AWS Account w/ Delegated Admin

The New Account Onboarding Process for FinOps Center is facilitated by access to the Account Management API in the Management Account. Within an AWS Cloud Estate, one account can be configured to be Delegated Admin and is the account FinOps Center is installed.

Steps to Create Delegated Admin if not created

1. Creation of New Account - Customers are advised to create an account (if not existing already) that requires Delegated Admin privileges, particularly for services like Security Hub and Systems Manager. While the naming convention is flexible, this account is referred to as the CloudOps Account by Cloud Scal3.

1. Enablement via Security Hub- Follow the instructions provided for enabling an account to be delegated Admin via Security Hub Setup. This involves configuring the Delegated Admin Account through Security Hub.

By following these steps, the integration for Account to Budget onboarding through FinOps Center is facilitated efficiently and securely.

We build and market our own products while also assisting Customers and ISVs in developing their Agentic Products.

To help Simply to Save with customer's AWS Cloud Financial Management, Cloud Scal3 is please to offer FinOps Center.

To Further Simply and Save with the power of Amazon Bedrock Agentic AI and Amazon Q, Cloud Scal3 is pleased to offer Agent Bill as a complement to customer FinOps Center implementation.

Each Release has the Features in the Release the CloudFormation Script to use with the Marketplace AMI.

Navigate to the Release of your FinOps Center

Functional:

Release 25.2.0 is primarily around the inclusion of the Amazon Q in QuickSight Framework with UI Updates and Changes the CUDOS Framework embedding from Anonymous to User-Based.

Enterprise

​https://finops-cf-templates.s3.us-east-1.amazonaws.com/25.6.0/ami-06a823dbc5e7a16a0-FinOps-Center-Enterprise-25.6.0.template.json​

FinOps-In-a-Box

​https://finops-cf-templates.s3.us-east-1.amazonaws.com/25.6.0/ami-0bb8211379fda513f-FinOps-In-a-Box-25.6.0.template.json

Hourly

https://finops-cf-templates.s3.us-east-1.amazonaws.com/25.6.0/ami-0112c9a73d1210b43-FinOps-In-a-Box-Hourly-25.6.0.template.json

The initial Admin user will receive the initial email to begin to onboard users to FinOps Center.

The Recommended approach is to Create an Initial Financial Admin users and one Product Owner to assist with populating the installation with data.

From the Business Requirements, the Financial Admin can create the Organization Naming from configuring the Budget Screen or via CSV Upload.

Additional Post Installation Steps include updating the application with your company's logo and customizing the Amazon Cognito Welcome Email.

Product Owners need to own their Monthly budgets that are scheduled from their Annual Approved AWS Budgets. Working with their Portfolio Management, their Monthly Budgets will be Accepted so that all Users understanding spending within the expected Spending Run Rate.

Monthly Budgets, can be updated via the Rescheduling Process.

Budget Scheduling is FinOps Center's weekly spend governance mechanism that replaces traditional monthly bill shock with granular weekly accountability. Each business week (running Sunday through Saturday, not Monday through Sunday) generates a spend card that follows a clear governance cycle. Product Owners review their weekly spend cards and either accept them (confirming the costs are expected) or dispute them (flagging unexpected charges). Portfolio Managers then approve or reject the spend cards, providing final authority on cost acceptance. The weekly cadence supports up to six weeks per month (W1-W6), with the first week starting on the 1st and ending at the first Saturday midnight. Spend card statuses progress through: Open, Accepted/Disputed (by Product Owner), Approved/Rejected (by Portfolio Manager), and finally Resolved. When a Portfolio Manager locks a budget after approval, Product Owners cannot modify it directly and must request a reschedule, which the Portfolio Manager then approves or denies. The Financial Admin has management oversight visibility into all spend card activity. This weekly governance model ensures cost discrepancies are caught within days rather than discovered at month-end reconciliation.

For maximum accountability, customers need their budet owners and their management to actively manage their spending during the billing cycle with approvals in that cycle.

With FinOps Center, we introduce the capability for Spend Cards that are created at the end of ever period.

Spend Card are created every Monday during the billing month with the last Card being created when the Cost and Usage Report includes the AWS Monthly invoice number indicating that the Billing Cycle has been finalized.

Vendor Manager Role deals around Buying and Discounts Activities.

View

Application

• All Financial Scope

Amazon Q in QuickSight Topics / CUDOS Access

• Topics: AWS Vendor, AWS Spending

• CUDOS

Daily Activities

• Adding/Modifying Discounts

• Adding/Modifying Budgets

• Approves/Ignore Spending Recommendations

Weekly Activities

• Monitoring Spend Approvals

Business Unit Owners can manage one or multiple BUs.

View

Application

• Financial Scope in Business Unit(s)

Amazon Q in QuickSight Topics / CUDOS Access

• Topics: AWS Spending - Business Unit

Daily Activities

• Monitoring Spending to Budgets

Weekly Activities

• Monitoring Spend Approvals

Monthly

• Download FP&A Files for Business

Department Owners can manage one or multiple Departmentss.

View

Application

• Financial Scope of Department(s)

Amazon Q in QuickSight Topics / CUDOS Access

• Topics: AWS Spending - Department

Daily Activities

• Monitoring Spending to Budgets

Weekly Activities

• Monitoring Spend Approvals

Product Owners can manage one or multiple Products.

View

Application

• All Financial Scope within Portfolios

Amazon Q in QuickSight Topics / CUDOS Access

• Topics: AWS Spending - Product

Daily Activities

• Create/Modify Budget

• Create Workload

• Claim/Unclaim Resources

Weekly Activities

• Approve/Reject Spend Cards

All Cloud Scal3 products are reviewed by AWS via their Foundation Technical Review.

FinOps Center is aligned to Customer Deployed Solution that requires that Customer Guidance is provided aligned to AWS Best Practices and are detailed in the subsection of the category.

Additionally our AWS Marketplace products are validated by the AWS Marketplace Onboarding team that both scans the AMIs that we upload and validate that our CloudFormation template adhere to their standards.

FinOps Center stores data in DynamoDB and aligns to general practices of using DynamoDB for Storage and Security.

As with all data storied in DynamoDB, customers can chose to encrypt the data at rest with the default AWS Owned , AWS Managed, or Customer Managed Keys

To accelorate Environment Setup, your Cloud Engineer can navigate to the Step Functions in the AWS Console.

Select the CURProcessingStateMachine

 {
  "source": "scheduler",
  "timestamp": {
    "props": {
      "inputPath": "$.time"
    }
  }
}

Add the above once the Start Execution has been selected

Prior to starting the installation of FinOps Center, customers must understand how their company is organized by Roles and Organizational Naming.

Roles

During the installation of FinOps Center, the Role Names are created in Amazon Cognito. The functionality of the Roles is independent of the naming but will help if they are align to your organizational naming.

Default Labels for Roles

Configured During FinOps Center CloudFormation Template

Organizational Naming is aligned to how customers Chart of Accounts are constructed. Organizational Naming can be update once a year aligned to your Creating of an annual budget.

Organization Naming is set via the Budget Creation Process which occurs via a csv upload or via the Budget Screen. The Organization Naming will be visible throughout the FinOps Center application and will need to be implemented in the Amazon Q in Quicksight Topics (if changed).

Default Organization Naming

Organization Naming

When creating Budget, you will be ble to provide Orgnaization Naming in the Create Budget.

Add the Domain for the FinOps Center Applicatoin and select the DNS Validation

Save the CNAME name and CNAME Value

Logi into Route 53 Account (likely Management Account)

Navigate to your Hosted Zone and Create a new A Record

Add the DNS Entries to the subdomain from the what was saved and the Value to Validate the SSL Certificate.

In approxiately 5 to 10 minutes the Certificate in the FinOps Center Account will show as Validated and able to be added to Distbitution.

FinOps Center leverages the work from AWS CID Framework that so customer can leverage the Various QuickSight Dashboards created by the OPTICS Team. Scripts need to be run in both the Management and Data Collection Account.

https://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/deployment-in-global-regions.html UPDATED Location

To enable the Cost Recommendation Process and Data, the Cost Optimizaton Recommendations need to be enables in both the Master Payer and Data Collector Account (FinOps Center Account).

Once the CloudFront Distribution is created, the distribution needs to be configured in your DNS.

