S3 Bucket Replication for Cost and Usage

Written By Chris Zeller (Super Administrator)

Updated at October 2nd, 2024

A key configuration of your AWS cloud estate for FinOps Center operation is S3 Bucket Replication for the Cost and Usage Report (CUR) and the new Data Exports.

Bucket Replication is used to make the Cost and Usage Report (CUR) available in the account where FinOps Center is installed (CloudOps).

To set up Bucket Replication, several configurations are required in both the Management Account and the account where FinOps Center is installed (the Delegated Admin account). Access to both accounts is necessary to update the buckets and IAM roles. Here are the steps involved:

Create a Bucket for the CUR in CloudOps/Delegated Admin Account:

In the CloudOps/Delegated Admin Account where FinOps Center will be installed, create a Bucket for the CUR.

Ensure that Versioning is enabled when creating the Bucket; S3 replication requires versioning on both the source and the destination bucket.

In the Management Account, create a Role to facilitate Bucket Replication between the S3 Bucket receiving the CUR and the newly created Bucket in the FinOps Center Installed Account.

Navigate to the IAM service, create a new Role, and select S3 as the trusted service.

Create Replication Policy. Replace CURBUCKET with the source bucket receiving the CUR in the Management Account and TARGETBUCKET with the new bucket in the CloudOps account. The version-read actions must be granted on the source bucket's objects (not the target), and the replicate actions on the target bucket's objects; s3:ObjectOwnerOverrideToBucketOwner is required because the replication rule configured below changes replica ownership to the destination account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetReplicationConfiguration",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::CURBUCKET"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::CURBUCKET/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Resource": [
                "arn:aws:s3:::TARGETBUCKET/*"
            ]
        }
    ]
}

Create Bucket Inventory Policy. This is only needed if you replicate existing objects with S3 Batch Replication (last step below). Scope it to the CUR bucket rather than "*": the batch job must be able to create an inventory configuration on the source bucket and initiate replication of its objects.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BatchReplicationInventory",
            "Effect": "Allow",
            "Action": "s3:PutInventoryConfiguration",
            "Resource": "arn:aws:s3:::CURBUCKET"
        },
        {
            "Sid": "BatchReplicationInitiate",
            "Effect": "Allow",
            "Action": "s3:InitiateReplication",
            "Resource": "arn:aws:s3:::CURBUCKET/*"
        }
    ]
}

Optionally add the AmazonS3FullAccess managed policy to the Role. This grants the role read and write access to every bucket in the Management Account, which is far more than replication needs: the scoped policies above are sufficient, plus read access to the bucket holding the Batch Replication manifest and write access for its completion report if you run a batch job. Prefer the scoped policies, or remove the full-access policy once the one-off batch job has completed.

Trust Relationship. Both S3 (for ongoing replication) and S3 Batch Operations (for replicating existing objects) must be able to assume the role. To prevent a bucket in another account from using this role, add a Condition with aws:SourceAccount set to the Management Account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "s3.amazonaws.com",
                    "batchoperations.s3.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Target Bucket Policy (applied to the new bucket in the CloudOps/Delegated Admin Account; replace MasterPayerAccount# with the Management Account ID and ROLENAME with the role created above; s3:ObjectOwnerOverrideToBucketOwner is required because the replication rule changes replica ownership to the destination):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::MasterPayerAccount#:role/ROLENAME"
            },
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Resource": "arn:aws:s3:::TARGETBUCKET/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::MasterPayerAccount#:role/ROLENAME"
            },
            "Action": [
                "s3:List*",
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::TARGETBUCKET"
        }
    ]
}
  • Navigate to S3 in the MasterPayer Account and open the S3 Bucket that holds the CUR.
  • Select the Management tab, choose Create replication rule, and name the rule.

Assuming that the S3 Bucket is limited to CUR data, apply the rule to all objects in the bucket.

Add the Account Number and Bucket Name of the CloudOps/replicated Bucket and change object ownership to the destination bucket owner. Owner override only works when the destination account is specified and the role and target bucket policy both grant s3:ObjectOwnerOverrideToBucketOwner; without it the replicas stay owned by the Management Account and FinOps Center in CloudOps cannot read them.

Add the IAM Role that was created above to replicate from the MasterPayer bucket to the CloudOps Bucket.

Select Save.

If your CUR has been running for some time, you will also want to replicate the existing objects via S3 Batch Replication. Before the rule is saved, the console prompts you to replicate existing objects.

Select Yes, then select a Bucket in which S3 can save the inventory report (manifest) and completion report for the batch operation.
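The whole procedure above, collected into one script as an added example (this is not code from the original article or from FinOps Center). It generates the replication role's permissions policy, its trust policy, the destination bucket policy and the replication rule as JSON, with reads scoped to the source CUR bucket and writes to the destination bucket only, and audits each policy for the wildcard scope that AmazonS3FullAccess or a "*" resource would introduce. The account IDs, bucket names and role name are placeholder assumptions; substitute your own.

```python
"""Generate and sanity-check the documents for cross-account CUR bucket replication.

All identifiers below (account IDs, bucket names, ROLE_NAME) are assumed placeholders.
"""
import json

PAYER_ACCOUNT = "111111111111"        # assumed: Management / MasterPayer account
CLOUDOPS_ACCOUNT = "222222222222"     # assumed: Delegated Admin account running FinOps Center
CUR_BUCKET = "payer-cur-bucket"       # assumed: source bucket receiving the CUR
DEST_BUCKET = "cloudops-cur-replica"  # assumed: versioned destination bucket
ROLE_NAME = "CurReplicationRole"      # assumed


def s3_arn(bucket, objects=False):
    """ARN of a bucket, or of all objects in it when objects=True."""
    return f"arn:aws:s3:::{bucket}/*" if objects else f"arn:aws:s3:::{bucket}"


def replication_role_policy(source, dest, owner_override=True):
    """Permissions policy for the replication role in the payer account.
    Reads (and Batch Replication actions) are scoped to the source bucket, writes to the destination."""
    dest_actions = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    if owner_override:
        dest_actions.append("s3:ObjectOwnerOverrideToBucketOwner")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "SourceBucket", "Effect": "Allow",
         "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket",
                    "s3:PutInventoryConfiguration"],
         "Resource": [s3_arn(source)]},
        {"Sid": "SourceObjects", "Effect": "Allow",
         "Action": ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl",
                    "s3:GetObjectVersionTagging", "s3:InitiateReplication"],
         "Resource": [s3_arn(source, objects=True)]},
        {"Sid": "DestinationObjects", "Effect": "Allow", "Action": dest_actions,
         "Resource": [s3_arn(dest, objects=True)]},
    ]}


def trust_policy(source_account):
    """S3 and S3 Batch Operations may assume the role, but only for resources
    in source_account (aws:SourceAccount guards against the confused deputy)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["s3.amazonaws.com", "batchoperations.s3.amazonaws.com"]},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": source_account}},
    }]}


def destination_bucket_policy(payer_account, role_name, dest, owner_override=True):
    """Bucket policy applied in the CloudOps account, trusting only the payer-account role."""
    role_arn = f"arn:aws:iam::{payer_account}:role/{role_name}"
    obj_actions = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    if owner_override:
        obj_actions.append("s3:ObjectOwnerOverrideToBucketOwner")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Set permissions for objects", "Effect": "Allow",
         "Principal": {"AWS": role_arn}, "Action": obj_actions,
         "Resource": s3_arn(dest, objects=True)},
        {"Sid": "Set permissions on bucket", "Effect": "Allow",
         "Principal": {"AWS": role_arn},
         "Action": ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
         "Resource": s3_arn(dest)},
    ]}


def replication_configuration(payer_account, role_name, dest_account, dest, owner_override=True):
    """Replication rule for the source bucket: every object, cross-account destination."""
    destination = {"Bucket": s3_arn(dest), "Account": dest_account}
    if owner_override:  # "change object ownership to the destination bucket owner"
        destination["AccessControlTranslation"] = {"Owner": "Destination"}
    return {"Role": f"arn:aws:iam::{payer_account}:role/{role_name}",
            "Rules": [{"ID": "cur-to-cloudops", "Priority": 1, "Status": "Enabled",
                       "Filter": {},  # empty filter = all objects in the bucket
                       "DeleteMarkerReplication": {"Status": "Disabled"},
                       "Destination": destination}]}


def audit_policy(policy):
    """Least-privilege findings: wildcard S3 actions or wildcard resources in any statement."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{st.get('Sid', '?')}: wildcard action {actions}")
        if any(r == "*" for r in resources):
            findings.append(f"{st.get('Sid', '?')}: wildcard resource")
    return findings


if __name__ == "__main__":
    docs = {
        "replication-role-policy.json": replication_role_policy(CUR_BUCKET, DEST_BUCKET),
        "replication-role-trust.json": trust_policy(PAYER_ACCOUNT),
        "destination-bucket-policy.json": destination_bucket_policy(PAYER_ACCOUNT, ROLE_NAME, DEST_BUCKET),
        "replication.json": replication_configuration(PAYER_ACCOUNT, ROLE_NAME, CLOUDOPS_ACCOUNT, DEST_BUCKET),
    }
    for name, doc in docs.items():
        with open(name, "w") as fh:
            json.dump(doc, fh, indent=2)
        print(name, audit_policy(doc) if "Statement" in doc else "(replication rule)")
```

The generated files map onto the console steps: in the Management Account, `aws iam create-role --role-name CurReplicationRole --assume-role-policy-document file://replication-role-trust.json` and `aws iam put-role-policy --role-name CurReplicationRole --policy-name cur-replication --policy-document file://replication-role-policy.json`; in the CloudOps account, `aws s3api put-bucket-policy --bucket cloudops-cur-replica --policy file://destination-bucket-policy.json`; then back in the Management Account, `aws s3api put-bucket-replication --bucket payer-cur-bucket --replication-configuration file://replication.json`. Running `audit_policy` over the inventory policy as originally written on this page (Resource "*") reports a wildcard-resource finding, which is the reason for scoping it to the CUR bucket.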