1 of 20

North.cloud User Guide

Getting Started

Deploying North & signing up

Step 1

You can create a new North account, or access your current account at anytime at app.north.cloud

Step 2

Create login, using Gmail, Microsoft SSO etc.

Step 3

Input your AWS account credentials.

Best practice: If your AWS account is part of an AWS organization, please signup using the billing account (also called manager account) only. This will allow North to analyze usage throughout all your accounts and centralize savings opportunities into one view.

Step 4

Deploy IAM permissions.

Choose your IAM deployment method and follow the instructions.

Once your permissions deployed in your account, click verify.

IAM Permission & Deployment

As of December 5, 2024 we are combining the default and premier permissions into our onboarding, making the premier features available for all customers.

North requires an IAM permission for our app to read spending data that powers our ML engine to automate your FinOps.

North CAN NOT:

Read sensitive data
View or edit network rules
Create, change, alter, stop or pause instances or machines
Change or copy any development, test or production data

North's read-only baseline IAM permission and details are listed below. Baseline permissions allow basic functionality of our app and management system in order to fully benefit from the best savings posture. However, additional permissions may be required for some products. See product pages for more details.

Note to the community: It has come to our attention that various third-party services frequently grant themselves excessive permissions. We urge you to exercise caution and thoroughly review these permissions before implementation. For instance, a broad permission like "ec2:Describe*" permits third-party services to access your security groups. Such access is not required for cloud cost optimization and poses an increased security risk to your servers. Please ensure that permissions are appropriately limited to maintain optimal security and functionality.

North Baseline IAM Permission (Default Permissions)


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
               "ce:Get*" 
               "ce:Describe*" 
               "ce:List*" 
               "ce:Start*"
               "account:GetAccountInformation" 
               "billing:Get*"
               "payments:List*"
               "payments:Get*"
               "tax:List*"
               "tax:Get*"
               "consolidatedbilling:Get*"
               "consolidatedbilling:List*"
               "invoicing:List*"
               "invoicing:Get*"
               "cur:Get*" 
               "cur:Validate*"
               "freetier:Get*"
               "ec2:DescribeCapacity*"
               "ec2:DescribeReservedInstances*" 
               "ec2:DescribeSpot*"
               "rds:DescribeReserved*" 
               "rds:DescribeDBRecommendations"
               "rds:DescribeAccountAttributes"
               "ecs:DescribeCapacityProviders" #fargate
               "es:DescribeReserved*" #opensearch/elastic search
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "NorthCostAndUsageReadOnlyPolicyID"
        }
    ]
}

{
    "Version": "2012-10-17",
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy1",
          "Action": "iam:CreateServiceLinkedRole",
          "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
          "Condition": {
            "StringLike": {
              "iam:AWSServiceName": "compute-optimizer.amazonaws.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy2",
          "Action": "iam:PutRolePolicy",
          "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
        },
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy3",
          "Action": [
            "compute-optimizer:*",
            "ec2:DescribeInstances",
            "ec2:DescribeVolumes",
            "ecs:List*",
            "autoscaling:DescribeAutoScalingGroups",
            "lambda:ListFunctions",
            "lambda:ListProvisionedConcurrencyConfigs",
            "organizations:ListAccounts",
            "cloudwatch:GetMetricStatistics",
            "rds:DescribeDBRecommendations",
            "rds:DescribeReservedDBInstances*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy4",
          "Action": "organizations:EnableAWSServiceAccess",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "organizations:ServicePrincipal": "compute-optimizer.amazonaws.com"
            }
          }
        }
      ]
    }
 }

Deploying North IAM Permissions (Base IAM Permission)

It is suggested that all customer manage permission deployment from the app onboarding. If you would like to deploy the permission(s) independently from the console, please see below.