If in your DNS is in Route53, add the subdomain the distribution

If in alternative DNS Server, add the distrbution as a CNAME

FinOps Center Enterprise

FinOps Center FinOps-in-a-Box

FinOps Center FinOps-in-a-Box Hourly

Release 25.6.0

• Updated Admin Screens for Financial Admins for Account Allocation

• Update Month Close to run Final Cards based on seeing Invoice Number to Run Final Cards vs Manual Running Cards once Invoice is Recieved

• Updated Budget Screen for all Users

• Adding Resource Launch Date to Resource Table to assist with Workload Allocation

FinOps Center is major Update with new User Experience and the integration of Cost Optimization Hub Approval Process.

While the prior UI was simplier that the AWS Console, we thought we could do better and are very happy to launch the New UI in 25.8.0.

The New U1 continues to have both Light and Dark Mode.

Another Major enhancement is the Saving Management Process that leverages AWS Cost Optimization Hub Data Exports.

Workload Resource Start Date

To assist users identify Workload Resource for Claiming for Workload and/or specialized MAP Workload, Resources will have Start Date. Note: this capability will identify Resource Start date from Day 2 or FinOps Center installation.

FinOps Center Enterprise (Annual or Monthly)

FinOps-In-a-Box (Annual or Monthly)

FinOps-in-a-Box (Hourly)

This is the initial Release of Amazon Q in QuickSight FinOps Center Framework

Topics Created

• AWS Product

• AWS Portfolio

• AWS Department

• AWS Business Unit

• AWS Spending

• AWS Vendor

DataSet Created

• FinOps_Center_E1

• FinOps_Center_E2

• FinOps_Center_E3

• FinOps_Center_E4

Amazon Q in QuickSight Backend Framework

Amazon Q in QuickSight Topics Components

(We recommend that you keep instances with previous AMI until the upgraded installation is confirmed to be working properly. If recovery is required - you can restart the EC2 instance with the prior AMI which will update the CDK bucket with that version. Follow below instruction.)

Marketplace customers will receive an email that their is a new version of the FinOps Center AMI available. The AMI will be available in their EC2 Console for launch leveraging the same IAM Profile used during initial installation. The launched instance will update the FinOps Center cdk bucket with the updates. Select the FinOpsCenterStack.template.json and update the CloudFormation Stack with the object URL.

Click to Zoom

Click to Zoom

Validate the Parameters and advance through the next few screens and hit update.

Upon Completions, Code is Updated.

Customers can update the header and login logo in the FinOps Center implementation

Customers' logo needs to have the file name customer-logo and format svg. (if you have image in different format they must be converted to svg.)

The logo gets uploaded in the s3 bucket of the frontend application in the root directory.

During installation, default Lamda Limits are set for 3008MB.

Targeted Lamda Function to increase

• UsagesLambdaHandler

• UsagesLambdaHandler

FinOps Center onboards AWS Accounts via the Account Management API that is connected to AWS Organization when installed in the configured Delegated Admin Account.

When a new Account is Vended the Financial Admin, VM, or Cloud Engineers and Add the new Account by Checking for New Account.

Accounts can be additionally Onboarded when they show on the Cost and Usage Report.

Roles and Users have Allocation/Visibility within their Financial Scope. The allocation is across all Tabs and within their Amazon Q Topics.

On the Summary Page, the Account Allocation for the User are shown Across Current, Expiring, New, Past, and Future.

For Financial Admin, Admin, Vendor Management, Business Unit Owner, Department Owner, and Portfolio Owners Accounts/Workload needs have a Workload Created by the Product Owner for it to be visible.

Budget Pages, Reporting, and Amazon Q Visibility will be defined on their Functional Page Documentation.

Product Owners will navigate to their Budget Page and select the Product Budget that they want to schedule.

Within the Budget, Complete Schedule

Once Schedule is Completed, Product Owner Submit for Approvals and see the Budget Status as Pending.

As new Workload are added to Budgets, Monthly Schedules will need to be updated through a 2 Step Process.

First there is a Request to Reschedule the Budget by the Product Owner.

FinOps Center budgets Rollup through Roles and User Based on their Financial Scope.

For Budgets to be shown with Variance they must have Status Approved.

The Product Budget Status show the Product Budget Status.

Additionally the Reporting -> Variance Report shows Variance by Product.

Business Unit Roles have access to all spending data within the Business Unit(S) the have Financial Scope. Within Budgets Tables, their visuals are layered and can be navigated down to the Monthly Schedule per Budget.

The Page can be toggled Monthly vs Annual with all visuals updating on selection. The Heat Map Chart on the left scales to the contribution of total spending across the financial scope with the color representing spending to budget. If area is Gray, that individual budget is not approved.

Spend Cards are created every Monday. Each Product Owner will see their Cards to Approve or Dispute

Status will Change once Action is taken.

To insure that their is oversight on Spending, Portfolio Owners need to Approve, Reject Accepted Cards and Resolve Rejected.

While Spend Cards are Open, Portfolio have no Action

Portfolio Owner need to Approve, Reject, or Resolve Submitted Spend Cards

Management Users (Financial Admins, Vendor Management, Business Unit, & Department) can monitor the Cards in their Financial Scope with the capability to identify the Product and Portfolio Users that own the Card Approvals.

FinOps Center leverages AWS Cost Optimization Hub(CoH) Recommendations via Data Exports. CoH Data is integrated into FinOps Center and made available to Finance CCoE and Vendor Management Users to Approve or Ignore the Recommendations with Top Optimizations presended on Summary Page.

Financial Admins and Vendor Management make Approval and Ignore decisions on which Recommendations are to be Implemented by Cloud Engineers.

Cloud Engineers view the Recommendations that they are to take action on and then Mark that the Approved Recommendation has been taken action on and then mark as Implemented.

Adding and Managing AWS Credits can be very time consuming to FinOps teams. Customers are awarded credits aligned to a new AWS PoC or aligned to programs like the Migration Acceleration Program (MAP).

FinOps Center enables Financial Admins and Vendor Management to add Credits to be tracked for accrual at a Budget Level.

When a new Credit is available, the Financial Admin or VM add with the Credit information to FinOps Center

The Credit and Balance are available to users within Spaces and accounted for during the Month Close Process.

At the end of each Bill Period, Approved Spending needs to be integrated back to Core Financial Systems to both Pay your AWS Bill and Accrue Spending to Budgetary systems for FP&A or other KPI reconciliation.

To Create File, the Venofr, PO, Invoice, and Internal Memo must be complete.

FinOps Center generates the Account Payable Files for integration at the E1 Level (Default Business Unit). Note: Credits are applied for all of the Credits applied by AWS to your Cloud Estate within the CUR.

FinOps Center generates Budget level Accruals with Credits applied witihin FinOps Center.

As of FinOps Center 25.2.0, FinOps Center has 7 roles with specific Daily, Weekly, and Monthly Activies.

Financial Admins are the primary managers of the AWS Cloud Estate.

View

Application

• None

Amazon Q in QuickSight Topics / CUDOS Access

• Topics: AWS Vendor, AWS Spending

• CUDOS

Daily Activities

• Add/Manage Users

• Add initial AWS Account Allocation to Budgets

• Claiming/Unclaiming Resources to Workloads

• Adding QuickSight Dashbaords/Topics

Weekly Activities

• Monitoring Spend Approvals

Monthly

• Close Month

• Download/Upload AP and FP&A Files

To assist with the user experience, we recommended that Filter Null Values are created for the Service and Product Family Services within each Topics Data Configuration

Agent Bill leverages Amazon Q in QuickSight's Forecasting Algorithm to provide users expected spending aligned to their Financial Scope.

Agent Bill loads data to Quick Sight via Athena for each role. Depending on the number of refreshes that customer configure, there will be at least 6 queries each day of large datasets. Query results bucket should have a lifecycle rule that deletes bucket results every 30 days to avoid undue costs.

A submitted Budget will then be sent to the Portfolio User to Approve or Reject.

From their Summary Page they will see they have a Budget Task to take action.

From the Budget Page, the Portfolio Owner will be guided to the Budget Requiring Action.

Porfolio Owner select and Take Action to Approve/Reject Budget Schedule

Upon Approval, the Budget Card will show approved for both Product and Portfolio User.

FinOps Center's Installation Components

The installation of FinOps Center requires configuring your AWS Cloud Estate within the Management Account and the Delegated Admin Account or Data Collection where the application will be installed.

Pre-Requisite Task (~1hr)

Tasks in Management Account

• Create Cost and Usage Report via Data Exports - via CID Framework

Stack Configuration

FinOps Center creates IAM Roles and Policies. The Engineer deploying must have Administrative Privileges. (DO NOT INSTALL USING ROOT USER)

Upon Selecting Next you will be taken to the YAML form to complete the FinOps Center Installation.

Name Stack: No Requirements

Stack Parameter:

The Amazon Q in QuickSight FinOps Center Framework uses the same Deployment Model as FinOps Center via the Marketplace - AMI with CloudFormation.

