Prior to starting the installation of FinOps Center, customers must understand how their company is organized by Roles and Organizational Naming.

Roles

During the installation of FinOps Center, the Role Names are created in Amazon Cognito. The functionality of the Roles is independent of the naming but will help if they are align to your organizational naming.

Default Labels for Roles

Configured During FinOps Center CloudFormation Template

Organizational Naming is aligned to how customers Chart of Accounts are constructed. Organizational Naming can be update once a year aligned to your Creating of an annual budget.

Organization Naming is set via the Budget Creation Process which occurs via a csv upload or via the Budget Screen. The Organization Naming will be visible throughout the FinOps Center application and will need to be implemented in the Amazon Q in Quicksight Topics (if changed).

Default Organization Naming

Organization Naming

When creating Budget, you will be ble to provide Orgnaization Naming in the Create Budget.

Cloud Estate Design

When preparing for your FinOps Center installation, it's important to consider the design elements related to both your Cloud Estate and the AWS account for your FinOps Center installation.

Aligned with the Multi-Account Strategy, FinOps Center is designed to facilitate the management of your AWS Cloud Estate through the Delegated Admin Account. A Delegated Admin Account may already be created and configured in your Cloud Estate as you set up various AWS Management and Security services like Security Hub and IAM Identity Center.

FinOps Center utilizes the Cost and Usage Data Export report created in the Management Account and replicated to the Delegated Admin. It was designed to work alongside the Cloud Intelligence Dashboard framework, which must be installed prior to the FinOps Center installation.

To subscribe to the FinOps Center, the subscription must be initiated and installed from the Designated Admin Account through the AWS Marketplace.

FinOps Center's Installation Components

The installation of FinOps Center requires configuring your AWS Cloud Estate within the Management Account and the Delegated Admin Account or Data Collection where the application will be installed.

Tasks in Management Account

• Create Cost and Usage Report via Data Exports - via CID Framework

• Create S3 Bucket for Cost and Usage Report - via CID Framework

• Create IAM Role for S3 Bucket Replication - via CID Framework

• S3 Management setup of Bucket Replication and Batch Operation (optional)

• Enable Delegated Admin Account (suggest configured via AWS Organizations, Security Hub, or IAM Identity Center).

Assess Requirement

1. Admin - creating IAM Role

Tasks in Designated Admin/ Date Aggregation

1. Create Target Bucket for the Cost and Usage Report via Data Exports - via CID Framework.

2. Create S3 Bucket for Bucket Replication and Frontend Application

3. Configure S3 Buckets with CloudFront

4. Launch and Configure QuickSight

5. Create IAM Profile for FinOps Center Installation

6. Subscribe and install FinOps Center Marketplace offering

7. Launch EC2 to copy FinOps Center code to S3 Bucket

8. Install FinOps Center from CloudFormation

9. Setup Amazon QuickSight and CID Framework

Access Requirement

1. Admin as the CFT create IAM roles

AWS Account w/ Delegated Admin

The New Account Onboarding Process for FinOps Center is facilitated by access to the Account Management API in the Management Account. Within an AWS Cloud Estate, one account can be configured to be Delegated Admin and is the account FinOps Center is installed.

Steps to Create Delegated Admin if not created

1. Creation of New Account - Customers are advised to create an account (if not existing already) that requires Delegated Admin privileges, particularly for services like Security Hub and Systems Manager. While the naming convention is flexible, this account is referred to as the CloudOps Account by Cloud Scal3.

2. Enablement via Security Hub- Follow the instructions provided for enabling an account to be delegated Admin via Security Hub Setup. This involves configuring the Delegated Admin Account through Security Hub.

By following these steps, the integration for Account to Budget onboarding through FinOps Center is facilitated efficiently and securely.

Delegated Admin Account via Security Hub Configuration

FinOps Center leverages the work from AWS CUDOS Framework that so customer can leverage the Various QuickSight Dashboards created by the OPTICS Team.

https://catalog.workshops.aws/awscid/en-US/dashboards/foundational/cudos-cid-kpi/deploy

Upon navigating to CloudFront, create a new distbituions.

From the Origin Domain, select the frontend bucket created for the front end applicatoin

Ensure to update the specified settings below, unless instructed otherwise, while leaving the rest as default.

Update Viewer

Web Access Firewall

6. Create Distribution (When the Distribution is Create the CloudFront Homepage will have the Updated S3 bucket policy that needs to be applied to the S3 Bucket -> copy to be applied to bucket. (Note: The distribution may take 5 minutes or so to create, work on Step 9 and 10).

7. Navigate to the Error Page Tag and Config as detailed below. (Note: If uses raise issue that when they refresh page it doesn't load its likely because the Error Page Configuration is Missing)

8. Set invalidation for the distribution

9. Navigate to the S3 Bucket for FinOps Center Application and to Permission. Edit Permission with the Policy from CloudFront

10. Navigate to Route 53 or Domain Controller and Create an A Record that is Domain Name of your distribution

Stack Configuration

FinOps Center creates IAM Roles and Policies. The Engineer deploying must have Administrative Privileges. (DO NOT INSTALL USING ROOT USER)

Upon Selecting Next you will be taken to the YAML form to complete the FinOps Center Installation.

Name Stack: No Requirements

Stack Parameter:

• Bucket to CUR - cid-(CUSTOMERACCOUNT)-data-exports

• Path to CUR Date - cur2/CUSTOMERACCOUNT/cid-cur2/data

• Athena DB Name - cid_data_export

• Athena DataCalog - AwsDataCatalog

• Athena WorkGroup - primary

Roles aligned to Busienss Requirements

Enviornment Parameters

• Static Website - S3 Bucket Name Created for Frontend Bucket

• From CloudFront - Distribution Name

• Create your First Admin User and Email

Launch through EC2

Click to Zoom

Click to Zoom

Configure Instance to your companies standards. As note previously, the EC2 instanced provisioned is used to copy files to S3 for the FinOps Center deployment. We recommend a small instance (T3 Small) be used and can be shut down once the files are copied to S3.