CloudFormation

Click on this link ot direct link below:

https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https%3A%2F%2Fnorth-cloudformation-template-public.s3.amazonaws.com%2Fbilling-and-usage-read-only-cf-stack%2Fnorth-read-only-access.yaml&stackName=NorthCostAndUsageReadOnlyCloudFormationStack

Acknowledge and click “Create stack”

Terraform

Deploy the following file:

provider "aws" {
	region = "us-east-1" # Adjust the region as needed
}
	
resource "aws_iam_role" "MyIAMRole" {
	name = "NorthCostAndUsageRole"
	
	assume_role_policy = jsonencode ({
		Version = "2012-10-17"
		Statement = 	[
		{
			Effect = "Allow"
			Principal = {
			AWS = "arn:aws:iam::480850768557:root" # Specify the AWS account ID where the trusted account resides
			}
			Action = "sts:AssumeRole"
			}
			]
		}) 
	}
	
	resource "aws_iam_policy" "MyIAMPolicy" {
	name        = "NorthCostAndUsageReadOnlyPolicy"
	description = "Read-only policy for North Inc. cost and usage"
	
	policy = jsonencode ({
		Version = "2012-10-17"
		Statement = 	[
		{
			Sid    = "NorthCostAndUsageReadOnlyPolicyID"
			Effect = "Allow"
			Action = 	[
			"ce:Get*",
			"ce:Describe*",
			"ce:List*",
			"ce:Start*",
			"account:GetAccountInformation",
			"billing:Get*",
			"payments:List*",
			"payments:Get*",
			"tax:List*",
			"tax:Get*",
			"consolidatedbilling:Get*",
			"consolidatedbilling:List*",
			"invoicing:List*",
			"invoicing:Get*",
			"cur:Get*",
			"cur:Validate*",
			"freetier:Get*",
			"ec2:DescribeCapacity*",
			"ec2:DescribeReservedInstances*",
			"ec2:DescribeSpot*",
			"rds:DescribeReserved*",
			"rds:DescribeDBRecommendations",
			"rds:DescribeAccountAttributes",
			"ecs:DescribeCapacityProviders",
			"es:DescribeReserved*"
			]
			Resource = "*"
			},
			{
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy1",
          "Action": "iam:CreateServiceLinkedRole",
          "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
          "Condition": {
            "StringLike": {
              "iam:AWSServiceName": "compute-optimizer.amazonaws.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy2",
          "Action": "iam:PutRolePolicy",
          "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
        },
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy3",
          "Action": [
            "compute-optimizer:*",
            "ec2:DescribeInstances",
            "ec2:DescribeVolumes",
            "ecs:List*",
            "autoscaling:DescribeAutoScalingGroups",
            "lambda:ListFunctions",
            "lambda:ListProvisionedConcurrencyConfigs",
            "organizations:ListAccounts",
            "cloudwatch:GetMetricStatistics",
            "rds:DescribeDBRecommendations",
            "rds:DescribeReservedDBInstances*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy4",
          "Action": "organizations:EnableAWSServiceAccess",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "organizations:ServicePrincipal": "compute-optimizer.amazonaws.com"
            }
          }
        }
		]
	})
	
	roles = 	[aws_iam_role.MyIAMRole.name]
}
	
output "RoleARNOutput" {
	value = aws_iam_role.MyIAMRole.arn
}

Run the following command in your terminal of choice:

aws cloudformation create-stack --stack-name NorthCostAndUsageReadOnlyCloudFormationStack --template-url https://north-cloudformation-template-public.s3.amazonaws.com/billing-and-usage-read-only-cf-stack/north-read-only-access.yaml --region us-east-1 --capabilities CAPABILITY_NAMED_IAM

In the AWS Management Console, select CloudFormation and “Create Stack”
Select the "Specify an Amazon S3 template URL" and copy:

https://north-cloudformation-template-public.s3.amazonaws.com/billing-and-usage-read-only-cf-stack/north-read-only-access.yaml// Some code

On the "Specify stack details" page, enter the following information: - Stack name: Enter "NorthCostAndUsageReadOnlyCloudFormationStack" (or your desired stack name)
Click the "Next" until you are able to “Create stack”

Security

IAM Permission Roles & Least Privilege

North uses limited IAM roles whenever possible to ensure that we cannot view critical machine data, edit machines, create/pause/stop instances or make any networking changes. We regularly hire third-party SecOps consulting to audit our risk exposure and ensure client security.

North SOC II Compliance

North as of May 2024, has passed their SOC II Type I Audit. More info can be requested, including the full compliance & audit report by reaching out to North directly.

North Savings Pods

North uses member accounts to deploy and manage savings plans & reserved instances in your AWS billing group. This approach enables customers to maintain their own billing account and AWS Organization. This also enables customers to maintain maximum security & limit exposure to 3rd party security events. While maintaining your own organization, you (the customer) are never subject to a reseller or 3rd party's Security Control Policies, or the SCPs of any sub-processors, employees or bad actors that may gain control of SCP administration in the billing org. This also allows the customer to retain full control of disconnecting the North service, and any North AWS accounts from the billing org at any moment for security or business purposes.