Once the Offering is added to your AWS Accounts you will have an AMI that needs to be launch with the IAM Profile that was used for the Product Installation.

The Solution code will be deployed via 2 CloudFormation Scripts.

The First CFT builds and deploys the backend that will extract data from your FinOps Center application's DyanamoDB tables and pushes them to S3 that are created. Glue Crawlers then create the schema to be leverage for the 2nd CFT.

Note: Prior to proceeding to the 2nd CFT Script the Glue Crawlers must successfully complete and the new S3 buckets ( & ) must be shared with QuickSight.

Upon complete the configuration to your AWS Environment (QuickSight) you will navigate to the Amazon Q in QuickSight Marketplace offering and subscribe to the services

Upon Subscribing the page, will refresh to add the AMI

Click the Continue to Configuration and Select the AMI

Select your Version and Region and select Continue to Launch

Launch via EC2

Once the AMI is launched and the code is deployed to your cdk bucket, you navigate back to the Configure Screen to install the CloudFormation Templates.

The First CFT to launch is the Amazon Q in QuickSight FinOps Center Backend Framework.

Continue to Launch Stack

Prior to Launch the 2nd Stack -> navigate to Glue and Validate that the Crawlers have run successfully.

Launch the 2nd Stack - Amazon Q in QuickSight FinOps Center Q Topics

Finops Center provides your companies Core Cloud Financial Processes.

In FinOps Center 26.4.0, several CFM processes have been enhanced with new workflows. Weekly Spend Card Governance now enforces accountability at the product owner and portfolio manager level through weekly accept/dispute/reject cycles based on business weeks (Sunday to Saturday). Budget Management includes a full lifecycle with approval locks, reschedule requests, and status tracking. The cost allocation model follows the hierarchy: Budget > Account Allocation (%) > Workload > Resources, with open resources sharing cost by allocation percentage and claimed resources assigned 100% to a workload. Savings Management introduces a cost recommendations workflow where Financial Admins approve and Cloud Engineers implement optimizations. Vendor Management enables negotiated AWS discount tracking (EDP/PPA rates) through a vendor discounts pricebook.

• Financial Budget Onboarding/Modifying

FinOps Center Users are onboarded to the application by Admin Users. All users are stored in Amazon Cognito that accepts mass uploads. (contact support for assistance).

The Admin Configuration Screen is accessible to the Admin User that is created during the installation of FinOps Center. Additional Admin Users can be created like any other role

Admin users are responsible for adding users with their roles. Those Roles can be updated. Each users requires an unique email address. (+email are Supported)

Overview

User onboarding establishes each person's identity, role, and data scope within FinOps Center. The process creates a user in AWS Cognito for authentication, assigns one of seven application roles that determine governance capabilities, maps the user to a QuickSight access group for dashboard visibility, and defines their financial element scope (E1-E4) to configure Row Level Security.

FinOps Center maps Users to their Financial Budget/Scope. A key feature of FinOps Center is "Rollup" of Spending and Budget within the hierarchy.

As depicted below, the Roles rollup spending from the members of their Financial Scope.

From the Drop Down, A user will be added to the Financial Scope aligned to the Role they were onboarded to when they were added to FinOps Center.

Users can have multiple scopes within their hierarchy but must have the same "Parent". In the examples below Department can have multiple departments within Enterprise but not in different Business Units.

This mapping drives Row Level Security (RLS) across all QuickSight dashboards and datasets. A Business Unit Manager assigned to E1 sees all spending under their BU, while a Product Owner at E4 sees only their product's cost data. The Financial Admin manages all user-to-element allocations and can grant multi-element access when a user's responsibilities span multiple financial scopes.

FinOps Center is designed to have 2 tiers of allocation to a Financial Budg

Cloud allocation maps financial budgets to AWS infrastructure through a percentage-based distribution model. Budget flows from accounts to workloads to individual resources, with each resource either "claimed" (100% allocated to one workload) or "open/shared" (distributed by allocation percentage). The Financial Admin manages account allocation percentages, Product Owners claim resources for their workloads, and Cloud Engineers claim resources on behalf of Product Owners. Claimed resources show their full cost against the claiming workload, while shared cost is calculated as unblended cost multiplied by allocation percentage. The system tracks five discount types and net_cost calculations on a daily basis.

1. Account Allocation: Aligned to the multi-account framework, AWS Account Billing is split by percentage allocation to a budget. The Allocation begins to either the Vending date of the Account or the 1st of the Previous Month. Allocation can be updated to the beinning of Period (aka weekly). All resources will be allocated to that budget at the % rate.

All AWS Accounts are at minimum allocated to 1 Financial Budget and define as an Account Type (Production, Pre-Production, Shared, Development or Sandbox). To complete mapping the total allocation must be 100%.

Accounts can be mapped to multiple budgets but need to have total allocation of 100%.

Allocation can be updated to a new start date and allocation

Select Remap to update account allocation and start date

Product Owners own creating Workload Estimate in FinOps Center leveraging a AWS Pricing Calculating Link.

Any entity (internal user, AWS, AWS Partner) can create an estimate for a Workload via the AWS Calculator - . Each Workload Estimate should be for the Workload in that AWS Account. Once the Estimate is created, the Product Owner will add the Link to the Estimate with the Monthly Estimate.

Once the Estimate is created, the Product Owner will add the Link to the Estimate with the Monthly Estimate.

Workload Estimates flow to the Budget Schedule to be included in Monthly Budget Schedule.

The Estimate to Budget process enables Product Owners to forecast workload costs before they become committed budgets. The workflow follows five stages: (1) Create Workload Estimate, defining required AWS services, usage volumes, and environment type (Dev, Sandbox, Pre-Prod, Prod, or Shared); (2) Link AWS Pricing Calculator at calculator.aws for authoritative monthly and annual cost projections; (3) Submit for Approval with budget period selection (monthly or annual) and justification notes, via MCP action or dashboard workflow; (4) Portfolio Manager Review against portfolio budget capacity and strategic alignment; and (5) Convert to Active Budget, where approved estimates automatically become budget line items with cost tracking, weekly spend card generation (W1-W6), and QuickSight dashboard visibility. The Product Owner is the primary operator, while the Portfolio Manager serves as the approval gate ensuring estimates align with organizational priorities before becoming committed budgets.

Financial Admin and Vendor Manager Roles have access to all spending data. Within Budgets Tables, their visuals are layered and can be navigated down to the Monthly Schedule per Budget.

The Page can be toggled Monthly vs Annual with all visuals updating on selection. The Heat Map Chart on the left scales to the contribution of total spending across the financial scope with the color representing spending to budget. If area is Gray, that individual budget is not approved.

Below the Top Visual are the individual Business Units Spending. To drill down on a Business Unit Select the Details of the Departments

Each Department is visible within the Business Unit with the ability to view Portfolios within that Department

Financial Admins are the primary managers of the AWS Cloud Estate.

View

Application

• All Financial Scope

Amazon Q in QuickSight Topics / CUDOS Access

QuickSight Topics support custom instructions that guide how Agent Bill interprets and responds to natural language queries. In 26.4.0, topic-level custom instructions work alongside persona-level instructions (configured per role in the Custom Instruction page) to provide layered context. Topic instructions are shared across all users of that topic, while persona instructions are role-specific. Custom instructions can be managed via the QuickSight API using DescribeTopic (returns CustomInstructionsString), CreateTopic, and UpdateTopic operations. The character limit for topic custom instructions is approximately 3,000 characters.

To assist the Quick Sight Topic understand how business weeks are defined, each topics needs to have a Custom Instruction

Customer Instruction

Week are defined by sunday to saturday. the first week of each month starts the 1st of month to saturday 23:59. The last week of the month starts Sunday 00:01 to the last day of that month. Normal weeks are sunday to saturday.

Upon considering to install the Amazon Q in QuickSight FinOps Center Framework please be aware of the following:

1. Lambda code hosted in your S3 buckets are not ingested nor scanned by AWS Marketplace. This creates an external dependency. Applications that require external dependencies on deployment must follow product usage policies which includes proper disclosure. In the Release Notes of each FinOps Center Release include the results of the AWS CodeGuru Scan.

2. FinOpsCenterQGlueCrawlerRole295A8956 : add a warning in your deployment guide, product access instructions, or clusters and resources long descriptions that customers should consider deploying into new AWS accounts because the permissions allow your application access to read, edit, and/or delete existing AWS resources in the AWS account.

You can add any QuickSight Dashboard to FinOps Center by adding the Dashboard ID and adding your application URL to the Embedded Dashboard management page. (Resticted to Financial Admin, Vendor Manager, and Admin Users.

