The AWS Configuration View provides a unified interface to establish a secure connection between the Cavisson platform and your Amazon Web Services (AWS) environment. It enables users to configure authentication details, set up cloud billing visibility, and retrieve cost data stored in Amazon S3 buckets. This configuration helps monitor and analyze AWS expenditure directly within the platform.

Prerequisites

Access Key ID and Secret Access Key: Obtain from AWS IAM → Users → Security Credentials. Create new access key and download the CSV file.
External Amazon S3 Bucket: Bucket used to store AWS Cost and Usage Reports (CUR).
Export Path Prefix: Folder path inside S3 bucket for CUR data.
Export Name: Cost & Usage Report name configured in AWS Billing.
AWS Region: Region hosting your S3 bucket (e.g., us-east-1, ap-south-1).
Compression & File Format: GZIP – text/csv for compressed CUR exports.
S3 Bucket: Unique bucket name for storing the export.
S3 Path Prefix: Permanent folder prefix (e.g., cavisson).
IAM Policy Setup for AWS Cost Visibility

IAM → Users → Select target user
Click Add Permissions → Create Inline Policy
Switch to the JSON tab
Paste the policy below, replacing Bucket name / <Bucket name> with your S3 bucket name


{
    "Version": "2012-10-17",

    "Statement": [

        {

        "Sid": "ReportDefinition",

        "Effect": "Allow",

        "Action": [

        "cur:DescribeReportDefinitions"

        ],

        "Resource": "*"

        },

        {

        "Sid": "GetObject",

        "Effect": "Allow",

        "Action": [

        "s3:GetObject"

        ],

        "Resource": "arn:aws:s3:::Bucket name/*"

        },

        {

        "Sid": "CloudWatchListMetrics",

        "Effect": "Allow",

        "Action": [

        "cloudwatch:ListMetrics",

        "cloudwatch:GetMetricData",

        "pricing:GetProducts"

        ],

        "Resource": "*"

        },

        {

        "Sid": "BucketOperations",

        "Effect": "Allow",

        "Action": [

        "s3:ListBucket",

        "s3:GetBucketLocation"

        ],

        "Resource": "arn:aws:s3:::<Bucket name>"

        },

        {

        "Effect": "Allow",

        "Action": [

        "sts:GetCallerIdentity",

        "sts:AssumeRole"

        ],

        "Resource": "*"

        },

        {

        "Effect": "Allow",

        "Action": [

        "bcm-data-exports:ListExports",

        "bcm-data-exports:CreateExport",

        "bcm-data-exports:GetExport"

        ],

        "Resource": "*"

        },

        {

        "Effect": "Allow",

        "Action": "cur:PutReportDefinition",

        "Resource": "*"

        }

    ]

    }

Authentication Mechanism

AWS SDK Default

This method uses credentials available in the environment such as IAM roles, AWS CLI configuration, or environment variables.

Assume Role ARN (Optional): Used to grant temporary access to resources in another AWS account.
- To retrieve: Go to IAM > Roles > Select Role and copy the Role ARN from the overview page.
  Format: arn:aws:iam::ACCOUNT-ID:role/ROLE-NAME
External ID (Optional): Adds an extra layer of security for cross-account role assumption.
- To retrieve: Go to IAM > Roles > Select Role > Trust Relationships and view the External ID (if configured).
Endpoint (Optional): Specifies a custom AWS service endpoint (GovCloud, China, LocalStack).
- To retrieve: Go to AWS Documentation > General Reference > AWS Service Endpoints.
Region: Identifies the AWS region where resources and billing data are hosted.
- To retrieve: Go to the AWS Console and check the top-right region selector (e.g., us-east-1).
Namespace of Custom Metrics (Optional): Used to collect or view custom CloudWatch metrics.
- To retrieve: Go to CloudWatch > Metrics and locate the Custom Namespace.

Access and Secret Key

This option allows authentication using manually entered IAM credentials.

Access Key ID:
- To retrieve: Go to IAM > Users > Select User > Security Credentials and copy the Access Key ID.
Secret Access Key:
- To retrieve: Copy the Secret Access Key when creating a new access key or from the downloaded CSV file.
  Note: This value is shown only once.
External ID (Optional): Adds an extra layer of security for cross-account role assumption.
- To retrieve: Go to IAM > Roles > Select Role > Trust Relationships and view the External ID (if configured).
Endpoint (Optional): Specifies a custom AWS service endpoint (GovCloud, China, LocalStack).
- To retrieve: Go to AWS Documentation > General Reference > AWS Service Endpoints.
Region: Identifies the AWS region where resources and billing data are hosted.
- To retrieve: Go to the AWS Console and check the top-right region selector (e.g., us-east-1).
Namespace of Custom Metrics (Optional): Used to collect or view custom CloudWatch metrics.
- To retrieve: Go to CloudWatch > Metrics and locate the Custom Namespace.

Credential File

Authenticate using a credentials file containing the access key and secret key.

