I have an AWS account with n number of IAM users. Each user will have access only to a specific list of services based on their role. Now I need to analyze the billing by each IAM user. This will provide the detailed view of each user for further cost optimization and other analysis.
But the AWS billing dashboard shows only the overall costs of that account. Can you please help me on this?
Billing details per IAM entities or which IAM user has spent how much is NOT possible. Also, resources are owned by the account itself (not the user who creates it) and IAM users/roles/groups are not for billing purpose.
If you wish to analyze costs of different persons, then you can consider creating (or inviting) multiple accounts in AWS Organizations.
Related
There are several "accounts" in an AWS OU in my organization to isolate service utilization, billing, etc. But, these accounts don't necessarily provide any restrictions w.r.t the number of resources a user ( say in an Active Directory environment ) can use.
I am just wondering if there are any provisions in place for AWS to be able to restrict a specific user to not consume more than the allotted 'quota'?
I am a novice in the AWS area, please excuse me if there is any ambiguity in my question.
Not that I can think of.
If you really want to do this (restrict number of resources per user), you can create one account per user and restrict their rights so that they cannot request quota increase. This may not be a practical solution.
AWS does not associate resources with users.
When a user makes a request to create a resource (eg an Amazon EC2 instance), IAM will confirm that they are entitled to create the resource. If so, then the resource is created in the AWS Account associated with that user. There is no connection made between that resource and the user (aside from an entry in CloudTrail that records the creation request).
I have an AWS account. There are multiple users being managed by IaM service.
Each user has access key and is at liberty to perform various actions such as files upload.
Is there any means to monitor cloud costs and usage by user?
I utilize cost explorer AWS service and intend filtering and grouping costs/usages by user. Unfortunately haven't come up with any way to nail it in the most graceful way.
One common way to do this is to use Cost Allocation Tags.
You can define these tags and enforce them, e.g. using AWS Config and/or tag policies.
AWS does not track costs by user.
When an IAM User makes a request to AWS to create resources (eg an EC2 instance or an RDS database), the user's permissions are checked to confirm that they are permitted to make that API call. If they are permitted, then the API call is allowed and the resources are created.
Resources created in an AWS Account are owned by the AWS Account, not an individual user. Thus, there is no relationship between resources and the credentials used to create the resource.
The closest link between users and resources would be the audit trail of API calls kept by AWS CloudTrail. CloudTrail stores information about the API call and the user that made the call, but it does not directly link to the resources that were created. This would take some effort to back-trace resources to users.
Typically, cost management is done by tagging resources. Such tags would identify cost centers or project codes that can be used to charge-back the cost of systems. Enforcing tagging is difficult. Only some services allow tagging to be enforced when services are launched. For others, it would be a matter of identifying resources that do not meet tagging requirements. See: Using AWS Config Rules to Manage Resource Tag Compliance | Sumo Logic
You can monitor every IAM user action through cloud trails logs. So you could imagine a solution based on those logs to calculate the cost of all actions from one IAM user
I allways recomend to have an account per user type or subscription type in your system (free or premium for exmaple). Depending on the user who use your services, you will login that use with this account. Then, using the AWS Cost Categories, you can to see the cost by users type, and then, knowing your number of users for each tipe or subscription you could know your price per user.
I have an root aws account and also created one IAM users. The IAM user have full permission for EC2 service. He/She create a Instance(virtual machine - t2.nano) from his IAM account.
I am check my bill from root account. I am seeing as combined usage of root user and IAM user. Is it possible to separate the billing usage for IAM user alone?
Thanks,
There is no way to track the billing usage for a IAM user unless you create a (cost allocation) tag for that user and track it in billing reports. Even then, you can track only the compute costs (instance cost) not the costs associated with storage, data transfer etc.,
In brief
We need to view AWS cost for resources created by a specific IAM user via aws:createdBy tag.
In full
My google search is not helpful - it gives me one idea to use Consolidated Billing for Organizations to have the view of cost-by-user billing but that requires to create separate AWS users, which again requires credit card.
Another solution I found is that we can view AWS cost by tag grouping via Cost Explorer report though we cannot find the mentioned tag createdBy as stated in that AWS guide?
The ideal solution should let us create as many IAM users as the number of projects may grow i.e. one IAM user per project; and then, give us the report of AWS cost for each of those users.
So, how can we get to it?
Costs are not incurred by IAM Users. The AWS Account owning the resource incurs the charge.
When an IAM User makes a request to AWS, their credentials are verified to ensure that they are the authorized person and their permissions are checked to confirm that they have permission to perform the operation. However, there is no further relationship between the person making the request and the resource that is created.
The closest connection is the audit log created by AWS CloudTrail that can show which user made each request. But this is not related to billing information.
If you wish to track costs, you should associate tags with resources. These tags could be based on department, cost center, person, etc. You can then configure your Detailed Billing Report to provide cost breakdowns by tag.
You could use a more concise solution systematically using your own tags by setting up Lambda, CloudWatch, CloudTrail, and SSM to achieve it.
Here are some references:
Automatically tag new AWS resources based on identity or role
GitHub - resource auto tag
I am searching for a solution to let the AWS IAM user only restricted information to the billing information, only that part they generated.
I think that is not a build-in feature, but is that possible to be implemented with services like cloudwatch ?
This is not a built-in feature indeed, and I don't think this can be achieved in cloudwatch.
A workaround is to split into multiple AWS accounts with one account been the billing account, using consolidating billing. That way, users can only see the billing from their "own" AWS account, but not the global billing from the billing account.
You could aslo do sth with the tags and use budgets on it, e.g setting a tag "owner" to your instances. You could thus get detailed billing.