Click to Zoom

Prior to Launch → the IAM Instance Profile much have a Role with Policy to S3 Create Bucket and S3 Write Access for FinOps Center Installation Bucket. Add your AWS Account Number to below Policies.

Navigate to IAM and follow below Steps

Step 1: Create a New Role for EC2 or Validate an Existing Role has above Policy.

Click to Zoom

JSON Policy - add account number of installed account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::cdk-hnb659fds-assets-<accountnumber>-us-east-1"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::cdk-hnb659fds-assets-<accountnumber>-us-east-1*"
      ]
    }
  ]
}

Step 2: Create a Role

Click to Zoom

Step 3: Add Policy to Role

Click to Zoom

and Create Role

Click to Zoom

Return to EC2 to Launch Instance

No Key is Required as the Instance can be delete upon Install

Launch Instance

Navigate to S3

As the EC2 starts up, a bucket will appear beginning with cdk (see below)

Once you see the cdk Bucket is created navigate back to the Marketplace Listing to Launch CloudFormation.

Launch CloudFormation

Click Next

Note: All environment installation are “ Fresh Installs”. There is no separate installation pipeline between SDLC environment.

Stack Configuration

FinOps Center creates IAM Roles and Policies. The Engineer deploying must have Administrative Privileges. (DO NOT INSTALL USING ROOT USER)

Upon Selecting Next you will be taken to the YAML form to complete the FinOps Center Installation.

Name Stack: No Requirements

Environment Parameter:

• Bucket of CUR

• Path to CUR Date - name/name/name/

• Athena DB Created by CUDOS Framework

  • CUDOS will create cid_cur name

  • Table name based on CUR creation naming

• Provide S3 Bucket for Frontend Application Install

Organization Roles

• Define your Organization Role Names

• Create your First Admin User and Email

Functional:

Release 25.2.0 is primarily around the inclusion of the Amazon Q in QuickSight Framework with UI Updates and Changes the CUDOS Framework embedding from Anonymous to User-Based.

FinOps Center Enterprise

FinOps Center FinOps-in-a-Box

FinOps Center FinOps-in-a-Box Hourly

This is the initial Release of Amazon Q in QuickSight FinOps Center Framework

Topics Created

• AWS Product

• AWS Portfolio

• AWS Department

• AWS Business Unit

• AWS Spending

• AWS Vendor

DataSet Created

• FinOps_Center_E1

• FinOps_Center_E2

• FinOps_Center_E3

• FinOps_Center_E4

• FinOps_Center_Full

• Resource View

• finopscenter_period

Amazon Q in QuickSight Backend Framework

Amazon Q in QuickSight Topics Components

(We recommend that you keep instances with previous AMI until the upgraded installation is confirmed to be working properly. If recovery is required - you can restart the EC2 instance with the prior AMI which will update the CDK bucket with that version. Follow below instruction.)

Marketplace customers will receive an email that their is a new version of the FinOps Center AMI available. The AMI will be available in their EC2 Console for launch leveraging the same IAM Profile used during initial installation. The launched instance will update the FinOps Center cdk bucket with the updates. Select the FinOpsCenterStack.template.json and update the CloudFormation Stack with the object URL.

Click to Zoom

Click to Zoom

Validate the Parameters and advance through the next few screens and hit update.

Upon Completions, Code is Updated.

The Amazon Q in QuickSight FinOps Center Framework uses the same Deployment Model as FinOps Center via the Marketplace - AMI with CloudFormation.

Once the Offering is added to your AWS Accounts you will have an AMI that needs to be launch with the IAM Profile that was used for the Product Installation.

The Solution code will be deployed via 2 CloudFormation Scripts.

The First CFT builds and deploys the backend that will extract data from your FinOps Center application's DyanamoDB tables and pushes them to S3 that are created. Glue Crawlers then create the schema to be leverage for the 2nd CFT.

Note: Prior to proceeding to the 2nd CFT Script the Glue Crawlers must successfully complete and the new S3 buckets (amazonqframework-finopscenterqdataextractionbucket & amazonqframework-finopscenterqperiodbucketb17f0b5d-) must be shared with QuickSight.

The 2nd CFT will install the Athena Queries, QuickSight Datasets, QuickSight Topics, and other configurations. For the Installation, you need the Author Pro ID that was created to provide as a parameter for the Template to complete.

The CFT will take about 3 minutes to Run but the deployment will still be running. Allow for 15 mins before returning to the Back to QuickSight Console. In Console, navigate to the Groups Tag in Management to add the Author Pro User to the Topics-Admin Group.

Navigate to the Author Pro's Console and monitor the Topics being built. Note that Topics are built once the SPICE for the Dataset has successfully been Refreshed. Depending on the amount of data in your CUR2 or Application, this can take up to 30mins. As Topics appear they will be automatically added to the application by Role. As a best practices, run an invalidation in CloudFront upon completetion of all Topics being created.

Upon complete the configuration to your AWS Environment (QuickSight) you will navigate to the Amazon Q in QuickSight Marketplace offering and subscribe to the services

Upon Subscribing the page, will refresh to add the AMI

Click the Continue to Configuration and Select the AMI

Select your Version and Region and select Continue to Launch

Launch via EC2

Add the name of the Instance, Select no Keypair

Add the Launch Profile from the FinOps Center Installation and Launch Instance

Once the AMI is launched and the code is deployed to your cdk bucket, you navigate back to the Configure Screen to install the CloudFormation Templates.

The First CFT to launch is the Amazon Q in QuickSight FinOps Center Backend Framework.

Continue to Launch Stack

Prior to Launch the 2nd Stack -> navigate to Glue and Validate that the Crawlers have run successfully.