In QuickSight, add the Dashboard to the Group you wish to view in FinOps Center

In the URL is the Dashboard ID for your QuickSight Dashboard

Add Dashboard ID to the Configuration Page in FinOps Center

Navigate to Reporting Page to View

Agent Bill is the embedded Data Assistant to FinOps Center that leverages Amazon Q in QuickSight.

Agent Bill for Amazon Q in Quicksight was built considering the challenge for Row Level Security. Each Role has their Athena Queries, QuickSight Datasets, and QuickSight Topics.

The Dataset are configured with User-based rules leveraging FinOps Center User table for Financial Scope. Users Scope is updated when the Dataset's SPICE is Refreshed.

Users see their Data in Scope of their Users Allocation of Accounts and Financial Budgets configured in FinOps Center.

In image below, FinOps Center users Products on the left are what are reflected in Embedded Amazon Q.

FinOps Center is licensed under the terms and conditions of the AWS Marketplace Standard Contract

Portfolio Owners can manage one or multiple Portfolios.

View

Application

• All Financial Scope within Portfolios

Amazon Q in QuickSight Topics / CUDOS Access

• Complete QuickStart and Create Business Requirements Document

• Allocated AWS Accounts to Financial Budgets prior to adding users

• Communicate to users that they will receive emails inviting them to FinOps Center but that they should wait a day to enter the application or they may not have their experience loaded

Agent Bill Amazon Q in QuickSight for FinOps Center is installed with currated Topics that can be customized to your organizational naming convention.

Each Topics need to be Modified to your Organization.

Additional Hints to provide the best expereince for your Users

Select Non Additive for the Monthly Periods

Last Updated: October 24,2024

Cloud Scal3 Inc. ("we," "us," or "our") uses cookies and similar tracking technologies to enhance your experience and analyze how our websites, [www.cloudscal3.com](http://www.cloudscal3.com) and [www.finopscenter.com](http://www.finopscenter.com), are used. This Cookie Policy outlines how we use these technologies for marketing purposes.

1. What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us remember your preferences, understand how you interact with our websites, and provide tailored content, including personalized marketing messages.

2. Types of Cookies We Use

We use the following types of cookies on our websites:

- Essential Cookies: These cookies are necessary for the operation of our websites and enable features like secure login and form submissions. They cannot be disabled. - Analytical/Performance Cookies: These cookies help us understand how visitors use our websites, which pages are popular, and how we can improve site performance.

- Marketing/Advertising Cookies: These cookies track your online activity to deliver personalized ads relevant to your interests. We use these cookies to analyze user behavior and ensure our marketing efforts are effective.

- Third-Party Cookies: In some cases, we use third-party service providers (e.g., advertising networks, analytics services) that set cookies on our behalf to deliver tailored advertisements and analyze website traffic.

3. How We Use Cookies for Marketing

We use cookies to:

- Understand User Preferences: We track how you interact with our websites to understand your preferences and deliver personalized marketing content. - Display Targeted Ads: We use marketing cookies to deliver relevant ads on our websites and other platforms based on your interests and browsing behavior. - Measure Campaign Effectiveness: Cookies help us analyze the performance of marketing campaigns to optimize our advertising efforts.

4. Managing Your Cookie Preferences

You have the right to manage or disable cookies. Here’s how:

- Cookie Consent Tool: You can manage your preferences through the cookie consent tool that appears on our websites when you first visit or by clicking on the “Cookie Settings” link available on our website footer. - Browser Settings: You can adjust your browser settings to refuse cookies or delete existing cookies. However, this may affect the functionality of our websites. - Opt-Out of Targeted Advertising: You can opt out of personalized advertising by adjusting your preferences on advertising platforms or using industry opt-out tools like the [Network Advertising Initiative](https://www.networkadvertising.org/) or [Digital Advertising Alliance](https://youradchoices.com/).

5. Data Protection and Privacy

Cookies may collect personal data, such as IP addresses or unique identifiers, to tailor marketing efforts. For more details on how we handle personal data, please refer to our [Privacy Policy](#).

6. Changes to This Cookie Policy

We may update this Cookie Policy periodically to reflect changes in our practices or legal requirements. We will notify you of significant changes through our websites or other communication channels.

7. Contact Us

If you have any questions about this Cookie Policy or how we use cookies, please contact us:

Cloud Scal3 Inc. Email: [email protected]

Last Updated: October 24, 2024

At Cloud Scal3 Inc. (“we,” “us,” or “our”), we value your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard the information you provide when visiting our website, [www.cloudscal3.com](http://www.cloudscal3.com), and www.finopcenter.com or interacting with us.

1. Information We Collect

We may collect and process the following types of personal data:

- Contact Information: This includes your name, email address, phone number, and any other contact details you provide. - Usage Data: Information about how you interact with our website, such as IP address, browser type, time zone, referring/exit pages, and clickstream data. - Marketing Data: Information about your preferences and interests, which may include responses to marketing campaigns or surveys you participate in. - Cookies and Tracking Technologies: We use cookies and similar tracking technologies to enhance your experience, understand your preferences, and deliver targeted advertisements.

2. How We Use Your Information

We use the information we collect in the following ways:

- To Improve Our Website: We analyze data to understand how visitors use our site, ensuring it is easy to navigate and tailored to user needs. - To Communicate with You: We may use your contact information to send you promotional content, newsletters, updates, or respond to your inquiries. - For Marketing Purposes: We use your information to provide personalized advertisements and special offers based on your interests, either through our website or third-party marketing partners. - To Comply with Legal Obligations: We may process your data to comply with legal requirements or respond to legal requests.

3. Sharing Your Information

We do not sell your personal data. However, we may share your information with:

- Service Providers: Third-party vendors who assist us in providing website functionality, marketing services, analytics, and other business operations. - Advertising Partners: Marketing agencies and advertisers to help deliver tailored content and ads that may interest you. - Legal Authorities: When necessary to comply with legal obligations, prevent fraud, or protect the rights of Cloud Scal3 Inc. and others.

4. Data Retention

We retain your personal data only as long as necessary to fulfill the purposes outlined in this policy, or as required by law. You may request deletion of your data by contacting us at [insert contact email].

5. Your Privacy Choices

You have the following rights regarding your personal data:

- Opt-Out: You can opt out of receiving marketing communications by following the unsubscribe instructions in the emails we send or contacting us directly. - Access and Correction: You may request access to, correction of, or deletion of your personal data by contacting us. - Cookie Preferences: You can manage your cookie settings through your browser or our cookie consent tool.

6. Security

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, loss, misuse, or alteration.

7. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will post any updates on this page and notify you of significant changes through our website or other communication channels.

8. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Cloud Scal3 Inc. Email: [email protected]

All FinOps Center APIs are managed by Cognito

FinOps Center AppSync API Credential Management

• Amazon Cognito Federated Identities issue short-lived AWS credentials using STS under an IAM role.

• Amazon Cognito User Pools issue JWT tokens that are used to authenticate AppSync requests.

• Because Cognito-issued credentials are automatically rotated and expire frequently (typically after 1 hour), long-term key rotation is not required for day-to-day operations.

FinOps Center 26.4.0 introduces the Liquid Glass theme system with two custom QuickSight themes: agent-bill-light (based on CLASSIC) and agent-bill-dark (based on MIDNIGHT). Both themes use the Open Sans font family with sans-serif fallback and feature a teal/amber accent palette with FBBF24 (amber/gold) as the accent foreground color. The dark theme is the default across the entire FinOps Center application. Themes are deployed at the account level using the update-account-settings API.

Below are the CLI Commands to install the Agent Bill Light and Dark Liquid Glass Themes with the Account Permissions.

aws quicksight create-theme \
    --aws-account-id AWSACCOUNT# \
    --theme-id "agent-bill-light" \
    --name "Agent Bill Light" \
    --base-theme-id "CLASSIC" \
    --configuration '{"DataColorPalette":{"Colors":["#0D9488","#F97316","#3B82F6","#10B981","#8B5CF6","#EC4899","#06B6D4","#F59E0B","#6366F1","#14B8A6"],"MinMaxGradient":["#CCFBF1","#0D9488"],"EmptyFillColor":"#E5E7EB"},"UIColorPalette":{"PrimaryForeground":"#1F2937","PrimaryBackground":"#FFFFFF","SecondaryForeground":"#6B7280","SecondaryBackground":"#F8FAFC","Accent":"#0D9488","AccentForeground":"#FFFFFF","Danger":"#EF4444","DangerForeground":"#FFFFFF","Warning":"#F97316","WarningForeground":"#FFFFFF","Success":"#10B981","SuccessForeground":"#FFFFFF","Dimension":"#3B82F6","DimensionForeground":"#FFFFFF","Measure":"#0D9488","MeasureForeground":"#FFFFFF"},"Sheet":{"Tile":{"Border":{"Show":false}},"TileLayout":{"Gutter":{"Show":true},"Margin":{"Show":true}}},"Typography":{"FontFamilies":[{"FontFamily":"Open Sans"},{"FontFamily":"sans-serif"}]}}' \
    --region us-east-1

Allow Permissions

Replace light for dark for light mode permissions to enable both themes.

