AWS Onboarding

After you successfully created an account you can add your AWS billing accounts.

Add your payer account number(s)

Best practice: If your AWS account is part of an AWS organization, please signup using the billing account (also called manager account) only. This will allow North to analyze usage throughout all your accounts and centralize savings opportunities into one view.

Select your integration method

We recommend using the CloudFormation option. This deploys all the required permissions within a couple of minutes through a couple clicks. Or you can use Terraform, CLI, or console commands to deploy the required permissions.

Click here to open a pre-configured CloudFormation stack in a new tab.
Once in the page, scroll to the bottom and click "I acknowledge".
Finally, click "Create stack" to create the stack.

Create .tf file

provider "aws" {
  region = "us-east-1" # Specify your AWS region
}

resource "aws_iam_role" "my_iam_role" {
  name               = "NorthCostAndUsageRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = {
          AWS = "arn:aws:iam::480850768557:root"
        }
        Action    = ["sts:AssumeRole"]
      }
    ]
  })
}

resource "aws_iam_policy" "my_iam_policy" {
  name        = "NorthCostAndUsageReadOnlyPolicy"
  description = "Read-only policy for cost and usage reporting"
  policy      = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "NorthCostAndUsageReadOnlyPolicyID"
        Effect = "Allow"
        Action = [
          "ce:Get*",
          "ce:Describe*",
          "ce:List*",
          "ce:Start*",
          "account:GetAccountInformation",
          "billing:Get*",
          "payments:List*",
          "payments:Get*",
          "tax:List*",
          "tax:Get*",
          "consolidatedbilling:Get*",
          "consolidatedbilling:List*",
          "invoicing:List*",
          "invoicing:Get*",
          "cur:Get*",
          "cur:Validate*",
          "freetier:Get*",
          "ec2:DescribeCapacity*",
          "ec2:DescribeReservedInstances*",
          "ec2:DescribeSpot*",
          "rds:DescribeReserved*",
          "rds:DescribeDBRecommendations",
          "rds:DescribeAccountAttributes",
          "ecs:DescribeCapacityProviders",
          "es:DescribeReserved*"
        ]
        Resource = "*"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "attach_policy_to_role" {
  policy_arn = aws_iam_policy.my_iam_policy.arn
  role       = aws_iam_role.my_iam_role.name
}

resource "aws_iam_role" "north_premium_iam_role" {
  name               = "NorthCostAndUsageRolePremium"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = {
          AWS = "arn:aws:iam::480850768557:root"
        }
        Action    = ["sts:AssumeRole"]
      }
    ]
  })
}

resource "aws_iam_policy" "north_premium_iam_policy" {
  name        = "NorthCostAndUsagePremiumPolicy"
  description = "Premium read-only policy for cost and usage reporting"
  policy      = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid     = "NorthPremiumPolicy1"
        Effect  = "Allow"
        Action  = "iam:CreateServiceLinkedRole"
        Resource = "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*"
        Condition = {
          StringLike = {
            "iam:AWSServiceName" = "compute-optimizer.amazonaws.com"
          }
        }
      },
      {
        Sid     = "NorthPremiumPolicy2"
        Effect  = "Allow"
        Action  = "iam:PutRolePolicy"
        Resource = "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
      },
      {
        Sid     = "NorthPremiumPolicy3"
        Effect  = "Allow"
        Action  = [
          "compute-optimizer:*",
          "ec2:DescribeInstances",
          "ec2:DescribeVolumes",
          "ecs:List*",
          "autoscaling:DescribeAutoScalingGroups",
          "lambda:ListFunctions",
          "lambda:ListProvisionedConcurrencyConfigs",
          "organizations:ListAccounts",
          "cloudwatch:GetMetricStatistics",
          "rds:DescribeDBRecommendations",
          "rds:DescribeReservedDBInstances*"
        ]
        Resource = "*"
      },
      {
        Sid     = "NorthPremiumPolicy4"
        Effect  = "Allow"
        Action  = "organizations:EnableAWSServiceAccess"
        Resource = "*"
        Condition = {
          StringEquals = {
            "organizations:ServicePrincipal" = "compute-optimizer.amazonaws.com"
          }
        }
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "attach_premium_policy_to_role" {
  policy_arn = aws_iam_policy.north_premium_iam_policy.arn
  role       = aws_iam_role.north_premium_iam_role.name
}

output "role_arn" {
  value = aws_iam_role.my_iam_role.arn
}

output "role_arn_premium" {
  value = aws_iam_role.north_premium_iam_role.arn
}

Run the following command on the AWS CLI

aws cloudformation create-stack --stack-name NorthCostAndUsageReadOnlyCloudFormationStack --template-url https://north-cloudformation-template-public.s3.amazonaws.com/billing-and-usage-read-only-cf-stack/north-read-only-access.yaml --region us-east-1 --capabilities CAPABILITY_NAMED_IAM

