# AWS Integration FAQ

## What do I need before I can connect OneLens to AWS?

You need two things in place before starting:

* An active AWS account with permissions to create CloudFormation Stacks and StackSets.
* An S3 bucket that stores your Cost and Usage Report (CUR). If you haven't set one up yet, see [Setting Up Cost Reports Manually](https://docs.onelens.cloud/integrations/cloud-and-cost-sources/connect-to-aws/setting-up-cost-reports-manually).

{% hint style="info" %}
Both the Resource Role CFT and the CUR Role CFT must be deployed for OneLens to function correctly. Deploying only one will result in incomplete data ingestion.
{% endhint %}

## Does OneLens modify any of my AWS resources?

**No.** OneLens uses read-only IAM roles created by the CloudFormation templates. It only collects resource metadata, CloudWatch metrics, and Cost and Usage Report (CUR) data. No changes are made to your infrastructure at any point.

The roles are also fully reversible - you can delete them at any time to revoke OneLens access to your account.

The optional Scheduler setup is the one exception: it involves some permissions that can modify resources, and it is not included in the default setup.

## Why must the CUR Stack be deployed in us-east-1?

AWS Billing services, which generate and host the Cost and Usage Report, are internally hosted in the us-east-1 region. The CloudFormation stack that creates the CUR access role must be deployed in the same region to function correctly.

The Resource Role stack, on the other hand, can be deployed in any region since IAM is a global AWS service.

{% hint style="danger" %}
If you accidentally deploy the CUR Stack in a region other than us-east-1, delete it and redeploy in the correct region before proceeding.
{% endhint %}

## What is the difference between a Stack and a StackSet?

Both deploy CloudFormation templates, but they serve different purposes:

* Stack: Deploys resources into a single AWS account. Used for the CUR Role (master account only) and the Resource Role (individual accounts).
* StackSet: Deploys resources across multiple AWS accounts from a central management account. Used to push the Resource Role into all child accounts simultaneously.

If you manage accounts centrally via AWS Organizations, use the StackSet approach for the Resource Role in child accounts. You still need to run a Stack in the management account itself.

## Do I need to deploy the CUR Role in my child accounts?

No. You only need to deploy the CUR Role in your master/payer account. AWS Consolidated Billing means the master account holds all cost data for every linked account, so OneLens only needs CUR access from that one account.

{% hint style="warning" %}
If you have decentralised accounts (not part of AWS Organizations), you will need to deploy the CUR Role separately in each account you want to connect.
{% endhint %}

## What does the Role Name format mean, and do I have to follow it?

The recommended format for role names is:

```
OneLens-<10-char-alphanumeric-unique-id>
```

The unique identifier helps OneLens associate each role with the correct account during onboarding. You can either:

* Define your own name following this format, or
* Contact the OneLens support team at <support@astuto.ai> and they will provide the exact role name for your account.

## I see a ManagedPolicy warning during Stack creation. Should I be concerned?

No, this is expected. The CloudFormation templates are designed to create IAM roles with Managed Policies that grant OneLens its scoped, read-only access. AWS surfaces this warning any time a template creates an IAM policy.

Simply tick the acknowledgement checkbox and continue. The permissions are strictly limited to what OneLens needs - no broad or administrative access is granted.

{% hint style="info" %}
You can review the full contents of each CloudFormation template before deploying by opening the S3 URL in your browser.
{% endhint %}
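One way to carry out that review offline, as an added example (not OneLens code): the script below walks the IAM resources in a CloudFormation template and lists every allowed action or attached policy that is not plainly read-only. It assumes the template is in JSON form; the sample template, its logical IDs and the read-only prefix list are constructed for illustration.

```python
import json

# Verb prefixes treated as read-only: a heuristic chosen for this example.
READ_PREFIXES = ("get", "list", "describe", "view", "lookup", "search", "batchget")
IAM_TYPES = ("AWS::IAM::Role", "AWS::IAM::ManagedPolicy", "AWS::IAM::Policy")

def as_list(value):
    """IAM accepts a single item or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_template(template):
    """Return sorted (logical_id, finding) pairs that need a human look."""
    findings = set()
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in IAM_TYPES:
            continue
        props = res.get("Properties", {})
        for arn in as_list(props.get("ManagedPolicyArns")):
            if not str(arn).endswith("ReadOnlyAccess"):
                findings.add((logical_id, f"attached policy: {arn}"))
        # Policy document of a ManagedPolicy/Policy, plus inline policies on a Role.
        docs = [props.get("PolicyDocument", {})]
        docs += [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        for doc in docs:
            for stmt in as_list(doc.get("Statement")):
                if stmt.get("Effect") != "Allow":
                    continue
                if "NotAction" in stmt:
                    findings.add((logical_id, "Allow with NotAction"))
                for action in as_list(stmt.get("Action")):
                    verb = str(action).split(":")[-1].lower()
                    if not verb.startswith(READ_PREFIXES):
                        findings.add((logical_id, f"non-read action: {action}"))
    return sorted(findings)

# Constructed sample template, not the OneLens template.
SAMPLE = json.loads("""
{"Resources": {
  "ReadRole": {"Type": "AWS::IAM::Role", "Properties": {
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]}},
  "CostPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
    "Statement": [{"Effect": "Allow", "Resource": "*",
      "Action": ["ce:Get*", "cloudwatch:GetMetricData", "s3:ListBucket"]}]}}},
  "WritePolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
    "Statement": {"Effect": "Allow", "Resource": "*",
      "Action": ["ec2:Describe*", "ec2:StopInstances", "s3:*"]}}}}
}}
""")
```

Calling `audit_template(SAMPLE)` returns two findings, both on the constructed `WritePolicy` resource; an empty list means every allowed action matched a read-only prefix, which is a prompt for manual confirmation rather than proof.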

## What information do I need to send to OneLens after deployment?

Once both CFTs are deployed successfully, email the following details to <support@astuto.ai>:

* Master Account ID or the list of individually integrated account IDs
* Resource Role ARN (from the Stack Output tab)
* CUR Role ARN (from the Stack Output tab)
* S3 Bucket Name where your CUR files are stored
* Stack Role Names and unique identifiers (only if you customised the role names during deployment)

{% hint style="success" %}
The Role ARNs are visible under the Outputs tab of each completed CloudFormation Stack in the AWS console.
{% endhint %}

## How long does it take for data to appear in OneLens after connecting?

Once OneLens receives your account details and configures the connection, the initial data ingestion begins. Depending on the size of your CUR and the number of resources, the first data may take a few hours to appear in the dashboards.

After the initial load, OneLens processes data daily (or on the agreed schedule), so your insights stay up to date automatically.

## Can I revoke OneLens access to my AWS account?

Yes. To revoke access, simply delete the IAM roles created by the CloudFormation Stacks from your AWS account. You can do this by deleting the stacks themselves from the CloudFormation console, which will automatically remove all associated resources.

Once deleted, OneLens will no longer be able to access your account data.

{% hint style="warning" %}
Deleting the stacks is irreversible. If you want to reconnect OneLens later, you will need to redeploy the CFTs and go through the onboarding process again.
{% endhint %}

## What happens if my StackSet deployment shows a FAILED status for some accounts?

A failed StackSet deployment usually means one of the following:

* The target account does not have the required permissions to create IAM roles.
* The management account does not have StackSet administration permissions enabled.
* There is a naming conflict with an existing role in the target account.

Check the Detailed Status in the StackSet Operations tab for the specific error message. Fix the underlying issue and re-deploy or update the StackSet for the affected accounts.

{% hint style="info" %}
Accounts with a SUCCEEDED status are connected and working even if other accounts in the same StackSet failed. You do not need to re-run the entire StackSet.
{% endhint %}

## Can I connect Kubernetes clusters alongside my AWS accounts?

Yes. After connecting your AWS account, you can optionally integrate your EKS or AKS Kubernetes clusters for deeper cost and usage insights. This gives you pod-level visibility alongside your standard cloud cost data.

See the [Kubernetes Integration](https://docs.onelens.cloud/integrations/kubernetes) section for setup instructions, and [Enable Split Cost Allocation for EKS](https://docs.onelens.cloud/integrations/kubernetes/enable-split-cost-allocation-for-eks) if you want workload-level cost attribution in your Cost and Usage Report.