Theme Deployment

The default theme is set at the account level using the update-account-settings API. Once the themes are created and permissions granted, set the dark theme as the account default to apply it across all dashboards and embedded experiences automatically.

Known Limitations

QuickSight themes do not fully apply to the Q/Chat visuals panel within embedded experiences. The chat response area and generated visuals may not inherit the custom theme colors. As a workaround, brand customization is used instead of themes for the embedded chat component. Theme inheritance does not propagate to all QuickChat UI elements, so the FinOps Center application CSS applies additional dark mode styling to ensure visual consistency across the full interface.

Workload allocation begins with the Product Owner creating an estimate for their workloads. Within Space, Product Owners will navigate to a Budget within their Scope and Select the AWS Account where the workload will be created.

Workload need to be named, have an AWS Pricing Calculator, and a Launch Date(Month). If there is a targeted Teardown for the workload enter the End Month. By default, Estimates will end a year of year.

Once Estimates are created Product Owners, Financial Admins, or Admins can Claim Resources to the Workload within the Resource Tab.

On load, Resource that are Open to be Claimed will be visible in the table. Users can use the search to identify by Service Name, Resource Name, or Tag.

Claiming Resources can be done across multiple Workload or Multiple Resources can be Bulk Claimed.

Multi-Workload

Bulk Claim

To view Claimed Resources, Select the Claimed Resource Checkbox. The Status visual provides information on which Budget it belongs , the date of action, and the User that made the action.

For Claimed Resources within the Budget Scope, the Resource(s) can be Released back to the available pool to be Claimed by another Workload or to Account Allocation.

Prerequisites for Agent Bill Amazon Q in QuickSight for FinOps Center

Agent Bill Amazon Q for QuickSight For FinOps Center brings the power of Amazon Q to your FinOps Users.

To be able to be installed, Customers need to have one of the FinOps Center versions installed, have FinOps Center Minimal Setup Complete (See Below), and have Amazon Q in QuickSiight enabled in there environment with at least 1 Author Pro Enabled with Embedding of your FinOps Center application configured.

FinOps Center Minimal Setup for the Amazon Q in QuickSight Framework:

1. One Product Owner Onboarded

2. One Budget Onboarded and Mapped to Product Owner

3. One AWS Account Mapped to Budget

4. One Workload Created to the Mapped AWS Account

5. One Resource Claimed to the Workload

All FinOps Center underlying compute (including Amazon Q in QuickSight) is the responsibility of Customers.

Pricing for Amazon Q in QuickSight - A $250/month per account Amazon Q enablement fee applies for accounts with at least one Pro user or with at least one Amazon Q Topic.

Click to Zoom Click to Zoom

To Install Agent Bill Amazon Q in QuickSight for FinOps Center customer must Add 1 Author Pro User to their QuickSight Environment.

Embedding must be enabled with the url of the FinOps Center Application.

Agent Bill 2.0 uses Amazon QuickSight embedded QuickChat (Quick Suite) to provide an AI-powered data assistant directly within the FinOps Center application. This is a migration from the previous embedded Q&A (Q Bar) approach. Each role gets a dedicated chat agent with persona-specific instructions, topic access, and optional MCP actions for workflow

Architecture

The embedded QuickChat integration uses an AppSync backend with a TypeScript Lambda function. When a user opens Agent Bill in FinOps Center, the application calls generate-embed-url-for-registered-user via AppSync, passing the user's Cognito identity to resolve their QuickSight registered user. The embed URL is configured with experience-configuration set to QuickChat and a fixedAgentArn in contentOptions that routes the user to their role-specific chat agent. The QuickSight Embedding SDK (awslabs/amazon-quicksight-embedding-sdk) renders the chat interface within the application.

Quick Actions and MCP Integration

Agent Bill 2.0 supports Quick Actions via MCP (Model Context Protocol) integration through Quick Spaces. When a persona instruction routes a query to ACTION/TASKS, the chat agent can trigger workflow actions such as budget management, spend card operations, and resource management. These actions are backed by GraphQL mutations via AppSync with Cognito authentication. Quick Spaces are configured in the QuickSight console and must be shared with the appropriate user groups. Note that the automation framework creates Athena queries, datasets, RLS, and topics automatically, but Spaces and embedded chat configuration are manual steps.

Configuration in FinOps Center

Agent Bill is configured in the FinOps Center application via the Configuration page. Financial Admins navigate to Configuration > Agent Bill Configuration to enable Amazon Q Topics and map agent IDs to roles. Each role has a unique agent ID and view ID that connects the FinOps Center application role to the correct QuickSight chat agent. The QuickSight Environment settings (Region, Account) are also configured on this page.

Additional IAM Permissions

The embedded QuickChat integration requires additional IAM permissions beyond standard QuickSight embedding. The embedding policy currently uses resource * and will need scoping for Marketplace onboarding. MCP actions require specific QuickSight action permissions beyond the standard Cognito read-only role. Actions may work in the QuickSight console but require additional sharing configuration to function in the embedded context. Q Business console settings may also need configuration for action authorization.

Troubleshooting

If the default QuickSight chat loads instead of the role-specific Agent Bill chat, verify that fixedAgentArn is set correctly in contentOptions. If users see embed failures, check their QuickSight user status via the CLI command describe-user — users with INACTIVE status will not be able to load the embedded chat. If MCP actions fail with permission errors in the embedded context but work in the QuickSight console, check that the additional IAM policies and QuickSight sharing configuration have been applied. Ensure allowedDomains in the QuickSight management console includes the FinOps Center application domain.automation.

Customer Support is initiated via https://www.cloudscal3.com (footer)

Support Tiers

Once the Initial User Admin receives the Cognito Email they can create the initial Financial Admin User. Prior to creating user, its best practice to configure the Welcome Email in Cognito.

Application Roles

FinOps Center 26.4.0 supports 7 application roles. These are not simply access levels — each role has distinct capabilities, workflows, and scope within the budget hierarchy (Business Unit > Department > Portfolio > Product). When Agent Bill is enabled, each role also maps to a dedicated QuickSight user group and chat agent with role-specific persona instructions and topic access.

As your datasets grow, the SPICE datasets can be adjusted to run incremental from the default Full. Unfortunately, the refresh can't be done via the UI and needs to be via CLI.

Below are is the CLI

The CFT for the Backend Framework Setup and the creation of the QuickSight components create IAM in the AWS Account that it is installed.

Below is the list of the Roles and their Purpose:

FinOps Center S3, Lambda, and DynamoDB components like any other application via VPC Endpoints.

New VPC

• 1 VPC, e.g. 10.0.0.0/16

• At least 2 public and 2 private subnets across 2 AZs

Cloud Estate Design

When preparing for your FinOps Center installation, it's important to consider the design elements related to both your Cloud Estate and the AWS account for your FinOps Center installation.

Aligned with the Multi-Account Strategy, FinOps Center is designed to facilitate the management of your AWS Cloud Estate through the Delegated Admin Account. A Delegated Admin Account may already be created and configured in your Cloud Estate as you set up various AWS Management and Security services like Security Hub and IAM Identity Center.

FinOps Center runs on 100% native AWS Services and is deployed via CloudFormation. FinOps Center is access management services to assist with integrated with core AWS Plaftorm services to simplify AWS Cloud Financial Management.

Launch through EC2

Click to Zoom

Click to Zoom

Configure Instance to your companies standards. As note previously, the EC2 instanced provisioned is used to copy files to S3 for the FinOps Center deployment. We recommend a small instance (T3 Small) be used and can be shut down once the files are copied to S3.

Click to Zoom

Prior to Launch → the IAM Instance Profile much have a Role with Policy to S3 Create Bucket and S3 Write Access for FinOps Center Installation Bucket. Add your AWS Account Number to below Policies.

Navigate to IAM and follow below Steps

Step 1: Create a New Role for EC2 or Validate an Existing Role has above Policy.

Click to Zoom

JSON Policy - add account number of installed account.

