Skip to main content

Amazon Web Services

Flexera One uses bill data to provide an accurate view of your costs across accounts and services. This data is consumed by the Flexera One platform and made available for pre-built and ad-hoc analyses. In order to gather the cost information, certain configuration steps must be performed with specific data and credentials being shared with Flexera One.

This topic describes how to configure AWS for cost reporting purposes and what information is needed to connect AWS billing data to Flexera One. The following steps must be completed in order for Flexera One to provide insight on your AWS bill:

  1. Enable Cost and Usage Reporting on Your AWS Payer Account
  2. Cost and Usage Report Configuration
  3. Configure Access to AWS for Flexera One
  4. Submit the Information

For information on Reserved Instance and Savings Plan Reallocation, see Reserved Instance and Savings Plan Reallocation.

For instructions on how to add or update billing information, see Adding Billing Data or Updating Billing Data Configurations. For instructions on connecting your cloud accounts to Policies, see Managing Credentials for Policy Access to External Systems.

Enable Cost and Usage Reporting on Your AWS Payer Account

In order to obtain all of the detail required to accurately display your cost information, we require you to enable the AWS Cost and Usage report. If your account is part of a consolidated billing group, this action must be performed on the master payer account. This process is detailed in AWS documentation on creating cost and usage reports in their Billing and Cost Management console: Creating Cost and Usage Reports.

When Cost and Usage Reporting has been enabled on your AWS payer account, continue with Cost and Usage Report Configuration.

Cost and Usage Report Configuration

note

Flexera One supports AWS Legacy Cost and Usage Reports (CUR). CUR 2.0 is not supported. At this time, Flexera One cannot process CUR 2.0 files. For information about legacy cost and usage reports, see the AWS documentation topic, Legacy Cost and Usage Reports.

Follow the instructions to configure a Cost and Usage report, and consider also requesting (optional) backfill of Cost and Usage Report data from AWS.

Configuring the Cost and Usage Report

There are two approaches for using the AWS Cost and Usage report:

  • Use an Existing Cost and Usage Report: For users who already have an AWS Cost and Usage report configured, simply confirm it is configured with the options Flexera One requires. The required AWS Cost and Usage Report configuration options appear in the following table.

    Configuration OptionSetting
    Include resource IDsenabled
    Data refresh settingsenabled
    Time granularityHourly
    Report versioningCreate new report version
    Compression typeGZIP
  • Configure a New Cost and Usage Report: For users who do not have an existing AWS Cost and Usage report or for whom the existing AWS Cost and Usage report does not have the proper configuration, configure a new AWS Cost and Usage report. Configuration options and recommendations appear in the following table.

    Configuration OptionSetting
    Include resource IDsenabled
    Data refresh settingsenabled
    Time granularityHourly
    Report versioningCreate new report version
    Compression typeGZIP
    Report NameFlexera recommends HourlyCostAndUsageReport .
    S3 Bucket NameFlexera recommends aws\-<AccountID>\-cost\-and\-usage\-report . For example, aws-123456789012-cost-and-usage-report.
    Report PrefixFlexera recommends HourlyCostAndUsageReport .

Optional: Requesting Backfill Cost and Usage Report Data from AWS

If your organization has Enterprise Support from AWS, you can request a backfill of Cost and Usage Report data from AWS customer support. This data is helpful for backfilling cost/usage data in a newly created Cost and Usage Report.

For backfill data, AWS supports a maximum number of 37 months from the creation date of the Cost and Usage Report.

See the sample AWS support ticket:

  • Case Type: Account

  • Case Category: Billing, Invoices and Reports

  • Case Subject: Request to backfill cost data for newly created Cost & Usage Report

  • Case Message Body:

    Hello, 

    We recently created a Cost & Usage Report and would like to put in a request to have the historical data backfilled. Here are the CUR Report details:

    Cost and Usage Report Name: <Replace with CUR Report Name>
    S3 bucket: <Replace with CUR Report S3 Bucket Name>
    S3 path prefix: <Replace with CUR Report Prefix>

    Please backfill the cost data from <Replace with Start of Invoicing Data> to the current month.

    Thank you

Once you have an AWS Cost and Usage Report created with the proper configuration options, take note of the S3 bucket the reports are being sent to as well as the value for Report Prefix. Then continue with the instructions in Configure Access to AWS for Flexera One.

Configure Access to AWS for Flexera One

To ingest your bill data, Flexera One requires read access to the S3 bucket that you are exporting the bills to. This can be accomplished most easily by using the Cloud Formation Quickcreate link to create the cross-account information.

note

Users who do not leverage the Cloud Formation Quickcreate link can work with the reference information and resources provided in this section, instead, to either manually create the IAM policy and IAM role or manually create the IAM policy and an IAM user (legacy).