Disconnecting North Savings Pods From Billing Org

Please note that all disconnecting of North savings pods, or cancelation of service is governed by the MSA agreed upon between the client & North.

To remove an AWS account from your organization (including North's Savings Pods) follow the below steps:

Sign into AWS management console for the biller/payer account.
Go to AWS Organizations.
Navigate to Accounts section.
Select account(s) to remove from org.

What access do these accounts hold in our AWS organization?

The savings pods hold no cross account access of any kind to the other accounts in your AWS organization. The only IAM permission in the account is a billing read only permission for the account to "phone home" back to North. This allows North to read net savings & utilization health data from the savings pod, to best administer them to your AWS organizaiton.

How are these savings pods secured?

While we can't share our full SecOps posture publicly we can say the following. Savings pods are secured at the root layer by using a password encyption software & MFA. No other IAM permissions are created for them, so no other access can be granted. North also monitors any access, or spend in these accounts. These essentially act as "dark sites" with no live usage activity other than the savings plans.

What happens to the costs of the Pods if they leave our org?

Product & Features

Savings Plans

100% Powered by AWS Compute Savings Plans.

North offers the best in class compute savings system, and the only provider in the industry to power their compute optimization 100% with flexible Compute Savings Plans. Additionally, CloudFront and SageMaker savings plans are also available.

Savings Plans Home Page Basics

Cost: Represents the last 30 days of total net spend for instance/compute charges for EC2, Lambda & ECS Fargate.
Savings Available: monthly savings available via North's compute saver program. Click SAVE NOW to subscribe & get started.
Spend Graph: offers a daily look at the compute spend by spend type (on-demand, spot instances, savings plans, reserved instances). Automatically showing the last 30 days.
Reservation Ledger & North Savings MTD Stats: Ledger shows your rate optimization health for both reservations made through North (identified with a pink dot) and those made directly to AWS (not flexible via the North program). Click VIEW MORE to expand to your reservation health page, and view advanced ESR and FinOps stats.

Reserved Instances

North offers flexible reserved instances for products not covered by compute savings plans. These RIs provide 3 year pricing optimization for AWS's relational database service (RDS), Opensearch & Elasticache.

RI Saver Home Page Basics

Cost: represents the last 30 days of total net spend for instance charges for RDS, OpenSearch & ElastiCache.
Savings Available: monthly savings available via North's compute saver program. Click SAVE NOW to subscribe & get started.
Spend Graph: offers a daily look at the compute spend by spend type (ondemand, reserved instances). Automatically showing the last 30 days.
Reservation Ledger & North Savings MTD Stats: Ledger shows your rate optimization health for both reservations made through North (identified with a pink dot) and those made directly to AWS (not flexible via the North program). Click VIEW MORE to expand to your reservation health page, and view advanced ESR and FinOps stats.

Details on North's Flexible RIs

North's RI Saver program offers customers the option to have North purchase RIs on the customer's behalf, without the traditional 3 year commitments. These RIs can always be purchased as new reservations with partial up front payment, or if the reservation type is available on our RI marketplace, you can request to take recycled RIs with no up front payment. In the latter scenario, the customer takes over the remaining unblended costs of the RI. Any RI handoffs, fees & terms are governed by the North MSA.

Analyzing Break-Even Projections

North will automatically analyze and show you TCO/breakeven statistics on each RI instance (total accrued costs vs On-Demand equivalent), both aggregated at the total account level, or broken down by individual service/instance type. To view, go to the checkout cart, Click DETAILS.

Reservation Health

North's all in one Rate Optimization Health Center.

North offers an immersive analytics center to understand current & historical rate optimization health & trends. Loaded with AI grades & scores to help you understand and accelerate your rate optimization journey.

Understand the Ledger

The ledgers offers a list of any reserved intances or savings plans (1 or 3 year) detected in your AWS organization. Flexible policies purchased via North will have a pink dot in the left hand colunm. You can view policy data, start/end dates, ESRs, utilization stats & MTD savings.

You may also filter by type, month and more.

You can export the list at any time by Clicking EXPORT

View your ESR & FinOps Score

Scroll down to view your total account level finops score, ESRs per service. All scoring is weighed against the scale of potential ESRs available given AWS's pricing of the products & savings reservation systems in each product type.

