
[CLI] AWS Billing Account Onboarding for Target

The Target Company must carry out the following steps in AWS CloudShell. Sign in to the AWS console with the Admin account where billing has been set up, then launch CloudShell from the navigation bar.

A Tenant ID is required to carry out the steps below. Ask your partner company to share the tenant ID before moving forward.

Step-1: Configure Cost Export

  1. Use existing report

    1. Check whether a cost report exists with Time granularity: Daily / Hourly and File format: text/csv

      aws cur --region us-east-1 describe-report-definitions --max-items 5 --query "ReportDefinitions[?(TimeUnit=='DAILY'||TimeUnit=='HOURLY') && Format=='textORcsv'].{ReportName:ReportName, S3Bucket: S3Bucket, S3Prefix: S3Prefix}"
      • If the above command returns only one cost record, capture its S3Bucket, S3Prefix and Report Name

      • If the above command returns more than one report, choose the oldest record from the UI.

        • Log into AWS Console and go to Billing service

        • On the billing page, look for Cost & Usage Reports section

        • Out of the available reports, choose the oldest one that has the following properties

          1. Time granularity : Daily / Hourly

          2. File format : text/csv

        • Capture the S3 bucket, Report path prefix fields from the report details section for the report you

  2. Creating new report (This step is not required if you have an existing report)

    1. Create a new S3 bucket by entering <S3BucketName> (Skip this step if you want to use an existing S3 bucket)

      aws s3 mb s3://<S3BucketName>
    2. Apply the policy to the S3 bucket by entering <S3BucketName> and the AWS billing account ID as <AccountId> (to get the account ID, execute this command: aws sts get-caller-identity --query Account --output text)

      aws s3api put-bucket-policy --bucket <S3BucketName> --policy '{
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "billingreports.amazonaws.com"
            },
            "Action": [
              "s3:GetBucketAcl",
              "s3:GetBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::<S3BucketName>",
            "Condition": {
              "StringEquals": {
                "aws:SourceArn": "arn:aws:cur:us-east-1:<AccountId>:definition/*",
                "aws:SourceAccount": "<AccountId>"
              }
            }
          },
          {
            "Sid": "Stmt1335892526596",
            "Effect": "Allow",
            "Principal": {
              "Service": "billingreports.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<S3BucketName>/*",
            "Condition": {
              "StringEquals": {
                "aws:SourceArn": "arn:aws:cur:us-east-1:<AccountId>:definition/*",
                "aws:SourceAccount": "<AccountId>"
              }
            }
          }
        ]
      }'
    3. Create a new cost and usage report by entering a <ReportName> of your choice and the <S3BucketName> and <S3BucketPrefix> created/captured in the steps above

      aws cur put-report-definition --region us-east-1 --report-definition '{
          "ReportName": "<ReportName>",
          "TimeUnit": "DAILY",
          "Format": "textORcsv",
          "Compression": "GZIP",
          "AdditionalSchemaElements": [
            "RESOURCES"
          ],
          "S3Bucket": "<S3BucketName>",
          "S3Prefix": "<S3BucketPrefix>",
          "S3Region": "us-east-1",
          "AdditionalArtifacts": [],
          "RefreshClosedReports": true,
          "ReportVersioning": "OVERWRITE_REPORT"
        }'

AWS takes up to 24 hours to deliver the first report to the configured bucket.


Step-2: Enable Cost Allocation Tags

  1. List cost allocation tags and capture the tags you want to use as dimensions for grouping and filtering cost data.

    aws ce list-cost-allocation-tags
  2. Activate the cost allocation tags you want from the list above by entering each tag key in place of <"TagValue">

    aws ce update-cost-allocation-tags-status --cost-allocation-tags-status TagKey=<"TagValue">,Status=Active TagKey=<"TagValue">,Status=Active

Step-3: Create Role / IAM User

  1. Role Based

    Role-based access is generally considered to be more secure than user-based access, as it allows organizations to control access to resources and functions based on defined roles and responsibilities. We recommend using roles over individual users whenever possible.

    1. Create the role by entering a <RoleName> of your choice and the <tenantid> provided by your partner, and capture the role ARN from the output

      aws iam create-role --role-name <RoleName> --assume-role-policy-document '{
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::911403356698:root"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": "<tenantid>"
                }
              }
            }
          ]
        }'
    2. Update the role policy by entering the <RoleName> created above and a <PolicyName> of your choice. Enter the <S3BucketName> captured in Step-1 while configuring the cost report

      aws iam put-role-policy --role-name <RoleName> --policy-name <PolicyName> --policy-document '{
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:ListBucket"
            ],
            "Resource": [
              "arn:aws:s3:::<S3BucketName>",
              "arn:aws:s3:::<S3BucketName>/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "organizations:ListAccounts",
              "organizations:DescribeAccount"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "ce:Get*",
              "ce:Desc*",
              "ce:List*"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "iam:GenerateCredentialReport",
              "iam:GenerateServiceLastAccessedDetails",
              "iam:Get*",
              "iam:List*",
              "iam:SimulateCustomPolicy",
              "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "cur:Get*",
              "cur:ValidateReportDestination",
              "cur:Describe*"
            ],
            "Resource": "*"
          }
        ]
      }'
  2. Access/Secret Key Based (This step is not required if you have created a Role)

    1. Create the user by entering a <UserName> of your choice

      aws iam create-user --user-name <UserName>
    2. Update the user policy by entering the <UserName> created above and a <PolicyName> of your choice. Enter the <S3BucketName> captured in Step-1 while configuring the cost report

      aws iam put-user-policy --user-name <UserName> --policy-name <PolicyName> --policy-document '{
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:ListBucket"
            ],
            "Resource": [
              "arn:aws:s3:::<S3BucketName>",
              "arn:aws:s3:::<S3BucketName>/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "organizations:ListAccounts",
              "organizations:DescribeAccount"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "ce:Get*",
              "ce:Desc*",
              "ce:List*"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "iam:GenerateCredentialReport",
              "iam:GenerateServiceLastAccessedDetails",
              "iam:Get*",
              "iam:List*",
              "iam:SimulateCustomPolicy",
              "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "cur:Get*",
              "cur:ValidateReportDestination",
              "cur:Describe*"
            ],
            "Resource": "*"
          }
        ]
      }'
    3. Create the AccessKey and SecretAccessKey for the <UserName> created above

      aws iam create-access-key --user-name <UserName>
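
The role-based option in Step-3 depends on the sts:ExternalId condition so that the partner principal can assume the role only on behalf of your tenant. The check below is an added example, not part of the original procedure: it audits a trust policy document for that condition and for the expected principal. The function names, sample documents and tenant ID value are constructed for illustration; the principal account is the one shown in Step-3.

```python
import json

# Partner principal account as it appears in the Step-3 trust policy on this page.
PARTNER_ACCOUNT = "911403356698"

def as_list(value):
    """IAM accepts either a single value or a list for Statement/Principal."""
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Account ID from an IAM principal given as an ARN or a bare account ID."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def external_id(stmt):
    """Value of the StringEquals sts:ExternalId condition, or None if absent."""
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    for key, value in cond.items():
        if key.lower() == "sts:externalid":  # condition keys are case-insensitive
            return value
    return None

def audit_trust_policy(policy, tenant_id):
    """Return a list of findings; an empty list means the policy is as intended."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*" or account_of(p) != PARTNER_ACCOUNT:
                findings.append(f"statement {i}: unexpected principal {p}")
        ext = external_id(stmt)
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ext != tenant_id:
            findings.append(f"statement {i}: sts:ExternalId is not the tenant ID")
    return findings

# Constructed samples: the Step-3 trust policy with a made-up tenant ID, and a
# variant with the Condition block dropped.
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::911403356698:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "tenant-example-001"}}}]}""")
BAD = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::911403356698:root"}, "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    for doc in (GOOD, BAD):
        print(audit_trust_policy(doc, "tenant-example-001"))
```

To audit the real role, pass the JSON returned by aws iam get-role --role-name <RoleName> --query Role.AssumeRolePolicyDocument to audit_trust_policy together with your tenant ID.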

Step-4: Get Account ID

  1. Get your Account ID

    aws sts get-caller-identity --query Account --output text

Step-5: Capture the below details from the above steps and share with your partner.

  1. Account ID

  2. Role ARN or Access/Secret Key

  3. Bucket Name

  4. Report Path Prefix
