Upon considering to install the Amazon Q in QuickSight FinOps Center Framework please be aware of the following:
Lambda code hosted in your S3 buckets are not ingested nor scanned by AWS Marketplace. This creates an external dependency. Applications that require external dependencies on deployment must follow product usage policies which includes proper disclosure. In the Release Notes of each FinOps Center Release include the results of the AWS CodeGuru Scan.
FinOpsCenterQGlueCrawlerRole295A8956 : add a warning in your deployment guide, product access instructions, or clusters and resources long descriptions that customers should consider deploying into new AWS accounts because the permissions allow your application access to read, edit, and/or delete existing AWS resources in the AWS account.
Other IAM roles: The purpose of each of these resources must be included in the product description or usage instructions. IAM Roles are listed with purpose at
The Role * leverages the Glue Services Role that enables the solution to Access additional resources than the scope of Amazon Q in QuickSight FinOps Center. If this is an issue, consider deploying in stand alone AWS Account.
AWS Marketplace Scans the AMIs that Cloud Scal3 Provides but not the Code Artifacts that are used during the installation. Please view the results of our internal code scanning with AWS CodeGenius with the version Release Notes that you are installing.
Agent Bill Amazon Q in QuickSight for FinOps Center is installed with currated Topics that can be customized to your organizational naming convention.
Each Topics need to be Modified to your Organization.
Additional Hints to provide the best expereince for your Users
Select Non Additive for the Monthly Periods
Agent Bill loads data to Quick Sight via Athena for each role. Depending on the number of refreshes that customer configure, there will be at least 6 queries each day of large datasets. Query results bucket should have a lifecycle rule that deletes bucket results every 30 days to avoid undue costs.
Agent Bill Amazon Q for QuickSight For FinOps Center brings the power of Amazon Q to your FinOps Users.
To be able to be installed, Customers need to have one of the FinOps Center versions installed, have FinOps Center Minimal Setup Complete (See Below), and have Amazon Q in QuickSiight enabled in there environment with at least 1 Author Pro Enabled with Embedding of your FinOps Center application configured.
FinOps Center Minimal Setup for the Amazon Q in QuickSight Framework:
One Product Owner Onboarded
One Budget Onboarded and Mapped to Product Owner
One AWS Account Mapped to Budget
One Workload Created to the Mapped AWS Account
One Resource Claimed to the Workload
All FinOps Center underlying compute (including Amazon Q in QuickSight) is the responsibility of Customers.
Pricing for Amazon Q in QuickSight - A $250/month per account Amazon Q enablement fee applies for accounts with at least one Pro user or with at least one Amazon Q Topic.
Click to Zoom Click to Zoom
To Install Agent Bill Amazon Q in QuickSight for FinOps Center customer must Add 1 Author Pro User to their QuickSight Environment.
Embedding must be enabled with the url of the FinOps Center Application.
The CFT for the Backend Framework Setup and the creation of the QuickSight components create IAM in the AWS Account that it is installed.
Below is the list of the Roles and their Purpose:
Lambda to update config in s3 bucket
Lambda to setup quicksight assets
Lambda to execute named queries on athena
Lambda to check quicksight dataset refresh status
Lambda to create and database on athena which connects to s3
Lambda to create datastores, datasets, themes on quicksight
Lambda to create datastores, datasets, themes on quicksight
Lambda to create topics on quicksight
IAM Execution role to Extract Data from DynamoDB Tables
Lambda to write data into s3 bucket
Lambda to read data from dynamodb tables
Lambda to setup glue crawlers