FinOps Center

Command center for cost & usage data.

FinOps center lets you query all of your cost & usage data intelligently with immediate analysis based on the input/variables.

You can use this center to view costs on a daily or monthly granularity with the ability to apply advanced filters. All your historical data is within a couple clicks.

Understanding How to Filter the Data

Filter/create a customer report by following the below steps.

Choose your 1 or 2 "groupings"
Choose your date range & if you want the data shows in daily or monthly granularity. Click FILTER
Once the first filter updates, you will be able to further refine the results using group filters (drop downs). Once totally refined you FILTER] again for final results.

Anomaly Detection

North's hands free cost & usage anomaly detection system. Running for you with no human admin needed.

North's anomaly detection system is on by default, and will detect anomalies in cost & highly variance workloads worth human investigation.

Understanding the Priority System

North's software will automatically sort the alerts by highest priority of attention (#1) and sort down in numerical order from there. In short, if you only have a few minutes, work your way from the top the list and go downward.

Sharing the Alerts

You can share specific alert details to teammates with Slack, Jira, or by email.

Managing Alerts

You can mark that an anomaly has been sufficiently investigated & handled for it to be removed from the list, Click RESOLVED.

Reshaping

Reshaping analyzes your instance level usage & utilization data, scanning 100,000+ potential AWS machine architectures to find hidden efficiencies you can gain back by reducing your idle machine resources.

Intelligently integrated into your FinOps spending data (including effective savings rates, and RI footprint). Customizable via your account preferences on provisioning & headroom.

Understanding Home Dashboard

Reshaping will start by summarizing your monthly costs/service with graphs for current and previous month.

Click SEE DETAILS in each product box to expand your view for that product & review the AI suggestions to improve your architecture.

Expanded View & AI Suggestions

Your expanded view will show the savings detected, with exact instance changes that fit your preferences. Click AI SUGGESTION to reveal the details of each instance suggestion.

Understanding AI Suggestion Popup Box

The popup box will reveal even more details on the suggestion relative to historical usage patterns detected that governs the AI recommendations. North AI will suggest a different machine type or size based on your workloads. You can also see the historical usage patterns in CPU & network traffic to further analyze the recommendation.

Changing Your Reshaping Preferences

You can adjust the account preferences for how the machine learning model analyzes your machines and recommends improvements. To do this, click the gear icon on the reshaping homepage. Please note that changes will take 24 hours to appear in the output data as the analysis re-runs in the background. It is recommended to change preferences infrequently, ideally once a month or quarter, to avoid confusion.

GreenOps

Automated carbon footprint intelligence.

To access your GreenOps page, simple navigate to the NorthOps subsection in the app & choose GreenOps.

GreenOps requires zero technical setup, and will continuously run in the background.

Once on your dashboard, you will be able to view your last months carbon emissions profile, water & power usage estimations & an estimate of carbon credits needed to offset your footprint.

You will be able to access various filters to change the data reporting, or query specific regions or services that have high power draw & carbon output.

In order to request North purchase carbon offsets, please use the Go Carbon Neutral button at the top right, which will feature an authorization page allowing your to process the request with North. Please note that all receipts and a carbon neutral certification document can be provided upon request.

Account Management

Invoicing

North invoicing is powered by Stripe, with net 15 terms.

North is also available on the AWS Marketplace, see our Marketplace page.

AWS Marketplace

North can be billed via the AWS Marketplace. Listing link below. Either subscribe directly through the link or ask your North team to setup a private offer to be billed on the AWS marketplace.

https://aws.amazon.com/marketplace/pp/prodview-axjowgejulzlm

Service Cancelation

North's service can be canceled at anytime. Any savings plans or reserved instances can be disconnected from your billing organization and transitioned to another North customer. North via our MSA, requires 30 days notice on full account cancelations up to $10,000/mo in reservation under management monthly value, and up to 120 days notice if the reservations under management monthly value is over $10,000/mo.

Customer Support

Customers can request support 24/7 via their dedicated Slack channel, or book time directly with their team using this link:

FAQs

What does North do?

North is an AWS partner that automates and manages AWS discounting as a monthly subscription service. This allows customers to experience the ease of group buying, flexible discounts with zero-touch cost optimization.

Will North pause or change anything on my VPC?

Nope! Our service simply monitors your AWS usage posture, finds savings & allocates discounts to bring your AWS spend down.

