Step 1
Skip to Step 4 if you came to this guide from the Cross-account role connection page.
Navigate to the ‘Account manager’ tab.
Your Account Manager menu will look like the picture below if you don't have any accounts. Click the ‘Add environment’ button.
Your Account Manager menu will display differently if you already have some accounts. Click the ‘Add environment’ button.
Choose AWS cloud service.
Step 2
Select ‘Cross Account Role.’
Step 3
You will be directed to the ‘Cross-account role connection’ page.
Step 4
In the first field, enter an Account name. You can use a specific name (up to 32 characters) or leave it as the default ‘AWS.’
Step 5
Choose the Access type (the selected type is marked with a white dot on a blue background):
Read/write: This allows you to use all functions, such as converting to spot, scheduling resources, removing unused resources, and rightsizing your resources.
Read-only: This only lets you view your resources and possible actions, without the ability to use the main functionality.
In this case, we select the Read/Write access type.
Step 6
Select the Connection type (the selected type is marked with a white dot on a blue background):
CloudFormation stack: The ARN role is automatically created by the CloudFormation stack.
Manual: You'll manually create a role using the External ID and Account ID.
In this case, we select the Manual connection type.
Do not refresh this page during account connection! It will change the External ID!
Step 7
Login to AWS Console.
Step 8
In the search field, type Cost and Usage Reports and click the result.
Step 9
After the page loads, click the Create report button.
Step 10
Name your report and check the Include resource IDs and Refresh automatically boxes. Then click Next.
You can enter any name, but it must start with our prefix. Example: "psl-cur-{new-report}".
The part in braces can be changed.
Step 11
Click Configure.
Step 12
Name the S3 bucket psl-cur-%AWS-account-id% (replace %AWS-account-id% with your account ID) and select the region where you want the S3 bucket to be created.
Step 13
Check the box The following default policy will be applied to your bucket and click Save.
Step 14
Set the S3 path prefix to psl-cur and select the Overwrite existing report radio button. Then check the Amazon Athena box and click Next.
Step 15
Scroll to the bottom of the page and click Create Report.
Step 16
Go back to Uniskai and click on the Open AWS CONSOLE button.
Step 17
Navigate to Policies on the sidebar and click Create policy.
Policy Read-Write
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:RegisterScalableTarget",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:UpdateAutoScalingGroup",
        "bedrock:GetAgent",
        "bedrock:GetAgentActionGroup",
        "bedrock:GetAgentAlias",
        "bedrock:GetAgentVersion",
        "bedrock:GetCustomModel",
        "bedrock:GetDataSource",
        "bedrock:GetKnowledgeBase",
        "bedrock:GetModelCustomizationJob",
        "bedrock:GetModelInvocationLoggingConfiguration",
        "bedrock:GetProvisionedModelThroughput",
        "bedrock:ListAgentActionGroups",
        "bedrock:ListAgentAliases",
        "bedrock:ListAgentKnowledgeBases",
        "bedrock:ListAgentVersions",
        "bedrock:ListAgents",
        "bedrock:ListCustomModels",
        "bedrock:ListDataSources",
        "bedrock:ListKnowledgeBases",
        "bedrock:ListModelCustomizationJobs",
        "bedrock:ListProvisionedModelThroughputs",
        "bedrock:ListTagsForResource",
        "ce:DescribeCostCategoryDefinition",
        "ce:GetCostAndUsage",
        "ce:GetCostAndUsageWithResources",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:GetRightsizingRecommendation",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetTags",
        "ce:GetUsageForecast",
        "ce:ListCostCategoryDefinitions",
        "cloudformation:UpdateStack",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:UpdateEnrollmentStatus",
        "cur:DescribeReportDefinitions",
        "ebs:ListChangedBlocks",
        "ebs:ListSnapshotBlocks",
        "ec2:AttachVolume",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateImage",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateRoute",
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:DeregisterImage",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeVolumes",
        "ec2:DetachVolume",
        "ec2:GetLaunchTemplateData",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifyVolume",
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:ReleaseAddress",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ecs:DeleteService",
        "ecs:RegisterTaskDefinition",
        "ecs:UpdateContainerInstancesState",
        "ecs:UpdateService",
        "eks:CreateNodegroup",
        "eks:DeleteNodegroup",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:UpdateNodegroupConfig",
        "elasticache:PurchaseReservedCacheNodesOffering",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:ModifyTargetGroup",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:RegisterTargets",
        "es:PurchaseReservedElasticsearchInstanceOffering",
        "es:PurchaseReservedInstanceOffering",
        "iam:CreateServiceLinkedRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "kms:CreateGrant",
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*",
        "lambda:DeleteFunction",
        "lambda:DeleteProvisionedConcurrencyConfig",
        "lambda:GetFunction",
        "lambda:GetPolicy",
        "lambda:GetProvisionedConcurrencyConfig",
        "lambda:ListTags",
        "lambda:PublishVersion",
        "lambda:PutProvisionedConcurrencyConfig",
        "lambda:UpdateAlias",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "logs:DeleteLogGroup",
        "memorydb:DescribeReservedNodes",
        "memorydb:DescribeReservedNodesOfferings",
        "memorydb:DescribeSnapshots",
        "memorydb:DescribeSubnetGroups",
        "memorydb:PurchaseReservedNodesOffering",
        "pricing:*",
        "rds:DeleteDBInstance",
        "rds:DescribeDBInstances",
        "rds:PurchaseReservedDBInstancesOffering",
        "rds:StartDBCluster",
        "rds:StartDBInstance",
        "rds:StopDBCluster",
        "rds:StopDBInstance",
        "rds:ModifyDBInstance",
        "redshift:DescribeClusters",
        "redshift:PauseCluster",
        "redshift:PurchaseReservedNodeOffering",
        "redshift:ResumeCluster",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StopNotebookInstance",
        "savingsplans:CreateSavingsPlan",
        "elasticache:ModifyReplicationGroup",
        "es:UpdateDomainConfig"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::%bucket_name%/*"
    }
  ]
}
Policy Tagging
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "acm:AddTagsToCertificate",
        "acm:RemoveTagsFromCertificate",
        "apigateway:DELETE",
        "apigateway:POST",
        "appmesh:TagResource",
        "appmesh:UntagResource",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:DeleteTags",
        "cloudfront:TagResource",
        "cloudfront:UntagResource",
        "cloudwatch:TagResource",
        "cloudwatch:UntagResource",
        "cognito-identity:TagResource",
        "cognito-identity:UntagResource",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ecr:TagResource",
        "ecr:UntagResource",
        "ecs:TagResource",
        "ecs:UntagResource",
        "eks:TagResource",
        "eks:UntagResource",
        "elasticache:AddTagsToResource",
        "elasticache:RemoveTagsFromResource",
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:RemoveTags",
        "elasticfilesystem:CreateTags",
        "elasticfilesystem:DeleteTags",
        "elasticfilesystem:TagResource",
        "elasticfilesystem:UntagResource",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:RemoveTags",
        "es:AddTags",
        "es:RemoveTags",
        "fsx:TagResource",
        "fsx:UntagResource",
        "iam:TagRole",
        "iam:TagUser",
        "iam:UntagRole",
        "iam:UntagUser",
        "kinesis:AddTagsToStream",
        "kinesis:RemoveTagsFromStream",
        "kms:TagResource",
        "kms:UntagResource",
        "lambda:TagResource",
        "lambda:UntagResource",
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource",
        "redshift:CreateTags",
        "redshift:DeleteTags",
        "route53:ChangeTagsForResource",
        "route53domains:DeleteTagsForDomain",
        "route53domains:UpdateTagsForDomain",
        "s3:DeleteJobTagging",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersionTagging",
        "s3:PutBucketTagging",
        "s3:PutJobTagging",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:ReplicateTags",
        "tag:TagResources",
        "tag:UntagResources",
        "ec2:DeleteVolume",
        "ec2:DeregisterImage",
        "logs:TagResource",
        "logs:UntagResource",
        "backup:TagResource",
        "backup:UntagResource",
        "cassandra:Alter",
        "cassandra:AlterMultiRegionResource",
        "cassandra:TagResource",
        "cassandra:TagMultiRegionResource",
        "cassandra:UnTagMultiRegionResource",
        "cassandra:UntagResource",
        "codecommit:TagResource",
        "codecommit:UntagResource",
        "cloudtrail:AddTags",
        "cloudtrail:RemoveTags",
        "dynamodb:TagResource",
        "dynamodb:UntagResource",
        "events:TagResource",
        "events:UntagResource",
        "glacier:AddTagsToVault",
        "glacier:RemoveTagsFromVault",
        "glue:TagResource",
        "glue:UntagResource",
        "kafka:TagResource",
        "kafka:UntagResource",
        "timestream:TagResource",
        "timestream:UntagResource",
        "sagemaker:AddTags",
        "sagemaker:DeleteTags",
        "mq:CreateTags",
        "mq:DeleteTags",
        "secretsmanager:TagResource",
        "secretsmanager:UntagResource",
        "ses:TagResource",
        "ses:UntagResource",
        "states:TagResource",
        "states:UntagResource",
        "sns:TagResource",
        "sns:UntagResource",
        "sqs:TagQueue",
        "sqs:UntagQueue",
        "appflow:TagResource",
        "appflow:UntagResource",
        "wafv2:TagResource",
        "wafv2:UntagResource",
        "elasticmapreduce:AddTags",
        "elasticmapreduce:RemoveTags",
        "emr-containers:TagResource",
        "emr-containers:UntagResource",
        "emr-serverless:TagResource",
        "emr-serverless:UntagResource",
        "bedrock:TagResource",
        "bedrock:UntagResource",
        "memorydb:TagResource",
        "memorydb:UntagResource",
        "elasticbeanstalk:UpdateTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
Step 18
Go back to AWS, select the JSON tab and paste the policy from Step 17, replacing %bucket_name% with the name of the S3 bucket you created. Then click Next.
Step 19
Name your policy and scroll down.
Step 20
Click Create policy.
Step 21
Navigate to Roles on the sidebar and click Create role.
Step 22
Choose the AWS account trusted entity type, scroll down, and then choose Another AWS account.
Step 23
Get back to Uniskai and find your generated Account ID and External ID.
Step 24
Paste your Account ID. Check Require external ID, and paste the External ID. Then click Next.
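As an added example (not Uniskai's or AWS's own code), the script below builds the trust policy that the console generates from Steps 22-24 and checks an existing trust policy for the two properties this connection relies on: the principal is the Uniskai account from Step 23, and the sts:ExternalId condition is present. The account ID and External ID are constructed placeholders; use the values shown in Uniskai.

```python
"""Build and audit the cross-account trust policy described in Steps 22-24."""
import json

# Constructed placeholders: take the real values from the Uniskai page (Step 23).
UNISKAI_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id-from-uniskai"


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Equivalent of 'Another AWS account' + 'Require external ID' in the console."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy: dict, expected_account: str, expected_external_id: str) -> list:
    """Return findings for every AssumeRole statement; an empty list means it matches the guide."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal == "*":
            findings.append("principal is '*': any AWS account could assume the role")
        elif expected_account not in str(aws_principal):
            findings.append(f"principal does not reference account {expected_account}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != expected_external_id:
            findings.append("sts:ExternalId condition missing or different from the ID shown in Uniskai")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(UNISKAI_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("findings:", audit_trust_policy(trust, UNISKAI_ACCOUNT_ID, EXTERNAL_ID))
```

Run the audit against the JSON shown on the role's Trust relationships tab after Step 29 to confirm the External ID was saved; a refreshed Uniskai page (Step 6) would make the ID no longer match.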
Step 25
Type the name of the policy you created in the search bar and check it.
Step 26
Type ReadOnlyAccess in the search bar and check it. Then click Next.
Step 27
Enter any Role name and scroll down.
Step 28
Click Create role.
Step 29
Click View role.
Step 30
Copy the Role ARN.
Step 31
Paste the Role ARN into the Role ARN field in Uniskai. Now you can press Connect Account.