AWS Integration Guide

Connect your AWS account to CloudCash securely in under 3 minutes.

Getting Started

1. Create a Cross-Account IAM Role

CloudCash uses AWS STS (AssumeRole) to scan your account securely without requiring permanent access keys. First, we need to create a role that trusts CloudCash.

  • Log into your AWS Console and navigate to IAM > Roles.
  • Click Create role and select Custom trust policy.
  • Paste the exact JSON below into the trust policy editor. It names the CloudCash scanner role as the only principal allowed to assume this role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::010526239862:role/service-role/CloudCash_Scanner_v1-role-h3uf9wy2"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

2. Attach Permissions (Scan & Fix)

Click Next to add permissions. Your role needs two policies attached to it: one to read your environment, and one to safely remediate waste.

  • 1. The Scanner Policy: In the permissions search box, type AmazonEC2ReadOnlyAccess and check the box next to it. This allows CloudCash to find your zombie resources.
  • 2. The Remediation Policy: Next, we need to allow the "FIX" action. Click Create policy (or Add Permissions > Create inline policy). Select the JSON tab and paste the following code. Its SafetyNetSnapshots statement grants the snapshot permissions that let an automated backup be created before any deletion happens:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowVolumeDeletion",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteVolume",
                "ec2:DescribeVolumes",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SafetyNetSnapshots",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:snapshot/*"
            ]
        }
    ]
}

Click Next, give your role a name (e.g., CloudCash_CrossAccount_Role), and click Create role.
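
A review pass over the two policies above, checking for a cross-account trust statement with no sts:ExternalId condition and for destructive actions allowed on Resource "*" with no condition. This is an added example, not CloudCash code; the function names are assumptions, and this page does not say whether CloudCash supplies an external ID when it assumes the role.

```python
import json

# Policies copied from steps 1 and 2 above (whitespace compacted).
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS":
   "arn:aws:iam::010526239862:role/service-role/CloudCash_Scanner_v1-role-h3uf9wy2"}}]}""")
REMEDIATION_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowVolumeDeletion", "Effect": "Allow", "Resource": "*",
   "Action": ["ec2:DeleteVolume", "ec2:DescribeVolumes", "ec2:DescribeInstances"]},
  {"Sid": "SafetyNetSnapshots", "Effect": "Allow",
   "Action": ["ec2:CreateSnapshot", "ec2:CreateTags"],
   "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:snapshot/*"]}]}""")

def as_list(value):
    """IAM accepts either a single string or a list for these elements."""
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def trust_findings(policy, own_account_id):
    """Flag statements that trust a principal outside own_account_id without sts:ExternalId."""
    findings = []
    for stmt in allow_statements(policy):
        principal = stmt.get("Principal", {})
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        external = [a for a in arns if a != own_account_id and f"::{own_account_id}:" not in a]
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if external and "sts:externalid" not in cond_keys:
            findings.append(("no-external-id", external))
    return findings

def destructive_findings(policy, prefixes=("Delete", "Terminate")):
    """Flag Delete*/Terminate* actions allowed on Resource "*" with no Condition."""
    findings = []
    for stmt in allow_statements(policy):
        if stmt.get("Condition") or "*" not in as_list(stmt.get("Resource", [])):
            continue
        risky = [a for a in as_list(stmt.get("Action", []))
                 if a == "*" or a.split(":")[-1].startswith(prefixes)]
        if risky:
            findings.append((stmt.get("Sid", "<no Sid>"), risky))
    return findings

if __name__ == "__main__":
    # 123456789012 is the placeholder customer account ID used in step 3.
    print(trust_findings(TRUST_POLICY, "123456789012"))
    print(destructive_findings(REMEDIATION_POLICY))
```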

3. Connect the ARN in CloudCash

Now that your role is created and configured, we need to tell CloudCash where to look.

  • In the AWS IAM Console, click on the role you just created and copy its Role ARN (it will look something like arn:aws:iam::123456789012:role/CloudCash_CrossAccount_Role).
  • Log into your CloudCash Dashboard.
  • Navigate to the Settings tab.
  • Paste your Role ARN into the "AWS Target Account ARN" field and click Save.

You are all set! You can now return to the Overview tab and click "Run Deep Audit".