Launch the 2nd Stack - Amazon Q in QuickSight FinOps Center Q Topics

On the 2nd Screen after launching you need to add the Author Pro that you setups within your QuickSight Environment

The installation of the scripts will take approximately 10 mins but the Lambda function that create the Athena Queries/Views, QuickSight Datasets, SPICE loading, and Topics can take upto 30 minutes.

The initial Admin user will receive the initial email to begin to onboard users to FinOps Center.

The Recommended approach is to Create an Initial Financial Admin users and one Product Owner to assist with populating the installation with data.

From the Business Requirements, the Financial Admin can create the Organization Naming from configuring the Budget Screen or via CSV Upload.

Additional Post Installation Steps include updating the application with your company's logo and customizing the Amazon Cognito Welcome Email.

Once the Initial User Admin receives the Cognito Email they can create the initial Financial Admin User. Prior to creating user, its best practice to configure the Welcome Email in Cognito.

Add Users

Users Lists

Update User Role

Import via Cognito Console

As an alternative to adding Users via the FinOps Center Application, Admins can log into the Delegated Admin/Data Collection Account and navigate to Cognito->FinOpsCenterPool

Create Import Job

In the provided csv, complete rows:

• L for Customer Role of User

• N for Email address of User

• O for Email Validation to True

• V for the Username for FinOps Center

Upon completion of the FinOps Center installation, log into the AWS Account of the applicatoin and navigate to the Amazon Cognito Service and the FinOpsCenterPool

In the left hand navigation, click on the Manage Template and sellect Invitation Message then Edit.

Add Welcome to FinOps Center in the Subject

The Recommended HTML

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <link rel="preconnect" href="https://fonts.googleapis.com" />
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
    <link
      href="https://fonts.googleapis.com/css2?family=Lato&display=swap"
      rel="stylesheet"
    />
    <title>Welcome</title>
    <style>
      body {
        font-family: "Lato", sans-serif;
        background-color: #eef2f7;
        font-size: 14px;
        color: #333;
      }

      .card {
        background-color: #fff;
        max-width: 600px;
        width: 90%;
        margin: 0 auto;
        margin-top: 100px;
      }

      .card__header {
        background-color: #d4e5ff;
        padding: 20px;
        text-align: center;
      }

      .card__body {
        padding: 20px;
      }

      .logo {
        width: 150px;
      }

      .btn {
        padding: 0.5rem 1.5rem;
        font-weight: 600;
        color: #fff;
        background-color: #92c73b;
        text-decoration: none;
        margin: 0 auto;
        display: inline-block;
      }

      h4 {
        font-size: 16px;
        color: #000;
      }
    </style>
  </head>
  <body>
    <div class="card">
      <div class="card__header">
        <img
          src="https://finopscenterlogobin.s3.amazonaws.com/FinOpsCenter_VerticalLogo_Main.png"
          alt="FinOps Center Logo"
          class="logo"
          style="width: 150px"
        />
      </div>
      <div class="card__body">
        <h4>Welcome to Finops Center</h4>
        <p>Your username is {username} and temporary password is {####}.</p>
        <p>
          Please click on the button below for access after initially resetting
          your password.
        </p>

        <div style="text-align: center; margin: 40px 0">
          <a href="https://www.finopscenter.com/" target="_blank" class="btn"
            >Go FinOps Center Website</a
          >
        </div>

        <p style="text-align: center">
          For additional information on FinOps Center please visit
          <a href="https://docs.finopscenter.com/" target="_blank"
            >https://docs.finopscenter.com/</a
          >
          or open a ticket at
          <a href="http://www.fionpscenter.com/support" target="_blank"
            >www.fionpscenter.com/support.</a
          >
        </p>
      </div>
    </div>
  </body>
</html>

Note: href needs to be changed to application url

Customers can update the header and login logo in the FinOps Center implementation

Customers' logo needs to have the file name customer-logo and format svg. (if you have image in different format they must be converted to svg.)

The logo gets uploaded in the s3 bucket of the frontend application in the root directory.

Finops Center provides your companies Core Cloud Financial Processes.

• Financial Budget Onboarding/Modifying

• Business User Onboarding

• Financial Budget Mapping to User

• Financial Budget to Cloud Allocation

  • AWS Account to Budget

  • Resource to Workload to Budget

  • Release Resource

  • Rollup Allocation/Visibility

• Estimate to Budget

• Budget Scheduling

  • Create Schedule

  • Approve/Reject Schedule

  • Request Reschedule

  • Approve Reschedule

  • Rollup Budgets

• Period Spending Approval

• AWS Credit Allocation

• Close Month

  • AR File

  • FP&A

FinOps Center manages Financial Budgets that have been approved by customer's Core Financial Budgeting process. The Financial Budgets can be onboarded to FinOps Center via the Application UI or by uploading a CSV files.

FinOps Center Roles - Financial Admin & Vendor Manager (Default Roles)

Navigate to the Vendor Manager

Via Site

Define Organizational Naming for the Year

Add Line Item

Via CSV

The Financial Budget/Chart of Account Files is a comma delimited file (csv). The hierarchy of file goes from left to right with the top or your organization being the left column to the lowest product/project in the 4th column. The First Row of the file will drive the labels of the application.

Sample File:

https://cdn.document360.io/9c6c5de5-e82a-4925-8765-7cad54ea8876/Images/Documentation/FinOpsBudgetSample_2024_true_2024-01-01_false_Budget_v1(1).csv

File Name

The Chart of Account File should be generated from your Core Accounting System that reflects your Hierarchy and Approved Budget Spending for AWS.Budgets (via file format) can be updated based on Customer requirements.

Customer_2025_true_2025-11-01_false_Budget_v1.csv

I am a CCoE User and I want to create a New Budget for All Project for the New Budget Year.