We offer subscription based Savings Plans for:

EC2
Lambda
ECS - Fargate

We also offer limited availability for flexible Reserved Instances for:

RDS
OpenSearch
ElastiCache

What does North do that we can't do natively with AWS?

Our SW monitors your environment and takes the manual work out of managing discounting commitments to AWS. We offer customers an alternative to directly buying their Savings Plans & Reserved Instances from AWS. With North customers enjoy the benefits of a 3 year term commitments without the vendor lock in or contracts. North automates the coverage of your savings reservations to closely match your real usage patterns in your AWS stack.

What happens if I need to reduce or cancel my service subscriptions with North?

For any cancelations of service or reduction requests, we create a small handoff period where we allocate between 30 to 120 days to find a new home for your Savings Plan or Reserved Instance, based on our . No hidden fees or gotchas.

What is a Flexible Savings Plan?

Flexible AWS Savings Plans are AWS Compute Savings Plans (up to 72% off on-demand) that North owns, and allows customers to access via a monthly subscription through our Savings Pods.

Do we need to install anything?

We require read-only permissions to your billing and usage data. We don't view any sensitive data. We run light, easy & secure.

What is your pricing?

Usage of the app for savings analysis and FinOps analysis is free via our startup version ($0/mo). If you choose to subscribe to our savings plans or reserved instances, we bill you for 20% of your monthly savings vs on-demand equivalent. For example, if we help you save $10,000/mo our savings fee will be 20%. If we do not help you save, we do not charge. Our advances features can be accessed via our Premier Version, which is $599/mo. More on our pricing, .

What security is in place?

Our application takes a extremely limited read only permission to your spending data only. We cannot edit, change or pause machines, or even view network or VPC rules. More details on our secops posture can be disclosed privately.

What is your customer support model?

We pride ourselves on customer experience. Every account gets 24/7 access to their account team, including our CTO, CEO and a certified Cloud FinOps practitioner via Slack. Premier version clients get a more immersive client experience that includes dedicated reporting & monthly meetings.

Can I have my billing delivered via email?

Yes. Our billing is powered by Stripe. We invoice around the 10th of each month.

Do I still pay AWS?

Yes. You still keep your billing account direct with AWS.

What if I have current savings plans or reserved instances?

That's OK. North's service spots and models any additional savings you can achieve. If you prefer our service, you can replace aging Savings Plans and RIs with our Flex SPs and Flex RIs. Our SW will identify existing savings plans and reserved instances and only suggest additional coverage that works in conjunction with your usage.

Do you support customers with EDPs?

Yes. Customers that have direct EDPs can still enjoy the benefits of rate optimization either directly with AWS or through North. Please reach out for more information. Our EDP customers save just as much as our non-EDP customers.

Do you also support EC2 Reserved Instances?

No. We only support Compute Savings Plans for EC2. Compute Savings Plans offer as good or better hourly discounting as Reserved Instances, but provide customers with dramatically more flexibility and ease of use. You can enjoy the discounting of SPs on any AWS compute services (EC2, Lambda or ECS and Fargate) anywhere in the world, without the stress of forecasting usage by region, server generation family or server size.

I see Savings Plans can't be transferred between AWS accounts. Is this true?

Savings Plans cannot be transferred from the base AWS account in which they were reserved. North commits to the SP on your behalf, underwritting the 3 year commitment to AWS, and shares the SP to your AWS org. You can use the SP as long as you wish, when no longer needed the AWS account converts back to a base payer account, where North covers the costs or transfers it to another customer who might need more SP coverage.

Do you also help with Google Cloud or Azure?

We are working on building our platform for Google Cloud. Azure is not currently covered. Please reach out for more details.

Does North have a bug bounty program?

Yes, email bugs@north.inc

How to

Upgrade to Premier

As of December 5, 2024 we are combining the default and premier permissions into our onboarding, making the premier features available for all customers. For all current customers you can automatically upgrade to premier by following the steps below.

If you are not a Premier member and wish to become one you can do so by clicking "Upgrade to Premier" on pop up modals or through settings.

You can also view the extensive benefits of upgrading to Premier on our features page or through our pricing page.

Click Upgrade to Premier in the Settings page.

Accept North Premier MSA and Premier billing.
After clicking Upgrade you will be redirected to Premier onboarding. Similar to the initial onboarding you have performed, this will set up cross account permissions that will allow North to further analyze your AWS ecosystem and improve your savings posture.

