Vantage has a few options to connect to AWS, including CloudFormation, the AWS CLI, a Terraform module, and the AWS IAM Console. All options are described below.
How Vantage Connects with AWS
Vantage understands security concerns and aims to provide as secure a connection as possible with your AWS accounts. Vantage uses a mechanism called a Cross-Account IAM Role to interact with services in your AWS account. AWS has publicly documented this method and officially recommends it as the preferred method of doing any cross-account interactions on AWS. Numerous internal AWS services and systems also leverage this method.
This means that Vantage never needs access credentials, account logins, or passwords for AWS.
Read-Only by Default
When you create a Cross-Account IAM Role using the provided CloudFormation template, or via Terraform, you provide Vantage with various permissions. All these permissions, by default, are read-only. We created this list of permissions based on the official AWS ReadOnlyAccess policy. In addition, we removed some of the permissions AWS includes in this list to prevent Vantage from seeing certain information, like reading from S3 buckets and reading from databases.
Vantage only collects metadata about your infrastructure and never attempts to read sensitive information from the underlying services. Our CloudFormation template is public, and you can audit the template's list of permissions.
AWS GovCloud Environments
Vantage supports ingesting costs for infrastructure in GovCloud environments. Note that at this time, we are unable to sync active resources from GovCloud regions; however, you will have access to all other Vantage functionality.
Create a Connection
Navigate to the Vantage Integrations page, and create a new AWS connection. On the AWS connection page, you will see a few options to connect.
- AWS Console: Click the purple Connect Vantage via AWS Console button to directly log in to AWS. You will be directed to CloudFormation to create the necessary stack that will contain prefilled parameters.
- AWS CLI: Click the More Connection Options dropdown and select Connect via AWS CLI. The CLI commands needed to create a connection are provided on this screen.
- Terraform: Click the More Connection Options dropdown and select Connect via AWS Terraform. Instructions for how to connect using the Terraform module are provided on this screen. See the section below for more details.
- AWS IAM Console: Click the More Connection Options dropdown and select Connect via AWS IAM Console. Instructions are provided on this screen. See the section below for more details.
- CloudFormation StackSet for Multiple Member Accounts: Click the Connect via CloudFormation StackSet button. The necessary commands to create this connection are displayed. See the next section for more information.
After you create your integration between AWS and Vantage, you can view the status of your connection on the AWS Settings page.
Connect Multiple AWS Accounts
You can connect multiple AWS accounts to Vantage; however, we strongly advise that you connect your root or management AWS account first. When you connect the root account, you can see all costs for the organization, including linked accounts.
If you connect only a linked or member account, you will experience the following issues:
- You will see only costs and costs by resource for that linked account, rather than for your whole organization.
- You will be unable to see costs for the other member accounts in your AWS organization.
- You may not see the full coverage of cost allocation tags from the organization.
- If Reserved Instances (RIs) are purchased in the linked account, those instances will be realized in the linked account first instead of being realized across the organization.
Once you connect your root/management AWS account, Vantage will profile all member accounts present in the organization. Vantage will be able to show you accrued costs from all member accounts in the organization, as well as Active Resources that are present in that root AWS account.
If you have multiple member accounts and want to view Active Resources present in those accounts, you use the CloudFormation StackSet that will create one role per AWS member account. You're also welcome to skip this step and add/remove individual AWS accounts from your account settings whenever you want.
We recommend using StackSets if you have several accounts you want to connect. Using the StackSet will automate the process for all the accounts in your organizational unit. When connecting your account, if you have at least one member account, you will see instructions, specific to your account, on how to connect your member accounts using StackSets.
To leverage StackSets, you must enable your organization's access to operate a service-managed StackSet. You'll need to enable this setting in the AWS Management Console. If you don't have this setting enabled and attempt to run a StackSet command, you'll see the following error:
An error occurred (ValidationError) when calling the CreateStackSet operation: You must enable organizations access to operate a service managed stack set
For more information, see AWS's instructions for enabling this setting.
