Setting up Amazon S3 buckets for Application Cost Profiler

To send usage data to and receive reports from AWS Application Cost Profiler, you must have at least one Amazon Simple Storage Service (Amazon S3) bucket in your AWS account to store data and one S3 bucket to receive your reports.

Note

For users of AWS Organizations, the Amazon S3 buckets can be either in the management account or in individual member accounts. The data in S3 buckets owned by the management account can be used to generate reports for the entire organization. In individual member accounts, the data in the S3 buckets can only be used to generate reports for that member account.

The S3 buckets you create are owned by the AWS account that you create them in. The S3 buckets are billed at standard Amazon S3 rates. For more information about how to create an Amazon S3 bucket, see Creating a bucket in the Amazon Simple Storage Service User Guide.

In order for Application Cost Profiler to use the S3 buckets, you must attach a policy to the buckets that gives Application Cost Profiler permissions to read and/or write to the bucket. If you modify the policy after your reports are set up, you may prevent Application Cost Profiler from being able to read your usage data or deliver your reports.

The following topics show how to set up permissions on your Amazon S3 buckets after you have created them. In addition to the ability to read and write objects, if you encrypted the buckets, Application Cost Profiler must have access to the AWS Key Management Service (AWS KMS) key for each bucket.

Giving Application Cost Profiler access to your report delivery S3 bucket

The S3 bucket that you configure for Application Cost Profiler to deliver your reports to must have a policy attached that allows Application Cost Profiler to create the report objects. In addition, the S3 bucket must be configured to enable encryption.

Note

When you create your bucket, you must choose to encrypt it. You may choose to encrypt your bucket with Amazon S3-managed keys (SSE-S3) or with your own key managed by AWS KMS (SSE-KMS). If you have already created your bucket with no encryption, you must edit your bucket to add encryption.

To give Application Cost Profiler access to your report delivery S3 bucket

  1. Go to the Amazon S3 console and sign in.

  2. Select Buckets from the left navigation, and then choose your bucket from the list.

  3. Choose the Permissions tab, then, next to Bucket policy, choose Edit.

  4. In the Policy section, insert the following policy. Replace <bucket-name> with the name of your bucket, and <AWS account> with the ID of your AWS account.

    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "application-cost-profiler.amazonaws.com"
          },
          "Action": [
            "s3:PutObject*",
            "s3:GetEncryptionConfiguration"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket-name>",
            "arn:aws:s3:::<bucket-name>/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "<AWS account>"
            },
            "ArnEquals": {
              "aws:SourceArn": "arn:aws:application-cost-profiler:us-east-1:<AWS account>:*"
            }
          }
        }
      ]
    }

    In this policy you are giving the Application Cost Profiler service principal (application-cost-profiler.amazonaws.com) permission to write report objects to the specified bucket and to read the bucket's encryption configuration. When the service makes a request on your behalf, it sets the aws:SourceAccount and aws:SourceArn condition keys to your AWS account ID and to an Application Cost Profiler ARN in your account. The Condition block requires both, so the service can use this grant only while acting for your account, and not while processing another customer's data (the confused deputy problem). Note that aws:SourceArn identifies the Application Cost Profiler resource making the request, not your bucket.

  5. Choose Save changes to save your policy, attached to your bucket.

    If you have created your bucket using SSE-S3 encryption, then you are done. If you used SSE-KMS encryption, then the following steps are necessary to give Application Cost Profiler access to your bucket.

  6. (SSE-KMS only) Choose the Properties tab for your bucket, and under Default encryption, select the Amazon Resource Name (ARN) of your AWS KMS key. This opens the AWS Key Management Service console and shows your key.

  7. (SSE-KMS only) Add the policy statement that gives Application Cost Profiler access to the AWS KMS key. For instructions on adding this statement, see Giving Application Cost Profiler access to SSE-KMS encrypted S3 buckets.

Giving Application Cost Profiler access to your usage data S3 bucket

The S3 bucket that you configure for Application Cost Profiler to read your usage data from must have a policy attached to allow Application Cost Profiler to read the usage data objects.

Note

By giving Application Cost Profiler access to your usage data, you agree that we may temporarily copy such usage data objects to the US East (N. Virginia) AWS Region while processing reports. These data objects will be kept in the US East (N. Virginia) Region until the monthly report generation is complete.

To give Application Cost Profiler access to your usage data S3 bucket

  1. Go to the Amazon S3 console and sign in.

  2. Select Buckets from the left navigation, and then choose your bucket from the list.

  3. Choose the Permissions tab, then, next to Bucket policy, choose Edit.

  4. In the Policy section, insert the following policy. Replace <bucket-name> with the name of your bucket, and <AWS account> with the ID of your AWS account.

    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "application-cost-profiler.amazonaws.com"
          },
          "Action": [
            "s3:GetObject*"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket-name>",
            "arn:aws:s3:::<bucket-name>/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "<AWS account>"
            },
            "ArnEquals": {
              "aws:SourceArn": "arn:aws:application-cost-profiler:us-east-1:<AWS account>:*"
            }
          }
        }
      ]
    }

    In this policy you are giving the Application Cost Profiler service principal (application-cost-profiler.amazonaws.com) read access to the usage data objects in the specified bucket, and nothing else (no write or delete permissions). As with the report delivery bucket, the service sets the aws:SourceAccount and aws:SourceArn condition keys when it makes the request on your behalf, and the Condition block requires both so that the grant can't be used while the service is acting for a different account.

  5. Choose Save changes to save your policy, attached to your bucket.

If your bucket is encrypted with AWS KMS managed keys, then you must give Application Cost Profiler access to your bucket by following the procedure in the next section.

Giving Application Cost Profiler access to SSE-KMS encrypted S3 buckets

If you encrypt the S3 buckets that you configure for Application Cost Profiler (encryption is required for report buckets) with keys stored in AWS KMS (SSE-KMS), you must also give Application Cost Profiler permission to use those keys: to decrypt usage data and to generate data keys when it writes reports. You do this by adding a statement to the key policy of each AWS KMS key used to encrypt the data. The key must be a customer managed key; the key policy of the AWS managed key for Amazon S3 (aws/s3) can't be edited.

Note

If your bucket is encrypted with Amazon S3 managed keys, then you do not need to complete this procedure.

To give Application Cost Profiler access to AWS KMS for SSE-KMS encrypted S3 buckets

  1. Go to the AWS KMS console and sign in.

  2. Select Customer managed keys from the left navigation, and then choose the key that is used to encrypt your bucket from the list.

  3. Select Switch to policy view, then choose Edit.

  4. In the Policy section, add the following statement to the existing Statement array of the key policy. Keep the statements that are already there, in particular the one that grants your AWS account administrative access to the key; if you replace the whole policy with only this statement, you can lose the ability to manage the key. Replace <AWS account> with the ID of your AWS account.

    {
      "Effect": "Allow",
      "Principal": {
        "Service": "application-cost-profiler.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<AWS account>"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:application-cost-profiler:us-east-1:<AWS account>:*"
        }
      }
    }

  5. Choose Save changes to save your policy, attached to your key.

  6. Repeat for each key that encrypts an S3 bucket that Application Cost Profiler needs to access.
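The three procedures above (report delivery bucket, usage data bucket, and SSE-KMS key) all attach the same kind of statement: an Allow for the Application Cost Profiler service principal, guarded by the aws:SourceAccount and aws:SourceArn conditions. The following Python is an added example, not code from the AWS documentation: it builds those policy documents from an account ID and bucket name, appends the KMS statement to a copy of an existing key policy without dropping the key's administrator statement, and audits any bucket or key policy for service-principal statements that have lost the confused-deputy conditions (the situation the page warns about when a policy is edited after reports are set up). The account ID, bucket names and the sample key policy are constructed placeholders.

```python
"""Build and audit Application Cost Profiler bucket and key policy statements.

Added example, not code from the AWS documentation. The account ID, bucket
names and SAMPLE_KEY_POLICY below are constructed placeholders.
"""
import copy
from typing import Any, Dict, List

SERVICE_PRINCIPAL = "application-cost-profiler.amazonaws.com"
ACP_ARN_PREFIX = "arn:aws:application-cost-profiler:"


def confused_deputy_conditions(account_id: str) -> Dict[str, Any]:
    """The service sets aws:SourceAccount and aws:SourceArn when it calls on your
    behalf; requiring both stops the grant from being used for another account."""
    return {
        "StringEquals": {"aws:SourceAccount": account_id},
        "ArnEquals": {"aws:SourceArn": f"{ACP_ARN_PREFIX}us-east-1:{account_id}:*"},
    }


def _bucket_statement(bucket: str, account_id: str, actions: List[str]) -> Dict[str, Any]:
    return {
        "Effect": "Allow",
        "Principal": {"Service": SERVICE_PRINCIPAL},
        "Action": actions,
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": confused_deputy_conditions(account_id),
    }


def report_bucket_policy(bucket: str, account_id: str) -> Dict[str, Any]:
    """Report delivery bucket: write report objects, read encryption configuration."""
    actions = ["s3:PutObject*", "s3:GetEncryptionConfiguration"]
    return {"Version": "2008-10-17", "Statement": [_bucket_statement(bucket, account_id, actions)]}


def usage_bucket_policy(bucket: str, account_id: str) -> Dict[str, Any]:
    """Usage data bucket: read-only."""
    return {"Version": "2008-10-17", "Statement": [_bucket_statement(bucket, account_id, ["s3:GetObject*"])]}


def kms_statement(account_id: str) -> Dict[str, Any]:
    """Statement to append to the key policy of each SSE-KMS key the service must use."""
    return {
        "Effect": "Allow",
        "Principal": {"Service": SERVICE_PRINCIPAL},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
        "Resource": "*",
        "Condition": confused_deputy_conditions(account_id),
    }


def add_statement_to_key_policy(key_policy: Dict[str, Any], statement: Dict[str, Any]) -> Dict[str, Any]:
    """Append to a copy of the existing key policy. Appending (rather than replacing
    the whole policy) keeps the account's administrator statement, so you do not
    lock yourself out of the key."""
    updated = copy.deepcopy(key_policy)
    updated.setdefault("Statement", []).append(statement)
    return updated


def audit_service_statements(policy: Dict[str, Any], account_id: str) -> List[str]:
    """Return one finding per Allow statement for the ACP service principal whose
    confused-deputy conditions are missing or wrong. Empty list means the policy
    still looks the way the service needs it."""
    findings: List[str] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is valid policy JSON
        statements = [statements]
    for index, stmt in enumerate(statements):
        principal = stmt.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if stmt.get("Effect") != "Allow" or SERVICE_PRINCIPAL not in services:
            continue
        condition = stmt.get("Condition", {})
        source_account = condition.get("StringEquals", {}).get("aws:SourceAccount")
        source_arn = (condition.get("ArnEquals", {}).get("aws:SourceArn")
                      or condition.get("ArnLike", {}).get("aws:SourceArn"))
        if source_account != account_id:
            findings.append(f"statement {index}: aws:SourceAccount is not {account_id}")
        if not isinstance(source_arn, str) or not source_arn.startswith(ACP_ARN_PREFIX):
            findings.append(f"statement {index}: aws:SourceArn is not an Application Cost Profiler ARN")
    return findings


# Constructed sample: a key policy holding only the default account-administrator statement.
SAMPLE_KEY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    import json
    account = "123456789012"  # placeholder account ID
    print(json.dumps(report_bucket_policy("acp-reports-example", account), indent=2))
    updated = add_statement_to_key_policy(SAMPLE_KEY_POLICY, kms_statement(account))
    print("key policy findings:", audit_service_statements(updated, account))
```

The audit deliberately ignores statements for other principals, so it can be run against a bucket or key policy that also carries unrelated grants; it only reports when the Application Cost Profiler service principal is allowed in without the account and ARN conditions, or with conditions for a different account. A policy that passes the audit still needs the bucket's encryption to match what the service expects (SSE-S3, or SSE-KMS with the key statement in place).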

Note

The data is copied out of your S3 bucket on import into Application Cost Profiler managed buckets (that are encrypted). If you revoke the access to the keys, Application Cost Profiler can't retrieve any new objects from the bucket. However, any data already imported can still be used to generate reports.