# AWS

> Complete guide to connect your AWS account to Yasu for cost analysis and optimization

Connect your **AWS account** to Yasu using our secure CloudFormation template. This one-click deployment creates a read-only IAM role that enables Yasu to analyze your cloud costs and provide optimization recommendations.

## Prerequisites

Before connecting your AWS account, ensure you have:

* **Administrative access** to your AWS account (or permissions to create IAM roles and CloudFormation stacks)
* **Cost Explorer enabled** in your AWS account
* Access to the AWS Console

<Info>
  **Security First:** Yasu uses a cross-account IAM role with read-only permissions. We cannot modify or delete any of your AWS resources.
</Info>

## Quick Setup via CloudFormation

The fastest way to connect your AWS account is through our pre-configured CloudFormation template.

<Steps>
  <Step title="Navigate to Integrations">
    1. Log in to your Yasu dashboard at [app.yasu.cloud](https://app.yasu.cloud)
    2. Go to **Settings** → **Integrations**
    3. Click **Connect AWS**
  </Step>

  <Step title="Deploy the CloudFormation Stack">
    You'll be redirected to AWS CloudFormation with our template pre-loaded.

    1. **Review the stack name** — A unique name is generated for you (e.g., `YasuIntegration-abc123`)
    2. **Review the parameters** — These are automatically filled in:
       * `YasuCustomerId` — Your unique Yasu customer ID
       * `YasuExternalId` — A secure token for cross-account access
       * `BucketName` — S3 bucket for Cost and Usage Reports
       * `ReportName` — Name for your AWS CUR report
    3. **Scroll to the bottom** and check the acknowledgment box:
       > ☑️ I acknowledge that AWS CloudFormation might create IAM resources.
    4. Click **Create stack**

    <Warning>
      **Do not modify the parameters** — They are pre-configured to work with your Yasu account.
    </Warning>
  </Step>

  <Step title="Wait for Stack Creation">
    The CloudFormation stack typically completes in **2-3 minutes**. You can monitor the progress in the AWS Console:

    * `CREATE_IN_PROGRESS` — Stack is being created
    * `CREATE_COMPLETE` — Stack created successfully

    Once complete, Yasu automatically detects the connection and begins syncing your data.
  </Step>

  <Step title="Verify Connection in Yasu">
    Return to your Yasu dashboard. You should see:

    * ✅ **Connection status**: Active
    * ✅ **AWS Account ID**: Your connected account
    * ✅ **Data sync**: In progress

    <Check>
      Your first cost-saving insights will appear within **5-10 minutes** after connection.
    </Check>
  </Step>
</Steps>

## What the CloudFormation Template Creates

Our template creates the following resources in your AWS account:

### 1. Cross-Account IAM Role

A read-only IAM role that allows Yasu to access your cost and resource data:

```
arn:aws:iam::YOUR-ACCOUNT-ID:role/YasuCostOptimizationRole
```
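A check you can run against the deployed role's trust policy, as an added example (not Yasu's code and not part of the template). It assumes the role's trust policy restricts `sts:AssumeRole` to one vendor account with an `sts:ExternalId` condition, which the `YasuExternalId` parameter suggests but this page does not show; the account ID and external ID in the sample are constructed placeholders.

```python
import json

# Constructed sample of a role's trust policy, shaped like the AssumeRolePolicyDocument
# from `aws iam get-role`. Account ID and external ID are placeholders, not Yasu's values.
SAMPLE_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}""")

def as_list(value):
    """IAM policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_trust(doc, vendor_account, external_id):
    """Return a list of problems in a cross-account trust policy (empty list = OK)."""
    problems = []
    for st in as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            problems.append("principal is '*'")
            continue
        for kind, values in principal.items():
            for p in as_list(values):
                # Accept only the expected account, as a bare ID or inside an IAM ARN.
                ok = kind == "AWS" and (p == vendor_account or f"::{vendor_account}:" in p)
                if not ok:
                    problems.append(f"unexpected principal {kind}={p}")
        # Condition key names are case-insensitive in IAM, so compare them lower-cased.
        equals = {k.lower(): v
                  for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        if as_list(equals.get("sts:externalid", [])) != [external_id]:
            problems.append("sts:ExternalId is missing or does not match")
    return problems

if __name__ == "__main__":
    print(check_trust(SAMPLE_TRUST, "111122223333", "EXAMPLE-EXTERNAL-ID") or "trust policy OK")
```

Feed it the `AssumeRolePolicyDocument` of `YasuCostOptimizationRole` together with the vendor account ID and the external ID shown in the stack parameters.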

### 2. IAM Policies with Read-Only Permissions

The role includes two policies. The main policy (`YasuCostOptimizationPolicy`) grants read-only access across AWS services:

| Service           | Permissions                                                   | Purpose                             |
| ----------------- | ------------------------------------------------------------- | ----------------------------------- |
| Cost Explorer     | `ce:Describe*`, `ce:Get*`, `ce:List*`                         | Cost and usage data                 |
| Compute Optimizer | `compute-optimizer:Describe*`, `compute-optimizer:Get*`       | Right-sizing recommendations        |
| EC2               | `ec2:Describe*`, `ec2:List*`                                  | Instance, volume, and snapshot info |
| RDS               | `rds:Describe*`, `rds:List*`                                  | Database instance details           |
| EKS               | `eks:Describe*`, `eks:List*`                                  | Kubernetes cluster info             |
| Lambda            | `lambda:Get*`, `lambda:List*`                                 | Function configurations             |
| S3                | `s3:GetBucketLocation`, `s3:GetBucketTagging`, `s3:List*`     | Storage bucket information          |
| CloudWatch        | `cloudwatch:Get*`, `cloudwatch:List*`, `cloudwatch:Describe*` | Utilization metrics                 |
| Organizations     | `organizations:Describe*`, `organizations:List*`              | Account structure                   |
| Savings Plans     | `savingsplans:Describe*`                                      | Savings plan coverage               |
| Trusted Advisor   | `trustedadvisor:Get*`, `trustedadvisor:List*`, `support:*`    | AWS recommendations                 |

A second policy (`YasuCloudWatchMetricsReadOnly`) grants read access to Container Insights logs and Auto Scaling metrics.

<Accordion title="View full IAM policies">
  The policies below are from template version `v0.0.1`. For the latest version, see the [CloudFormation template](https://yasu-public.s3.eu-central-1.amazonaws.com/root/yasu-cf-template-v0.0.1.json).

  Key statements:

  **YasuBillingReadOnly** — Read-only access to billing, cost, and resource data:

  ```json
  {
    "Sid": "YasuBillingReadOnly",
    "Effect": "Allow",
    "Action": [
      "application-autoscaling:Describe*",
      "aws-portal:ViewBilling",
      "aws-portal:ViewUsage",
      "budgets:Describe*",
      "budgets:View*",
      "ce:Describe*",
      "ce:Get*",
      "ce:List*",
      "cloudwatch:Get*",
      "cloudwatch:List*",
      "cloudwatch:Describe*",
      "cloudfront:GetDistribution",
      "cloudfront:GetDistributionConfig",
      "cloudfront:ListDistributions",
      "cloudfront:ListTagsForResource",
      "compute-optimizer:Describe*",
      "compute-optimizer:Get*",
      "cur:Describe*",
      "directconnect:Describe*",
      "ec2:Describe*",
      "ec2:List*",
      "ecr:Describe*",
      "ecr:List*",
      "eks:Describe*",
      "eks:List*",
      "elasticache:List*",
      "elasticfilesystem:Describe*",
      "elasticloadbalancing:Describe*",
      "es:Describe*",
      "es:List*",
      "glacier:Describe*",
      "kafka:Describe*",
      "kafka:List*",
      "lambda:Get*",
      "lambda:List*",
      "organizations:Describe*",
      "organizations:List*",
      "pi:Describe*",
      "pi:Get*",
      "pi:List*",
      "pricing:*",
      "rds:Describe*",
      "rds:List*",
      "redshift:Describe*",
      "redshift:List*",
      "route53:Get*",
      "route53:List*",
      "s3:GetBucketLocation",
      "s3:GetBucketTagging",
      "s3:List*",
      "sagemaker:Describe*",
      "sagemaker:List*",
      "savingsplans:Describe*",
      "sqs:List*",
      "ssm:Describe*",
      "ssm:List*",
      "support:*",
      "tag:Get*",
      "tag:GetResources",
      "trustedadvisor:Get*",
      "trustedadvisor:List*"
    ],
    "Resource": "*"
  }
  ```

  **YasuContainerInsightsReadOnly** — Container Insights log access:

  ```json
  {
    "Sid": "YasuContainerInsightsReadOnly",
    "Effect": "Allow",
    "Action": [
      "logs:List*",
      "logs:Describe*",
      "logs:StartQuery",
      "logs:StopQuery",
      "logs:Filter*",
      "logs:Get*"
    ],
    "Resource": "arn:aws:logs:*:*:log-group:/aws/containerinsights/*"
  }
  ```

  **YasuContainerMetricsAccess** — Auto Scaling and CloudWatch metrics:

  ```json
  {
    "Sid": "YasuContainerMetricsAccess",
    "Effect": "Allow",
    "Action": [
      "autoscaling:Describe*",
      "cloudwatch:Describe*",
      "cloudwatch:Get*",
      "cloudwatch:List*"
    ],
    "Resource": "*"
  }
  ```
</Accordion>
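A way to review the three statements above before deploying, as an added example (not part of Yasu's template or tooling). It flags every action whose verb falls outside a read-prefix heuristic (`Describe`, `Get`, `List`, `View`, chosen here as an assumption) and every action already covered by a wildcard in the same statement.

```python
from fnmatch import fnmatchcase

# Verb prefixes treated as read-only: a reviewer's heuristic (assumption), not an AWS definition.
READ_VERBS = ("Describe", "Get", "List", "View")
# Statements copied from this page (template v0.0.1): Sid -> (Resource, actions).
STATEMENTS = {
    "YasuBillingReadOnly": ("*", """
        application-autoscaling:Describe* aws-portal:ViewBilling aws-portal:ViewUsage
        budgets:Describe* budgets:View* ce:Describe* ce:Get* ce:List* cloudwatch:Get*
        cloudwatch:List* cloudwatch:Describe* cloudfront:GetDistribution
        cloudfront:GetDistributionConfig cloudfront:ListDistributions
        cloudfront:ListTagsForResource compute-optimizer:Describe* compute-optimizer:Get*
        cur:Describe* directconnect:Describe* ec2:Describe* ec2:List* ecr:Describe*
        ecr:List* eks:Describe* eks:List* elasticache:List* elasticfilesystem:Describe*
        elasticloadbalancing:Describe* es:Describe* es:List* glacier:Describe*
        kafka:Describe* kafka:List* lambda:Get* lambda:List* organizations:Describe*
        organizations:List* pi:Describe* pi:Get* pi:List* pricing:* rds:Describe*
        rds:List* redshift:Describe* redshift:List* route53:Get* route53:List*
        s3:GetBucketLocation s3:GetBucketTagging s3:List* sagemaker:Describe*
        sagemaker:List* savingsplans:Describe* sqs:List* ssm:Describe* ssm:List*
        support:* tag:Get* tag:GetResources trustedadvisor:Get* trustedadvisor:List*"""),
    "YasuContainerInsightsReadOnly": (
        "arn:aws:logs:*:*:log-group:/aws/containerinsights/*",
        "logs:List* logs:Describe* logs:StartQuery logs:StopQuery logs:Filter* logs:Get*"),
    "YasuContainerMetricsAccess": (
        "*", "autoscaling:Describe* cloudwatch:Describe* cloudwatch:Get* cloudwatch:List*"),
}

def needs_review(action):
    """True when the verb is a bare wildcard or does not start with a read prefix."""
    return not action.split(":", 1)[1].startswith(READ_VERBS)

def audit(statements):
    """(sid, action, resource) for each action outside the read-verb heuristic."""
    return [(sid, action, resource)
            for sid, (resource, actions) in statements.items()
            for action in actions.split() if needs_review(action)]

def redundant(statements):
    """(sid, action, pattern) where another pattern in the same statement covers action."""
    return [(sid, a, p)
            for sid, (_, actions) in statements.items()
            for a in actions.split() for p in actions.split()
            if a != p and fnmatchcase(a, p)]

if __name__ == "__main__":
    for kind, rows in (("review", audit(STATEMENTS)), ("overlap", redundant(STATEMENTS))):
        for row in rows:
            print(kind, *row)
```

A flagged action is a prompt for manual review, not proof of write access: the `logs:` entries run queries against the scoped Container Insights log groups, while `support:*` also covers case-management actions such as `support:CreateCase`.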

### 3. Cost and Usage Report (CUR)

An S3 bucket and CUR configuration for detailed billing data:

* **Bucket**: `yasu-cur-{unique-id}`
* **Report granularity**: Daily
* **Format**: Parquet (optimized for analysis)

## What Yasu Will Scan

Once connected, Yasu analyzes your AWS environment for optimization opportunities:

### Cost Optimization Insights

* **Idle EC2 Instances** — Running instances with low CPU/network utilization
* **Oversized Instances** — Instances that can be downsized based on usage patterns
* **Unattached EBS Volumes** — Volumes not connected to any instance
* **Old EBS Snapshots** — Snapshots older than retention policies
* **Unused Elastic IPs** — Static IPs not associated with running resources
* **Idle RDS Instances** — Databases with minimal connections or queries
* **Underutilized Lambda** — Functions with excess memory allocation
* **S3 Storage Classes** — Buckets that could benefit from lifecycle policies

### Savings Opportunities

* **Reserved Instance Coverage** — Recommendations for RI purchases
* **Savings Plans** — Compute and EC2 Savings Plan opportunities
* **Spot Instance Candidates** — Workloads suitable for Spot pricing

## Data Sync Schedule

| Data Type           | Initial Sync    | Ongoing Sync  |
| ------------------- | --------------- | ------------- |
| Cost data           | Last 12 months  | Daily         |
| Resource inventory  | Current state   | Every 6 hours |
| Utilization metrics | Last 14 days    | Daily         |
| Recommendations     | Within 24 hours | Weekly        |

## Troubleshooting

<AccordionGroup>
  <Accordion title="Stack creation failed">
    **Common causes:**

    1. **Insufficient permissions** — Ensure you have `cloudformation:*`, `iam:*`, and `s3:*` permissions
    2. **S3 bucket name conflict** — The bucket name must be globally unique; try again to generate a new name
    3. **Service limits** — Check if you've hit IAM role limits

    **Solution:** Delete the failed stack and try the connection again from Yasu.
  </Accordion>

  <Accordion title="Connection shows as pending">
    **What to check:**

    1. Verify the CloudFormation stack status is `CREATE_COMPLETE`
    2. Check that the stack wasn't rolled back
    3. Ensure the callback URL is accessible (no VPN/firewall blocking)

    **Solution:** Wait 5 minutes, then refresh. If still pending, delete the stack and reconnect.
  </Accordion>

  <Accordion title="Missing cost data">
    **What to check:**

    1. **Cost Explorer is enabled** — Go to AWS Billing → Cost Explorer → Enable
    2. **Sufficient history** — Cost Explorer needs ~24 hours to populate after first enable
    3. **IAM permissions** — Verify the role has the Cost Explorer permissions (`ce:Describe*`, `ce:Get*`, `ce:List*`)

    **Solution:** Enable Cost Explorer if needed, then wait 24 hours for data to populate.
  </Accordion>

  <Accordion title="Incomplete resource scan">
    **What to check:**

    1. **Regional coverage** — Some resources may be in regions not yet scanned
    2. **API rate limits** — Large accounts may take longer to fully scan
    3. **Missing permissions** — Verify all Describe permissions are in place

    **Solution:** Wait for the full sync cycle (up to 6 hours for large accounts).
  </Accordion>
</AccordionGroup>

## Connecting Multiple AWS Accounts

If you have multiple AWS accounts (e.g., production, staging, development), you can connect each one:

1. Go to **Settings** → **Integrations**
2. Click **Connect AWS** for each additional account
3. Deploy the CloudFormation stack in each account

<Tip>
  **AWS Organizations:** If you use AWS Organizations, connect the management account first for organization-wide visibility.
</Tip>

## Next Steps

<CardGroup cols={2}>
  <Card title="Connect GCP" icon="google" href="/guides/connect-gcp">
    Add your Google Cloud accounts for multi-cloud visibility.
  </Card>

  <Card title="Connect Azure" icon="microsoft" href="/guides/connect-azure">
    Add your Microsoft Azure accounts for multi-cloud visibility.
  </Card>
</CardGroup>
