I am attempting to use CloudWatch AWS/Billing metrics to consolidate cost information in a central aggregator.
All the guides I can find seem to just point to setting "Receive Billing Alerts" on the master payer account. After doing that the metrics appear on that 'root' account. But none of the other accounts or users can see them.
UPDATE: I can get the data if I make a new IAM user in the Root Account, but I felt that since my user could see the Billing dashboard, it should also be able to see the CloudWatch metrics.
Is there any way to set an alarm for AWS users that have been inactive for e.g. 60 days? I mean I need an alarm to be created which will send a notification if an AWS user account has been inactive for a period of time.
From GenerateServiceLastAccessedDetails - AWS Identity and Access Management:
GenerateServiceLastAccessedDetails() Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access AWS services. Recent activity usually appears within four hours.
From GetServiceLastAccessedDetails - AWS Identity and Access Management:
GetServiceLastAccessedDetails() Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails operation. You can use the JobId parameter in GetServiceLastAccessedDetails to retrieve the status of your report job. When the report is complete, you can retrieve the generated report. The report includes a list of AWS services that the resource (user, group, role, or managed policy) can access.
So, take a look at those commands (available via AWS CLI or AWS SDK) and find the latest date of all the services that the user has accessed.
See also: Identify unused IAM roles and remove them confidently with the last used timestamp | AWS Security Blog
Yes and no. There is no plain Alarm that can do that. AWS CloudWatch Alarms can only alarm based on CloudWatch Metrics, and IAM Users do not send any metrics there.
You could write a Lambda, have it iterate through IAM Users and get their last active date. Then add an EventRule which will run this Lambda regularly, such as once per day. If Users are inactive, you could send a message to an SNS Topic, or if you wanted more adjustable alarms, send some metrics to CloudWatch Metrics in a custom namespace, then create a CloudWatch Alarm to alert on those metrics.
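The Lambda sketched in this answer, as an added example (my own code, not the answerer's): it collects each IAM user's latest console and access-key activity, flags users idle for 60 days or more, and publishes that as custom CloudWatch metrics that an alarm can watch. The namespace name, metric names and the sample users are assumptions; boto3 is only imported inside the handler so the decision logic runs offline.

```python
from datetime import datetime, timedelta, timezone
THRESHOLD_DAYS, NAMESPACE = 60, "Custom/IAMHygiene"  # namespace name is assumed; must not start with "AWS/"

def last_activity(user, key_last_used):
    # Latest of console password use and any access-key use, or None if never used.
    # `user` is an iam list_users dict; `key_last_used` has one datetime (or None) per access key.
    seen = [t for t in [user.get("PasswordLastUsed"), *key_last_used] if t is not None]
    return max(seen) if seen else None

def find_inactive_users(users, keys_by_user, now, threshold_days=THRESHOLD_DAYS):
    # [(user_name, days_inactive)] for users whose latest activity is at least
    # threshold_days old; never-used users are measured from their CreateDate.
    inactive = []
    for user in users:
        last = last_activity(user, keys_by_user.get(user["UserName"], []))
        days = (now - (last or user["CreateDate"])).days
        if days >= threshold_days:
            inactive.append((user["UserName"], days))
    return inactive

def metric_data(inactive):
    # One DaysInactive point per user (allows per-user alarms) plus a fleet-wide count.
    data = [{"MetricName": "DaysInactive", "Unit": "Count", "Value": days,
             "Dimensions": [{"Name": "UserName", "Value": name}]} for name, days in inactive]
    data.append({"MetricName": "InactiveUserCount", "Unit": "Count", "Value": len(inactive)})
    return data

def lambda_handler(event, context):
    # Daily EventBridge entry point; boto3 is imported here so the pure functions above need no SDK.
    import boto3
    iam, cw = boto3.client("iam"), boto3.client("cloudwatch")
    users = [u for page in iam.get_paginator("list_users").paginate() for u in page["Users"]]
    keys_by_user = {}
    for u in users:
        for key in iam.list_access_keys(UserName=u["UserName"])["AccessKeyMetadata"]:
            used = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])
            keys_by_user.setdefault(u["UserName"], []).append(used["AccessKeyLastUsed"].get("LastUsedDate"))
    inactive = find_inactive_users(users, keys_by_user, datetime.now(timezone.utc))
    cw.put_metric_data(Namespace=NAMESPACE, MetricData=metric_data(inactive))
    return {"inactive": inactive}

def demo():
    # Constructed sample, not real users: alice is active, bob stale, carol new but unused.
    now = datetime(2021, 12, 22, tzinfo=timezone.utc)
    users = [{"UserName": "alice", "CreateDate": now - timedelta(days=400),
              "PasswordLastUsed": now - timedelta(days=5)},
             {"UserName": "bob", "CreateDate": now - timedelta(days=400)},
             {"UserName": "carol", "CreateDate": now - timedelta(days=10)}]
    keys = {"alice": [now - timedelta(days=90)], "bob": [None, now - timedelta(days=75)]}
    return find_inactive_users(users, keys, now)
```

An alarm on InactiveUserCount > 0 in the assumed namespace then replaces the "per-user alarm" IAM itself cannot provide.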
After enabling cross-account, cross-region access (in AWS CloudWatch Settings) in both the monitoring account and the sharing account, I receive an error in the CloudWatch Logs console upon selecting the sharing account from the drop-down at the top of the page:
"Logs can only be viewed for the account logged in - XXX. You are viewing data for YYY.Go back to XXX in us-east-1"
Viewing cross-account metrics and dashboards is working well, but logs are most useful to my use case. What could cause this error on the console?
I have the monitoring and sharing roles set up per the instructions here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html#enable-cross-account-cross-Region
Unfortunately, as at time of writing (2021-12-22), cross-account CloudWatch only supports dashboards, alarms, metrics and automatic dashboards. Logs are not yet visible across accounts.
From the documentation, my emphasis:
This functionality provides you with cross-account visibility to your dashboards, alarms, metrics, and automatic dashboards without having to log in and log out of different accounts.
I am wondering if it is possible to see billing information through the Amazon SDK/APIs. Specifically, I want to see how much EC2 instances are costing the account. Is it feasible to have it break down by user if it is an IAM account, or break down by account if you are using consolidated billing?
I have seen ways of doing this by either creating an S3 bucket to have billing info dumped into, or using CloudWatch APIs which require the user to pay. Is there an easier way to get EC2 billing information through just API calls or the SDK?
Billing information can be provided as records in an Amazon S3 bucket. You can then analyze the content of those files to obtain the information you list.
It is not possible to obtain the billing records themselves via an API call.
See: Cost and Usage Report
(The older Detailed Billing Report is scheduled to be retired.)
In brief
We need to view AWS cost for resources created by a specific IAM user via aws:createdBy tag.
In full
My Google search is not helpful - it gives me one idea to use Consolidated Billing for Organizations to have the view of cost-by-user billing, but that requires creating separate AWS users, which again requires a credit card.
Another solution I found is that we can view AWS cost by tag grouping via a Cost Explorer report, though we cannot find the mentioned tag createdBy as stated in that AWS guide?
The ideal solution should let us create as many IAM users as the number of projects may grow i.e. one IAM user per project; and then, give us the report of AWS cost for each of those users.
So, how can we get to it?
Costs are not incurred by IAM Users. The AWS Account owning the resource incurs the charge.
When an IAM User makes a request to AWS, their credentials are verified to ensure that they are the authorized person and their permissions are checked to confirm that they have permission to perform the operation. However, there is no further relationship between the person making the request and the resource that is created.
The closest connection is the audit log created by AWS CloudTrail that can show which user made each request. But this is not related to billing information.
If you wish to track costs, you should associate tags with resources. These tags could be based on department, cost center, person, etc. You can then configure your Detailed Billing Report to provide cost breakdowns by tag.
You could also implement a more concise solution that applies your own tags systematically, by setting up Lambda, CloudWatch, CloudTrail, and SSM to achieve it.
Here are some references:
Automatically tag new AWS resources based on identity or role
GitHub - resource auto tag
I am searching for a solution to give an AWS IAM user only restricted access to the billing information, only the part they generated.
I think that is not a built-in feature, but is it possible to implement with services like CloudWatch?
This is not a built-in feature indeed, and I don't think this can be achieved in CloudWatch.
A workaround is to split into multiple AWS accounts with one account being the billing account, using consolidated billing. That way, users can only see the billing from their "own" AWS account, but not the global billing from the billing account.
You could also do something with the tags and use budgets on it, e.g. setting a tag "owner" to your instances. You could thus get detailed billing.
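The "owner" tag suggested here, and the auto-tagging approach referenced in the earlier answer (Lambda + CloudTrail), as an added example that is my own code rather than the linked project's: an EventBridge-triggered Lambda that tags newly launched EC2 instances with the CloudTrail principal that created them, so cost reports can be grouped by that tag. The tag keys, the EventBridge rule pattern and the sample event are assumptions.

```python
SAMPLE_EVENT = {  # constructed sample, not a real record: EventBridge wrapper around a CloudTrail RunInstances event
    "detail": {
        "eventName": "RunInstances", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "alice", "principalId": "AIDAEXAMPLEID"},
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
    }
}

def principal_from_identity(identity):
    # Map a CloudTrail userIdentity block to an owner name: IAM user, assumed-role
    # session (RoleName/SessionName from the STS ARN), root, or the raw principalId.
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity["userName"]
    if kind == "AssumedRole":  # arn:aws:sts::<account>:assumed-role/RoleName/SessionName
        return identity["arn"].split(":")[-1].removeprefix("assumed-role/")
    if kind == "Root":
        return "root"
    return identity.get("principalId", "unknown")

def tags_for_event(detail):
    # Tag keys are assumptions; "Owner" is the key the cost report would be grouped by.
    return [{"Key": "Owner", "Value": principal_from_identity(detail["userIdentity"])},
            {"Key": "CreatedVia", "Value": detail["eventName"]}]

def instance_ids(detail):
    # RunInstances lists the launched instances in responseElements.instancesSet.items;
    # responseElements is null for failed calls, so treat it as empty.
    items = detail.get("responseElements") or {}
    return [i["instanceId"] for i in items.get("instancesSet", {}).get("items", [])]

def lambda_handler(event, context):
    # Triggered by an EventBridge rule matching source aws.ec2, detail-type
    # "AWS API Call via CloudTrail", eventName RunInstances (rule pattern assumed).
    detail = event["detail"]
    ids, tags = instance_ids(detail), tags_for_event(detail)
    if ids:
        import boto3  # imported lazily so the functions above run without the SDK
        boto3.client("ec2", region_name=detail["awsRegion"]).create_tags(Resources=ids, Tags=tags)
    return {"tagged": ids, "tags": tags}
```

Once "Owner" is activated as a cost allocation tag, the per-owner breakdown appears in the billing reports without any per-user billing permissions.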