ec2:Describe*",
                "s3:ListAllMyBuckets",
                "iam:ListUsers",
                "s3:GetBucketLocation",
                "iam:GetLoginProfile",
                "cur:DescribeReportDefinitions",
                "iam:ListAccessKeys"
            ],
            "Resource": "*"
        }
    ]
}
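
An added review check (not DigiUsher's code) that can be run over the policy above before it is attached to the access key handed to the tool: it confirms that every allowed action is a Get/List/Describe call by name, and lists the wildcard action and the IAM enumeration actions that are granted on all resources. The verb list is a name-based heuristic rather than an AWS classification, and the `review` function is hypothetical.

```python
READ_VERBS = ("Get", "List", "Describe")  # name-based heuristic, not an AWS classification

# Actions copied from the page's discovery policy, all granted on Resource "*".
DISCOVERY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DigiUsherOperations", "Effect": "Allow", "Resource": "*",
        "Action": [
            "s3:GetBucketPublicAccessBlock", "s3:GetBucketPolicyStatus",
            "s3:GetBucketTagging", "iam:GetAccessKeyLastUsed",
            "cloudwatch:GetMetricStatistics", "s3:GetBucketAcl", "ec2:Describe*",
            "s3:ListAllMyBuckets", "iam:ListUsers", "s3:GetBucketLocation",
            "iam:GetLoginProfile", "cur:DescribeReportDefinitions",
            "iam:ListAccessKeys",
        ],
    }],
}

def as_list(value):
    """IAM allows a single string or dict where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def review(policy):
    """Classify every allowed action so a reviewer can see what the key can do."""
    report = {"not_read_only": [], "wildcards": [], "iam_on_any_resource": []}
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        any_resource = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if not name.startswith(READ_VERBS):
                report["not_read_only"].append(action)   # mutating or unknown verb
            if "*" in action:
                report["wildcards"].append(action)       # expands as AWS adds APIs
            if service.lower() == "iam" and any_resource:
                report["iam_on_any_resource"].append(action)
    return {key: sorted(found) for key, found in report.items()}

if __name__ == "__main__":
    for key, found in review(DISCOVERY_POLICY).items():
        print(f"{key}: {found}")
```

A clean `not_read_only` list only says the action names look read-only; the IAM entries still let the key holder enumerate users and access keys across the account, so rotate and monitor that key accordingly.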

Your AWS data source account should now be ready for integration with DigiUsher! Please contact our Support Team at support@digiusher.com if you have any questions or face any issues.