Providing read access for Anodot using a cross-account AWS role

Anodot can access the files on your S3 / CUR bucket only after you explicitly allow it. To provide read access to Anodot and to create a cross-account AWS role to provide Anodot with access to the AWS files, refer to the sections below (note that when creating the cross-account AWS role, you should replace the references where relevant to S3 / CUR.

IMPORTANT: New S3 / CUR data sources should use the role-based access method described below. The previous method of updating the bucket policy (see here for CUR, and here for S3) is currently supported for existing data sources, but is no longer available for new sources. Contact us to ensure safe migration of existing sources without losing data.

Creating the read access policy

The following policy example shows how to provide read access to the cross-account AWS role. 

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"CURReadFiles",
         "Effect":"Allow",
         "Action":[
                 "s3:Get*",
                 "s3:List*"
         ],
         "Resource":[
             "arn:aws:s3:::<CUR BUCKET>",
             "arn:aws:s3:::<CUR BUCKET>/*"
         ]
      }
   ]
}

Creating a cross-account AWS role and data source in Anodot

The following procedure describes how to create the S3 / CUR source in Anodot and the AWS role. The process requires you to switch between Anodot and AWS, as indicated below (steps in AWS are italicized).

  1. In the Navigation Panel, go to Integrations > Catalog.
  2. Use the Search box to locate the S3 / CUR data source.
  3. Click Start on the S3 / CUR tile.
  4. In the displayed AWS dialog, enter the bucket name and folder path (optional).
  5. Copy the unique Anodot ID to the clipboard by clicking the copy icon.
    AWS-anodotID.jpg
  6. In AWS, create a cross-account role.
  7. Use the policy you previously created (see Creating the read access policy above) as the role’s policy.
  8. Click Another AWS account and use the Anodot account ID as the third party account ID: 340481513670

    AWS-cross-account-role.jpg

  9. Paste the Anodot ID you copied in Step 3 to the “External ID” field in the role definition.
  10. Save the cross-account role, and copy the role ARN to the clipboard.
  11. Paste the AWS role ARN into the Role ARN field in the AWS dialog.

    AWScostmonitoring.jpg

  12. Click CONTINUE to connect to the bucket and save the S3 / CUR data source.