Step 2: Create a Role

Click to Zoom

Step 3: Add Policy to Role

Click to Zoom

and Create Role

Click to Zoom

Return to EC2 to Launch Instance

No Key is Required as the Instance can be delete upon Install

Launch Instance

Navigate to S3

As the EC2 starts up, a bucket will appear beginning with cdk (see below)

Once you see the cdk Bucket is created navigate back to the Marketplace Listing to Launch CloudFormation.

Launch CloudFormation

Click Next

Note: All environment installation are “ Fresh Installs”. There is no separate installation pipeline between SDLC environment.

FinOps Center manages Financial Budgets that have been approved by customer's Core Financial Budgeting process. The Financial Budgets can be onboarded to FinOps Center via the Application UI or by uploading a CSV files.

Overview

Financial Budget Onboarding is the foundational process in FinOps Center's Cloud Financial Management framework. It establishes the four-level budget hierarchy (E1 through E4) that organizes all cloud spending, creates budget entries at each level, configures cost allocation percentages, and maps budgets to specific AWS accounts. Every other CFM process depends on this initial budget structure being in place.

Process Steps

1. Define the Budget Hierarchy - Establish the four-level financial element structure: Business Unit (E1), Department (E2), Portfolio (E3), and Product (E4). This hierarchy determines how costs roll up and how financial data is scoped for each role.

2. Create Budget Entries - Add budget line items at the appropriate hierarchy level. Budgets can be set on monthly or annual periods and support multiple fiscal years (2024, 2025, 2026). Each entry tracks both estimated and approved amounts.

3. Set Allocation Percentages - Configure what portion of each budget maps to AWS accounts. These percentages drive the cost allocation model: resources are either claimed (100% allocated to one workload) or open/shared (cost distributed by allocation percentage).

4. Assign to AWS Accounts - Link budget entries to specific AWS account IDs. Account names are resolved from the account_mapping table. Once assigned, cost tracking activates and QuickSight dashboards begin populating with spend data.

Key Concepts

Budget Hierarchy (E1-E4): Business Unit, Department, Portfolio, Product. Each level scopes financial visibility and governance accountability.

Allocation Percentages: Determine how budget and cost are distributed across AWS accounts. A 60% allocation means 60% of shared costs from that account are attributed to the corresponding workload.

Monthly vs Annual Periods: Budgets can operate on either cadence. Monthly budgets enable fine-grained spend tracking; annual budgets set broader spending envelopes.

Multi-Year Support: FinOps Center supports budget entries spanning 2024, 2025, and 2026 fiscal years with cross-year data visibility.

Integration Points

Budget onboarding feeds directly into Budget to Cloud Allocation (which maps budgets to workloads and resources) and Financial Budget Mapping to User (which connects budgets to specific users for role-based visibility). Without completed budget onboarding, no other CFM process can function.

FinOps Center Roles - Financial Admin & Vendor Manager (Default Roles)

Navigate to the Vendor Manager

Via Site

Define Organizational Naming for the Year

Add Line Item

Via CSV

The Financial Budget/Chart of Account Files is a comma delimited file (csv). The hierarchy of file goes from left to right with the top or your organization being the left column to the lowest product/project in the 4th column. The First Row of the file will drive the labels of the application.

Sample File:

File Name

The Chart of Account File should be generated from your Core Accounting System that reflects your Hierarchy and Approved Budget Spending for AWS.Budgets (via file format) can be updated based on Customer requirements.

Customer_2025_true_2025-11-01_false_Budget_v1.csv

I am a CCoE User and I want to create a New Budget for All Project for the New Budget Year.

I am a CcoE User and I want to up to update a Product’s Annual Budget on 7-01-XX

I am a CCoE User and I want to add a New Product and it’s budget

Chart of Account Integration

Admin users upload the Chart of Account File in the Configuration Page. The Chart of Account File is uploaded in the *.sorfile s3 Bucket and processed by Lambda into DynamoDB.

Invoice Integration

CCoE and Business Unit Users will be able to download csv to their desktops for integration into Core Financial and/or FP&A Solutions.

Custom Instructions are the persona-level rules embedded in each Agent Bill QuickSight Topic that control how Agent Bill responds to user queries. They define topic routing logic, keyword interpretation, business week alignment, and response behavior. Each Topic requires its own custom instruction tailored to the role it serves.

Routing Logic

Agent Bill persona instructions use a three-mode routing system to determine how to handle each user query:

FinOps Center is deployed entirely within customer’s AWS account and is built 100% on native AWS services, enabling centralized operations management, governance, and observability aligned with AWS best practices. It provides customers with full ownership and control of their operational environment while supporting scalable, secure, and compliant centralized management across their AWS workloads.

Centralized Operational Control

The solution is designed to support centralized visibility and control through seamless integration with AWS native tools, allowing customers to centrally manage infrastructure, security, and operations. Key components include:

• AWS CloudFormation: FinOps Center serverless infrastructure and application code is deployed with CloudFormation, ensuring consistency of deployments.

Agent Bill

Agent Bill is the AI layer inside FinOps Center that makes AWS cost management accessible to every team in your organization — in plain language, without the AWS Console, without raising a ticket, and without waiting for someone technical to get back to you.

What Agent Bill Does

AWS cost management has always required a technical intermediary. A Product Owner who wants to know if their workload is on budget has to ask a Cloud Engineer. A Finance Admin who needs to understand what drove a cost spike has to wait for a FinOps specialist to pull and interpret Cost Explorer data. A VP who wants a spending update gets a spreadsheet built the night before.

Agent Bill removes that dependency.

As an embedded AI assistant inside every FinOps Center workspace, Agent Bill understands your organization's specific context — your AWS account structure, your budget hierarchy, your team names, your cost allocation tags, and your commercial agreements. When a user asks a question, Agent Bill doesn't return generic AWS data. It returns an answer scoped to that user's role, their accounts, and their budgets — automatically.

Who Agent Bill Is For

Agent Bill is not a tool for Cloud Engineers. Cloud Engineers already have AWS Console access and Cost Explorer. Agent Bill is built for the people who don't have that access — and shouldn't need it to do their jobs.

What You Can Ask Agent Bill

Agent Bill is designed to answer the questions your teams ask most — and the ones they've stopped asking because getting an answer was too hard.

Finance & Budget Questions

• "Which workloads are over budget this month?"

• "What is our current spend vs. budget across all accounts?"

• "How much have we spent against our annual AWS commitment?"

Workload & Product Questions

• "How much did my application cost to run last week?"

• "What's driving the cost increase in the database tier this month?"

• "How much did my AI components cost in March vs. February?"

AI & Bedrock Questions

• "How much have we spent on Amazon Bedrock this month?"

• "Which model is consuming the most tokens across our workloads?"

• "What is the cost per request for my Bedrock integration?"

Management & Reporting Questions

• "Give me a summary of AWS spending this month for my management report."

• "How does this month's spend compare to last month?"

• "Which product teams are on track and which are at risk?"

How Agent Bill Knows Your Data

Agent Bill is not a generic AI assistant. It is scoped entirely to your organization's FinOps Center environment. This means:

It knows your structure. Agent Bill understands your AWS account hierarchy, your budget structure, and how accounts map to teams, products, and business units — because that structure is configured in FinOps Center.

It uses your naming conventions. When you ask about "the Payments application" or "the US East team," Agent Bill recognizes those names because they are your names — not generic AWS service names.

It only shows you your data. Every user's Agent Bill experience is scoped to their role and their accounts through Row Level Security. A Product Owner asking about "my workload" sees only their workload's data. A Finance Admin sees organization-wide data. A Department Manager sees only their department. No configuration is required from the user — it is automatic.

It understands your budget context. Questions about budget status are answered against your actual budget targets set in FinOps Center — not against AWS service limits or generic thresholds.

What Agent Bill Is Not

Understanding the boundaries of Agent Bill helps set the right expectations for your users.

Agent Bill is not a real-time cost alert system. It answers questions based on FinOps Center's data refresh cycle. For real-time anomaly alerting, use the FinOps Center budget alert and anomaly detection workflows.

Agent Bill does not execute actions. In its current implementation, Agent Bill answers questions and surfaces insights. Actions — budget approvals, savings plan purchases, optimization ticket creation — are taken through the FinOps Center workflow layer.

Agent Bill does not have access to data outside FinOps Center. It cannot query systems outside your FinOps Center environment — ERP systems, ITSM tools, or external financial systems — unless that data has been integrated into FinOps Center.

How Agent Bill Is Configured

Agent Bill's capabilities are determined by how FinOps Center is configured for your organization. The richer your FinOps Center setup — budget hierarchy, cost allocation tags, account-to-team mapping, persona workspaces — the more specific and useful Agent Bill's answers will be.