Invite users

Invite users as editors or viewers of your root North account. Editors will have the same permissions as you do and viewers will have read only.

Go to Settings>Accounts>Invite team members

You can then invite team members and selecting either viewer or editor as a role

You can only invite users with the same domain name. For example person1@north.cloud cannot invite person2@north.inc.

Viewer is best suited for users that only need read only access. Editor is best suited for users that can read and edit your profile.

IAM Permission & Deployment

As of December 5, 2024 we are combining the default and premier permissions into our onboarding, making the premier features available for all customers.

North requires an IAM permission for our app to read spending data that powers our ML engine to automate your FinOps.

North CAN NOT:

Read sensitive data
View or edit network rules
Create, change, alter, stop or pause instances or machines
Change or copy any development, test or production data

North Baseline IAM Permission (Default Permissions)


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
               "ce:Get*" 
               "ce:Describe*" 
               "ce:List*" 
               "ce:Start*"
               "account:GetAccountInformation" 
               "billing:Get*"
               "payments:List*"
               "payments:Get*"
               "tax:List*"
               "tax:Get*"
               "consolidatedbilling:Get*"
               "consolidatedbilling:List*"
               "invoicing:List*"
               "invoicing:Get*"
               "cur:Get*" 
               "cur:Validate*"
               "freetier:Get*"
               "ec2:DescribeCapacity*"
               "ec2:DescribeReservedInstances*" 
               "ec2:DescribeSpot*"
               "rds:DescribeReserved*" 
               "rds:DescribeDBRecommendations"
               "rds:DescribeAccountAttributes"
               "ecs:DescribeCapacityProviders" #fargate
               "es:DescribeReserved*" #opensearch/elastic search
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "NorthCostAndUsageReadOnlyPolicyID"
        }
    ]
}

{
    "Version": "2012-10-17",
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy1",
          "Action": "iam:CreateServiceLinkedRole",
          "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
          "Condition": {
            "StringLike": {
              "iam:AWSServiceName": "compute-optimizer.amazonaws.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy2",
          "Action": "iam:PutRolePolicy",
          "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
        },
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy3",
          "Action": [
            "compute-optimizer:*",
            "ec2:DescribeInstances",
            "ec2:DescribeVolumes",
            "ecs:List*",
            "autoscaling:DescribeAutoScalingGroups",
            "lambda:ListFunctions",
            "lambda:ListProvisionedConcurrencyConfigs",
            "organizations:ListAccounts",
            "cloudwatch:GetMetricStatistics",
            "rds:DescribeDBRecommendations",
            "rds:DescribeReservedDBInstances*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy4",
          "Action": "organizations:EnableAWSServiceAccess",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "organizations:ServicePrincipal": "compute-optimizer.amazonaws.com"
            }
          }
        }
      ]
    }
 }

Deploying North IAM Permissions (Base IAM Permission)

It is suggested that all customer manage permission deployment from the app onboarding. If you would like to deploy the permission(s) independently from the console, please see below.

CloudFormation

Click on this link ot direct link below:

https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https%3A%2F%2Fnorth-cloudformation-template-public.s3.amazonaws.com%2Fbilling-and-usage-read-only-cf-stack%2Fnorth-read-only-access.yaml&stackName=NorthCostAndUsageReadOnlyCloudFormationStack

Acknowledge and click “Create stack”

Terraform

Deploy the following file:

provider "aws" {
	region = "us-east-1" # Adjust the region as needed
}
	
resource "aws_iam_role" "MyIAMRole" {
	name = "NorthCostAndUsageRole"
	
	assume_role_policy = jsonencode ({
		Version = "2012-10-17"
		Statement = 	[
		{
			Effect = "Allow"
			Principal = {
			AWS = "arn:aws:iam::480850768557:root" # Specify the AWS account ID where the trusted account resides
			}
			Action = "sts:AssumeRole"
			}
			]
		}) 
	}
	
	resource "aws_iam_policy" "MyIAMPolicy" {
	name        = "NorthCostAndUsageReadOnlyPolicy"
	description = "Read-only policy for North Inc. cost and usage"
	
