Configure Cost and Usage reports
Cost and Usage Reports provide the most detailed information on your usage and bills. They can be configured to deliver 1 line per resource, for every hour of the day. They must be configured to enable you to access and analyze your usage and billing information.
If you configure multiple Cost and Usage Reports (CURs), then it is recommended to have 1 CUR per bucket. If you must have multiple CURs in a single bucket, ensure you use a different report path prefix so it is clear they are different reports.
Log in to your management account as an IAM user with the required permissions, and go to the Billing console:

Select Cost & Usage Reports from the left menu:

Click on Create report:

Enter a Report name (it can be any name, but we recommend including the management account id in the name), ensure you have selected Include resource IDs and Data refresh settings, then click on Next:

Click on Configure:

Enter a unique bucket name, and ensure the region is correct, click Next:

Read and verify the policy, this will allow AWS to deliver billing reports to the bucket. Click on I have confirmed that this policy is correct, then click Save:

Verify the settings:
- Ensure your bucket is a Valid Bucket (if not, verify the bucket policy)
- Enter a Report path prefix (it can be any word, but we recommend cur-<Your Management Account ID) without any ‘/’ characters
- Ensure the Time Granularity is Hourly
- Report Versioning is set to Overwrite existing report
- Under Enable report data integration for select Amazon Athena, and click Next:

- Review the configuration, scroll to the bottom and click on Review and Complete:

You have successfully configured a Cost and Usage Report to be delivered. It may take up to 24hrs for the first report to be delivered.
There will be S3 Costs incurred to store the CUR, however the CUR is compressed to minimize costs.
We will update the CUR bucket so that the Cost Optimization linked account can access the CURs. There are two options. Option 1 allows the Cost Optimization linked account to access the CURs, but does not copy the CUR files to the account. Option 2 uses S3 Replication to create a copy of the CUR in an S3 Bucket in your Cost Optimization Account. If you are unsure what option to use we recommend option 1.
Option 1 allows the Cost Optimization linked account to access the CURs, but does not copy the CUR files to the account. If you are unsure what option to use we recommend option 1.
Click here to continue with the option 1
Go to the S3 console, select the CUR Bucket, select Permissions:

Scroll down to the Bucket Policy section and select Edit

Add S3 read access to the Cost Optimization account by adding the following statements under the current bucket policy. Edit (Cost Optimization Member account ID) and (CUR bucket) and update the bucket policy:
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::(Cost Optimization Member account ID):root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::(CUR bucket)"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::(Cost Optimization Member account ID):root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::(CUR bucket)/*"
}
Click here for a completed example policy
{
"Version": "2008-10-17",
"Id": "123",
"Statement": [
{
"Sid": "Stmt1335892150622",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::386209384616:root"
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketPolicy"
],
"Resource": "arn:aws:s3:::(CUR Bucket)"
},
{
"Sid": "Stmt1335892526596",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::386209384616:root"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::(CUR Bucket)/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::(Cost Optimization Member Account ID):root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::(CUR Bucket)"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::(Cost Optimization Member Account ID):root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::(CUR Bucket)/*"
}
]
}
Scroll down to the Object Ownership section and select Edit

Select Bucket owner preferred, click Save

When CUR files are delivered they will now automatically have permissions allowing the bucket owner full control. Re-write of the object ACLs is no longer necessary.
Update existing CURs
If there are existing CURs from other reports that need permissions to be updated, you can use the following CLI - which will copy the objects over themselves and update the permissions as it copies. You can use this link to find you canonical ID’s.
aws s3 cp --recursive s3://(CUR bucket) s3://(CUR bucket) --grants read=id=(sub account canonical ID) full=id=(management account canonical ID) --storage-class STANDARD
NOTE: Congratulations - you will now have CURs delivered and accessible by your Cost Optimization account. | |
---|
Option 2: Replicate the CUR Bucket to your Cost Optimization account (Consolidate Multi-Payer CURs)
Option 2 uses S3 Replication to create a copy of the CUR in an S3 Bucket in your Cost Optimization Account. If you have multiple Management Accounts (multi-Payer) or wish you create a single CUR source for groupings of your member account CUR(s) we recommend this option.
Click here to continue with the option 2
Create your Cost Optimization account CUR Bucket
We will now create a bucket in your Cost Optimization account that will hold the replicated CUR(s)
Log into you Cost Optimization Account and navigate to Amazon S3
Select Create bucket

Add an S3 Bucket name select your preferred region and Enable Bucket versioning

Select your new S3 Bucket, select Permissions:

Scroll down to the Bucket Policy section and select Edit

Edit, apply and save the following S3 bucket policy replacing respective placeholders (ManagementAccountA), (ManagementAccountB) and (Cost Optimization Account CUR BucketName). You can add more management accounts to the policy if needed. If using only one Management account you will remove ,"(ManagementAccountB)"
{
"Version": "2008-10-17",
"Id": "PolicyForCombinedBucket",
"Statement": [
{
"Sid": "Set permissions for objects",
"Effect": "Allow",
"Principal": {
"AWS": ["(ManagementAccountA)","(ManagementAccountB)"]
},
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete"
],
"Resource": "arn:aws:s3:::(Cost Optimization Account CUR BucketName)/*"
},
{
"Sid": "Set permissions on bucket",
"Effect": "Allow",
"Principal": {
"AWS": ["(ManagementAccountA)","(ManagementAccountB)"]
},
"Action": [
"s3:List*",
"s3:GetBucketVersioning",
"s3:PutBucketVersioning"
],
"Resource": "arn:aws:s3:::(Cost Optimization Account CUR BucketName)"
},
{
"Sid": "Set permissions to pass object ownership",
"Effect": "Allow",
"Principal": {
"AWS": ["(ManagementAccountA)","(ManagementAccountB)"]
},
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:ReplicateTags",
"s3:GetObjectVersionTagging",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::(Cost Optimization Account CUR BucketName)/*"
}
]
}
- Log into your Management Account and navigate to Amazon S3
- Select the CUR Bucket, then select Properties:

- Scroll down to the Bucket Versioning section click Edit

- Set Bucket versioning to Enabled

- Select the Management tab, then click on Create replication rule under Replication rules/

- Create your replication rule by updating the following fields then click Save
- Add a Replication rule name of CUR-Bucket-Replication
- Select Specify a bucket in another account under Destination
- Add your Cost Optimization Account ID
- Add your Cost Optimization S3 CUR Bucket name
- Select Change object ownership to destination bucket owner
- Select Create new role under the IAM role section
- Leave rest of the settings as default

NOTE: If you have a multi-Management (multi-Payer) structure or are using multiple member CURs, repeat the replication process in each Management or member CUR account | |
---|
Update existing CURs - Optional
If you would like to sync historical objects in your Management account CUR S3 bucket to your Cost Optimization account S3 bucket, you can use the following CLI:
aws s3 sync s3://<Management_Account_CUR_Bucket_Name> s3://<Cost_Optimization_Account_CUR_Bucket_Name> --acl bucket-owner-full-control
NOTE: Congratulations - you will now have CURs delivered and accessible by your Cost Optimization account. | |
---|
Visit the Well-Architected Level 200: Cost and Usage Analysis lab to learn how to analyze your CUR in Athena and create a single Athena CUR table for multi-Management (multi-Payer) or multiple member CURs