Connect with Terraform
During onboarding, instead of following the CloudFormation process, you can use the Vantage Terraform module. Refer to the Terraform documentation for more information.
Connect by Manually Creating an IAM Role
If you want to create IAM roles manually or use another tool to manage your infrastructure, you can create the necessary cross-account role.
- On the AWS connection page in the Vantage console, click More Connection Options > Connect via AWS IAM Console.
- You will be presented with a Trust Relationship and an Inline Policy that is required for the role. Follow the steps provided in the Vantage console to set up the role. Keep this tab open as you will need some submit the ARN of the role to complete the connection.
- After creating the role in IAM, return to the onboarding page in Vantage and add the ARN of the created role to the Cross account arn field at the bottom of the connection workflow pop-up window. Then, click Connect to complete the connection.
AWS Data Ingestion Delay
Vantage creates both an IAM role and a Cost and Usage Report (CUR) integration when onboarding to AWS. While an IAM role is created within a minute, and historical data can be populated almost immediately, it can take AWS up to 24 hours to deliver the first CUR to Vantage. As a result, only partial data will be present until this first CUR is received.
This delay will impact a few features in the Vantage console:
- Active Resources will initially show only hourly and monthly rates. Once the first CUR is received, you can see actual accrued costs per resource, broken down by cost category and subcategory.
- Cost Reports will show line-item data per service initially but will not be able to show costs by resource until the first CUR is received.
- Both Autopilot and Savings Planner are unavailable until the first CUR is received.
Once Vantage receives its first CUR, this functionality will automatically be made available, and Vantage will alert you via email. Ultimately, this is a limitation imposed by AWS, and all Vantage features will become active once the data is received.
Backfill AWS CUR for Previous Reporting Periods
The first CUR that's sent to Vantage contains only the current month's data. If you want to see historical data in Vantage, you can backfill your CUR for re-ingestion into Vantage.
If you have existing historical CUR files, add a copy of these files to the shared Vantage S3 bucket. Then, email our Support team to ingest the backfilled CUR. By default, Vantage will automatically process CUR files for the current calendar month, but our Support team can manually process historical CURs when notified in a manual process.
Ideally, these files should be a daily CSV; however, Vantage can also support hourly and/or Parquet formats.
If you do not have this data available, you can contact AWS Support and open a ticket for AWS to backfill your CUR. Follow the steps below.
From your AWS root/management account, use the top search bar to search for and navigate to Cost and Usage Reports.
A table of CURs is displayed. Observe the Report Name column. You should see the CUR that was created by Vantage when the integration was set up. Take note of the values in the Report Name and S3 Bucket columns.
Open a ticket with AWS Support to backfill the Vantage CUR. You can use the sample email template below when creating your request.
AWS Support Request Template
Subject: Request for Backfilling AWS Cost and Usage Report
[Insert your organization name] needs help backfilling an AWS Cost and Usage Report per the below requirements:
- Please backfill the existing [Insert Vantage CUR report name] report from the [Insert CUR's S3 bucket name] S3 bucket.
- We need historical data for the following period: [Insert start date] to [Insert end date].
- This should be a daily CSV file.
Once the historical data is successfully backfilled into the above CUR, please send us a notification or confirmation.
[Insert your name]
Once AWS Support completes your request, please email email@example.com to re-ingest the backfilled CUR.
Update the Vantage AWS Integration
Occasionally, Vantage will modify the permission sets it uses to access billing and resource data on AWS. When this happens, you can update your integration.
- Navigate to the Integrations page of the Vantage console.
- From the AWS tile, click Manage.
- The Account list is displayed. Click Manage for the cloud account that you want to update. (For AWS organizations with multiple accounts, this will usually be the Management account.)
- Click Update Vantage via AWS Console to perform the update, or click More Update Options for command-line and other deployment methods.
Manage Workspace Access
See the Workspaces documentation for information on how to update workspace access for an integration.