AWS Cost and Usage Reporting

Sysdig can connect to an Amazon Web Services (AWS) account and provide AWS private billing capabilities. You can view AWS usage reports and savings estimates in one location.

For AWS Cost and Usage Reporting, you can use one of the following methods to connect to an AWS account:

  • Use the CloudFormation template that Sysdig provides.

    Sysdig recommends using CloudFormation because it automatically creates all the required resources and sets up AWS Cost and Usage Reports and Athena for you. You can do this using either of the following:

    • Use an AWS access key and secret key, and manually manage/rotate them as needed.
    • Use AWS Role Delegation.
  • Manually enter the AWS configuration.

Prerequisites

To give the required permissions to the SysdigCostAccessRoleName role:

  1. Add the following policy to the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "athena:*"
            ],
            "Resource": [
                "arn:aws:athena:us-east-1:<AWS account id>:workgroup/<Athena workgroup name>"
            ],
            "Effect": "Allow",
            "Sid": "AthenaAccess"
        },
        {
            "Action": [
                "glue:GetDatabase*",
                "glue:GetTable*",
                "glue:GetPartition*",
                "glue:GetUserDefinedFunction",
                "glue:BatchGetPartition"
            ],
            "Resource": [
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/<Athena database>",
                "arn:aws:glue:*:*:table/<Athena table with CUR data>/*"
            ],
            "Effect": "Allow",
            "Sid": "ReadAccessToAthenaCurDataViaGlue"
        },
        {
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<S3 bucket name for Athena query results>/<prefix for Athena query results>*"
            ],
            "Effect": "Allow",
            "Sid": "AthenaQueryResultsOutput"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::<S3 bucket for CUR data>*"
            ],
            "Effect": "Allow",
            "Sid": "S3ReadAccessToAwsBillingData"
        },
        {
            "Action": [
                "organizations:ListAccounts",
                "organizations:ListTagsForResource",
                "organizations:ListAccountsForParent",
                "organizations:ListParents"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "ReadAccessToAccountTags"
        },
        {
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "ListEC2Metadata"
        },
        {
            "Action": [
                "lakeformation:GetDataAccess"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "LakeFormation"
        }
    ]
}

  2. Ensure the role has a trust relationship set up so that the Sysdig backend can assume it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Sysdig AWS account id>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<customer's external id>"
                }
            }
        }
    ]
}

The values for both the Sysdig AWS Account ID and the External ID can be retrieved via an API call to /api/v2/providers/info/awsCloudInformation:

curl --location '{host}/api/v2/providers/info/awsCloudInformation' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {api_token}'

The response should look like this:

{
  "apiToken" : "<Your user API token>", // not needed in this case
  "externalId" : "<customer's external id>",
  "awsSystemAccountId" : "<Sysdig AWS account id>"
}
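
As an added example (not part of the Sysdig documentation), the following Python renders the trust policy shown above from the awsCloudInformation response, checks an existing trust policy for the two things that matter here (the principal is only the Sysdig account, and the sts:ExternalId condition is present and matches), and flags any `<...>` placeholders that were never replaced in either policy. CLOUD_INFO is a constructed sample response with placeholder values.

```python
import json
import re

# Constructed sample of the /api/v2/providers/info/awsCloudInformation response (placeholder values).
CLOUD_INFO = {
    "apiToken": "<Your user API token>",
    "externalId": "example-external-id",
    "awsSystemAccountId": "111111111111",
}

PLACEHOLDER = re.compile(r"<[^>]+>")


def build_trust_policy(cloud_info):
    """Render the role's trust relationship from the API response values."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{cloud_info['awsSystemAccountId']}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": cloud_info["externalId"]}},
        }],
    }


def trust_policy_problems(policy, expected_account, expected_external_id):
    """List AssumeRole statements that are broader than the documented trust policy."""
    problems = []
    wanted = f"arn:aws:iam::{expected_account}:root"
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = st.get("Principal", {})  # may be a dict or the bare string "*"
        principals = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        principals = [principals] if isinstance(principals, str) else principals
        for p in principals:
            if p != wanted:  # "*" or another account would let other parties attempt the role
                problems.append(f"statement {i}: unexpected principal {p!r}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            problems.append(f"statement {i}: sts:ExternalId does not match the API value")
    return problems


def leftover_placeholders(policy):
    """Find '<...>' placeholders from the docs that were never replaced with real values."""
    return sorted(set(PLACEHOLDER.findall(json.dumps(policy))))
```

Run `leftover_placeholders` over the permissions policy from step 1 as well; every ARN there must name your own Athena workgroup, Glue database/table and S3 buckets before the role is created.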

Connect an AWS Account

  1. Log in to Sysdig Monitor as an Admin.

  2. From the left sidebar, select Integrations > Cloud Accounts.

    The Cloud Accounts page is displayed.

  3. On the Cloud Accounts screen, select Add Account > AWS.

  4. Select Cost and Usage Reporting.

    Add a new account or select an existing account.

  5. If you are adding a new account, select an appropriate integration method.

    • Role Delegation: Specify the following:

      • Account ID: Your AWS account ID.
      • Role: The name you will enter for the SysdigCostAccessRoleName field in the CloudFormation template. This role will be used by Sysdig to access the cost and billing data. The Outputs tab on the Sysdig-PrivateBilling Stacks details page gives you the SysdigCostAccessRoleName, which will be listed as the PrivateBillingRoleName. For more information on Role Delegation, see Role Delegation.
    • Access Key: Specify the following:

  6. Continue with one of the following:

  7. Complete the installation and click Confirm.

Configure Using the CloudFormation Template

On Sysdig Monitor UI

  1. On the Complete Configuration screen, click Use CloudFormation Template.

    You will be redirected to log in to your AWS account. Continue with On AWS Console.

On AWS Console

Sysdig provides a CloudFormation Template to create a stack corresponding to AWS Private Billing. The stack you create feeds cost data into Sysdig in each region specified in the template.

To see the CloudFormation Template, download the YAML file.

To continue with configuration:

  1. Ensure you are logged in to your AWS account.

  2. The following information, except CreateNewRole, is pre-populated on the QuickCreate page. Change it if necessary.

    • Stack Name: This is the unique name to identify the stack you create.

      For Cost and Usage Reporting, the default name is Sysdig-PrivateBilling.

    • S3 Region: The region where your S3 bucket is located. Select a region from the drop-down.

    • S3 Bucket Name: Specify a unique name for the S3 bucket where your AWS cost and usage data will be stored.

    • S3BucketPrefix: The prefix for the cost and usage reporting files inside the S3 bucket. The default is billing-data.

    • S3 Athena Bucket Prefix: The prefix for the Athena query results inside the S3 bucket. The default is athena-cur-query-results.

    • Sysdig Cost Access Role Name: Specify a name for the role. The role will be used by Sysdig to access the cost and billing data. Enter the same name you have used while configuring the account in the Sysdig Monitor UI.

    • Create New Role: Select true if you are creating a new role. If you are using an existing role, select false.

    • Sysdig AWS Account ID: The Sysdig AWS account ID that will assume the SysdigCostAccessRoleName to collect the private billing data.

    • Sysdig External ID: Your Sysdig External ID, which will be used when assuming roles in the account.

    • SpotDataFeedBucketName: Optional. The bucket where the spot data feed is sent, if you have set up the Spot Data feed.

  3. Click Acknowledge that AWS CloudFormation might create IAM resources with custom names.

  4. Click Create Stack. Expect a 10-15 minute delay to complete creating the stack.

  5. Copy the following from the Outputs tab of your Sysdig-PrivateBilling stack to complete the configuration in the Sysdig Monitor UI:

    Monitor UI                    AWS
    Bucket Name                   S3BucketName
    Region                        AthenaRegion
    Database                      AthenaDatabase
    Table                         AthenaTable
    Workgroup                     AthenaWorkgroup
    Spot Prices Feed Bucket Name  SpotPricesBucketName

Configure Manually

If you’ve already created a Sysdig-PrivateBilling stack for AWS cost and usage reporting, you can manually associate your AWS account for AWS private billing.

  1. On the Complete Configuration screen, click configure your account manually.

  2. Provide the following information that you have copied from the Outputs tab of your Sysdig-PrivateBilling stack.

    Monitor UI                    AWS
    Bucket Name                   S3BucketName
    Region                        AthenaRegion
    Database                      AthenaDatabase
    Table                         AthenaTable
    Workgroup                     AthenaWorkgroup
    Spot Prices Feed Bucket Name  SpotPricesBucketName

  3. Complete the installation and click Confirm.