I am a CcoE User and I want to up to update a Product’s Annual Budget on 7-01-XX

I am a CCoE User and I want to add a New Product and it’s budget

Chart of Account Integration

Admin users upload the Chart of Account File in the Configuration Page. The Chart of Account File is uploaded in the *.sorfile s3 Bucket and processed by Lambda into DynamoDB.

Invoice Integration

CCoE and Business Unit Users will be able to download csv to their desktops for integration into Core Financial and/or FP&A Solutions.

FinOps Center Users are onboarded to the application by Admin Users. All users are stored in Amazon Cognito that accepts mass uploads. (contact support for assistance).

The Admin Configuration Screen is accessible to the Admin User that is created during the installation of FinOps Center. Additional Admin Users can be created like any other role

Admin users are responsible for adding users with their roles. Those Roles can be updated. Each users requires an unique email address. (+email are Supported)

FinOps Center maps Users to their Financial Budget/Scope. A key feature of FinOps Center is "Rollup" of Spending and Budget within the hierarchy.

As depicted below, the Roles rollup spending from the members of their Financial Scope.

From the Drop Down, A user will be added to the Financial Scope aligned to the Role they were onboarded to when they were added to FinOps Center.

Users can have multiple scopes within their hierarchy but must have the same "Parent". In the examples below Department can have multiple departments within Enterprise but not in different Business Units.

Business Unit Role

Department Role

Portfolio Owner

Product Owner

All users mapping can be remapped(adding or subtracting) by selecting the user from the list ->

and adding the new mapping

FinOps Center is designed to have 2 tiers of allocation to a Financial Budget.

1. Account Allocation: Aligned to the multi-account framework, AWS Account Billing is split by percentage allocation to a budget. The Allocation begins to either the Vending date of the Account or the 1st of the Previous Month. Allocation can be updated to the beinning of Period (aka weekly). All resources will be allocated to that budget at the % rate.

2. Workload Allocation: Product Owners create estimates for Workload. Workload can then "Claim" resources to them by Admin, Financial Admins, or the Product owners that will then have 100% allocation to that budget as of the next day from Claiming.

As detailed below - Spending is then discounted (if applicable) and reduced by available Credits at the budget level.

All AWS Accounts are at minimum allocated to 1 Financial Budget and define as an Account Type (Production, Pre-Production, Shared, Development or Sandbox). To complete mapping the total allocation must be 100%.

Accounts can be mapped to multiple budgets but need to have total allocation of 100%.

Allocation can be updated to a new start date and allocation

Select Remap to update account allocation and start date

New allocation will history of allocations with current in green highlight. Effective dates of allocation are in Effective Column with the timestamp of updates in lower left of table.

Workload allocation begins with the Product Owner creating an estimate for their workloads. Within Space, Product Owners will navigate to a Budget within their Scope and Select the AWS Account where the workload will be created.

Workload need to be named, have an AWS Pricing Calculator, and a Launch Date(Month). If there is a targeted Teardown for the workload enter the End Month. By default, Estimates will end a year of year.

Once Estimates are created Product Owners, Financial Admins, or Admins can Claim Resources to the Workload within the Resource Tab.

On load, Resource that are Open to be Claimed will be visible in the table. Users can use the search to identify by Service Name, Resource Name, or Tag.

Claiming Resources can be done across multiple Workload or Multiple Resources can be Bulk Claimed.

Multi-Workload

Bulk Claim

To view Claimed Resources, Select the Claimed Resource Checkbox. The Status visual provides information on which Budget it belongs , the date of action, and the User that made the action.

For Claimed Resources within the Budget Scope, the Resource(s) can be Released back to the available pool to be Claimed by another Workload or to Account Allocation.

Roles and Users have Allocation/Visibility within their Financial Scope. The allocation is across all Tabs and within their Amazon Q Topics.

On the Summary Page, the Account Allocation for the User are shown Across Current, Expiring, New, Past, and Future.

For Financial Admin, Admin, Vendor Management, Business Unit Owner, Department Owner, and Portfolio Owners Accounts/Workload needs have a Workload Created by the Product Owner for it to be visible.

Budget Pages, Reporting, and Amazon Q Visibility will be defined on their Functional Page Documentation.

Product Owners own creating Workload Estimate in FinOps Center leveraging a AWS Pricing Calculating Link.

Any entity (internal user, AWS, AWS Partner) can create an estimate for a Workload via the AWS Calculator - https://calculator.aws/. Each Workload Estimate should be for the Workload in that AWS Account. Once the Estimate is created, the Product Owner will add the Link to the Estimate with the Monthly Estimate.

Once the Estimate is created, the Product Owner will add the Link to the Estimate with the Monthly Estimate and Save

Workload Estimates flow to the Budget Schedule to be included in Monthly Budget Schedule.

Product Owners need to own their Monthly budgets that are scheduled from their Annual Approved AWS Budgets. Working with their Portfolio Management, their Monthly Budgets will be Accepted so that all Users understanding spending within the expected Spending Run Rate.

Monthly Budgets, can be updated via the Rescheduling Process.

Product Owners will navigate to their Budget Page and select the Product Budget that they want to schedule.

Within the Budget, Complete Schedule

Once Schedule is Completed, Product Owner Submit for Approvals and see the Budget Status as Pending.

A submitted Budget will then be sent to the Portfolio User to Approve or Reject.

From their Summary Page they will see they have a Budget Task to take action.

From the Budget Page, the Portfolio Owner will be guided to the Budget Requiring Action.

Porfolio Owner select and Take Action to Approve/Reject Budget Schedule

Upon Approval, the Budget Card will show approved for both Product and Portfolio User.

As new Workload are added to Budgets, Monthly Schedules will need to be updated through a 2 Step Process.

First there is a Request to Reschedule the Budget by the Product Owner.

Finops Center budgets Rollup through Roles and User Based on their Financial Scope.

