Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.yasu.cloud/llms.txt

Use this file to discover all available pages before exploring further.

Connect your AWS account to Yasu using our secure CloudFormation template. This one-click deployment creates a read-only IAM role that enables Yasu to analyze your cloud costs and provide optimization recommendations.

Prerequisites

Before connecting your AWS account, ensure you have:
  • Administrative access to your AWS account (or permissions to create IAM roles and CloudFormation stacks)
  • Cost Explorer enabled in your AWS account
  • Access to the AWS Console
Security First: Yasu uses a cross-account IAM role with read-only permissions. We cannot modify or delete any of your AWS resources.

Quick Setup via CloudFormation

The fastest way to connect your AWS account is through our pre-configured CloudFormation template.
1

Navigate to Integrations

  1. Log in to your Yasu dashboard at app.yasu.cloud
  2. Go to SettingsIntegrations
  3. Click Connect AWS
2

Deploy the CloudFormation Stack

You’ll be redirected to AWS CloudFormation with our template pre-loaded.
  1. Review the stack name — A unique name is generated for you (e.g., YasuIntegration-abc123)
  2. Review the parameters — These are automatically filled in:
    • YasuCustomerId — Your unique Yasu customer ID
    • YasuExternalId — A secure token for cross-account access
    • BucketName — S3 bucket for Cost and Usage Reports
    • ReportName — Name for your AWS CUR report
  3. Scroll to the bottom and check the acknowledgment box:
    ☑️ I acknowledge that AWS CloudFormation might create IAM resources.
  4. Click Create stack
Do not modify the parameters — They are pre-configured to work with your Yasu account.
3

Wait for Stack Creation

The CloudFormation stack typically completes in 2-3 minutes. You can monitor the progress in the AWS Console:
  • CREATE_IN_PROGRESS — Stack is being created
  • CREATE_COMPLETE — Stack created successfully
Once complete, Yasu automatically detects the connection and begins syncing your data.
4

Verify Connection in Yasu

Return to your Yasu dashboard. You should see:
  • Connection status: Active
  • AWS Account ID: Your connected account
  • Data sync: In progress
Your first cost-saving insights will appear within 5-10 minutes after connection.

What the CloudFormation Template Creates

Our template creates the following resources in your AWS account:

1. Cross-Account IAM Role

A read-only IAM role that allows Yasu to access your cost and resource data: 
arn:aws:iam::YOUR-ACCOUNT-ID:role/YasuCostOptimizationRole

2. IAM Policies with Read-Only Permissions

The role includes two policies. The main policy (YasuCostOptimizationPolicy) grants read-only access across AWS services:
ServicePermissionsPurpose
Cost Explorerce:Describe*, ce:Get*, ce:List*Cost and usage data
Compute Optimizercompute-optimizer:Describe*, compute-optimizer:Get*Right-sizing recommendations
EC2ec2:Describe*, ec2:List*Instance, volume, and snapshot info
RDSrds:Describe*, rds:List*Database instance details
EKSeks:Describe*, eks:List*Kubernetes cluster info
Lambdalambda:Get*, lambda:List*Function configurations
S3s3:GetBucketLocation, s3:GetBucketTagging, s3:List*Storage bucket information
CloudWatchcloudwatch:Get*, cloudwatch:List*, cloudwatch:Describe*Utilization metrics
Organizationsorganizations:Describe*, organizations:List*Account structure
Savings Planssavingsplans:Describe*Savings plan coverage
Trusted Advisortrustedadvisor:Get*, trustedadvisor:List*, support:*AWS recommendations
A second policy (YasuCloudWatchMetricsReadOnly) grants read access to Container Insights logs and Auto Scaling metrics.
The policies below are from template version v0.0.1. For the latest version, see the CloudFormation template.Key statements:YasuBillingReadOnly — Read-only access to billing, cost, and resource data:
{
  "Sid": "YasuBillingReadOnly",
  "Effect": "Allow",
  "Action": [
    "application-autoscaling:Describe*",
    "aws-portal:ViewBilling",
    "aws-portal:ViewUsage",
    "budgets:Describe*",
    "budgets:View*",
    "ce:Describe*",
    "ce:Get*",
    "ce:List*",
    "cloudwatch:Get*",
    "cloudwatch:List*",
    "cloudwatch:Describe*",
    "cloudfront:GetDistribution",
    "cloudfront:GetDistributionConfig",
    "cloudfront:ListDistributions",
    "cloudfront:ListTagsForResource",
    "compute-optimizer:Describe*",
    "compute-optimizer:Get*",
    "cur:Describe*",
    "directconnect:Describe*",
    "ec2:Describe*",
    "ec2:List*",
    "ecr:Describe*",
    "ecr:List*",
    "eks:Describe*",
    "eks:List*",
    "elasticache:List*",
    "elasticfilesystem:Describe*",
    "elasticloadbalancing:Describe*",
    "es:Describe*",
    "es:List*",
    "glacier:Describe*",
    "kafka:Describe*",
    "kafka:List*",
    "lambda:Get*",
    "lambda:List*",
    "organizations:Describe*",
    "organizations:List*",
    "pi:Describe*",
    "pi:Get*",
    "pi:List*",
    "pricing:*",
    "rds:Describe*",
    "rds:List*",
    "redshift:Describe*",
    "redshift:List*",
    "route53:Get*",
    "route53:List*",
    "s3:GetBucketLocation",
    "s3:GetBucketTagging",
    "s3:List*",
    "sagemaker:Describe*",
    "sagemaker:List*",
    "savingsplans:Describe*",
    "sqs:List*",
    "ssm:Describe*",
    "ssm:List*",
    "support:*",
    "tag:Get*",
    "tag:GetResources",
    "trustedadvisor:Get*",
    "trustedadvisor:List*"
  ],
  "Resource": "*"
}
YasuContainerInsightsReadOnly — Container Insights log access:
{
  "Sid": "YasuContainerInsightsReadOnly",
  "Effect": "Allow",
  "Action": [
    "logs:List*",
    "logs:Describe*",
    "logs:StartQuery",
    "logs:StopQuery",
    "logs:Filter*",
    "logs:Get*"
  ],
  "Resource": "arn:aws:logs:*:*:log-group:/aws/containerinsights/*"
}
YasuContainerMetricsAccess — Auto Scaling and CloudWatch metrics:
{
  "Sid": "YasuContainerMetricsAccess",
  "Effect": "Allow",
  "Action": [
    "autoscaling:Describe*",
    "cloudwatch:Describe*",
    "cloudwatch:Get*",
    "cloudwatch:List*"
  ],
  "Resource": "*"
}