The Functional section of this documentation covers the configuration steps that shape Agent Bill's behavior:

• Quick Topics — the pre-built question libraries available to each persona

• QuickChat Personas — how Agent Bill's data scope is configured per role

• Custom Instructions — how to tailor Agent Bill's responses to your organization

Getting the Most From Agent Bill

A few principles that help users get better answers:

Be specific about scope. "What did we spend?" is harder for Agent Bill to answer usefully than "What did the Payments application spend in March?" The more context in the question, the more precise the answer.

Use your organization's naming conventions. Agent Bill recognizes the team names, account names, and application names configured in your FinOps Center environment. Use those names in your questions.

Ask follow-up questions. Agent Bill maintains context within a session. If the first answer raises a new question, ask it — Agent Bill will use the context of the prior exchange to give a more relevant answer.

If an answer seems incomplete, check the data refresh. Agent Bill answers are based on the most recent FinOps Center data refresh. If you are asking about very recent activity, confirm the dataset has refreshed before escalating.

Next Steps

→ Quick Topics — See the pre-built question libraries available per persona

→ QuickChat Personas — Understand how Agent Bill's data scope is configured per role

→ Persona Instructions Guide — Optimize Agent Bill for each persona in your organization

→ Row Level Security — Configure data scoping so every user sees only their data

Agent Bill uses a persona instruction system to deliver role-specific AI assistance within FinOps Center. Each persona instruction is a structured text block embedded in a QuickSight Topic that controls how Agent Bill responds to a specific user role. The instructions define the agent's identity, data scope, query routing logic, available topics, and business context. This page documents the structure, routing logic, per-role configuration, and management of persona instructions.

How Persona Instructions Work

Persona instructions sit within QuickSight Topics and are delivered to Agent Bill through the Amazon Quick Suite architecture chain: Dataset (with RLS) → Topic (with persona instructions) → Space (topics + MCP actions) → Chat Agent → Embedded in FinOps Center. When a user opens Agent Bill in the FinOps Center application, the system identifies their role via Cognito authentication, routes them to their dedicated QuickSight Chat Agent (via fixedAgentArn), and the agent loads the persona instruction associated with that role's topic.

Query Routing Logic

Every persona instruction defines how Agent Bill classifies and routes incoming user queries into one of three categories:

• DATA ONLY (Q Topics) — Cost queries, spending analysis, usage reports, and any question that can be answered from the QuickSight dataset. Agent Bill queries the semantic model directly. Examples: "What was my EC2 spend last week?", "Show me container costs by pod."

• ACTION/TASKS (MCP Server) — Workflow actions that modify data in FinOps Center via the MCP server backend. These are routed to Quick Spaces actions rather than dataset queries. Examples: "Accept my spend card for week 2", "Submit my budget for approval", "Claim this resource for my workload."

• COMBINED (Data + Action) — Queries that require both data retrieval and a workflow action. For example, "Show me my budget vs actuals and submit a reschedule request" combines a data query with an MCP action.

Topic Routing

For DATA ONLY queries, persona instructions also define which QuickSight Topic to route to. There are 4 topics available in Agent Bill 2.0, and not all roles have access to all topics:

• Cost Management (default topic) — The primary topic for all roles. Handles general spending, budget, and cost allocation queries. All personas default to this topic unless a more specific topic applies.

• Container Allocation — Routes container-specific queries (EKS, ECS, pods, tasks, Kubernetes). Triggered when the user mentions container, pod, task, EKS, ECS, or k8s keywords. Available to Financial Admins, Department Managers, Portfolio Managers, Product Owners, and Cloud Engineers.

• Marketplace Spending — Vendor-specific cost filtering and marketplace analytics. Currently available to Financial Admins only. When other roles ask about marketplace spending, the persona instruction redirects them to contact the FinOps team.

Instruction Template Structure

Each persona instruction follows a consistent template structure. The total instruction must stay within approximately 3,200 characters (the QuickSight topic custom instruction limit). The template sections are:

1. Agent Identity

Opens with "You are Agent Bill, an AI assistant helping [Role Name] manage cloud spending for their assigned [Scope]..." This establishes the agent's name, the user's role, and the organizational scope (e.g., product, portfolio, department, or business unit). The identity section also lists the user's primary responsibilities so Agent Bill understands what tasks the user performs in FinOps Center.

2. Data Scope

Defines the cost hierarchy terminology that applies to this role. Uses the FinOps Center budget hierarchy: Business Unit = Element 1 (E1), Department = Element 2 (E2), Portfolio = Element 3 (E3), Product = Element 4 (E4). The data scope tells Agent Bill which level of the hierarchy this user operates at, and what cost allocation model applies (Budget → Account Allocation % → Workload → Resources).

3. Query Classification Rules

Explicit rules for how to classify each incoming query as DATA ONLY, ACTION/TASKS, or COMBINED. This section defines keywords and patterns that trigger each routing path. For roles with MCP actions (Product Owners, Cloud Engineers), this section is more detailed because those roles can both query data and perform workflow actions.

4. Topic Routing Rules

Specifies the default topic (Cost Management for all roles) and when to route to specialized topics. For example, container-related keywords (pod, task, EKS, ECS, Kubernetes, k8s) trigger routing to the Container Allocation topic. Also defines unavailable topics for the role — when a user asks about a topic they don't have access to (e.g., Marketplace or Savings Plans for non-admin roles), Agent Bill responds with a redirect message: "For [topic] inquiries, please contact your FinOps team."

5. Cost Metric Definitions

Defines the key cost fields Agent Bill should use when answering queries: "cost" (combined claimed + shared cost), "net_cost" (after discounts), discount columns (distributor, private_rate, bundled, edp, spp), and credit visibility rules. Credits are only visible to Financial Admin personas — other roles do not see credit-related fields.

6. Calendar Guidelines (Business Week Alignment)

Critical section that enforces FinOps Center's Sunday-to-Saturday business week definition. All weeks run SUNDAY to SATURDAY (not the default Monday-Sunday). The instruction includes explicit week definitions (W1 through W6) for each month, with rules for partial first and last weeks. The "SUNDAY to SATURDAY" rule is stated at the top of this section and reinforced at the bottom as a reminder. This ensures that when users ask "show me week 2 spending," Agent Bill uses the correct date range aligned to FinOps Center's period cards.

7. Response Formatting Guidelines

Optional section that controls how Agent Bill formats its responses. May include instructions to always show costs in USD, include time period labels, group by specific dimensions, or present data in a particular format suited to the role's needs.

Per-Role Topic Assignments

The following table summarizes which topics and capabilities are available to each role's persona instruction. Full persona instructions for each role are documented on the QuickChat Personas page.

• Financial Admins — Topics: Cost Management, Container Allocation, Marketplace Spending, Savings Plans Management. Credits: Yes. MCP Actions: No (admin oversight role). Scope: Full organization.

• Business Unit Managers — Topics: Cost Management only. Credits: No. MCP Actions: No. Scope: Business unit (E1), view-only.

• Department Managers — Topics: Cost Management, Container Allocation. Credits: No. MCP Actions: No. Scope: Department (E2), view-only.

Managing Persona Instructions via API

Persona instructions can be managed programmatically using the AWS QuickSight API. This is essential for version control, bulk updates across roles, and automated deployment pipelines. The three relevant API operations are:

• DescribeTopic — Retrieves the current persona instruction for a topic. The custom instruction is returned in the CustomInstructions object via the CustomInstructionsString field. Use this to read and verify instructions before making changes.

• CreateTopic — Creates a new topic with a persona instruction included at creation time via the CustomInstructions field. Used when setting up Agent Bill for a new role or creating a new environment.

• UpdateTopic — Modifies the persona instruction on an existing topic. This is the primary API for iterating on instructions. Use DescribeTopic first, modify the instruction text, then call UpdateTopic to apply changes.

Best Practices for Creating and Iterating on Instructions

• Stay within the ~3,200 character limit. QuickSight topic custom instructions have a hard character limit. If your instruction exceeds this, prioritize the routing rules and calendar guidelines over verbose descriptions.

• Reinforce critical rules at both the beginning and end of the instruction. The business week definition ("SUNDAY to SATURDAY") is stated at the top and repeated at the bottom because AI models can lose track of rules in the middle of long instructions.

• Test with real user queries after each iteration. Use the QuickSight embedded chat preview to test questions like "What was my spend last week?" and verify the response uses the correct date range and topic.

Web Application Bucket Configuration

FinOps Center delivers its web application frontend through a secure Amazon S3 + Amazon CloudFront distribution. This component provisions the frontend hosting layer using a customer-owned custom domain and SSL/TLS certificate, ensuring compliance with AWS security best practices and enterprise DNS requirements.

