# Connect to AWS

To begin using OneLens, you need to connect your AWS account by deploying **two** [**CloudFormation templates (CFTs)**](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html). These templates create the IAM roles required for OneLens to access your cost and resource data.

* The **Resource CFT** sets up the IAM role needed to access resource configuration and relevant CloudWatch metrics.
* The **CUR CFT** creates a [Cost and Usage Report (CUR)](https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html) along with its [S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and sets up the IAM role needed to access the CUR files stored in that S3 bucket.

{% hint style="warning" %}

#### Important

You **must deploy both CloudFormation templates (CFTs)** to successfully connect OneLens to your AWS environment.

You can review the contents of each CloudFormation template here:

* [For Resource CFT](https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/resource-role-v1-we.yaml)
* [For CUR CFT](https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/cur-role-v1-we.yml)
  {% endhint %}

{% hint style="info" %}

### Access Scope and Permissions

OneLens connects to your AWS account using IAM roles created through two CloudFormation templates: one for accessing your Cost and Usage Reports (CUR) and another for explicit read-only access to your resources. These roles are deployed either via Stack or StackSet, depending on your setup.

The IAM roles created by these templates are limited in scope and grant only the permissions required for OneLens to function. No modifications are made to your infrastructure. Access is **read-only** and fully **reversible** — you may delete the roles at any time to revoke access. OneLens does not collect or alter any data outside the defined access permissions.
{% endhint %}
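
The read-only claim above can be checked against the templates before you deploy them. The following is an added example, not OneLens code: it scans a CloudFormation template that has already been parsed into a Python dict (the OneLens templates are YAML, so convert them to JSON first) and reports allowed actions that are not read-only, plus role trust policies with a wildcard principal or without the `sts:ExternalId` condition that AWS recommends for third-party access. The `READ_PREFIXES` list, the function names and the `SAMPLE` template are assumptions constructed for illustration.

```python
# Verb prefixes counted as read-only here (an assumption; adjust to your policy).
READ_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Lookup", "Search", "View")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_documents(template):
    """Yield (logical_id, policy_document) for every IAM policy in the template."""
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") in ("AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"):
            yield name, props["PolicyDocument"]
        elif res.get("Type") == "AWS::IAM::Role":
            for inline in props.get("Policies", []):
                yield name, inline["PolicyDocument"]

def non_read_actions(template):
    """Return (logical_id, action) for each allowed action that is not read-only."""
    findings = []
    for name, doc in policy_documents(template):
        for stmt in _as_list(doc["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            if "NotAction" in stmt:  # allows everything except the listed actions
                findings.append((name, "NotAction"))
            for action in _as_list(stmt.get("Action", [])):
                verb = str(action).partition(":")[2]
                if not verb.startswith(READ_PREFIXES):  # also catches "*" and "svc:*"
                    findings.append((name, str(action)))
    return findings

def trust_findings(template):
    """Flag trust policies with a wildcard principal or no sts:ExternalId."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        trust = res["Properties"]["AssumeRolePolicyDocument"]
        for stmt in _as_list(trust["Statement"]):
            principal = stmt.get("Principal", {})
            aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
            if "*" in aws:
                findings.append((name, "wildcard principal"))
            conditions = stmt.get("Condition", {}).get("StringEquals", {})
            if aws and "sts:ExternalId" not in conditions:
                findings.append((name, "no sts:ExternalId condition"))
    return findings

# Constructed sample, NOT the contents of the OneLens templates.
SAMPLE = {"Resources": {
    "ExampleRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}}},
    "ExamplePolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
            "ec2:Describe*", "cloudwatch:GetMetricData", "s3:PutObject"]}]}}}}}
```

An empty result from both functions means every allowed action matched a read prefix and every cross-account trust statement was scoped; read actions such as `s3:GetObject` still expose data, so review the `Resource` elements as well.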

## OneLens in Your AWS Environment

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FUjHfS2VWHJ7BKM7GJvhl%2FOneLens%20Multicloud%20Architecture%20for%20AWS%20Customers%20-%20after%20frontend%20migration.png?alt=media&#x26;token=3093d0ec-c98b-48e9-8d4e-8d0e4b439ceb" alt=""><figcaption><p>OneLens Architecture Diagram</p></figcaption></figure>

#### **The following components are created in your AWS environment:**

* **CloudFormation Templates (CFTs):**
  * One for Resource Role
  * One for CUR Role
* **StackSet / Stack Deployment:**
  * Executed from the management or individual account
  * Creates IAM roles in target accounts
* **IAM Roles:**
  * Provide read-only access to resources and metrics
  * Grant permission to read CUR files from your S3 bucket

#### **The OneLens AWS environment has two major components:**

* **Data Extraction & Transformation**:
  * Data is extracted over TLS 1.3 by assuming the IAM role that you created.
  * The raw data is processed for detailed analysis.
  * This process repeats daily or on the schedule agreed with you.
* **Data Storage**:
  * Ensures tenant-level separation (trial accounts may vary slightly).
  * Customers' raw data is stored in GCS buckets, which are KMS-encrypted.
  * Processed data is stored in a PostgreSQL DB, ClickHouse and GCS, all secured by standard organizational policies meeting ISO and SOC 2 compliance.

## AWS Environment Types

You likely operate your AWS accounts in one of two ways. The steps that you need to follow depend on which environment you’re using.

### Centralized Accounts (Master-Child Setup)

If you manage multiple AWS accounts from a master or admin account (using AWS Organizations), here’s what you’ll need to deploy:

* [CUR Template using Stack](#deploy-cur-role-using-stack) – Run this in the master/admin account. Ensure that the Stack is created in the **us-east-1** region.
* [Resource Template using Stack](#deploy-resource-role-using-stack) – Run this in the master/admin account.
* [Resource Template using StackSet](#deploy-resource-role-using-stackset) – Run this from the master/admin account to all child accounts for resource **read-only** access.

{% hint style="success" %}

## **NOTE**

You do not need to deploy the CUR role in any child accounts. Since the master/payer account contains the **consolidated billing CUR**, OneLens fetches all required cost data directly from that account.
{% endhint %}

### Decentralized Accounts (Individually Managed Accounts)

If an AWS account needs to be configured independently, you’ll deploy:

* [CUR Template using Stack](#deploy-cur-role-using-stack) – The CUR needs to be configured individually in each account. Ensure that the Stack is created in the **us-east-1** region.
* [Resource Template using Stack](#deploy-resource-role-using-stack) – The Resource role needs to be configured individually in each account.

## **Onboarding Deployment Tasks**

### 1. Deploy CUR Role Using Stack

This step-by-step guide will help you deploy the Cost and Usage Report (CUR) role in AWS using a CloudFormation Stack.

{% hint style="success" %}

### Prerequisites

Before proceeding, ensure that the AWS region you select is **us-east-1**. The AWS billing service, which processes CUR, is internally hosted in this region by AWS, so the deployment of this role needs to be in the same region.
{% endhint %}

{% stepper %}
{% step %}

#### Create a CloudFormation Stack

In the AWS Management Console, go to the **CloudFormation** service.

Choose **Stack** from the sidebar.

Click on **Create Stack**.

Choose the option **With new Resources (standard)** when prompted.

![](https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FkKU1QitUGKCpjHsX66Np%2F0.png?alt=media)

Go with **Choose an Existing Template**.

For the template source, select **Amazon S3 URL**.

In the **Amazon S3 URL** field, enter the following URL:

```
https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/cur-role-v1-we.yml
```

![](https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FuGR5SPzAoZ3pXircc579%2F1.png?alt=media)

Click **Next** to proceed.
{% endstep %}

{% step %}

#### Specify Stack Details

Fill in the following parameters:

* **Stack Name**:
  * Enter a name for your stack. For example, `OneLens-CUR-Stack`, or use your naming convention.
* **S3 Bucket Name**:
  * Enter the name of your CUR S3 bucket, which stores the billing reports.
* **Role Name**:

  * Set your own role name following the format:

  `OneLens-<10-char-alphanumeric-unique-id-2>`

  where **<10-char-alphanumeric-unique-id-2>** is a 10-character alphanumeric identifier, or

  * Contact the OneLens support team to provide the role name for your account

  <div data-full-width="true"><figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FPDkKPUqJ4XURuEQkaBVW%2Fimg1.png?alt=media&#x26;token=73701f3b-9b7d-49ef-801c-af9158d09ede" alt=""><figcaption></figcaption></figure></div>

Once all details are filled in, click **Next** to proceed.
{% endstep %}

{% step %}

#### Configure Stack Options

**Set Tags**

Click on **Add New Tag**.

Add a key-value pair:

* **Key**: `onelens:provider`
* **Value**: `onelens`

![](https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2Fx8M2ossZ0YjUtBXCbWog%2F3.png?alt=media)

You can add any additional tags that you may use.

All other options should be left as the default settings unless you require specific changes.

{% hint style="warning" %}
A warning will appear indicating that the template will create a **ManagedPolicy**. This is normal since the template is designed to create a role with Managed Policies to grant access to OneLens.
{% endhint %}

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2Fq6n04OJj4gA2D9YhSu2P%2Fimage.png?alt=media&#x26;token=39d30fd7-8415-4a6f-a078-c6ba9e4ce40e" alt="" width="563"><figcaption></figcaption></figure>

Tick the checkbox to acknowledge the warning.

Once you're finished, click **Next** to proceed.
{% endstep %}

{% step %}

#### Review and Create the Stack

**Review** the stack configuration.

![](https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FUo2PzOewoaqp4q1Ob1xi%2F5.png?alt=media)

Click **Submit** to create the stack.
{% endstep %}

{% step %}

#### Stack Output

After the successful execution, the CUR Role ARN and the S3 bucket will be generated. You can view the output as follows:

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FuN3Di0kjg2ys6cLagSxZ%2Fdownload%20(2).png?alt=media&#x26;token=fbdc6994-1035-47bb-8076-10b65890268b" alt="" width="563"><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

### 2. Deploy Resource Role using Stack

Follow these steps to deploy the resource role for your OneLens integration. This guide is applicable for individual, external, or any other type of AWS account.

{% stepper %}
{% step %}

#### Create a CloudFormation Stack

In the AWS Management Console, go to the **CloudFormation** service.

Click on **Create Stack**.

Choose the option **With new Resources (standard)** when prompted.

![](https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FGadrigECmGHLvoC674Y0%2F0.png?alt=media)

Go with **Choose an Existing Template**.

For the template source, select **Amazon S3 URL**.

In the **Amazon S3 URL** field, enter the following URL:

```
https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/resource-role-v1-we.yaml
```

Click **Next** to proceed.
{% endstep %}

{% step %}

#### Specify Stack Details

In this step, you'll provide the necessary details for your stack. Fill in the following parameters:

* **Stack Name**:
  * Enter a name for your stack. For example, `OneLens-Resource-Stack`, or use your naming convention.
* **Role Name**:

  * Set your own role name following the format:

    `OneLens-<10-char-alphanumeric-unique-id>`

    where **<10-char-alphanumeric-unique-id>** is a 10-character alphanumeric identifier, or
  * Contact the OneLens support team to provide the role name for your account

  <figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FDl6I2VYoSvZkm1Q5SGz8%2Fimg2.png?alt=media&#x26;token=b70fe741-f93a-4240-b9be-ba7e38481b4c" alt=""><figcaption></figcaption></figure>

Once all details are filled in, click **Next** to proceed.
{% endstep %}

{% step %}

#### Configure Stack Options

**Set Tags**

Click on **Add New Tag**.

Add a key-value pair:

* **Key**: `onelens: provider`
* **Value**: `onelens`

![](https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FrbIhH5ZcdOsWhdvGWKaN%2F3.png?alt=media)

You can add any additional tags that you may use.

All other options should be left as the default settings unless you require specific changes.

{% hint style="warning" %}
A warning will appear indicating that the template will create a **ManagedPolicy**. This is normal since the template is designed to create a role with Managed Policies to grant access to OneLens.
{% endhint %}

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2Fps8rKipvjpGcTAxzVNWd%2Fimage.png?alt=media&#x26;token=5bcc6b39-ef85-4ade-b2f9-1a5939c443b6" alt="" width="563"><figcaption></figcaption></figure>

Tick the checkbox to acknowledge the warning.

Once you're finished, click **Next** to proceed.
{% endstep %}

{% step %}

#### Review and Create the Stack

**Review** the stack configuration.

![](https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2F0DvE6d0KX6i1sxBcUPJd%2F5.png?alt=media)

Click **Submit** to create the stack.
{% endstep %}

{% step %}

#### Stack Output

After the successful execution, the Resource Role ARN will be generated. You can view the output as follows:

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2F8WWDK5JoGtzRbpgx0ZvP%2Fdownload%20(1).png?alt=media&#x26;token=396e437f-e818-40e4-8c5d-135b2a031726" alt="" width="563"><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

### 3. Deploy Resource Role using StackSet (in Master account only)

Here is how you can deploy CloudFormation Stacks across multiple AWS child accounts from a central location. The StackSet deployment process avoids the need to log into each account individually.

{% hint style="success" %}

### Prerequisites

* **Administrator/Management Account Access**: You must have access to the Administrator or Management account.
  {% endhint %}

{% stepper %}
{% step %}

#### Log in to the Administrator/Management Account

Log in to the appropriate AWS account based on your organization’s structure. This could be your Administrator or Management account, depending on your setup.
{% endstep %}

{% step %}

#### Create a StackSet

Go to the AWS Management Console and search for **CloudFormation**.

In the CloudFormation console, select **StackSets** from the left-hand menu.

Click on **Create StackSet**.

![](https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2F28rduoTGvESjVRjhil35%2F0.png?alt=media)

Select **"Template is ready"** as the template type.

For the **template source**, choose **Amazon S3 URL**.

Enter the following S3 URL:

```
https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/resource-role-v1-we.yaml
```

![](https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FtFqCYNmSsZpeW6QbFdFL%2F1.png?alt=media)

Click **Next**.
{% endstep %}

{% step %}

#### Specify Stack Details

Enter a **stack name** following your organization’s naming conventions. We recommend `OneLens-Stack` or something similarly descriptive.

In the **RoleName** field, you can either:

* Set your own role name following the format:

`OneLens-<10-char-alphanumeric-unique-id>`

where **<10-char-alphanumeric-unique-id>** is a 10-character alphanumeric identifier, or

* Contact the OneLens support team to provide the role name for your account

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FU2qtYhKB2TkzrDwshRAX%2Fimg3.png?alt=media&#x26;token=e5a2cc91-8992-4d9b-9c25-6ef84ddeed79" alt=""><figcaption></figcaption></figure>

Once these details are filled in, click **Next**.
{% endstep %}

{% step %}

#### Configure StackSet Options

Click on **Add New Tag** to add tags that help identify this stack. Add the following key-value pair:

* **Key:** `onelens: provider`
* **Value:** `onelens`

![](https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FjDknjzhxFQaxVlfkn8iJ%2F3.png?alt=media)

You can add any additional tags that your organization may use. Everything else should be left as default.

{% hint style="warning" %}
A warning will appear indicating that the template will create a **ManagedPolicy**. This is normal since the template is designed to create a role with Managed Policies to grant access to OneLens.
{% endhint %}

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FuFRB3Gq03MWLdkHHFGjL%2Fimage.png?alt=media&#x26;token=d4599148-523f-47e1-aa32-9d40d704a89f" alt="" width="563"><figcaption></figcaption></figure>

Tick the checkbox to acknowledge the warning.

Once you've reviewed this step, click **Next**.
{% endstep %}

{% step %}

#### Set Deployment Options

**Specify Accounts or Organizational Units**

In the **Accounts** section, specify which AWS accounts or organizational units should be targeted for this stack deployment.

**Choose Regions**

Select the AWS region where you would like to deploy the stack. You can deploy to any region, because IAM is a global service.

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FOCQm61EWMoVos8Fedmwf%2FScreenshot%202025-04-28%20at%205.10.38%E2%80%AFPM.png?alt=media&#x26;token=c8dcf047-6608-4f00-ae48-fc2118360536" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="warning" %}
Most settings can be left at their default values unless you require custom configurations. Feel free to adjust based on your preferences.
{% endhint %}

Click **Next** to proceed.
{% endstep %}

{% step %}

#### Review and Create

Review the configuration, including the stack name, role name, tags, deployment options, and selected accounts/regions.

![](https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FOCXjhhgKNW9OKIg7MFdb%2F6.png?alt=media)

Click **Submit** to create the StackSet.
{% endstep %}

{% step %}

#### Verify StackSet

After submitting the StackSet, go to the **Operations** tab in the StackSets console to monitor the status of the deployment.

Once the StackSet execution is complete, check the **Detailed Status** for each child account.

The status should show as **SUCCEEDED** for all successfully deployed stacks.

{% hint style="warning" %}

## **IMPORTANT**

StackSets deploy the stack to child accounts within your organization, not to the account where the StackSet is created. You also need to deploy the Resource CFT as a stack in the account where the StackSet is created; follow the instructions for [**Deploy Resource Role via Stack**](#id-2.-deploy-resource-role-using-stack).
{% endhint %}
{% endstep %}
{% endstepper %}

## **Required Information to Finalize Onboarding**

Please share the following information over email at <support@astuto.ai>:

* **Master Account ID** or **list of individually integrated account IDs**
* **Resource Role ARN** generated as output of Stack
* **CUR Role ARN** generated as output of Stack
* **S3 Bucket Name** where your CUR files are stored
* **Stack Role Names and their unique identifiers** (only if role names were customized by you during deployment)

## Additional Setup (Optional)

OneLens provides additional insights into your Kubernetes clusters. To enable this, follow the instructions provided [here](https://docs.onelens.cloud/integrations/kubernetes/enable-split-cost-allocation-for-eks).