If you elect to use a cross-account role (strongly recommended), the AWS Cloud Formation Template (CFT), linked in the instructions below, automates the creation of the IAM role and IAM policy and also outputs the Role ARN required to submit the billing information to Flexera One.

To create cross-account information for Flexera One

  1. In AWS, apply this CFT as a stack in the master payer account by deploying the Cloud Formation Template using either Cloud Formation Quickcreate (preferred) or JSON:
  2. Capture the value for RoleARN from the CFT Outputs.
  3. Submit the information to Flexera One. For details, see Submit the Information.

The following subsections provide supplementary details about the creation of an IAM policy, IAM role, and IAM user to provide read access to your cloud billing information:

IAM Policy (Cross-Account Role and IAM User) Creation Reference

To allow read-only access to your S3 billing bucket + metadata about the accounts referenced in your bill, create a new AWS IAM policy with the required Flexera One permissions. Using the following sample policy, simply replace the YOUR_BILLING_BUCKET_NAME_HERE with your bucket name. Take care not to delete the trailing /* in the s3:GetObject permission.

tip

This IAM policy applies to both the cross-account role and IAM user options.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::YOUR_BILLING_BUCKET_NAME_HERE"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::YOUR_BILLING_BUCKET_NAME_HERE/*"
]
},
{
"Effect": "Allow",
"Action": [
"organizations:Describe*",
"organizations:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ce:GetReservationPurchaseRecommendation",
"ce:GetSavingsPlansPurchaseRecommendation",
"ce:GetSavingsPlansUtilizationDetails",
"ce:GetReservationUtilization"
],
"Resource": "*"
}
]
}

Cross-Account IAM Role Creation Guidelines

Users who leverage the Cloud Formation Quickcreate link have the IAM role created automatically. Otherwise, you can use the steps described in Amazon’s AWS tutorial, “IAM Tutorial: Delegate Access Across AWS Accounts Using IAM Roles,” to create a cross-account role that with read-only access to the S3 bucket that contains your Cost and Usage Report + metadata about the accounts referenced in your bill. During the role creation process, use the following guidelines:

  • For Account ID, use 451234325714.

    Flexera ZoneAWS Account IDRole ARNFlexera Host
    North America451234325714arn:aws:iam::451234325714:role/production_customer_accessapp.flexera.com
    Europe451234325714arn:aws:iam::451234325714:role/production_eu_customer_accessapp.flexera.eu
    APAC451234325714arn:aws:iam::451234325714:role/production_apac_customer_accessapp.flexera.au
  • For Require External ID use your Flexera One organization ID.

  • Your organization ID can be found in the Flexera One URL after you log in:
    https://app.flexera.com/orgs/<ORG_ID>/...

  • Select the Flexera One role you created previously or create a new policy by selecting Create policy, selecting JSON, and supplying the IAM policy referenced above.

  • Find the newly created role and copy the ARN for the next step.

When complete, you can submit the information to Flexera One.

IAM User Creation (Legacy) Instructions

Users who choose not to use the IAM role can complete the following steps to create an IAM user with read-only access to the S3 bucket that contains your Cost and Usage Report + metadata about the accounts referenced in your bill.

info

Using an IAM user (legacy) for providing read access to the S3 bucket to which you are exporting bills is less secure than using an IAM role (preferred).

To create an IAM user (Legacy)

  1. Create a new IAM policy (see example above) which will allow read-only access to your S3 billing bucket and to metadata about the accounts referenced in your bill.
  2. Create a new IAM user which only has the newly created policy attached. Refer to Amazon’s AWS tutorial, “IAM Tutorial: Create and Attach Your First Customer Managed Policy,” for instructions on this process.
  3. Capture the access key ID and secret access key for the next step.

Then submit the information to Flexera One.

Submit the Information

Follow the instructions in Using API for Bill Connects to submit the bill connect information to Flexera One.

Reserved Instance and Savings Plan Reallocation

Starting September 13, 2023, all new AWS Bill Connects allow Reserved Instances (RI) and Savings Plan (SP) costs to be reallocated to areas where the discounts have been applied. Bill Connects made prior to September 13, 2023, may have been manually updated to support this feature or the reallocation may not have been enabled. If you have an AWS Bill Connect created prior to September 13, 2023, and want the reallocation enabled, contact Flexera Support.

For more information, see Understanding Reserved Instance and Savings Plan Reallocation.