For Budgets to be shown with Variance they must have Status Approved.

Financial Admin and Vendor Manager Roles have access to all spending data. Within Budgets Tables, their visuals are layered and can be navigated down to the Monthly Schedule per Budget.

The Page can be toggled Monthly vs Annual with all visuals updating on selection. The Heat Map Chart on the left scales to the contribution of total spending across the financial scope with the color representing spending to budget. If area is Gray, that individual budget is not approved.

Below the Top Visual are the individual Business Units Spending. To drill down on a Business Unit Select the Details of the Departments

Each Department is visible within the Business Unit with the ability to view Portfolios within that Department

Each Portfolio shows all of the Product Budget with the corresponding Monthly Schedule including the cumulative Workload Estimates.

Business Unit Roles have access to all spending data within the Business Unit(S) the have Financial Scope. Within Budgets Tables, their visuals are layered and can be navigated down to the Monthly Schedule per Budget.

The Page can be toggled Monthly vs Annual with all visuals updating on selection. The Heat Map Chart on the left scales to the contribution of total spending across the financial scope with the color representing spending to budget. If area is Gray, that individual budget is not approved.

As of FinOps Center 25.2.0, FinOps Center has 7 roles with specific Daily, Weekly, and Monthly Activies.

Financial Admins are the primary managers of the AWS Cloud Estate.

View

Application

• All Financial Scope

Amazon Q in QuickSight Topics / CUDOS Access

• Topics: AWS Vendor, AWS Spending

• CUDOS

Daily Activities

• Adding/modifying Budgets

• Adding/modifying Users to Budgets

• Adding/modifying AWS Account Allocation to Budgets

• Adding AWS Credits to Budgets

• Claiming/Unclaiming Resources to Workloads

• Adding QuickSight Dashbaords/Topics

• Monitoring Spending to Budgets

Weekly Activities

• Monitoring Spend Approvals

Monthly

• Close Month

• Download/Upload AP and FP&A Files

Vendor Manager Role deals around Buying and Discounts Activities.

View

Application

• All Financial Scope

Amazon Q in QuickSight Topics / CUDOS Access

• Topics: AWS Vendor, AWS Spending

• CUDOS

Daily Activities

• Adding/Modifying Discounts

• Adding/Modifying Budgets

Weekly Activities

• Monitoring Spend Approvals

Financial Admins are the primary managers of the AWS Cloud Estate.

View

Application

• None

Amazon Q in QuickSight Topics / CUDOS Access

• Topics: AWS Vendor, AWS Spending

• CUDOS

Daily Activities

• Add/Manage Users

• Add initial AWS Account Allocation to Budgets

• Claiming/Unclaiming Resources to Workloads

• Adding QuickSight Dashbaords/Topics

Weekly Activities

• Monitoring Spend Approvals

Monthly

• Close Month

• Download/Upload AP and FP&A Files

Business Unit Owners can manage one or multiple BUs.

View

Application

• Financial Scope in Business Unit(s)

Amazon Q in QuickSight Topics / CUDOS Access

• Topics: AWS Spending - Business Unit

Daily Activities

• Monitoring Spending to Budgets

Weekly Activities

• Monitoring Spend Approvals

Monthly

• Download FP&A Files for Business

Department Owners can manage one or multiple Departmentss.

View

Application

• Financial Scope of Department(s)

Amazon Q in QuickSight Topics / CUDOS Access

• Topics: AWS Spending - Department

Daily Activities

• Monitoring Spending to Budgets

Weekly Activities

• Monitoring Spend Approvals

Portfolio Owners can manage one or multiple Portfolios.

View

Application

• All Financial Scope within Portfolios

Amazon Q in QuickSight Topics / CUDOS Access

• Topics: AWS Spending - Portfolio

Daily Activities

• Approve/Reject Budget Schedules

Weekly Activities

• Approve/Reject Spend Cards Submissions

Product Owners can manage one or multiple Products.

View

Application

• All Financial Scope within Portfolios

Amazon Q in QuickSight Topics / CUDOS Access

• Topics: AWS Spending - Product

Daily Activities

• Create/Modify Budget

• Create Workload

• Claim/Unclaim Resources

Weekly Activities

• Approve/Reject Spend Cards

Amazon Q in QuickSight FinOps Center Framework provide Curated Topics for the different Personas/Roles with FinOps Center by their Financial Scope.

The Framework provides both the framework to extract data from customer's FinOps Center application and integrates it with the AWS Cost and Usage Data.

Prerequisites for Amazon Q in QuickSight FinOps Center Framework

The Amazon Q for QuickSight FinOps Center Framework brings the power of Amazon Q to your FinOps Users.

To be able to be installed, Customers need to have one of the FinOps Center versions installed, have FinOps Center Minimal Setup Complete (See Below), and have Amazon Q in QuickSiight enabled in there environment with at least 1 Author Pro Enabled with Embedding of your FinOps Center application configured.

FinOps Center Minimal Setup for the Amazon Q in QuickSight Framework:

1. One Product Owner Onboarded

2. One Budget Onboarded and Mapped to Product Owner

3. One AWS Account Mapped to Budget

4. One Workload Created to the Mapped AWS Account

5. One Resource Claimed to the Workload

All FinOps Center underlying compute (including Amazon Q in QuickSight) is the responsibility of Customers.

Pricing for Amazon Q in QuickSight - A $250/month per account Amazon Q enablement fee applies for accounts with at least one Pro user or with at least one Amazon Q Topic.

Click to Zoom Click to Zoom

To Install the Amazon Q in QuickSight FinOps Center Framework customer must Add 1 Author Pro User to their QuickSight Environment.

Embedding must be enabled with the url of the FinOps Center Application.

