Managing AWS Accounts
Integrating your AWS accounts with Spend Shrink is essential to gain a comprehensive understanding of your cloud spending and uncover actionable optimization opportunities. This guide outlines the steps for connecting both standalone and organization-linked accounts, ensuring a seamless setup process.
Table of Contents
- Overview
- Enabling Cost Explorer
- Using the Connection Wizard
- Assumable Role
- Access Keys
- Standalone Accounts vs. Organizations
- Recommendations
- Terraform
- Support
Overview
To maximize the value of Spend Shrink, it is critical to connect all your AWS accounts, including:
- Standalone accounts.
- Organization payer accounts and linked accounts.
By integrating all accounts, you achieve full visibility into your cloud spending, resource utilization, and potential optimization opportunities.
Enabling Cost Explorer (Required)
Why Cost Explorer is Required
Spend Shrink relies on AWS Cost Explorer to access accurate cost and usage data for your accounts. Without enabling Cost Explorer, Spend Shrink cannot provide accurate analysis or recommendations.
Steps to Enable Cost Explorer
- Log in to the AWS Management Console.
- Navigate to Billing > Cost Explorer.
- Click Enable Cost Explorer.
Important Details
Cost Explorer must be enabled at the payer account level for AWS Organizations, and for any standalone account that is not part of an organization. Linked accounts usually inherit the setting from the payer account and generally do not need it enabled individually; however, you should verify that Cost Explorer is enabled for each account, because we require it to access accurate cost and billing data.
It can take up to 72 hours for AWS to process and backfill historical spend data. Initial results may be incomplete during this time, but Spend Shrink will automatically reprocess data every 24 hours to ensure accuracy.
Usage Costs:
AWS Cost Explorer incurs a small usage fee (typically $XX USD per month per AWS account). These costs are billed by AWS and are the responsibility of the customer.
Using the Connection Wizard
Spend Shrink's Connection Wizard streamlines the process of connecting AWS accounts. Choose one of the following secure methods based on your organization's preferences:
Assumable Role (Recommended)
- Select the Assumable Role option in the wizard.
- Deploy the role using either the CloudFormation button in our wizard or manually via Terraform (the alternative method described below).
- To deploy automatically, log in to AWS with an admin account in another browser tab, then press the deploy button in our wizard.
- Follow the steps and allow CloudFormation to build the stack, then check the CloudFormation stack outputs for the created role ARN.
- Provide the newly created Role ARN.
- Click Add Account to finalize the process.
Access Keys (Legacy)
We strongly recommend using the Assumable Role method instead, as it is inherently more secure and avoids problems such as stale credentials or personal user access keys being used.
- Select the Access Keys option in the wizard.
- Enter the Access Key ID and Secret Access Key.
- Ensure the access keys belong to an IAM user with the required permissions:
- The required permissions should mirror those in the Terraform example below.
- Click Add Account to complete the integration.
Standalone Accounts vs. Organizations
Spend Shrink supports both standalone AWS accounts and accounts within AWS Organizations:
- Standalone Accounts: These are accounts not part of an AWS Organization. Each account must be added individually through the wizard.
- AWS Organizations: For accounts under an organization, connect the payer account and all linked accounts to gain full visibility into consolidated billing and usage.
Best Practice: Add both the payer and all linked accounts to ensure Spend Shrink provides the most accurate and actionable insights. Omitting linked accounts may result in incomplete data and missed opportunities for optimization.
Recommendations
To achieve the most comprehensive insights, we recommend:
- Adding all AWS accounts, including both payer and linked accounts.
- Using the Assumable Role method whenever possible for enhanced security and scalability.
- Regularly reviewing your connected accounts to ensure all active accounts are integrated.
Terraform
This Terraform code is the equivalent of what we provide in our CloudFormation template: it creates an assumable role with the required permissions. It is an alternative way to build the same resources and trust relationships; if you use the CloudFormation stack in our wizard, you do not need this.
We require read-only access because we inspect an ever-growing list of resources directly to find deeper discounts than traditional tooling that only looks at cost metrics. Our example includes restrictions that explicitly deny access to S3 object contents, secret values, and Parameter Store values.
Terraform Role Example
```hcl
# Role that Spend Shrink's AWS account is allowed to assume.
resource "aws_iam_role" "spend_shrink_read_only" {
  name = "SpendShrinkReadOnlyRole"
  assume_role_policy = jsonencode({
    Version : "2012-10-17",
    Statement : [
      {
        Effect : "Allow",
        Principal : {
          AWS : "arn:aws:iam::537124977734:root"
        },
        Action : "sts:AssumeRole"
      }
    ]
  })
}

# AWS-managed read-only policies: resource inventory and billing data.
resource "aws_iam_role_policy_attachment" "readonly_access" {
  role       = aws_iam_role.spend_shrink_read_only.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

resource "aws_iam_role_policy_attachment" "billing_readonly_access" {
  role       = aws_iam_role.spend_shrink_read_only.name
  policy_arn = "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess"
}

# Budgets, Cost and Usage Reports, Cost Explorer and Organizations access
# that the managed read-only policies do not cover.
resource "aws_iam_policy" "spend_shrink_additional_required_access" {
  name        = "SpendShrinkAdditionalRequiredAccess"
  description = "Additional permissions required for SpendShrink"
  policy = jsonencode({
    Version : "2012-10-17",
    Statement : [
      {
        Effect : "Allow",
        Action : [
          "budgets:View*",
          "budgets:List*",
          "budgets:Get*",
          "budgets:Describe*",
          "budgets:ModifyBudget",
          "cur:*",
          "ce:*",
          "organizations:Describe*",
          "organizations:List*"
        ],
        Resource : "*"
      }
    ]
  })
}

# Explicit Deny wins over the Allow in ReadOnlyAccess, so the role can list
# buckets, secrets and parameters but never read their contents or values.
resource "aws_iam_policy" "spend_shrink_deny_sensitive_access" {
  name        = "SpendShrinkDenySensitiveAccess"
  description = "Explicitly deny sensitive access to S3 objects, secrets, and parameters"
  policy = jsonencode({
    Version : "2012-10-17",
    Statement : [
      {
        Effect : "Deny",
        Action : [
          "s3:GetObject",
          "s3:GetObjectVersion",
          "secretsmanager:GetSecretValue",
          # BatchGetSecretValue also returns secret values; denied here so the
          # secret-value restriction stated above is complete.
          "secretsmanager:BatchGetSecretValue",
          "ssm:GetParameter",
          "ssm:GetParameterHistory",
          # GetParameters and GetParametersByPath return parameter values too;
          # without them the Parameter Store restriction can be bypassed.
          "ssm:GetParameters",
          "ssm:GetParametersByPath"
        ],
        Resource : "*"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "additional_access" {
  role       = aws_iam_role.spend_shrink_read_only.name
  policy_arn = aws_iam_policy.spend_shrink_additional_required_access.arn
}

resource "aws_iam_role_policy_attachment" "deny_sensitive_access" {
  role       = aws_iam_role.spend_shrink_read_only.name
  policy_arn = aws_iam_policy.spend_shrink_deny_sensitive_access.arn
}

# The value to paste into the wizard's Role ARN field.
output "spendshrink_role_arn" {
  description = "SpendShrink assumable role ARN."
  value       = aws_iam_role.spend_shrink_read_only.arn
}
```
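Before pasting the role ARN into the wizard (or after applying the Terraform above), it is worth confirming that the deployed role trusts only the Spend Shrink account and that the deny policy actually covers every content-reading API. The following Python is an added example, not Spend Shrink's code: it checks a decoded trust policy and a deny policy, using the vendor account ID from the template above and a constructed deny sample that lists only the five actions named in the page's prose. The `sts:ExternalId` finding is informational: AWS recommends an external ID for third-party cross-account roles, and this page does not say whether Spend Shrink supports one, so raise it with the vendor rather than adding one unilaterally.

```python
import fnmatch

# Vendor account ID taken from the trust policy on this page.
SPEND_SHRINK_ACCOUNT = "537124977734"

# Content-reading actions a "list resources, never read contents" role should deny;
# the ssm:GetParameters* siblings return parameter values just like GetParameter.
SENSITIVE_READ_ACTIONS = (
    "s3:GetObject", "s3:GetObjectVersion", "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameterHistory",
    "ssm:GetParameters", "ssm:GetParametersByPath",
)

# Constructed samples: the trust policy from this page's template, and a deny
# statement listing only the five actions named in the page's prose.
PAGE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::537124977734:root"}, "Action": "sts:AssumeRole"}]}
SAMPLE_DENY = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Resource": "*",
    "Action": ["s3:GetObject", "s3:GetObjectVersion", "secretsmanager:GetSecretValue",
               "ssm:GetParameter", "ssm:GetParameterHistory"]}]}

def _as_list(value):
    """IAM accepts either a string or a list in Action/Principal/Resource."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc, vendor_account=SPEND_SHRINK_ACCOUNT):
    """Findings for a decoded AssumeRolePolicyDocument (empty list = as expected)."""
    expected = f"arn:aws:iam::{vendor_account}:root"
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action {action}")
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p != expected:  # catches "*" and any account other than the vendor's
                findings.append(f"unexpected principal {p}")
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition")
    return findings

def missing_denies(doc, actions=SENSITIVE_READ_ACTIONS):
    """Actions from `actions` not explicitly denied on Resource "*" by this policy."""
    patterns = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") == "Deny" and "*" in _as_list(st.get("Resource", [])):
            patterns += [a.lower() for a in _as_list(st.get("Action", []))]
    return [a for a in actions if not any(fnmatch.fnmatch(a.lower(), p) for p in patterns)]
```

Feed the functions the dicts that boto3's `iam.get_role()` (`AssumeRolePolicyDocument`) and `iam.get_policy_version()` (`Document`) return for the deployed role, and treat any unexpected principal or action, or an uncovered sensitive action, as a reason not to hand over the ARN until the template is corrected.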
Support
If you encounter any challenges while adding AWS accounts, our team is here to help:
- Contact us directly at support@spendshrink.com
Begin your integration today to unlock the full potential of Spend Shrink for your cloud cost optimization strategy.