Connect to AWS

To begin using OneLens, you need to connect your AWS account by deploying two CloudFormation templates (CFTs). These templates create the IAM roles required for OneLens to access your cost and resource data.

  • The Resource CFT sets up the IAM role needed to access resource configuration and relevant CloudWatch metrics.

  • The CUR CFT creates a Cost and Usage Report (CUR) along with its S3 bucket and sets up the IAM role needed to access the CUR files stored in that S3 bucket.

Important

Access Scope and Permissions

OneLens connects to your AWS account using IAM roles created through two CloudFormation templates: one for accessing your Cost and Usage Reports (CUR) and another for explicit read-only access to your resources. These roles are deployed either via Stack or StackSet, depending on your setup.

The IAM roles created by these templates are limited in scope and grant only the permissions required for OneLens to function. No modifications are made to your infrastructure. Access is read-only and fully reversible — you may delete the roles at any time to revoke access. OneLens does not collect or alter any data outside the defined access permissions.
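One way to check the read-only claim yourself before sharing the role ARNs, shown as an added example that is not OneLens code: the script below flags `Allow` statements whose actions are not clearly read-only and trust statements that have a wildcard principal or lack an `sts:ExternalId` condition (the condition AWS recommends for third-party cross-account roles). The prefix list, function names and sample policy documents are assumptions made for this example.

```python
# Action-name prefixes treated as read-only (a heuristic assumed by this example).
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Lookup", "Search")

def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def non_read_only_actions(policy):
    """Return Allow-ed actions that are not clearly read-only (wildcards included)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # Allow + NotAction grants everything else
            findings.append("NotAction")
        for action in _as_list(stmt.get("Action")):
            name = action.partition(":")[2]  # part after "service:", "" for a bare "*"
            if not name.startswith(READ_ONLY_PREFIXES):
                findings.append(action)
    return findings

def trust_findings(trust_policy):
    """Flag trust statements with a wildcard principal or no sts:ExternalId condition."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            findings.append("wildcard principal")
        keys = {k.lower() for cond in stmt.get("Condition", {}).values() for k in cond}
        if "sts:externalid" not in keys:  # condition keys are case-insensitive
            findings.append("no sts:ExternalId condition")
    return findings

SAMPLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [  # constructed sample
    {"Effect": "Allow", "Action": ["ec2:Describe*", "cloudwatch:GetMetricData"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"},  # write action, flagged
]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [  # constructed, placeholder account ID
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole"},  # no Condition block, flagged
]}

if __name__ == "__main__":
    print(non_read_only_actions(SAMPLE_PERMISSIONS), trust_findings(SAMPLE_TRUST))
```

Run it against the policy documents in the downloaded templates, or against the trust and permissions policy documents of the deployed roles.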

OneLens in Your AWS Environment

OneLens Architecture Diagram

The following components are created in your AWS environment:

  • CloudFormation Templates (CFTs):

    • One for Resource Role

    • One for CUR Role

  • StackSet / Stack Deployment:

    • Executed from the management or individual account

    • Creates IAM roles in target accounts

  • IAM Roles:

    • Provide read-only access to resources and metrics

    • Grant permission to read CUR files from your S3 bucket

The OneLens AWS environment has 3 major components:

  • Data Extraction & Transformation:

    • Data is extracted over TLS 1.3 by assuming the IAM role you created.

    • The raw data is processed for detailed analysis.

    • This process repeats daily or on the schedule agreed with you.

  • Data Storage:

    • Ensures tenant-level separation (trial accounts may vary slightly).

    • Customers' raw data is stored in KMS-encrypted S3 buckets.

    • Processed data is stored in PostgreSQL, ClickHouse and S3, all secured by standard organizational policies meeting ISO and SOC 2 compliance.

AWS Environment Types

You likely operate your AWS accounts in one of two ways. The steps that you need to follow depend on which environment you’re using.

Centralized Accounts (Master-Child Setup)

If you manage multiple AWS accounts from a master or admin account (using AWS Organizations), here’s what you’ll need to deploy:

Decentralized Accounts (Individually Managed Accounts)

If an AWS account needs to be configured independently, you’ll deploy:

Onboarding Deployment Tasks

1. Deploy CUR Role Using Stack

The step-by-step guide will help you deploy the Cost and Usage Report (CUR) role in AWS using a CloudFormation Stack.

Prerequisites

1. Create a CloudFormation Stack

In the AWS Management Console, go to the CloudFormation service.

Choose Stack from the sidebar.

Click on Create Stack.

Choose the option With new Resources (standard) when prompted.

Select Choose an Existing Template.

For the template source, select Amazon S3 URL.

In the Amazon S3 URL field, enter the following URL:

https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/cur-role.yml

Click Next to proceed.

2. Specify Stack Details

Fill in the following parameters:

  • Stack Name:

    • Enter a name for your stack. For example, OneLens-CUR-Stack, or use your naming convention.

  • S3 Bucket Name:

    • Enter the name of your CUR S3 bucket, which stores the billing reports.

  • Role Name:

    • Set your own role name following the format:

    OneLens-<10-char-alphanumeric-unique-id-2>

    where <10-char-alphanumeric-unique-id-2> is a 10-digit identifier, or

    • Contact the OneLens support team to provide the role name for your account.

Once all details are filled in, click Next to proceed.

3. Configure Stack Options

Set Tags

Click on Add New Tag.

Add a key-value pair:

  • Key: onelens:provider

  • Value: onelens

You can add any additional tags that you may use.

All other options should be left as the default settings unless you require specific changes.

Tick the checkbox to acknowledge the warning.

Once you're finished, click Next to proceed.

4. Review and Create the Stack

Review the stack configuration.

Click Submit to create the stack.

5. Stack Output

After the successful execution, the CUR Role ARN and the S3 bucket will be generated. You can view the output as follows:

2. Deploy Resource Role using Stack

Follow these steps to deploy the resource role for your OneLens integration. This guide is applicable for individual, external, or any other type of AWS account.

1. Create a CloudFormation Stack

In the AWS Management Console, go to the CloudFormation service.

Click on Create Stack.

Choose the option With new Resources (standard) when prompted.

Select Choose an Existing Template.

For the template source, select Amazon S3 URL.

In the Amazon S3 URL field, enter the following URL:

https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/resource-role.yaml?v=1

Click Next to proceed.

2. Specify Stack Details

In this step, you'll provide the necessary details for your stack. Fill in the following parameters:

  • Stack Name:

    • Enter a name for your stack. For example, OneLens-Resource-Stack, or use your naming convention.

  • Role Name:

    • Set your own role name following the format:

      OneLens-<10-char-alphanumeric-unique-id>

      where <10-char-alphanumeric-unique-id> is a 10-digit identifier, or

    • Contact the OneLens support team to provide the role name for your account.

Once all details are filled in, click Next to proceed.

3. Configure Stack Options

Set Tags

Click on Add New Tag.

Add a key-value pair:

  • Key: onelens: provider

  • Value: onelens

You can add any additional tags that you may use.

All other options should be left as the default settings unless you require specific changes.

Tick the checkbox to acknowledge the warning.

Once you're finished, click Next to proceed.

4. Review and Create the Stack

Review the stack configuration.

Click Submit to create the stack.

5. Stack Output

After the successful execution, the Resource Role ARN will be generated. You can view the output as follows:

3. Deploy Resource Role using StackSet (in Master account only)

Here is how you can deploy CloudFormation Stacks across multiple AWS child accounts from a central location. The StackSet deployment process avoids the need to log into each account individually.

Prerequisites

1. Log in to the Administrator/Management Account

Log in to the appropriate AWS account based on your organization’s structure. This could be your Administrator or Management account, depending on your setup.

2. Create a StackSet

Go to the AWS Management Console and search for CloudFormation.

In the CloudFormation console, select StackSets from the left-hand menu.

Click on Create StackSet.

Select "Template is ready" as the template type.

For the template source, choose Amazon S3 URL.

Enter the following S3 URL:

https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/resource-role.yaml?v=1

Click Next.

3. Specify Stack Details

Enter a stack name following your organization’s naming conventions. Our recommendation is OneLens-Stack or something descriptive.

In the RoleName field, you can either:

  • Set your own role name following the format:

OneLens-<10-char-alphanumeric-unique-id>

where <10-char-alphanumeric-unique-id> is a 10-digit identifier, or

  • Contact the OneLens support team to provide the role name for your account.

Once these details are filled in, click Next.

4. Configure StackSet Options

Click on Add New Tag to add tags that help identify this stack. Add the following key-value pair:

  • Key: onelens: provider

  • Value: onelens

You can add any additional tags that your organization may use. Everything else should be left as default.

Tick the checkbox to acknowledge the warning.

Once you've reviewed this step, click Next.

5. Set Deployment Options

Specify Accounts or Organizational Units

In the Accounts section, specify which AWS accounts or organizational units should be targeted for this stack deployment.

Choose Regions

Select the AWS region where you would like to deploy the stack. You can deploy to any region, because IAM is a global service.

Click Next to proceed.

6. Review and Create

Review the configuration, including the stack name, role name, tags, deployment options, and selected accounts/regions.

Click Submit to create the StackSet.

7. Verify StackSet

After submitting the StackSet, go to the Operations tab in the StackSets console to monitor the status of the deployment.

Once the StackSet execution is complete, check the Detailed Status for each child account.

The status should show as SUCCEEDED for all successfully deployed stacks.

Important Note:

StackSets deploy the stack to child accounts within your organization, not to the account where the StackSet is created. You also need to deploy a Resource CFT stack in that same account; follow the instructions in Deploy Resource Role using Stack.

Required Information to Finalize Onboarding

Please share the following information over email at [email protected]:

  • Master Account ID or list of individually integrated account IDs

  • Resource Role ARN generated as output of Stack

  • CUR Role ARN generated as output of Stack

  • S3 Bucket Name where your CUR files are stored

  • Stack Role Names and their unique identifiers (only if role names were customized by you during deployment)

Additional Setup (Optional)

OneLens provides additional insights into your Kubernetes clusters. To enable them, follow the instructions provided here.
