I want my website to offer premium services to authenticated Cognito users, and so I want to be able to bill each user for the AWS resources they use. How can I track my monthly AWS spend back to the individual Cognito user? I see that I can assign cost allocation tags to user pools, but I'm looking for something at the user level, not the user pool level. I also see that I can use "Attribute-Based Access Control" in an identity pool, and that I can get tags called "Tag key for Principal" that can be referenced in IAM policies, but I'm not seeing a way to get those tags to map to cost allocation tags in the billing console.
The main resources I'm thinking about tracking initially are S3 storage and Lambda compute.
The only option I know of is the following:
https://aws.amazon.com/es/aws-cost-management/aws-cost-and-usage-reporting/
It may be what you need.
Related
There are several "accounts" in an AWS OU in my organization to isolate service utilization, billing, etc. But, these accounts don't necessarily provide any restrictions w.r.t the number of resources a user ( say in an Active Directory environment ) can use.
I am just wondering if there are any provisions in place for AWS to be able to restrict a specific user to not consume more than the allotted 'quota'?
I am a novice in the AWS area, please excuse me if there is any ambiguity in my question.
Not that I can think of.
If you really want to do this (restrict number of resources per user), you can create one account per user and restrict their rights so that they cannot request quota increase. This may not be a practical solution.
AWS does not associate resources with users.
When a user makes a request to create a resource (eg an Amazon EC2 instance), IAM will confirm that they are entitled to create the resource. If so, then the resource is created in the AWS Account associated with that user. There is no connection made between that resource and the user (aside from an entry in CloudTrail that records the creation request).
I have an AWS account. There are multiple users being managed by IaM service.
Each user has access key and is at liberty to perform various actions such as files upload.
Is there any means to monitor cloud costs and usage by user?
I utilize cost explorer AWS service and intend filtering and grouping costs/usages by user. Unfortunately haven't come up with any way to nail it in the most graceful way.
One common way to do this is to use Cost Allocation Tags.
You can define these tags and enforce them, e.g. using AWS Config and/or tag policies.
AWS does not track costs by user.
When an IAM User makes a request to AWS to create resources (eg an EC2 instance or an RDS database), the user's permissions are checked to confirm that they are permitted to make that API call. If they are permitted, then the API call is allowed and the resources are created.
Resources created in an AWS Account are owned by the AWS Account, not an individual user. Thus, there is no relationship between resources and the credentials used to create the resource.
The closest link between users and resources would be the audit trail of API calls kept by AWS CloudTrail. CloudTrail stores information about the API call and the user that made the call, but it does not directly link to the resources that were created. This would take some effort to back-trace resources to users.
Typically, cost management is done by tagging resources. Such tags would identify cost centers or project codes that can be used to charge-back the cost of systems. Enforcing tagging is difficult. Only some services allow tagging to be enforced when services are launched. For others, it would be a matter of identifying resources that do not meet tagging requirements. See: Using AWS Config Rules to Manage Resource Tag Compliance | Sumo Logic
You can monitor every IAM user action through cloud trails logs. So you could imagine a solution based on those logs to calculate the cost of all actions from one IAM user
I allways recomend to have an account per user type or subscription type in your system (free or premium for exmaple). Depending on the user who use your services, you will login that use with this account. Then, using the AWS Cost Categories, you can to see the cost by users type, and then, knowing your number of users for each tipe or subscription you could know your price per user.
I am trying to set up different user groups in the AWS user pool and grant them access to AWS resources based on the group they belong to I have two options.
Create two user groups in the user pool and associate respective roles to it. I can assume role using STS and get access to given AWS resources, something like this.
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-group/
Another option is two use Amazon Identity Pool for the same which internally uses STS.
what advantages I will get if I use the identity pool, given that sts is free and identify pool has a price associated with it.
I am confused about what should be the right approach to solve it?
Cognito is prices based on your monthly active users. Since you are going to be using user pool in both cases you will be charged the same regardless of what approach you take. But the first 50,000 monthly active users are free so you might get away with it on a smaller application.
Since pricing isn't a concern, you should just go with Identity pool since they have been made to work well with each other.
I have an AWS account with n number of IAM users. Each user will have access only to a specific list of services based on their role. Now I need to analyze the billing by each IAM user. This will provide the detailed view of each user for further cost optimization and other analysis.
But the AWS billing dashboard shows only the overall costs of that account. Can you please help me on this?
Billing details per IAM entities or which IAM user has spent how much is NOT possible. Also, resources are owned by the account itself (not the user who creates it) and IAM users/roles/groups are not for billing purpose.
If you wish to analyze costs of different persons, then you can consider creating (or inviting) multiple accounts in AWS Organizations.
In brief
We need to view AWS cost for resources created by a specific IAM user via aws:createdBy tag.
In full
My google search is not helpful - it gives me one idea to use Consolidated Billing for Organizations to have the view of cost-by-user billing but that requires to create separate AWS users, which again requires credit card.
Another solution I found is that we can view AWS cost by tag grouping via Cost Explorer report though we cannot find the mentioned tag createdBy as stated in that AWS guide?
The ideal solution should let us create as many IAM users as the number of projects may grow i.e. one IAM user per project; and then, give us the report of AWS cost for each of those users.
So, how can we get to it?
Costs are not incurred by IAM Users. The AWS Account owning the resource incurs the charge.
When an IAM User makes a request to AWS, their credentials are verified to ensure that they are the authorized person and their permissions are checked to confirm that they have permission to perform the operation. However, there is no further relationship between the person making the request and the resource that is created.
The closest connection is the audit log created by AWS CloudTrail that can show which user made each request. But this is not related to billing information.
If you wish to track costs, you should associate tags with resources. These tags could be based on department, cost center, person, etc. You can then configure your Detailed Billing Report to provide cost breakdowns by tag.
You could use a more concise solution systematically using your own tags by setting up Lambda, CloudWatch, CloudTrail, and SSM to achieve it.
Here are some references:
Automatically tag new AWS resources based on identity or role
GitHub - resource auto tag