With an organization, you will need to update the existing policy to add the required permissions to provide us access to your sub-accounts. AWS provides a way to delegate roles across accounts. The process should take a few minutes per sub-account.


Step 1: Gather AWS Account ID(s)


The various AWS account IDs (master and sub-accounts) will be used in future steps.


We should have provided you with all the required IDs, so you can jump directly to Step #2. If we haven’t done so, please reach out to us at hello@cloudforecast.io or follow these steps:

  1. Click on your username in the top navigation bar of AWS and select “My Organization”

  2. Copy all the “Account ID”s for future use. Make sure to also note which account is flagged as the master account (★) and which one is the sub account. 

In the following steps, “sub-accounts” means all your accounts excluding the master account.


Step 2: Setup role on your sub-account(s)

In order for the master account to access the required data from each sub-account, we will create a role that the master account can ‘assume’ (documentation) when running the report. Please keep track of all the sub-account IDs you process, as they will need to be referenced in Step #3.


Important note: The following steps will need to be repeated for each sub-account you want to set this up for. Example: If you have 3 sub-accounts, you'll need to repeat the following steps three times:

  1. Log in to AWS Management Console with your sub-account credentials

  2. Search for “IAM” in the AWS services search bar and select it, or visit https://console.aws.amazon.com/iam/home#/home

  3. Select “Roles” in the left panel

  4. Click “Create role”

  5. In the “Select type of trusted entity”, select the “Another AWS account” option

  6. Enter your master account id in the “Account ID” field

  7. Click “Next: Permissions” on the bottom right. (Make sure to leave “Require external ID” and “Require MFA” unchecked. The External ID is not necessary here as the master account (and not CloudForecast) will assume the role)

  8. Click “Create policy”, then the “JSON” tab (*Important notice: This will open a new tab, so make sure to keep the original tab open as we will come back to it.)

  9. Copy and paste the following policy into the JSON tab editor. 

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:ListAccounts",
                    "cloudwatch:GetMetricStatistics",
                    "dynamodb:DescribeTable",
                    "dynamodb:ListTables",
                    "elasticache:DescribeCacheClusters",
                    "elasticache:DescribeReservedCacheNodes",
                    "ec2:DescribeInstances",
                    "ec2:DescribeReservedInstances",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeAddresses",
                    "rds:DescribeDBInstances",
                    "rds:DescribeReservedDBInstances",
                    "redshift:DescribeClusters",
                    "redshift:DescribeReservedNodes",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "ce:*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }


  10. Click “Review Policy”

  11. Enter “CloudForecastSavingReport” in the “Name” field. Please ensure this is 100% accurate otherwise your Cost Savings Report will not work properly.

  12. Press the blue “Create Policy” button on the bottom right to create the policy. 

  13. Go back to your original tab from step 8, and press the refresh button.

  14. Search for “CloudForecastSavingReport” in the search box to ensure the policy has been created, and then check the checkbox next to the policy name.

  15. Press “Next: Review” on the bottom right.

  16. Enter “CloudForecastSavingReport” in the “Role name*” field

  17. Press “Create role” on the bottom right

  18. You are done for this sub-account! Please ensure you are keeping track of the sub-account IDs.

  19. Celebrate! 


Step 3: Update your policy in your master account

  1. Log in to AWS Management Console with your sub-account credentials

  2. Search for “IAM” in the AWS services search bar and select it, or visit https://console.aws.amazon.com/iam/home#/home

  3. Select “Policies” in the left panel

  4. Use the “Search” bar to find the policy attached to the account provided during the initial CloudForecast setup (could be billing or cloudforecast) and click on the name.

  5. Select “Edit Policy” and click on the JSON tab (If you are running any services on your master account, add the following section in the Statement array of your policy. This should be pasted right after the open bracket “[”):

    {
        "Effect": "Allow",
        "Action": [
            "organizations:ListAccounts",
            "cloudwatch:GetMetricStatistics",
            "dynamodb:DescribeTable",
            "dynamodb:ListTables",
            "elasticache:DescribeCacheClusters",
            "elasticache:DescribeReservedCacheNodes",
            "ec2:DescribeInstances",
            "ec2:DescribeReservedInstances",
            "ec2:DescribeVolumes",
            "ec2:DescribeAddresses",
            "rds:DescribeDBInstances",
            "rds:DescribeReservedDBInstances",
            "redshift:DescribeClusters",
            "redshift:DescribeReservedNodes",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeTargetGroups",
            "ce:*"
        ],
        "Resource": [
            "*"
        ]
    },


  6. Using all the sub-account ids gathered in Step #2, copy and paste the following section for each sub-account in the same statement array (make sure to replace SUBACCOUNT_ID):

    {
        "Effect": "Allow",
        "Action": [
            "sts:AssumeRole"
        ],
        "Resource": "arn:aws:iam::SUBACCOUNT_ID:role/CloudForecastSavingReport"
    },


  7. By now your policy should look similar to our example. Press “Review Policy” followed by “Save changes”.

  8. You are done! Congratulations! Please reach out to us at hello@cloudforecast.io so we can confirm your setup and run your report.
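
The per-sub-account statements from Step 3 can also be generated and checked before you save the policy. The following Python is an added example, not CloudForecast's own tooling; the account IDs are constructed and the function names are hypothetical. It builds one sts:AssumeRole statement per sub-account and reports any AssumeRole grant that differs from what Step 3 describes, such as an unreplaced SUBACCOUNT_ID placeholder, a wildcard, or a different role name.

```python
import re

ROLE_NAME = "CloudForecastSavingReport"  # role name from Step 2
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
SUB_ACCOUNTS = ["111111111111", "222222222222"]  # constructed sample IDs
READ_ONLY = {"Effect": "Allow", "Action": ["ce:*"], "Resource": ["*"]}  # abbreviated

def assume_role_statements(sub_account_ids):
    """Build one Step 3 sts:AssumeRole statement per sub-account ID."""
    statements = []
    for account_id in sub_account_ids:
        if not re.fullmatch(r"\d{12}", account_id):
            raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
        statements.append({
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
        })
    return statements

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_assume_role(policy, expected_ids):
    """Return findings for sts:AssumeRole grants that differ from Step 3."""
    findings, covered = [], set()
    for stmt in policy["Statement"]:
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        grants = actions & {"sts:assumerole", "sts:*", "*"}
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            m = ARN_RE.match(resource)
            if not m or "*" in resource or m.group(2) != ROLE_NAME:
                findings.append(f"unexpected AssumeRole target: {resource}")
            elif m.group(1) not in expected_ids:
                findings.append(f"account not in Step 1 list: {m.group(1)}")
            else:
                covered.add(m.group(1))
    missing = sorted(set(expected_ids) - covered)
    return findings + [f"missing statement for {i}" for i in missing]

def sample_policy():
    return {"Version": "2012-10-17",
            "Statement": [READ_ONLY] + assume_role_statements(SUB_ACCOUNTS)}

if __name__ == "__main__":
    print(audit_assume_role(sample_policy(), SUB_ACCOUNTS))
```

An empty list means every sts:AssumeRole grant in the policy targets the CloudForecastSavingReport role in one of the listed sub-accounts and nothing else.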