Upon considering to install the Amazon Q in QuickSight FinOps Center Framework please be aware of the following:

1. Lambda code hosted in your S3 buckets are not ingested nor scanned by AWS Marketplace. This creates an external dependency. Applications that require external dependencies on deployment must follow product usage policies which includes proper disclosure. In the Release Notes of each FinOps Center Release include the results of the AWS CodeGuru Scan.

2. FinOpsCenterQGlueCrawlerRole295A8956 : add a warning in your deployment guide, product access instructions, or clusters and resources long descriptions that customers should consider deploying into new AWS accounts because the permissions allow your application access to read, edit, and/or delete existing AWS resources in the AWS account.

3. Other IAM roles: The purpose of each of these resources must be included in the product description or usage instructions. IAM Roles are listed with purpose at https://docs.finopscenter.com/amazon-q-in-quicksight-finops-center-framework/amazon-q-in-quicksight-finops-center-framework-roles-and-purpuse/version/3?kb_language=en_US

4. The Role AmazonQFramework-FinOpsCenterQGlueCrawlerRole* leverages the Glue Services Role that enables the solution to Access additional resources than the scope of Amazon Q in QuickSight FinOps Center. If this is an issue, consider deploying in stand alone AWS Account.

5. AWS Marketplace Scans the AMIs that Cloud Scal3 Provides but not the Code Artifacts that are used during the installation. Please view the results of our internal code scanning with AWS CodeGenius with the version Release Notes that you are installing.

The CFT for the Backend Framework Setup and the creation of the QuickSight components create IAM in the AWS Account that it is installed.

Below is the list of the Roles and their Purpose:

During the installation of FinOps Center, the following roles are created in customers accounts:

• US East (Ohio) (us-east-2)

• US East (N. Virginia) (us-east-1)

• US West (Oregon) (us-west-2)

• Asia Pacific (Mumbai) (ap-south-1)

• Asia Pacific (Seoul) (ap-northeast-2)

• Asia Pacific (Singapore) (ap-southeast-1)

• Asia Pacific (Sydney) (ap-southeast-2)

• Asia Pacific (Tokyo) (ap-northeast-1)

• Canada (Central) (ca-central-1)

• Europe (Frankfurt) (eu-central-1)

• Europe (Ireland) (eu-west-1)

• Europe (London) (eu-west-2)

• Europe (Paris) (eu-west-3)

• Europe (Stockholm) (eu-north-1)

• South America (São Paulo) (sa-east-1)

FinOps Center is 100% Cloud-Native leveraging a number of AWS Services. The Full Architecture runs Across Multiple AWS Account Aligned to the Multi-Acccount Strategy.

In the Master Payer Account - FinOps Center leverages the Cost & Usage Report (CUR) for Billing information. The CUR is stored in a s3 Bucket in the Master Payer Account. Customers leverage AWS Bucket Replication (and Batch Operations) to move the CUR Objects to the S3 bucketing in the FinOps Center Installed Account.

One of the limitations of the CUR is the delay in Accounts showing up on the file. During the Account Vending Process, this delay will add work to align AWS Accounts to Financial Budgets. To facilitate this end-to-end process, FinOps Center (in the Delegated Admin / CloudOps Account) queries the Organization/Account Management API to immediately make Accounts onboarded even prior to the Account having billing.

FinOps Center stores data in DynamoDB and aligns to general practices of using DynamoDB for Storage and Security.

As with all data storied in DynamoDB, customers can chose to encrypt the data at rest with the default AWS Owned , AWS Managed, or Customer Managed Keys

Underlying Services Security, Monitoring, and Backup

Last Updated: October 24, 2024

At Cloud Scal3 Inc. (“we,” “us,” or “our”), we value your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard the information you provide when visiting our website, [www.cloudscal3.com](http://www.cloudscal3.com), and www.finopcenter.com or interacting with us.

1. Information We Collect

We may collect and process the following types of personal data:

- Contact Information: This includes your name, email address, phone number, and any other contact details you provide. - Usage Data: Information about how you interact with our website, such as IP address, browser type, time zone, referring/exit pages, and clickstream data. - Marketing Data: Information about your preferences and interests, which may include responses to marketing campaigns or surveys you participate in. - Cookies and Tracking Technologies: We use cookies and similar tracking technologies to enhance your experience, understand your preferences, and deliver targeted advertisements.

2. How We Use Your Information

We use the information we collect in the following ways:

- To Improve Our Website: We analyze data to understand how visitors use our site, ensuring it is easy to navigate and tailored to user needs. - To Communicate with You: We may use your contact information to send you promotional content, newsletters, updates, or respond to your inquiries. - For Marketing Purposes: We use your information to provide personalized advertisements and special offers based on your interests, either through our website or third-party marketing partners. - To Comply with Legal Obligations: We may process your data to comply with legal requirements or respond to legal requests.

3. Sharing Your Information

We do not sell your personal data. However, we may share your information with:

- Service Providers: Third-party vendors who assist us in providing website functionality, marketing services, analytics, and other business operations. - Advertising Partners: Marketing agencies and advertisers to help deliver tailored content and ads that may interest you. - Legal Authorities: When necessary to comply with legal obligations, prevent fraud, or protect the rights of Cloud Scal3 Inc. and others.

4. Data Retention

We retain your personal data only as long as necessary to fulfill the purposes outlined in this policy, or as required by law. You may request deletion of your data by contacting us at [insert contact email].

5. Your Privacy Choices

You have the following rights regarding your personal data:

- Opt-Out: You can opt out of receiving marketing communications by following the unsubscribe instructions in the emails we send or contacting us directly. - Access and Correction: You may request access to, correction of, or deletion of your personal data by contacting us. - Cookie Preferences: You can manage your cookie settings through your browser or our cookie consent tool.

6. Security

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, loss, misuse, or alteration.

7. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will post any updates on this page and notify you of significant changes through our website or other communication channels.

8. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Cloud Scal3 Inc. Email: support@cloudscal3.com

Last Updated: October 24,2024

Cloud Scal3 Inc. ("we," "us," or "our") uses cookies and similar tracking technologies to enhance your experience and analyze how our websites, [www.cloudscal3.com](http://www.cloudscal3.com) and [www.finopscenter.com](http://www.finopscenter.com), are used. This Cookie Policy outlines how we use these technologies for marketing purposes.

1. What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us remember your preferences, understand how you interact with our websites, and provide tailored content, including personalized marketing messages.

2. Types of Cookies We Use

We use the following types of cookies on our websites:

- Essential Cookies: These cookies are necessary for the operation of our websites and enable features like secure login and form submissions. They cannot be disabled. - Analytical/Performance Cookies: These cookies help us understand how visitors use our websites, which pages are popular, and how we can improve site performance.

- Marketing/Advertising Cookies: These cookies track your online activity to deliver personalized ads relevant to your interests. We use these cookies to analyze user behavior and ensure our marketing efforts are effective.

- Third-Party Cookies: In some cases, we use third-party service providers (e.g., advertising networks, analytics services) that set cookies on our behalf to deliver tailored advertisements and analyze website traffic.

3. How We Use Cookies for Marketing

We use cookies to:

- Understand User Preferences: We track how you interact with our websites to understand your preferences and deliver personalized marketing content. - Display Targeted Ads: We use marketing cookies to deliver relevant ads on our websites and other platforms based on your interests and browsing behavior. - Measure Campaign Effectiveness: Cookies help us analyze the performance of marketing campaigns to optimize our advertising efforts.

4. Managing Your Cookie Preferences

You have the right to manage or disable cookies. Here’s how:

- Cookie Consent Tool: You can manage your preferences through the cookie consent tool that appears on our websites when you first visit or by clicking on the “Cookie Settings” link available on our website footer. - Browser Settings: You can adjust your browser settings to refuse cookies or delete existing cookies. However, this may affect the functionality of our websites. - Opt-Out of Targeted Advertising: You can opt out of personalized advertising by adjusting your preferences on advertising platforms or using industry opt-out tools like the [Network Advertising Initiative](https://www.networkadvertising.org/) or [Digital Advertising Alliance](https://youradchoices.com/).

5. Data Protection and Privacy

Cookies may collect personal data, such as IP addresses or unique identifiers, to tailor marketing efforts. For more details on how we handle personal data, please refer to our [Privacy Policy](#).

6. Changes to This Cookie Policy

We may update this Cookie Policy periodically to reflect changes in our practices or legal requirements. We will notify you of significant changes through our websites or other communication channels.

7. Contact Us

If you have any questions about this Cookie Policy or how we use cookies, please contact us:

Cloud Scal3 Inc. Email: support@cloudscal3.com

FinOps Center is licensed under the terms and conditions of the AWS Marketplace Standard Contract

https://s3.amazonaws.com/aws-mp-standard-contracts/Standard-Contact-for-AWS-Marketplace-2022-07-14.pdf

FinOps Center leverages native services encryption of data at rest and in transit.

All FinOps Center data is stored in S3 or DynamoDB when at rest. When users are accessing the application CloudFront provides the SSL connection for the frontend application.

1. React Frontend (S3 Hosting)

Data at Rest:

• S3 Server-Side Encryption (SSE):

  • SSE-S3: Encrypts objects using AES-256, managed by S3.

  • SSE-KMS: Uses AWS Key Management Service (KMS) for encryption keys, giving more control over key policies and auditability.

  • SSE-C: Customer-provided encryption keys, if you prefer to manage keys outside AWS.

• Client-Side Encryption: Use AWS SDK for encryption before uploading objects to S3. You manage keys and encrypt data client-side.

Data in Transit:

• Use HTTPS (TLS 1.2 or higher) for all communications to and from S3.

• Enforce HTTPS using S3 bucket policies or CloudFront distribution.

2. QuickSight Dashboards

Data at Rest:

• QuickSight encrypts your data at rest using AWS KMS by default.

• For additional control, configure your own KMS Customer Managed Key (CMK) for QuickSight to use.

Data in Transit:

• All communication between QuickSight, S3, and other AWS services is protected using TLS 1.2.

Embedded Dashboards:

• Use secure HTTPS connections for embedding dashboards within your React frontend.

• FinOps Center Custom IAM policies and Row-Level Security (RLS) to ensure users only see authorized data.

3. Lambda Functions (Business Logic)

Data at Rest:

• By default, AWS Lambda encrypts deployment packages and environment variables at rest using AWS-managed keys.

• For additional control, use KMS for:

  • Encrypting environment variables (configure KMS keys in Lambda function settings).

  • Encrypting sensitive application secrets (e.g., credentials, tokens) stored in AWS Secrets Manager or SSM Parameter Store.

Data in Transit:

• All data passed to and from Lambda is encrypted using TLS 1.2.

• Use HTTPS endpoints for API Gateway and other services invoked by Lambda.

4. DynamoDB (Application Data)

Data at Rest:

• Default Encryption with AWS KMS: All DynamoDB tables are encrypted at rest using AES-256.

• Use Customer Managed KMS Keys (CMK) for:

  • More control over the encryption keys.

  • Auditability and fine-grained key management.

Data in Transit:

• All DynamoDB connections use TLS 1.2 to secure data in transit.

• Enforce the use of HTTPS for all interactions with DynamoDB.

5. Cross-Service Encryption Management

• Use AWS Key Management Service (KMS) to unify encryption management across services like S3, Lambda, DynamoDB, and QuickSight.

• Monitor key usage with AWS CloudTrail for auditing encryption activities.

Summary Table of Encryption Options

Tools for Monitoring and Auditing Encryption

• AWS CloudTrail: Track key usage, access logs, and API calls.

• AWS CloudWatch: Monitor encryption-related metrics.

