Connect to AWS
To begin using OneLens, you need to connect your AWS account by deploying two CloudFormation templates (CFTs). These templates create the IAM roles required for OneLens to access your cost and resource data.
The Resource CFT sets up the IAM role needed to access resource configuration and relevant CloudWatch metrics.
The CUR CFT creates a Cost and Usage Report (CUR) along with its S3 bucket and sets up the IAM role needed to access the CUR files stored in that S3 bucket.
Important
You must deploy both CloudFormation templates (CFTs) to successfully connect OneLens to your AWS environment.
You can review the contents of each CloudFormation template from here.
Access Scope and Permissions
OneLens connects to your AWS account using IAM roles created through two CloudFormation templates: one for accessing your Cost and Usage Reports (CUR) and another for explicit read-only access to your resources. These roles are deployed either via Stack or StackSet, depending on your setup.
The IAM roles created by these templates are limited in scope and grant only the permissions required for OneLens to function. No modifications are made to your infrastructure. Access is read-only and fully reversible — you may delete the roles at any time to revoke access. OneLens does not collect or alter any data outside the defined access permissions.
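To check the read-only claim against what was actually deployed, the following added example (not OneLens code) audits policy JSON of the kind returned by `aws iam get-role` and `aws iam get-policy-version`. The read-verb prefix list and the sample policy are assumptions constructed for illustration.

```python
# Added example: offline audit of IAM policy JSON. Sample documents are constructed.
READ_PREFIXES = ("get", "list", "describe", "batchget", "lookup", "select")  # assumed review standard

def _listify(value):
    """IAM accepts a single item or a list for Statement, Action and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """True only if every action the pattern can match starts with a read verb."""
    if ":" not in action:
        return False  # a bare "*" matches all actions in all services
    verb = action.split(":", 1)[1].lower()
    literal = verb.split("*", 1)[0].split("?", 1)[0]  # fixed text before the first wildcard
    return literal.startswith(READ_PREFIXES)

def audit_permissions(policy):
    """Return (statement index, item, reason) for Allow entries that need manual review."""
    findings = []
    for i, stmt in enumerate(_listify(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "NotAction", "allows everything except the listed actions"))
        for action in _listify(stmt.get("Action")):
            if not is_read_only(action):
                findings.append((i, action, "not provably read-only"))
    return findings

def audit_trust(trust):
    """Return findings for trust statements that any AWS principal could satisfy."""
    findings = []
    for i, stmt in enumerate(_listify(trust.get("Statement"))):
        principal = stmt.get("Principal")
        names = _listify(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if stmt.get("Effect") == "Allow" and "*" in names and not stmt.get("Condition"):
            findings.append((i, "Principal", "wildcard principal with no Condition"))
    return findings

# Constructed sample: one broad statement mixed in with read-only ones.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "cloudwatch:GetMetricData"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-cur-bucket/*"},
]}

if __name__ == "__main__":
    for finding in audit_permissions(SAMPLE_POLICY):
        print(finding)
```

An empty result means every allowed action matched a read verb. It does not replace reading the template, since some `Get*` actions return sensitive data.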
OneLens in Your AWS Environment

The following components are created in your AWS environment:
CloudFormation Templates (CFTs):
One for Resource Role
One for CUR Role
StackSet / Stack Deployment:
Executed from the management or individual account
Creates IAM roles in target accounts
IAM Roles:
Provide read-only access to resources and metrics
Grant permission to read CUR files from your S3 bucket
The OneLens AWS environment has 3 major components:
Data Extraction & Transformation:
Data is extracted over TLS 1.3 by assuming the IAM role you created.
The raw data is processed for detailed analysis.
This process repeats daily or on the schedule agreed with you.
Data Storage:
Ensures tenant-level separation (trial accounts may vary slightly).
Customers' raw data is stored in KMS-encrypted S3 buckets.
Processed data is stored in a PostgreSQL DB, ClickHouse and S3, all secured by standard organizational policies meeting ISO and SOC 2 compliance.
AWS Environment Types
You likely operate your AWS accounts in one of two ways. The steps that you need to follow depend on which environment you’re using.
Centralized Accounts (Master-Child Setup)
If you manage multiple AWS accounts from a master or admin account (using AWS Organizations), here’s what you’ll need to deploy:
CUR Template using Stack – Run this in the master/admin account. Ensure that the Stack is created in the us-east-1 region.
Resource Template using Stack – Run this in the master/admin account.
Resource Template using StackSet – Run this from the master/admin account to all child accounts for resource read-only access.
Decentralized Accounts (Individually Managed Accounts)
If an AWS account needs to be configured independently, you’ll deploy:
CUR Template using Stack – The CUR needs to be configured individually in each account. Ensure that the Stack is created in the us-east-1 region.
Resource Template using Stack – The Resource role needs to be configured individually in each account.
Onboarding Deployment Tasks
1. Deploy CUR Role Using Stack
This step-by-step guide helps you deploy the Cost and Usage Report (CUR) role in AWS using a CloudFormation Stack.
Prerequisites
Before proceeding, ensure that the AWS region you select is us-east-1. The AWS billing service, which processes CUR, is internally hosted in this region by AWS, so the deployment of this role needs to be in the same region.
1. Create a CloudFormation Stack
In the AWS Management Console, go to the CloudFormation service.
Choose Stack from the sidebar.
Click on Create Stack.
Choose the option With new Resources (standard) when prompted.

Select Choose an Existing Template.
For the template source, select Amazon S3 URL.
In the Amazon S3 URL field, enter the following URL:
https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/cur-role.yml

Click Next to proceed.
2. Specify Stack Details
Fill in the following parameters:
Stack Name:
Enter a name for your stack, for example OneLens-CUR-Stack, or use your naming convention.
S3 Bucket Name:
Enter the name of your CUR S3 bucket, which stores the billing reports.
Role Name:
Set your own role name following the format:
OneLens-<10-char-alphanumeric-unique-id-2>
where <10-char-alphanumeric-unique-id-2> is a 10-digit identifier, or
Contact the OneLens support team to provide the role name for your account.

Once all details are filled in, click Next to proceed.
3. Configure Stack Options
Set Tags
Click on Add New Tag.
Add a key-value pair:
Key: onelens:provider
Value: onelens

You can add any additional tags that you may use.
All other options should be left as the default settings unless you require specific changes.
A warning will appear indicating that the template will create a ManagedPolicy. This is normal since the template is designed to create a role with Managed Policies to grant access to OneLens.

Tick the checkbox to acknowledge the warning.
Once you're finished, click Next to proceed.
4. Review and Create the Stack
Review the stack configuration.

Click Submit to create the stack.
5. Stack Output
After the successful execution, the CUR Role ARN and the S3 bucket will be generated. You can view the output as follows:

2. Deploy Resource Role using Stack
Follow these steps to deploy the resource role for your OneLens integration. This guide is applicable for individual, external, or any other type of AWS account.
1. Create a CloudFormation Stack
In the AWS Management Console, go to the CloudFormation service.
Click on Create Stack.
Choose the option With new Resources (standard) when prompted.

Select Choose an Existing Template.
For the template source, select Amazon S3 URL.
In the Amazon S3 URL field, enter the following URL:
https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/resource-role.yaml?v=1
Click Next to proceed.
2. Specify Stack Details
In this step, you'll provide the necessary details for your stack. Fill in the following parameters:
Stack Name:
Enter a name for your stack, for example OneLens-Resource-Stack, or use your naming convention.
Role Name:
Set your own role name following the format:
OneLens-<10-char-alphanumeric-unique-id>
where <10-char-alphanumeric-unique-id> is a 10-digit identifier, or
Contact the OneLens support team to provide the role name for your account.

Once all details are filled in, click Next to proceed.
3. Configure Stack Options
Set Tags
Click on Add New Tag.
Add a key-value pair:
Key: onelens:provider
Value: onelens

You can add any additional tags that you may use.
All other options should be left as the default settings unless you require specific changes.
A warning will appear indicating that the template will create a ManagedPolicy. This is normal since the template is designed to create a role with Managed Policies to grant access to OneLens.

Tick the checkbox to acknowledge the warning.
Once you're finished, click Next to proceed.
4. Review and Create the Stack
Review the stack configuration.

Click Submit to create the stack.
5. Stack Output
After the successful execution, the Resource Role ARN will be generated. You can view the output as follows:

3. Deploy Resource Role using StackSet (in Master account only)
Here is how you can deploy CloudFormation Stacks across multiple AWS child accounts from a central location. The StackSet deployment process avoids the need to log into each account individually.
Prerequisites
Administrator/Management Account Access: You must have access to the Administrator or Management account.
1. Log in to the Administrator/Management Account
Log in to the appropriate AWS account based on your organization’s structure. This could be your Administrator or Management account, depending on your setup.
2. Create a StackSet
Go to the AWS Management Console and search for CloudFormation.
In the CloudFormation console, select StackSets from the left-hand menu.
Click on Create StackSet.

Select "Template is ready" as the template type.
For the template source, choose Amazon S3 URL.
Enter the following S3 URL:
https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/resource-role.yaml?v=1

Click Next.
3. Specify Stack Details
Enter a stack name following your organization’s naming conventions. Our recommendation is OneLens-Stack or something descriptive.
In the RoleName field, you can either:
Set your own role name following the format:
OneLens-<10-char-alphanumeric-unique-id>
where <10-char-alphanumeric-unique-id> is a 10-digit identifier, or
Contact the OneLens support team to provide the role name for your account.

Once these details are filled in, click Next.
4. Configure StackSet Options
Click on Add New Tag to add tags that help identify this stack. Add the following key-value pair:
Key: onelens:provider
Value: onelens

You can add any additional tags that your organization may use. Everything else should be left as default.
A warning will appear indicating that the template will create a ManagedPolicy. This is normal since the template is designed to create a role with Managed Policies to grant access to OneLens.

Tick the checkbox to acknowledge the warning.
Once you've reviewed this step, click Next.
5. Set Deployment Options
Specify Accounts or Organizational Units
In the Accounts section, specify which AWS accounts or organizational units should be targeted for this stack deployment.
Choose Regions
Select the AWS region where you would like to deploy the stack. You can deploy to any region because IAM is a global service.

Most settings can be left at their default values unless you require custom configurations. Feel free to adjust based on your preferences.
Click Next to proceed.
6. Review and Create
Review the configuration, including the stack name, role name, tags, deployment options, and selected accounts/regions.

Click Submit to create the StackSet.
7. Verify StackSet
After submitting the StackSet, go to the Operations tab in the StackSets console to monitor the status of the deployment.
Once the StackSet execution is complete, check the Detailed Status for each child account.
The status should show as SUCCEEDED for all successfully deployed stacks.
Important Note:
StackSets deploy the stack to child accounts within your organization, not to the account where the StackSet is created. To cover that account as well, run the resource CFT stack in it by following the instructions in Deploy Resource Role using Stack.
Required Information to Finalize Onboarding
Please share the following information over email at [email protected]:
Master Account ID or list of individually integrated account IDs
Resource Role ARN generated as output of Stack
CUR Role ARN generated as output of Stack
S3 Bucket Name where your CUR files are stored
Stack Role Names and their unique identifiers (only if role names were customized by you during deployment)
Additional Setup (Optional)
OneLens provides additional insights into your Kubernetes clusters. To enable them, follow the instructions provided here.