	policy = jsonencode ({
		Version = "2012-10-17"
		Statement = 	[
		{
			Sid    = "NorthCostAndUsageReadOnlyPolicyID"
			Effect = "Allow"
			Action = 	[
			"ce:Get*",
			"ce:Describe*",
			"ce:List*",
			"ce:Start*",
			"account:GetAccountInformation",
			"billing:Get*",
			"payments:List*",
			"payments:Get*",
			"tax:List*",
			"tax:Get*",
			"consolidatedbilling:Get*",
			"consolidatedbilling:List*",
			"invoicing:List*",
			"invoicing:Get*",
			"cur:Get*",
			"cur:Validate*",
			"freetier:Get*",
			"ec2:DescribeCapacity*",
			"ec2:DescribeReservedInstances*",
			"ec2:DescribeSpot*",
			"rds:DescribeReserved*",
			"rds:DescribeDBRecommendations",
			"rds:DescribeAccountAttributes",
			"ecs:DescribeCapacityProviders",
			"es:DescribeReserved*"
			]
			Resource = "*"
			},
			{
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy1",
          "Action": "iam:CreateServiceLinkedRole",
          "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
          "Condition": {
            "StringLike": {
              "iam:AWSServiceName": "compute-optimizer.amazonaws.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy2",
          "Action": "iam:PutRolePolicy",
          "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
        },
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy3",
          "Action": [
            "compute-optimizer:*",
            "ec2:DescribeInstances",
            "ec2:DescribeVolumes",
            "ecs:List*",
            "autoscaling:DescribeAutoScalingGroups",
            "lambda:ListFunctions",
            "lambda:ListProvisionedConcurrencyConfigs",
            "organizations:ListAccounts",
            "cloudwatch:GetMetricStatistics",
            "rds:DescribeDBRecommendations",
            "rds:DescribeReservedDBInstances*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Sid": "NorthPremiumPolicy4",
          "Action": "organizations:EnableAWSServiceAccess",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "organizations:ServicePrincipal": "compute-optimizer.amazonaws.com"
            }
          }
        }
		]
	})
	
	roles = 	[aws_iam_role.MyIAMRole.name]
}
	
output "RoleARNOutput" {
	value = aws_iam_role.MyIAMRole.arn
}

CLI

Run the following command in your terminal of choice:

aws cloudformation create-stack --stack-name NorthCostAndUsageReadOnlyCloudFormationStack --template-url https://north-cloudformation-template-public.s3.amazonaws.com/billing-and-usage-read-only-cf-stack/north-read-only-access.yaml --region us-east-1 --capabilities CAPABILITY_NAMED_IAM

Console

In the AWS Management Console, select CloudFormation and “Create Stack”
Select the "Specify an Amazon S3 template URL" and copy:

https://north-cloudformation-template-public.s3.amazonaws.com/billing-and-usage-read-only-cf-stack/north-read-only-access.yaml// Some code

On the "Specify stack details" page, enter the following information: - Stack name: Enter "NorthCostAndUsageReadOnlyCloudFormationStack" (or your desired stack name)
Click the "Next" until you are able to “Create stack”

FAQs

What does North do?

Will North pause or change anything on my VPC?

Nope! Our service simply monitors your AWS usage posture, finds savings & allocates discounts to bring your AWS spend down.

We offer subscription based Savings Plans for:

EC2
Lambda
ECS - Fargate

We also offer limited availability for flexible Reserved Instances for:

RDS
OpenSearch
ElastiCache

What does North do that we can't do natively with AWS?

What happens if I need to reduce or cancel my service subscriptions with North?

What is a Flexible Savings Plan?

Flexible AWS Savings Plans are AWS Compute Savings Plans (up to 72% off on-demand) that North owns, and allows customers to access via a monthly subscription through our Savings Pods.

Do we need to install anything?

We require read-only permissions to your billing and usage data. We don't view any sensitive data. We run light, easy & secure.

What is your pricing?

What security is in place?

What is your customer support model?

Can I have my billing delivered via email?

Yes. Our billing is powered by Stripe. We invoice around the 10th of each month.

Do I still pay AWS?

Yes. You still keep your billing account direct with AWS.

What if I have current savings plans or reserved instances?

Do you support customers with EDPs?

Do you also support EC2 Reserved Instances?

I see Savings Plans can't be transferred between AWS accounts. Is this true?

Do you also help with Google Cloud or Azure?

We are working on building our platform for Google Cloud. Azure is not currently covered. Please reach out for more details.

Does North have a bug bounty program?

Yes, email bugs@north.inc