Adding an AWS Account with a CloudFormation Stack

Learn how to add an AWS account with a cross-account role connection

Updated over a week ago

Step 1

Navigate to the ‘Account Manager’ tab.

If you don't have any accounts, your Account Manager menu will appear as shown below. Click the ‘Add environment’ button.

If you have existing accounts, your Account Manager menu will display as shown below. Click the ‘Add environment’ button.

Step 2

Click on the AWS (Amazon Web Services) button.

Step 3

Click the ‘Cross Account Role’ button, which allows access through IAM roles.

Step 4

4.1

You will be directed to the ‘Cross-account role connection’ page.

4.2

In the first field, enter the Account name. You can enter a specific name of up to 32 characters; otherwise, the account is named ‘AWS’ by default.

4.3

Next, select the Access type:

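  • Read/write: Allows you to use all functions such as converting to spot, scheduling resources, removing unused resources, and right-sizing your resources. The first statement of the read-write policy shown below applies to "Resource": "*" and includes IAM and KMS actions (for example iam:PassRole, iam:PutRolePolicy and kms:Decrypt), so review it against your least-privilege requirements before connecting the account.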

  • Read-only: Allows you to only view your resources and possible actions but does not provide access to the main functionality.

Read-write policy

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "VisualEditor0",

"Effect": "Allow",

"Action": [

"application-autoscaling:RegisterScalableTarget",

"autoscaling:CreateLaunchConfiguration",

"autoscaling:DeleteLaunchConfiguration",

"autoscaling:DescribeAutoScalingGroups",

"autoscaling:UpdateAutoScalingGroup",

"bedrock:GetAgent",

"bedrock:GetAgentActionGroup",

"bedrock:GetAgentAlias",

"bedrock:GetAgentVersion",

"bedrock:GetCustomModel",

"bedrock:GetDataSource",

"bedrock:GetKnowledgeBase",

"bedrock:GetModelCustomizationJob",

"bedrock:GetModelInvocationLoggingConfiguration",

"bedrock:GetProvisionedModelThroughput",

"bedrock:ListAgentActionGroups",

"bedrock:ListAgentAliases",

"bedrock:ListAgentKnowledgeBases",

"bedrock:ListAgentVersions",

"bedrock:ListAgents",

"bedrock:ListCustomModels",

"bedrock:ListDataSources",

"bedrock:ListKnowledgeBases",

"bedrock:ListModelCustomizationJobs",

"bedrock:ListProvisionedModelThroughputs",

"bedrock:ListTagsForResource",

"ce:DescribeCostCategoryDefinition",

"ce:GetCostAndUsage",

"ce:GetCostAndUsageWithResources",

"ce:GetCostForecast",

"ce:GetDimensionValues",

"ce:GetReservationCoverage",

"ce:GetReservationPurchaseRecommendation",

"ce:GetReservationUtilization",

"ce:GetRightsizingRecommendation",

"ce:GetSavingsPlansCoverage",

"ce:GetSavingsPlansPurchaseRecommendation",

"ce:GetSavingsPlansUtilization",

"ce:GetSavingsPlansUtilizationDetails",

"ce:GetTags",

"ce:GetUsageForecast",

"ce:ListCostCategoryDefinitions",

"cloudformation:UpdateStack",

"compute-optimizer:GetEBSVolumeRecommendations",

"compute-optimizer:GetEnrollmentStatus",

"compute-optimizer:GetLambdaFunctionRecommendations",

"compute-optimizer:UpdateEnrollmentStatus",

"cur:DescribeReportDefinitions",

"ebs:ListChangedBlocks",

"ebs:ListSnapshotBlocks",

"ec2:AttachVolume",

"ec2:CancelSpotInstanceRequests",

"ec2:CreateImage",

"ec2:CreateLaunchTemplate",

"ec2:CreateRoute",

"ec2:CreateSnapshot",

"ec2:CreateSnapshots",

"ec2:CreateTags",

"ec2:CreateVolume",

"ec2:DeleteSnapshot",

"ec2:DeleteVolume",

"ec2:DeregisterImage",

"ec2:DescribeImages",

"ec2:DescribeInstances",

"ec2:DescribeLaunchTemplateVersions",

"ec2:DescribeLaunchTemplates",

"ec2:DescribeRouteTables",

"ec2:DescribeSnapshots",

"ec2:DescribeSpotInstanceRequests",

"ec2:DescribeSpotPriceHistory",

"ec2:DescribeVolumes",

"ec2:DetachVolume",

"ec2:GetLaunchTemplateData",

"ec2:ModifyInstanceAttribute",

"ec2:ModifyNetworkInterfaceAttribute",

"ec2:ModifyVolume",

"ec2:PurchaseReservedInstancesOffering",

"ec2:ReleaseAddress",

"ec2:RequestSpotInstances",

"ec2:RunInstances",

"ec2:StartInstances",

"ec2:StopInstances",

"ec2:TerminateInstances",

"ecs:DeleteService",

"ecs:RegisterTaskDefinition",

"ecs:UpdateContainerInstancesState",

"ecs:UpdateService",

"eks:CreateNodegroup",

"eks:DeleteNodegroup",

"eks:DescribeNodegroup",

"eks:ListClusters",

"eks:UpdateNodegroupConfig",

"elasticache:PurchaseReservedCacheNodesOffering",

"elasticloadbalancing:DeregisterTargets",

"elasticloadbalancing:DescribeInstanceHealth",

"elasticloadbalancing:DescribeLoadBalancers",

"elasticloadbalancing:DescribeTargetGroups",

"elasticloadbalancing:DescribeTargetHealth",

"elasticloadbalancing:ModifyTargetGroup",

"elasticloadbalancing:RegisterInstancesWithLoadBalancer",

"elasticloadbalancing:RegisterTargets",

"es:PurchaseReservedElasticsearchInstanceOffering",

"es:PurchaseReservedInstanceOffering",

"iam:CreateServiceLinkedRole",

"iam:PassRole",

"iam:PutRolePolicy",

"kms:CreateGrant",

"kms:Decrypt",

"kms:Encrypt",

"kms:GenerateDataKey*",

"kms:ReEncrypt*",

"lambda:DeleteFunction",

"lambda:DeleteProvisionedConcurrencyConfig",

"lambda:GetFunction",

"lambda:GetPolicy",

"lambda:GetProvisionedConcurrencyConfig",

"lambda:ListTags",

"lambda:PublishVersion",

"lambda:PutProvisionedConcurrencyConfig",

"lambda:UpdateAlias",

"lambda:UpdateFunctionCode",

"lambda:UpdateFunctionConfiguration",

"logs:DeleteLogGroup",

"memorydb:DescribeReservedNodes",

"memorydb:DescribeReservedNodesOfferings",

"memorydb:DescribeSnapshots",

"memorydb:DescribeSubnetGroups",

"memorydb:PurchaseReservedNodesOffering",

"pricing:*",

"rds:DeleteDBInstance",

"rds:DescribeDBInstances",

"rds:PurchaseReservedDBInstancesOffering",

"rds:StartDBCluster",

"rds:StartDBInstance",

"rds:StopDBCluster",

"rds:StopDBInstance",

"rds:ModifyDBInstance",

"redshift:DescribeClusters",

"redshift:PauseCluster",

"redshift:PurchaseReservedNodeOffering",

"redshift:ResumeCluster",

"sagemaker:StartNotebookInstance",

"sagemaker:StopNotebookInstance",

"savingsplans:CreateSavingsPlan",

"elasticache:ModifyReplicationGroup",

"es:UpdateDomainConfig"

],

"Resource": "*"

},

{

"Effect": "Allow",

"Action": [

"s3:GetObject"

],

"Resource": "arn:aws:s3:::%bucket_name%/*"

}

]

}

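Tagging policy (besides tag and untag actions, this listing also allows apigateway:DELETE, apigateway:POST, ec2:DeleteVolume, ec2:DeregisterImage, cassandra:Alter and cassandra:AlterMultiRegionResource on "Resource": "*", which is broader than tagging alone)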

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "VisualEditor0",

"Effect": "Allow",

"Action": [

"acm:AddTagsToCertificate",

"acm:RemoveTagsFromCertificate",

"apigateway:DELETE",

"apigateway:POST",

"appmesh:TagResource",

"appmesh:UntagResource",

"autoscaling:CreateOrUpdateTags",

"autoscaling:DeleteTags",

"cloudfront:TagResource",

"cloudfront:UntagResource",

"cloudwatch:TagResource",

"cloudwatch:UntagResource",

"cognito-identity:TagResource",

"cognito-identity:UntagResource",

"ec2:CreateTags",

"ec2:DeleteTags",

"ecr:TagResource",

"ecr:UntagResource",

"ecs:TagResource",

"ecs:UntagResource",

"eks:TagResource",

"eks:UntagResource",

"elasticache:AddTagsToResource",

"elasticache:RemoveTagsFromResource",

"elasticbeanstalk:AddTags",

"elasticbeanstalk:RemoveTags",

"elasticfilesystem:CreateTags",

"elasticfilesystem:DeleteTags",

"elasticfilesystem:TagResource",

"elasticfilesystem:UntagResource",

"elasticloadbalancing:AddTags",

"elasticloadbalancing:RemoveTags",

"es:AddTags",

"es:RemoveTags",

"fsx:TagResource",

"fsx:UntagResource",

"iam:TagRole",

"iam:TagUser",

"iam:UntagRole",

"iam:UntagUser",

"kinesis:AddTagsToStream",

"kinesis:RemoveTagsFromStream",

"kms:TagResource",

"kms:UntagResource",

"lambda:TagResource",

"lambda:UntagResource",

"rds:AddTagsToResource",

"rds:RemoveTagsFromResource",

"redshift:CreateTags",

"redshift:DeleteTags",

"route53:ChangeTagsForResource",

"route53domains:DeleteTagsForDomain",

"route53domains:UpdateTagsForDomain",

"s3:DeleteJobTagging",

"s3:DeleteObjectTagging",

"s3:DeleteObjectVersionTagging",

"s3:PutBucketTagging",

"s3:PutJobTagging",

"s3:PutObjectTagging",

"s3:PutObjectVersionTagging",

"s3:ReplicateTags",

"tag:TagResources",

"tag:UntagResources",

"ec2:DeleteVolume",

"ec2:DeregisterImage",

"logs:TagResource",

"logs:UntagResource",

"backup:TagResource",

"backup:UntagResource",

"cassandra:Alter",

"cassandra:AlterMultiRegionResource",

"cassandra:TagResource",

"cassandra:TagMultiRegionResource",

"cassandra:UnTagMultiRegionResource",

"cassandra:UntagResource",

"codecommit:TagResource",

"codecommit:UntagResource",

"cloudtrail:AddTags",

"cloudtrail:RemoveTags",

"dynamodb:TagResource",

"dynamodb:UntagResource",

"events:TagResource",

"events:UntagResource",

"glacier:AddTagsToVault",

"glacier:RemoveTagsFromVault",

"glue:TagResource",

"glue:UntagResource",

"kafka:TagResource",

"kafka:UntagResource",

"timestream:TagResource",

"timestream:UntagResource",

"sagemaker:AddTags",

"sagemaker:DeleteTags",

"mq:CreateTags",

"mq:DeleteTags",

"secretsmanager:TagResource",

"secretsmanager:UntagResource",

"ses:TagResource",

"ses:UntagResource",

"states:TagResource",

"states:UntagResource",

"sns:TagResource",

"sns:UntagResource",

"sqs:TagQueue",

"sqs:UntagQueue",

"appflow:TagResource",

"appflow:UntagResource",

"wafv2:TagResource",

"wafv2:UntagResource",

"elasticmapreduce:AddTags",

"elasticmapreduce:RemoveTags",

"emr-containers:TagResource",

"emr-containers:UntagResource",

"emr-serverless:TagResource",

"emr-serverless:UntagResource",

"bedrock:TagResource",

"bedrock:UntagResource",

"memorydb:TagResource",

"memorydb:UntagResource",

"elasticbeanstalk:UpdateTagsForResource"

],

"Resource": "*"

}

]

}

Read only policy

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "VisualEditor0",

"Effect": "Allow",

"Action": [

"pricing:*",

"ce:DescribeCostCategoryDefinition",

"ce:GetRightsizingRecommendation",

"ce:GetCostAndUsage",

"ce:GetSavingsPlansUtilization",

"ce:GetReservationPurchaseRecommendation",

"ce:ListCostCategoryDefinitions",

"ce:GetCostForecast",

"ce:GetReservationUtilization",

"ce:GetSavingsPlansPurchaseRecommendation",

"ce:GetDimensionValues",

"ce:GetSavingsPlansUtilizationDetails",

"ce:GetCostAndUsageWithResources",

"ce:GetReservationCoverage",

"ce:GetSavingsPlansCoverage",

"ce:GetTags",

"ce:GetUsageForecast",

"cur:DescribeReportDefinitions",

"compute-optimizer:GetEBSVolumeRecommendations",

"compute-optimizer:GetLambdaFunctionRecommendations",

"ebs:ListSnapshotBlocks",

"ebs:ListChangedBlocks",

"bedrock:GetModelInvocationLoggingConfiguration",

"bedrock:ListProvisionedModelThroughputs",

"bedrock:GetProvisionedModelThroughput",

"bedrock:ListModelCustomizationJobs",

"bedrock:GetModelCustomizationJob",

"bedrock:ListCustomModels",

"bedrock:GetCustomModel",

"bedrock:ListKnowledgeBases",

"bedrock:GetKnowledgeBase",

"bedrock:ListAgents",

"bedrock:GetAgent",

"bedrock:ListDataSources",

"bedrock:GetDataSource",

"bedrock:ListAgentAliases",

"bedrock:GetAgentAlias",

"bedrock:ListAgentVersions",

"bedrock:GetAgentVersion",

"bedrock:ListAgentActionGroups",

"bedrock:GetAgentActionGroup",

"bedrock:ListAgentKnowledgeBases",

"bedrock:ListTagsForResource",

"memorydb:DescribeSnapshots",

"memorydb:DescribeSubnetGroups",

"memorydb:DescribeReservedNodes"

],

"Resource": "*"

},

{

"Effect": "Allow",

"Action": [

"s3:GetObject"

],

"Resource": "arn:aws:s3:::%bucket_name%/*"

}

]

}

4.4

Then, select the Connection type (the chosen connection is indicated by a white dot against a blue background):

  • CloudFormation stack: ARN-role will be automatically created by the CloudFormation stack.

  • Manual: You will manually create a role using the External ID and Account ID below, giving you full control over creating policies and ARN-roles.

4.4.1

To access the manual, click the ‘Read manual’ button in the ‘Cross-account role connection’ pop-up.

The manual will look like this:

This guide continues with the CloudFormation stack option. If you chose Manual instead, follow the steps in the manual.

4.4.2

After selecting the CloudFormation stack, select the region where you want to place the S3 bucket with the CUR (Cost and Usage Report) and click “Launch now”. If you already have an S3 bucket with CUR in some region, we will not create a new one; we will use your existing S3 bucket.

If you return to Uniskai while adding an account, you will see a pop-up window

4.4.3

Sign in to the AWS Console.

4.4.4

You will see the Quick Create stack page.

4.4.5

Scroll down to the bottom of the page and select the checkboxes

4.4.6

Navigate to the next page:

4.5

Wait until the stack's status becomes "CREATE_COMPLETE", then return to Uniskai; the account will be added automatically. You can view the connected account on the Account Manager page.