Credential File: Upload a .csv or .ini file containing AWS credentials.
- To retrieve: Go to IAM > Users > Security Credentials > Create Access Key and download the CSV file, or manually create an INI file.
Upload Option:
- To retrieve: Use the file browser in the interface to upload the credentials file from your local system.
External ID (Optional): Adds an extra layer of security for cross-account role assumption.
- To retrieve: Go to IAM > Roles > Select Role > Trust Relationships and view the External ID (if configured).
Endpoint (Optional): Specifies a custom AWS service endpoint (GovCloud, China, LocalStack).
- To retrieve: Go to AWS Documentation > General Reference > AWS Service Endpoints.
Region: Identifies the AWS region where resources and billing data are hosted.
- To retrieve: Go to the AWS Console and check the top-right region selector (e.g., us-east-1).
Namespace of Custom Metrics (Optional): Used to collect or view custom CloudWatch metrics.
- To retrieve: Go to CloudWatch > Metrics and locate the Custom Namespace.

Cloud Cost Visibility Configuration

Once the authentication is successful, configure the S3 export location from where billing data will be retrieved.

Export Name: Cost & Usage Report name.
Retrieve: AWS Console → Billing → Cost & Uasge Analysis → Data Exports → Copy Export Name
Export Amazon Bucket Name: S3 bucket storing CUR files.
Retrieve: AWS Console → Biling → Cost & uasge analysis → Data Exports → Copy S3 bucket Name (Right side of the specific export name)
Export Path Prefix: Folder prefix for CUR data.
Retrieve: AWS console → Biling → Cost & usage analysis → Data Exports → select S3 bucket (Right side of the specific export name) → copy the path prefix

Note: Ensure the report has hourly granularity and CSV format (GZIP compression allowed).

Test and Save: Validates credentials and S3 export settings, then saves on success.

Reset: Clears all fields for fresh entry.

Configure Cavisson — Discover Resources Policy

Before establishing the connection, include the Discover Resources policy so Cavisson can parse EC2 resource data. Use the JSON below in the "Type or paste a JSON policy document" step.

Steps 1–5 (quick checklist)

Open the AWS Management Console and go to IAM > Policies.
Click Create policy and switch to the JSON tab.
Type or paste the policy JSON shown below.
Click Review policy, give it a name (e.g. CavissonDiscoverResources) and description, then Create policy.
Attach the policy to the IAM role or user that Cavisson will use (IAM > Users or Roles > Attach policies).

Policy JSON


    {

        "Version": "2012-10-17",

        "Statement": [

            {

            "Sid": "OptScaleOperations",

            "Effect": "Allow",

            "Action": [

            "s3:GetBucketPublicAccessBlock",

            "s3:GetBucketPolicyStatus",

            "s3:GetBucketTagging",

            "iam:GetAccessKeyLastUsed",

            "cloudwatch:GetMetricStatistics",

            "s3:GetBucketAcl",

            "ec2:Describe*",

            "s3:ListAllMyBuckets",

            "iam:ListUsers",

            "s3:GetBucketLocation",

            "iam:GetLoginProfile",

            "cur:DescribeReportDefinitions",

            "iam:ListAccessKeys",

            "elasticloadbalancing:Describe*"

            ],

            "Resource": "*"

            }

        ]

    }

Query / Examples

AWS CLI — create policy


aws iam create-policy --policy-name CavissonDiscoverResources --policy-document file://policy.json


    
# To create the policy.json file, paste the JSON above into a file named policy.json

AWS CLI — attach policy to role


aws iam attach-role-policy --role-name CavissonRole --policy-arn arn:aws:iam::123456789012:policy/CavissonDiscoverResources



# replace ACCOUNT_ID and role name as needed

Notes

Use the JSON block above directly in the AWS Console "JSON" tab when creating a new policy.
Make sure to restrict the policy to the minimum necessary resources in production (replace "Resource": "*" where possible).

For Kubernetes data: Verify Split Cost Allocation

To check if you have successfully enabled Pod/Namespace "Split" Cost, you need to verify two specific settings in the AWS Billing Console.

Check the "Global Switch" (Cost Management Preferences)
This is the master switch. If this is unchecked, no report will ever see Pod data.
- Go to the Billing and Cost Management Console.
- In the left navigation pane, click Cost Management preferences.
- Scroll down to the section Split cost allocation data.
- Verify: Ensure the checkbox for Amazon Elastic Kubernetes Service (Amazon EKS) is checked and set to Active.
  (If it is unchecked: Check it now and select "Resource requests" — this is the standard, free option).
Check Your Report Definition
Even if the switch above is On, your specific report (CUR) must be configured to include that data in the file it generates.
- Click on the Report name you are using.
- Look under Report content or Report details.
- Verify: You should see "Split cost allocation data" listed as Included (or the box checked).
The "Final Proof" (Check the File)
If you want to be 100% sure the data is flowing:
- Download your latest Report (CSV file) from your S3 bucket.
- Open it and search for a column named lineItem/LineItemType.
- Filter that column for the value SplitUsage.

If you see SplitUsage rows: It is working! These rows represent your Pods.
If you only see Usage: It is NOT working yet (or the data hasn't processed, which takes 24 hours).