This step is mandatory and must be completed before any users access FinOps Center.

FinOps Center leverages native services encryption of data at rest and in transit.

All FinOps Center data is stored in S3 or DynamoDB when at rest. When users are accessing the application CloudFront provides the SSL connection for the frontend application.

1. React Frontend (S3 Hosting)

Data at Rest:

Upon completion of the FinOps Center installation, log into the AWS Account of the applicatoin and navigate to the Amazon Cognito Service and the FinOpsCenterPool

In the left hand navigation, click on the Manage Template and sellect Invitation Message then Edit.

Add Welcome to FinOps Center in the Subject

The Recommended HTML that requires an update for your FinOps Center URL

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Welcome to FinOps Center</title>
  <style type="text/css">
    /* Import Lato font */
    @import url('https://fonts.googleapis.com/css2?family=Lato:wght@400;700&display=swap');
    
    /* Reset styles for email clients */
    body, table, td, p, a, li, blockquote {
      -webkit-text-size-adjust: 100%;
      -ms-text-size-adjust: 100%;
    }
    
    body {
      margin: 0;
      padding: 0;
      font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif;
      line-height: 1.6;
      color: #333333;
      background-color: #f0f4f8;
    }
    
    table {
      border-spacing: 0;
      border-collapse: collapse;
      mso-table-lspace: 0pt;
      mso-table-rspace: 0pt;
    }
    
    img {
      border: 0;
      height: auto;
      line-height: 100%;
      outline: none;
      text-decoration: none;
      -ms-interpolation-mode: bicubic;
    }
    
    /* Main container */
    .container {
      max-width: 600px;
      margin: 0 auto;
      background-color: #ffffff;
      border-radius: 8px;
      overflow: hidden;
      box-shadow: 0 3px 10px rgba(0, 0, 0, 0.1);
    }
    
    /* Header */
    .header {
      padding: 30px 0;
      text-align: center;
      background-color: #000000;
      color: #ffffff;
    }

    /* Logo */
    .header img {
      border: 0;
      display: block;
      margin: 0 auto;
      max-width: 80%;
      height: auto;
    }
    
    /* Content */
    .content {
      padding: 30px;
      font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif;
    }
    
    /* Credentials box */
    .credentials-box {
      background-color: #e0f7fa;
      border: 1px solid #b2ebf2;
      border-radius: 5px;
      padding: 20px;
      margin: 20px 0;
      font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif;
    }
    
    .credentials-item {
      margin-bottom: 10px;
    }
    
    .credentials-label {
      font-weight: bold;
      display: inline-block;
      width: 120px;
      font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif;
      color: #00363a;
    }
    
    .credentials-value {
      font-family: monospace;
      background-color: #ffffff;
      padding: 3px 6px;
      border-radius: 3px;
      border: 1px solid #b2ebf2;
      color: #006064;
    }
    
    /* Button */
    .button-container {
      text-align: center;
      margin: 30px 0;
    }
    
    .button {
      display: inline-block;
      background-color: #ffc107;
      color: #333333 !important;
      text-decoration: none;
      padding: 12px 30px;
      border-radius: 4px;
      font-weight: bold;
      font-size: 16px;
      font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif;
      box-shadow: 0 2px 5px rgba(0, 0, 0, 0.1);
    }
    
    /* Footer */
    .footer {
      padding: 20px;
      text-align: center;
      font-size: 12px;
      color: #666666;
      background-color: #e0f7fa;
      font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif;
      border-top: 1px solid #b2ebf2;
    }
    
    a {
      color: #00838f;
      text-decoration: underline;
    }
    
    /* Responsive adjustments */
    @media screen and (max-width: 600px) {
      .container {
        width: 100% !important;
        border-radius: 0;
      }
      
      .content {
        padding: 20px !important;
      }
      
      .credentials-label {
        display: block;
        width: 100%;
        margin-bottom: 5px;
      }
    }
  </style>
</head>
<body>
  <table width="100%" border="0" cellpadding="0" cellspacing="0" bgcolor="#f0f4f8">
    <tr>
      <td align="center" style="padding: 40px 0;">
        <table class="container" width="600" border="0" cellpadding="0" cellspacing="0">
          <!-- Header -->
          <tr>
            <td class="header">
              <img src="https://finopscenterlogobin.s3.amazonaws.com/FinOpsCenter_VerticalLogo_Main.png" alt="FinOps Center Logo" width="250" style="max-width: 80%; height: auto; display: block; margin: 0 auto;">
            </td>
          </tr>
          
          <!-- Content -->
          <tr>
            <td class="content">
              <p style="font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif; color: #333333;">Hello,</p>
              <p style="font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif; color: #333333;">Your FinOps Center account has been created successfully. Below are your login credentials:</p>
              
              <!-- Credentials Box -->
              <div class="credentials-box">
                <div class="credentials-item">
                  <span class="credentials-label">Username:</span>
                  <span class="credentials-value">{username}</span>
                </div>
                <div class="credentials-item">
                  <span class="credentials-label">Temporary Password:</span>
                  <span class="credentials-value">{####}</span>
                </div>
              </div>
              
              <p style="font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif; color: #333333;">For security reasons, you will be required to change your password upon your first login.</p>
              
              <!-- Button -->
              <div class="button-container">
                <a href="https://<<FinOps Center/login" class="button" style="font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif;">Access FinOps Center</a>
              </div>
              
              <p style="font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif; color: #333333;">If you have any questions or need assistance, please visit <a href="https://www.finopscenter.com/support" style="font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif; color: #00838f;">www.finopscenter.com/support</a>.</p>
              
              <p style="font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif; color: #333333;">Thank you,<br>The FinOps Center Team</p>
            </td>
          </tr>
          
          <!-- Footer -->
          <tr>
            <td class="footer">
              <p style="font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif; color: #666666;">&copy; 2025 Cloud Scal3 Inc. All rights reserved.</p>
              <p style="font-family: 'Lato', 'Helvetica Neue', Helvetica, Arial, sans-serif; color: #666666;">This is an automated email. Please do not reply to this message.</p>
            </td>
          </tr>
        </table>
      </td>
    </tr>
  </table>
</body>
</html>

Note: href needs to be changed to application url

In version 26.4.0, the Athena query layer received a major overhaul. The shared cost allocation views were rewritten to fix a duplication issue where shared costs were being multiplied across element4_id values in cartesian product joins. Both the claimed and shared resource base views were rebuilt with new columns including account_name (joined from account_mapping), aws_product, five discount columns (distributor_discount, private_rate_discount, bundled_discount, edp_discount, spp_discount), net_cost, and interval_start/interval_end date fields. AI-specific columns were added for Bedrock cost tracking: ai_provider, is_ai_usage, ai_operation_type, and token usage fields. All views now support cross-year data spanning 2024, 2025, and 2026.

There are some conditions that cause cartesian product effect in your joins. Those conditions are when multiple product users are mapped to the same product or element 4.

In Athena, run an Update to the Claimed and Shared Resource Query.

Claimed Resource Query

CREATE OR REPLACE VIEW "finopscenter_claimed_resource_view_e1" AS 
SELECT
  base.*
, um."username" "user"
FROM
  ((FinOpsCenter_claimed_resource_base_view base
INNER JOIN "finopscenterq_db"."account_mapping" am ON (base.accountid = am.accountid))
INNER JOIN (
   SELECT
     username
   , element1id
   , year
   , element2id
   , element3id
   , element4map
   FROM
     (
      SELECT
        username
      , element1id
      , year
      , element2id
      , element3id
      , element4map
      , ROW_NUMBER() OVER (PARTITION BY element1id, year ORDER BY username ASC) rn
      FROM
        "finopscenterq_db"."user_mapping"
      WHERE ((element2id IS NULL) AND (element3id IS NULL) AND (element4map IS NULL))
   ) 
   WHERE (rn = 1)
)  um ON ((am."element1id" = um."element1id") AND (am."year" = um."year")))
WHERE ((base.element1_id = am.element1id) AND (base.year = am.year) AND (am.year = um.year))

Resource View

Updated Views Summary

The following 14 views were created or updated in 26.4.0. Base views: finopscenter_claimed_resource_base_view and finopscenter_shared_resource_base_view. Claimed element views: finopscenter_claimed_resource_view_e1 through e4. Shared element views: finopscenter_shared_resource_view_e1 through e4. Resource views (UNION ALL of claimed + shared): finopscenter_resource_view_e1 through e4. The e4-level resource views include the five discount columns in both the claimed and shared SELECT statements.