3. Cost and Usage Report (CUR)

An S3 bucket and CUR configuration for detailed billing data:
  • Bucket: yasu-cur-{unique-id}
  • Report granularity: Daily
  • Format: Parquet (optimized for analysis)

What Yasu Will Scan

Once connected, Yasu analyzes your AWS environment for optimization opportunities:

Cost Optimization Insights

  • Idle EC2 Instances — Running instances with low CPU/network utilization
  • Oversized Instances — Instances that can be downsized based on usage patterns
  • Unattached EBS Volumes — Volumes not connected to any instance
  • Old EBS Snapshots — Snapshots older than retention policies
  • Unused Elastic IPs — Static IPs not associated with running resources
  • Idle RDS Instances — Databases with minimal connections or queries
  • Underutilized Lambda — Functions with excess memory allocation
  • S3 Storage Classes — Buckets that could benefit from lifecycle policies

Savings Opportunities

  • Reserved Instance Coverage — Recommendations for RI purchases
  • Savings Plans — Compute and EC2 Savings Plan opportunities
  • Spot Instance Candidates — Workloads suitable for Spot pricing

Data Sync Schedule

Data TypeInitial SyncOngoing Sync
Cost dataLast 12 monthsDaily
Resource inventoryCurrent stateEvery 6 hours
Utilization metricsLast 14 daysDaily
RecommendationsWithin 24 hoursWeekly

Troubleshooting

Common causes:
  1. Insufficient permissions — Ensure you have cloudformation:*, iam:*, and s3:* permissions
  2. S3 bucket name conflict — The bucket name must be globally unique; try again to generate a new name
  3. Service limits — Check if you’ve hit IAM role limits
Solution: Delete the failed stack and try the connection again from Yasu.
What to check:
  1. Verify the CloudFormation stack status is CREATE_COMPLETE
  2. Check that the stack wasn’t rolled back
  3. Ensure the callback URL is accessible (no VPN/firewall blocking)
Solution: Wait 5 minutes, then refresh. If still pending, delete the stack and reconnect.
What to check:
  1. Cost Explorer is enabled — Go to AWS Billing → Cost Explorer → Enable
  2. Sufficient history — Cost Explorer needs ~24 hours to populate after first enable
  3. IAM permissions — Verify the role has ce:* permissions
Solution: Enable Cost Explorer if needed, then wait 24 hours for data to populate.
What to check:
  1. Regional coverage — Some resources may be in regions not yet scanned
  2. API rate limits — Large accounts may take longer to fully scan
  3. Missing permissions — Verify all Describe permissions are in place
Solution: Wait for the full sync cycle (up to 6 hours for large accounts).

Connecting Multiple AWS Accounts

If you have multiple AWS accounts (e.g., production, staging, development), you can connect each one:
  1. Go to SettingsIntegrations
  2. Click Connect AWS for each additional account
  3. Deploy the CloudFormation stack in each account
AWS Organizations: If you use AWS Organizations, connect the management account first for organization-wide visibility.

Next Steps

Connect GCP

Add your Google Cloud accounts for multi-cloud visibility.

Connect Azure

Add your Microsoft Azure accounts for multi-cloud visibility.