Deploy a CloudFormation stack in the AWS console that will create a read-only cross-account role. This will enable North to recommend the best savings posture based on your usage.
In the AWS Management Console, select CloudFormation and “Create Stack”.
Select the "Specify an Amazon S3 template URL" and enter the URL below:

https://north-cloudformation-template-public.s3.amazonaws.com/billing-and-usage-read-only-cf-stack/north-read-only-access.yaml

On the "Specify stack details" page, enter the following information:
- Stack name: Enter "NorthCostAndUsageReadOnlyCloudFormationStack" (or your desired stack name)
Click the "Next" until you are able to click “Create stack”

Verify access

We will automatically verify your access after your deployment. We recommend that you wait until all the permissions are successfully deployed. You can also verify manually or send over the instructions by email to another team member.

Make sure to have the proper permissions on your billing account to create roles and policies.

Start saving!

You will get a confirmation email once North AI has the perfect savings report ready and have access to all our features for free. You can even start savings that same hour.

PreviousGetting Started NextGCP Onboarding

Last updated 1 day ago

provider "aws" { region = "us-east-1" # Specify your AWS region } resource "aws_iam_role" "my_iam_role" { name = "NorthCostAndUsageRole" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ { Effect = "Allow" Principal = { AWS = "arn:aws:iam::480850768557:root" } Action = ["sts:AssumeRole"] } ] }) } resource "aws_iam_policy" "my_iam_policy" { name = "NorthCostAndUsageReadOnlyPolicy" description = "Read-only policy for cost and usage reporting" policy = jsonencode({ Version = "2012-10-17" Statement = [ { Sid = "NorthCostAndUsageReadOnlyPolicyID" Effect = "Allow" Action = [ "ce:Get*", "ce:Describe*", "ce:List*", "ce:Start*", "account:GetAccountInformation", "billing:Get*", "payments:List*", "payments:Get*", "tax:List*", "tax:Get*", "consolidatedbilling:Get*", "consolidatedbilling:List*", "invoicing:List*", "invoicing:Get*", "cur:Get*", "cur:Validate*", "freetier:Get*", "ec2:DescribeCapacity*", "ec2:DescribeReservedInstances*", "ec2:DescribeSpot*", "rds:DescribeReserved*", "rds:DescribeDBRecommendations", "rds:DescribeAccountAttributes", "ecs:DescribeCapacityProviders", "es:DescribeReserved*" ] Resource = "*" } ] }) } resource "aws_iam_role_policy_attachment" "attach_policy_to_role" { policy_arn = aws_iam_policy.my_iam_policy.arn role = aws_iam_role.my_iam_role.name } resource "aws_iam_role" "north_premium_iam_role" { name = "NorthCostAndUsageRolePremium" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ { Effect = "Allow" Principal = { AWS = "arn:aws:iam::480850768557:root" } Action = ["sts:AssumeRole"] } ] }) } resource "aws_iam_policy" "north_premium_iam_policy" { name = "NorthCostAndUsagePremiumPolicy" description = "Premium read-only policy for cost and usage reporting" policy = jsonencode({ Version = "2012-10-17" Statement = [ { Sid = "NorthPremiumPolicy1" Effect = "Allow" Action = "iam:CreateServiceLinkedRole" Resource = "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*" Condition = { StringLike = { "iam:AWSServiceName" = "compute-optimizer.amazonaws.com" } } }, { Sid = "NorthPremiumPolicy2" Effect = "Allow" Action = "iam:PutRolePolicy" Resource = "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer" }, { Sid = "NorthPremiumPolicy3" Effect = "Allow" Action = [ "compute-optimizer:*", "ec2:DescribeInstances", "ec2:DescribeVolumes", "ecs:List*", "autoscaling:DescribeAutoScalingGroups", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "organizations:ListAccounts", "cloudwatch:GetMetricStatistics", "rds:DescribeDBRecommendations", "rds:DescribeReservedDBInstances*" ] Resource = "*" }, { Sid = "NorthPremiumPolicy4" Effect = "Allow" Action = "organizations:EnableAWSServiceAccess" Resource = "*" Condition = { StringEquals = { "organizations:ServicePrincipal" = "compute-optimizer.amazonaws.com" } } } ] }) } resource "aws_iam_role_policy_attachment" "attach_premium_policy_to_role" { policy_arn = aws_iam_policy.north_premium_iam_policy.arn role = aws_iam_role.north_premium_iam_role.name } output "role_arn" { value = aws_iam_role.my_iam_role.arn } output "role_arn_premium" { value = aws_iam_role.north_premium_iam_role.arn }

aws cloudformation create-stack --stack-name NorthCostAndUsageReadOnlyCloudFormationStack --template-url https://north-cloudformation-template-public.s3.amazonaws.com/billing-and-usage-read-only-cf-stack/north-read-only-access.yaml --region us-east-1 --capabilities CAPABILITY_NAMED_IAM