• AWS Config: Ensure encryption configurations remain compliant with best practices.

Map AWS Accounts to Financial Budgets prior to adding users

Communicate to users that they will receive emails inviting them to FinOps Center but that they should wait a day to enter the application or they may not have their experience loaded

Add Users via the Admin Screen not the Cognito Interface

Map Users to their Financial Scope once the Accounts have been mapped to their Budgets

Configure initial Amazon QuickSight Dashboard to all Roles

Upload Customer logo prior to adding users

Update the Cognito Email Invites Prior to sending invites

Once the Customer Logo has been upload - create a new invalidation in CloudFront.

Validate that CloudFront is Configured Correctly.

FinOps Center stores data in DynamoDB and aligns to general practices of using DynamoDB for Storage and Security.

As with all data storied in DynamoDB, customers can chose to encrypt the data at rest with the default AWS Owned , AWS Managed, or Customer Managed Keys

FinOps Center has a low burden on Technical Operations Teams once the pre-requisite AWS components are configured and the Application is deployed.

Skills of the Technical operations Team:

• AWS Engineering with specific understanding of the S3 Bucket Replication, CloudFormation, VPC Configuration, and Web Application Management leveraging CloudFront.

• AWS Data Engineering with understanding of DynamoDB Backups to S3

• Account Vending Process with Tools like Control Tower

Operational Checklist to Validate Functional Application

1. Validate that Cost and Usage Report has replicated to the Cloud Operations Account Bucket.

2. Compare loading of the Application Updated (Note: The application time stamp should be approximately 1 hr after the Bucket timestamp. This is due to the allowance of “eventual consistency” of bucket replication).

The Finance and Business Teams are the primary users of FinOps Center and will need to be enabled in operations of the applications. In the Finance and Business Teams, there should be members that are comfortable in the development of QuickSight Dashboards and how to share information to the Technical Operations Team to make a Dashboard available to different Roles.

The Finance and Business Team are the key to driving spend accountability with FinOps Center. They must daily monitor spending, card approval, and account mapping to validate that users are acting on the data.

All Cloud Scal3 products are sold exclusively via the AWS Marketplace.

AWS Marketplace: Cloud Scal3 Inc.

Any customerized offering or pricing is handled via the Standard Private Offers processes within Marketplace.

FinOps Center is a web application that may experience typical issues from users around login issues or page loading (especially updates). Additionally, during the initial 24hrs of installing FinOps Center the application may be awaiting data population from the Cost & Usage Report (CUR).

If users are having issues with their initial logging into FinOps Center it could be an issue with the Cognito temporary password. It is common that the remedy is to delete the users from the Cognito User Pool and Re-Create them in the FinOps Center Configuration.

During initial configuration of the application the AWS CUR Data is not loading you may need to wait until the next cycle to run. Have a member of your technical team navigate to the S3 bucket in the FinOps Center installed account and view when the last CUR was created keeping in mind that the CUR creation time is UCT. If a CUR cycle has run after the time of the upload of the Chart/Budget File, contact support.

If users are having issues accessing the Amazon Q in QuickSight Topices

To recovery FinOps Center the application and the database need to be restored to the last know functioning state.

If their is an issue with the application after patching the environment with a new release, return to the ami of the prior release and launch instance. The cdk bucket will load with the previous release. Return to the CloudFormation and Update the stack with the previous releases JSON Object.

FinOps Center stores all of its data in DynamoDB. During the installation, the DynamoDB tables are enabled with Point-in-time Recovery. If any tables needs to be recovered, an engineer can log into the console, navigate to the DynamoDB service, and restore any table to the time of last operation.

RTO Target

FinOps Center RTO is plus 2 hours from your original installation time. This is based on a scenerio where your AWS Account has been compromised and you need to restore the DynamoDB tables from an S3 backup in a new CloudOps Designated Admin Account.

RPO Target

FinOps Center RPO is close to zero as the Cost and Usage Report will be created in the MaterPayer Accounts. Any budget mapping can be be restored from backup but it would cause any data lose.

FinOps Center and Add-ons Support is available to all Subscribers of our Marketplace Products via our Website support.finopscenter.com with an SLA of 24 Hrs within the Business Week.

Premier Support is available for our Enteprise Products that provides a dedicated Customer Support Engineer. With Premier Support, your case will be worked on within 2 Business Hours Monday - Friday.

Delegated Admin Account via Security Hub Configuration

Integrating Security Hub with AWS Organizations - AWS Security HubAWS Security Hub

AWS Multi-Account Framework

Organizing Your AWS Environment Using Multiple Accounts - Organizing Your AWS Environment Using Multiple AccountsOrganizing Your AWS Environment Using Multiple Accounts

AWS Control Tower with Multi-Account Strategy

AWS multi-account strategy for your AWS Control Tower landing zone - AWS Control TowerAWS Control Tower

AWS Cloud Financial Management

Cloud Cost Management - AWS Cloud Financial Management - AWSAmazon Web Services, Inc.

AWS Service Limits

Cognito Quotas

Quotas in Amazon Cognito - Amazon CognitoAmazon Cognito

DynamoDB

Service, account, and table quotas in Amazon DynamoDB - Amazon DynamoDBAmazon DynamoDB

Lambda

Lambda quotas - AWS LambdaAWS Lambda

Security, Monitoring, and Backup

DynamoDB

Encryption

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

Monitoring

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/monitoring.html

Backup

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/BackupRestore.html

Lambda

Security

https://docs.aws.amazon.com/lambda/latest/dg/lambda-security.html

Monitoring

https://docs.aws.amazon.com/lambda/latest/dg/lambda-monitoring.html

VPC Endpoints

https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html

IAM Best Practice

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html

Amazon Q in QuickSight Community

Amazon QuickSight CommunityAmazon QuickSight Community

Cloud Intelligence Dashboard Framework

Workshop Studio