AWS Setup Guide
Configure your AWS account to work with Cloudo's cost analysis features.
Cloudo requires read-only access to your AWS Cost Explorer, EC2, S3, and CloudWatch data. We never modify your AWS resources.
Prerequisites
- An AWS account with billing access
- IAM permissions to create users and policies
- Cost Explorer enabled (free, but takes 24 hours to activate for new accounts)
Step 1: Enable Cost Explorer
If you haven't already enabled Cost Explorer, you'll need to do this first:
- Go to the AWS Cost Explorer Console
- Click "Enable Cost Explorer" if prompted
- Wait 24 hours for data to become available (for new activations)
Step 2: Create an IAM Policy
Create a custom policy with the minimum permissions Cloudo needs:
- Go to the IAM Policies Console
- Click "Create policy"
- Select the "JSON" tab
- Paste the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudoCostExplorerRead",
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetCostForecast",
"ce:GetDimensionValues",
"ce:GetTags"
],
"Resource": "*"
},
{
"Sid": "CloudoEC2Read",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances"
],
"Resource": "*"
},
{
"Sid": "CloudoS3Read",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Sid": "CloudoCloudWatchRead",
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
},
{
"Sid": "CloudoSTSRead",
"Effect": "Allow",
"Action": [
"sts:GetCallerIdentity"
],
"Resource": "*"
}
]
}- Click "Next"
- Name the policy:
CloudoReadOnly - Add a description: "Read-only access for Cloudo FinOps platform"
- Click "Create policy"
Step 3: Create an IAM User
Create a dedicated user for Cloudo:
- Go to the IAM Users Console
- Click "Create user"
- Enter username:
cloudo-cost-reader - Click "Next"
- Select "Attach policies directly"
- Search for and select
CloudoReadOnly - Click "Next", then "Create user"
Step 4: Create Access Keys
- Click on the user you just created
- Go to the "Security credentials" tab
- Scroll to "Access keys" and click "Create access key"
- Select "Third-party service" as the use case
- Check the confirmation box and click "Next"
- Click "Create access key"
- Important: Copy both the Access Key ID and Secret Access Key. The secret will only be shown once!
Store your credentials securely. Never share them or commit them to version control.
Step 5: Add Credentials to Cloudo
- Go to your Cloudo Settings
- Find the "AWS Credentials" section
- Enter your Access Key ID
- Enter your Secret Access Key
- Select your AWS region (e.g., us-east-1)
- Click "Save" - we'll validate your credentials automatically
Permissions Explained
Here's what each permission does:
| Permission | Purpose |
|---|---|
ce:GetCostAndUsage | Retrieve historical cost and usage data |
ce:GetCostForecast | Predict future spending |
ce:GetDimensionValues | List available services, regions, and accounts |
ce:GetTags | List cost allocation tags for filtering |
ec2:DescribeInstances | List EC2 instances for utilization insights |
s3:ListAllMyBuckets | List S3 buckets for storage insights |
s3:GetBucketLocation | Get bucket region to fetch size metrics |
cloudwatch:GetMetricStatistics | Get CPU utilization metrics and S3 bucket sizes |
sts:GetCallerIdentity | Identify the AWS account for daily cost alerts |
Note: The EC2, S3, and CloudWatch permissions are optional but recommended. Without them, AI-powered insights will be based only on cost data. With them, Cloudo can identify underutilized instances and provide more actionable recommendations.
Troubleshooting
Error: "User is not authorized to perform ce:GetCostAndUsage"
This means the IAM policy isn't attached correctly. Double-check that:
- The policy was created successfully
- The policy is attached to the user
- You're using the correct access keys for that user
Error: "Data not available"
Cost Explorer data can take up to 24 hours to become available after:
- Enabling Cost Explorer for the first time
- Creating a new AWS account
- For the current day's costs (there's always a delay)
Which region should I use?
Cost Explorer is a global service, but the API endpoint is in us-east-1. You can select any region in Cloudo - it won't affect the cost data returned.
Need Help?
If you're having trouble setting up AWS, contact us at support@cloudo.finance