

# Customizations
<a name="customizations"></a>

## Last Updated
<a name="last-updated"></a>

March 2026

If you wish to provide feedback on this lab, or you have spotted an error, or have any improvement suggestion, please email: [cloud-intelligence-dashboards@amazon.com](mailto:cloud-intelligence-dashboards@amazon.com) 

## Cloud Intelligence Dashboards Customizations
<a name="cloud-intelligence-dashboards-customizations"></a>

Now that you have the Cloud Intelligence Dashboards deployed, you can follow some of these steps to customize your deployment as per your business needs. The amount of customization you can do is unlimited, so here we will attempt to show you how to get started with some common customization requests. Have an idea for another one? Please send it to us at the e-mail address above.

## Customization Guides
<a name="customization-guides"></a>
+  [Create Analysis (Required)](create-analysis.md) 
+  [Adding Cost Allocation Tags](adding-cost-allocation-tags.md) 
+  [Filtering Visuals by Cost Allocation Tags](filtering-visuals-by-cost-allocation.md) 
+  [Net Amortized cost](net-amortized-cost.md) 
+  [Organization (OU) integration](organization-integration.md) 
+  [Removing Discounts](remove-discount.md) 
+  [Publishing as single sign-on (SSO) Application](publishing-as-sso-application.md) 
+  [Row Level Security](row-level-security.md) 
+  [SaaS Unit Metrics](saas-unit-metrics.md) 
+  [Tailoring Data Collector schedules](tailor-data-collector.md) 
+  [Data Collection without AWS Organizations](data-collection-without-org.md) 
+  [AWS Spend in Local Currency](spend-in-local-currency.md) 
+  [Granular Data Collection Control](granular-data-collection-control.md) 

# Create Analysis (Required)
<a name="create-analysis"></a>

## Last Updated
<a name="last-updated"></a>

November 2023

## Create an Analysis
<a name="create-an-analysis"></a>

It’s possible to change an existing dashboard and customize existing visuals and also add your own visuals with your own business logic. The first step in order to have an editable dashboard is to create an Analysis from the dashboard deployed in your account. This is effectively a branch from the main template and any dashboard you publish from here will be separate from your templated dashboard.

![\[How to create analysis animation\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/create_analysis.gif)


### Step-by-step instructions for creating an editable Analysis
<a name="collapsible-section-id-create-analysis-1"></a>

1. Visit the dashboard you wish to customize in Quick Sight

1. In the top right, click the **Share** icon, then choose **Share dashboard** from the dropdown  
![\[Share Dashboard on CUDOS dashboard\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/qs_share_dashboard.png)

1. Toggle **Allow "save as"** for your own user account and click on **Confirm** in the "Enable save as" prompt

1. Click the **Go back** link in the top left  
![\[Allow Save as on CUDOS dashboard\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/qs_allow_save_as.png)

1. When you’re returned to the dashboard, refresh the web page by reloading the URL or pressing the browser refresh button

1. Now you will see a new **Save** icon in the upper right corner  
![\[Save icon on CUDOS dashboard\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/qs_save.png)

1. Click on the **Save** icon, enter a name for the Analysis (for example **CUDOS Analysis**) and click on the **Save** button  
![\[Save Analysis prompt on CUDOS dashboard\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cudos_analysis.png)

1. Wait for a few seconds and the customizable Analysis will open in the same window.

![\[CUDOS Analysis\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cudos_analysis_view.png)


### Video instructions for creating an editable Analysis
<a name="collapsible-section-id-create-analysis-2"></a>

[AWS Videos](https://www.youtube.com/embed/YNQBBM5RQtc?rel=0)


Once you have a customizable Quick Sight Analysis created from the above steps, you can begin to implement the customizations outlined in this section of the workshop. Click **Next** below to see the first module on Adding Tags.

# Adding Cost Allocation Tags
<a name="adding-cost-allocation-tags"></a>

## DEPRECATED
<a name="deprecated"></a>

This content is DEPRECATED. Please use [Organizational Taxonomy Guide](add-org-taxonomy.md).

## Last Updated
<a name="last-updated"></a>

October 2024

## Introduction
<a name="introduction"></a>

Now that you have your CID dashboards deployed, you may want to view or group some of the visuals by tags you’re using. Common use cases include seeing spend by application, identifying opportunity by cost category, or building charge-back mechanisms to business units.

If you have cost allocation tags or cost categories setup in your AWS account, you will see those tags in your CUR. They show up as their own column. You can confirm that these tags are present by going to Athena and expanding your CUR table. If you scroll down, you should find your tags and cost categories.

## Prerequisites
<a name="prerequisites"></a>

For this solution you must have the following:
+ Access to your AWS Organizations and ability to tag resources
+ Enabled cost allocation tags in Cost Explorer.
  +  [Activating AWS cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/activate-built-in-tags.html) 
  +  [Activating user cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/activating-tags.html) 

## Step by Step Guide
<a name="step-by-step-guide"></a>

This guide assumes you have enabled one or more [user](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/activating-tags.html) or [AWS](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/activate-built-in-tags.html) tags and waited up to 24 hours for the tags to become available in the CUR data, and for Amazon Quick Sight to refresh datasets.

### Step 1. Modify Queries in Athena
<a name="step-1-modify-queries-in-athena"></a>

You will need to modify several queries in Athena to add the tags. Queries that you can modify to enable tags are:
+ summary_view
+ hourly_view
+ resource_view

Follow instructions depending on the CUR version you use:

**CUR table with one column per tag (columns prefixed resource_tags_)**  

1. Navigate in the AWS Console to the **Athena** service

1. Select the **AwsDataCatalog** in the **DataSource** drop down

1. In the **Database** drop down select the database where your CUR table is located.

1. We’ll first confirm that we see the tags in the CUR table.

1. In the tables list, locate your CUR table and click the plus sign next to the table to expand all the fields for that table.

1. Above the table list, type **resource_tags_** to display the AWS and user tags that were enabled in Cost Explorer.

1. After confirming that the tags you would like to add are available, clear your search and we’ll modify the first view.

1. Under Views, scroll down until you locate the **summary_view**.

1. Select the three dots to the right of the view and select **Show/edit query** from the context menu.  
![\[Athena Query editor highlighting the summary view query and its context menu to select show edit query\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_showedit_qry.png)

1. In the query, add a blank line after the line `, "line_item_usage_account_id" "linked_account_id"`.

   ```
   CREATE OR REPLACE VIEW "summary_view" AS
   SELECT
   "year"
   , "month"
   , "bill_billing_period_start_date" "billing_period"
   , (CASE WHEN ("date_trunc"('month', "line_item_usage_start_date") >= ("date_trunc"('month', current_timestamp) - INTERVAL  '3' MONTH)) THEN "date_trunc"('day', "line_item_usage_start_date") ELSE "date_trunc"('month', "line_item_usage_start_date") END) "usage_date"
   , "bill_payer_account_id" "payer_account_id"
   , "line_item_usage_account_id" "linked_account_id"

   , "bill_invoice_id" "invoice_id"
   , "line_item_line_item_type" "charge_type"...
   ```

1. From the table list, expand your CUR table and filter on **resource_tags_**.

1. Double-click on the first tag that you want to add. Remove the trailing comma that is added and place a comma at the beginning of that line. It will look like this:

   ```
   CREATE OR REPLACE VIEW "summary_view" AS
   SELECT
   "year"
   , "month"
   , "bill_billing_period_start_date" "billing_period"
   , (CASE WHEN ("date_trunc"('month', "line_item_usage_start_date") >= ("date_trunc"('month', current_timestamp) - INTERVAL  '3' MONTH)) THEN "date_trunc"('day', "line_item_usage_start_date") ELSE "date_trunc"('month', "line_item_usage_start_date") END) "usage_date"
   , "bill_payer_account_id" "payer_account_id"
   , "line_item_usage_account_id" "linked_account_id"
   , "resource_tags_user_cost_center" "cost_center_tag"
   , "bill_invoice_id" "invoice_id"
   , "line_item_line_item_type" "charge_type"...
   ```

1. Add a **friendly name** to the field. In our example we’ll add **cost_center_tag**.

1. Scroll down and add the next highest number in the **GROUP BY** clause.

   ```
   GROUP BY 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37
   ```

1. For each additional tag that you want, create a blank line below the preceding one and repeat the same steps.

1. When you’ve completed adding all of the fields, click the **RUN** button and confirm that the query view updates successfully.  
![\[Inset show the run again button of the query window and the successful result\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_runagain.png)

1. Repeat the steps above on the **hourly_view** and **resource_view** datasets.

**CUR table with a resource_tags map column (table cur2 in the data_export database)**  

1. Navigate in the AWS Console to the **Athena** service

1. Select the **AwsDataCatalog** in the **DataSource** drop down

1. In the **Database** drop down select the database where your CUR table is located (`data_export`).

1. We’ll first confirm that we see the tags in the CUR table. Run this query to list all available Tag keys.

   ```
     SELECT DISTINCT key
     FROM cur2
     CROSS JOIN UNNEST(map_keys(resource_tags)) AS t(key)
   ```

1. After confirming that the tags you would like to add are available, we can start with the first view.

1. Under Views, scroll down until you locate the **summary_view**.

1. Select the three dots to the right of the view and select **Show/edit query** from the context menu.

1. In the query, add a blank line after the line `, "line_item_usage_account_id" "linked_account_id"`.

   ```
     CREATE OR REPLACE VIEW "summary_view" AS
     SELECT
       split_part("billing_period", '-', 1) "year"
     , split_part("billing_period", '-', 2) "month"
     , "bill_billing_period_start_date" "billing_period"
     , (CASE WHEN ("date_trunc"('month', "line_item_usage_start_date") >= ("date_trunc"('month', current_timestamp) - INTERVAL  '3' MONTH)) THEN "date_trunc"('day', "line_item_usage_start_date") ELSE "date_trunc"('month', "line_item_usage_start_date") END) "usage_date"
     , "bill_payer_account_id" "payer_account_id"
     , "line_item_usage_account_id" "linked_account_id"
     , resource_tags['user_cost_center'] as cost_center_tag    -- <- NEW LINE ADDED
     , "bill_invoice_id" "invoice_id"
     , "line_item_line_item_type" "charge_type"...
   ```

1. Add a **friendly name** to the field. In our example we’ll add **cost_center_tag**.

1. Scroll down and add the next highest number in the **GROUP BY** clause.

   ```
   GROUP BY 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37
   ```

1. For each additional tag that you want, create a blank line below the preceding one and repeat the same steps.

1. When you’ve completed adding all of the fields, click the **RUN** button and confirm that the query view updates successfully.  
![\[Inset show the run again button of the query window and the successful result\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_runagain.png)

1. Repeat the steps above on the **hourly_view** and **resource_view** datasets.
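
The edit is the same for each of the three views and has to be redone whenever a view definition is replaced, so it can be scripted. The following is an added example, not code from the Cloud Intelligence Dashboards project: the function names, the identifier allow-list and the abbreviated sample view are assumptions, and it assumes the view groups by ordinals 1..N with all non-aggregated columns listed first, as in the snippets above.

```python
import re

# Column the guide uses as the insertion point in each view.
ANCHOR = '"line_item_usage_account_id" "linked_account_id"'
# Allow-list for tag keys and friendly names, so that only a plain
# identifier is ever spliced into the view DDL (assumed convention).
IDENT = re.compile(r"[a-z][a-z0-9_]{0,62}")
GROUP_BY = re.compile(r"GROUP BY\s+(\d+(?:\s*,\s*\d+)*)", re.IGNORECASE)

# Constructed, heavily abbreviated stand-in for a real view definition.
SAMPLE_VIEW = """CREATE OR REPLACE VIEW "summary_view" AS
SELECT
  split_part("billing_period", '-', 1) "year"
, split_part("billing_period", '-', 2) "month"
, "bill_payer_account_id" "payer_account_id"
, "line_item_usage_account_id" "linked_account_id"
, "bill_invoice_id" "invoice_id"
, sum("line_item_unblended_cost") "unblended_cost"
FROM "data_export"."cur2"
GROUP BY 1, 2, 3, 4, 5
"""


def tag_column(tag_key, friendly_name, cur2=True):
    """Build one select-list line for a tag, rejecting unsafe identifiers."""
    for value in (tag_key, friendly_name):
        if not IDENT.fullmatch(value):
            raise ValueError(f"not a plain identifier: {value!r}")
    if cur2:
        # Map-typed resource_tags column (cur2 table).
        return f", resource_tags['{tag_key}'] as {friendly_name}"
    # One column per tag, prefixed resource_tags_.
    return f', "resource_tags_{tag_key}" "{friendly_name}"'


def add_tags(view_sql, tags, cur2=True):
    """Insert tag columns after the anchor line and add one GROUP BY
    ordinal per inserted column. Tags whose friendly name already
    appears in the view are skipped, so re-running is harmless."""
    new = []
    for tag_key, friendly_name in tags:
        column = tag_column(tag_key, friendly_name, cur2)  # validates first
        if not re.search(rf"\b{friendly_name}\b", view_sql):
            new.append(column)
    if not new:
        return view_sql

    lines = view_sql.splitlines()
    anchors = [i for i, line in enumerate(lines) if ANCHOR in line]
    if len(anchors) != 1:
        raise ValueError("expected exactly one anchor line in the view")
    lines[anchors[0] + 1:anchors[0] + 1] = new
    sql = "\n".join(lines) + ("\n" if view_sql.endswith("\n") else "")

    matches = list(GROUP_BY.finditer(sql))
    if len(matches) != 1:
        raise ValueError("expected exactly one ordinal GROUP BY clause")
    ordinals = [int(n) for n in matches[0].group(1).split(",")]
    if ordinals != list(range(1, len(ordinals) + 1)):
        raise ValueError("GROUP BY is not the contiguous list 1..N")
    last = len(ordinals)
    extended = ordinals + list(range(last + 1, last + 1 + len(new)))
    start, end = matches[0].span(1)
    return sql[:start] + ", ".join(map(str, extended)) + sql[end:]


if __name__ == "__main__":
    print(add_tags(SAMPLE_VIEW, [("user_cost_center", "cost_center_tag")]))
```

Paste the printed statement into the Athena query editor and run it as in the steps above; the script only rewrites text and does not call any AWS API.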

### Step 2. Modify Data Set in Amazon Quick Sight
<a name="step-2-modify-data-set-in-amazon-quick-sight"></a>

Next the data set in Amazon Quick Sight needs to be updated so that you can see the added fields to use them in your Dashboards and Analyses.

1. Navigate to Amazon Quick Sight in the console.  
![\[AWS Console search with results for Quick Sight\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_navqs.png)

1. Select Datasets on the left side of the page.  
![\[Left navigation in Quick Sight with datasets option highlighted\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_qs_ds.png)

1. Locate **summary_view** in the list of datasets and click on the dataset.

1. Click on the **EDIT DATASET** button in the top right of the page.  
![\[Quick Sight edit dataset button\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_editds.png)

1. Allow the fields and dataset preview windows to load.

1. Confirm that you can see the fields you’ve added in the list. This can be accomplished by entering the **friendly name** of the field in the search fields input.  
![\[Close up of Quick Sight edit dataset field search and list\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_fieldsrch.png)

1. Once you have confirmed you see all your fields, click the **Save & Publish** button in the top right of the dataset editor page.  
![\[Quick Sight save & publish button\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_savepublish.png)

1. A refresh of the dataset will be triggered. Monitor the status to confirm that it completed successfully.  
![\[Summary view dataset summary tab showing dataset refresh status\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_ds_load.png)

1. Repeat the steps above on the **hourly_view** and **resource_view** datasets.

**Note**  
 **Troubleshooting not seeing the tags** If you do not see your custom fields, go back to Athena and confirm that the query view has run and updated successfully. Also make sure you are searching for the friendly name you gave the field in the Athena view.

### Step 3. Modify Quick Sight Analysis - CUDOS Dashboard
<a name="step-3-modify-quick-sight-analysis-cudos-dashboard"></a>

After the dataset has been updated you can now add those fields to different visualizations. Here we will demonstrate how you can update the CUDOS dashboard to use the tags you have added.

**Note**  
 **Publishing over existing dashboard** When you make changes, if you republish to the same dashboard and deploy a new version of the dashboard your changes will be overwritten.

**Note**  
 **Deploying updates with --force** If you deploy an update to the CUDOS/CID dashboards with the `--force` option, it will overwrite your Athena query view changes and published dashboard changes.

1. First we’ll need to [save the dashboard as an analysis](create-analysis.md) so we can make changes.

1. Open the CUDOS dashboard and select the save icon, selecting "save as" in the drop down selection to save the dashboard as an analysis.  
![\[Quick Sight save as analysis dialog\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_saveasanaly.png)

1. Open the analysis.

1. Select the tab **Executive: Billing Summary** and click into a visual you wish to group by tag.

1. In the Data column on the left, search for the **friendly name** (`cost_center_tag` in this example) for one of the tags you added.  
![\[Quick Sight field list with search for cost center\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_frndname.png)

1. Drag and Drop that field into the **Group/Color for Bars** area of the **Visuals** column. You can add it as a drill down layer, or replace the original field.  
![\[Quick Sight edit visualization showing custom field added to visual field well\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_addcc.png)

1. Repeat this customization for any additional visuals you wish to change.

### Step 4. (Optional) Modify TAGsplorer sheet
<a name="step-4-optional-modify-tagsplorer-sheet"></a>

The CUDOS dashboard has a sheet titled **TAGsplorer** which has visuals that are intended to sort data by a "primary" and "secondary" tag. These tags can be any two of the tags you would like to see in these visualizations. You must have updated your **resource_view** dataset to include tags using the above steps.

1. Select the **Cost Per Primary TAG Previous Month** visual.

1. In the Data column on the left, search for the **friendly name** of the tag you want to add as primary.

1. Drag and Drop that field into the **Group/Color** area of the **Visuals** column.  
![\[Quick Sight tagsplorer primary tag added to visualization\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_tagsprimary.png)

1. Select the **Cost Per Secondary TAG Previous Month** visual.

1. In the Data column on the left, search for the tag you want to add as secondary.

1. Drag and Drop that field into the **Group/Color** area of the **Visuals** column.  
![\[Quick Sight tagsplorer secondary tag added to visualization\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_tagssecond.png)

1. Save and publish your analysis.

## Summary
<a name="summary"></a>

We’ve shown you how you can customize your datasets, views and dashboards to have AWS and user tags that are enabled in Cost Explorer in your visualizations.

# Filtering Visuals by Cost Allocation Tags
<a name="filtering-visuals-by-cost-allocation"></a>

## DEPRECATED
<a name="deprecated"></a>

This content is DEPRECATED. Please use [Organizational Taxonomy Guide](add-org-taxonomy.md).

## Last Updated
<a name="last-updated"></a>

August 2023

## Introduction
<a name="introduction"></a>

Now that you’ve added your cost allocation tags, follow this video tutorial to learn how to add a control or filter across your entire dashboard so you can see everything grouped by tags.

[AWS Videos](https://www.youtube.com/embed/7lTH-XzPfHc?rel=0)


## Prerequisites
<a name="prerequisites"></a>

For this solution you must have the following:
+ Ability to save and publish dashboards in Amazon Quick Sight

## Step 1. Create a parameter and control
<a name="step-1-create-a-parameter-and-control"></a>

1. Select the dashboard you would like to customize and save it as an analysis.

1. In the analysis, select parameters from the left navigation.

1. Click the plus icon next to the Parameters header to create a new parameter.

1. Enter a name for the parameter and click the multiple values radio selection.

**Note**  
The parameter name is not a viewable or friendly name for the parameter that will be displayed on the analysis or dashboard.

1. Click create.

1. Next select control to connect your parameter.

1. Enter in a display name, and ensure "Dropdown multiselect" is the style.

1. Click the "Link to a dataset field" radio selection.

1. Select the dataset from the drop-down selection, then select a field from that dataset.

1. Finally click the add button.

1. The control will be added to your analysis.

## Step 2. Bind that control to a filter
<a name="step-2-bind-that-control-to-a-filter"></a>

Now that we’ve created the parameter and control we need to associate it with a filter in order to have an effect in our analysis visualizations.

1. Click on Filter from the left navigation.

1. Click the plus icon next to the Filters heading.

1. Search for the field that you created the parameter against.

1. Click on that field to add it as a parameter.

1. Click on that filter to edit.

1. Change the filter type to "custom filter" 

1. Click the check box to use parameters.

1. A dialog to change the scope of the filter will pop up. Click yes to change the scope to all visuals that use the dataset.

1. Select the parameter you created from the drop down list of parameters and select apply.

1. You will now see that changing the selection of the control changes the associated visuals on that sheet.

**Note**  
To apply this to all sheets in your analysis, repeat these steps on each sheet of your analysis.

## Step 3. Publish your analysis
<a name="step-3-publish-your-analysis"></a>

Now that you have customized your analysis, you can publish that analysis as a dashboard to share with other users, allowing them to leverage additional fields for filtering.

## Additional information
<a name="additional-information"></a>
+  [Amazon Quick Sight parameter documentation](https://docs.aws.amazon.com/quicksight/latest/user/parameters-in-quicksight.html) 
+  [Using dataset parameters in Amazon Quick Sight](https://docs.aws.amazon.com/quicksight/latest/user/dataset-parameters.html) 

# Net Amortized cost
<a name="net-amortized-cost"></a>

## Last Updated
<a name="last-updated"></a>

October 2024

## Author
<a name="author"></a>
+ Deepthi Nune, Sr. Technical Account Manager, AWS

## Introduction
<a name="introduction"></a>

By default, the CUDOS dashboard shows Amortized and Unblended cost. For customers who would like to see cost after discounts, this guide provides steps to implement a switch between Amortized and Net Amortized cost.

### Step 1 of 3. Modify Views/Queries in Athena
<a name="step-1-of-3-modify-viewsqueries-in-athena"></a>

You will need to modify several views in Athena to include net amortized cost. Views that you need to modify are:
+ summary_view
+ hourly_view
+ resource_view

1. Navigate in the AWS Console to the **Athena** service

1. Select the **AwsDataCatalog** in the **DataSource** drop down

1. In the **Database** drop down select the database where your CUR table is located.

1. Under Views, scroll down until you locate the **summary_view**.

1. Select the three dots to the right of the view and select **Show/edit query** from the context menu.

![\[Athena Query editor highlighting the summary view query and its context menu to select show edit query\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_showedit_qry.png)


1. Find the line which ends with "amortized_cost" and add the snippet below after it.

   ```
   , SUM(CASE
   WHEN "line_item_line_item_type" = 'SavingsPlanRecurringFee' THEN (("savings_plan_total_commitment_to_date" - "savings_plan_used_commitment") * COALESCE((COALESCE("savings_plan_net_amortized_upfront_commitment_for_billing_period" , "savings_plan_amortized_upfront_commitment_for_billing_period") / NULLIF("savings_plan_amortized_upfront_commitment_for_billing_period" , 0)), 1))
   WHEN "line_item_line_item_type" = 'RIFee' THEN COALESCE("reservation_net_unused_amortized_upfront_fee_for_billing_period" + "reservation_net_unused_recurring_fee", "reservation_unused_amortized_upfront_fee_for_billing_period" + "reservation_unused_recurring_fee")
   WHEN "line_item_line_item_type" = 'SavingsPlanCoveredUsage' THEN COALESCE("savings_plan_net_savings_plan_effective_cost", "savings_plan_savings_plan_effective_cost")
   WHEN "line_item_line_item_type" = 'DiscountedUsage' THEN COALESCE("reservation_net_effective_cost", "reservation_effective_cost")
   WHEN "line_item_line_item_type" = 'Fee' AND COALESCE("reservation_reservation_a_r_n", '') = '' THEN COALESCE("line_item_net_unblended_cost", "line_item_unblended_cost")
   WHEN "line_item_line_item_type" IN ('Usage', 'Tax', 'Credit', 'Refund') THEN COALESCE("line_item_net_unblended_cost", "line_item_unblended_cost")
   ELSE 0 END) "net_amortized_cost"
   ```

1. Click the **Run again** button and confirm that the query view updates successfully.  
![\[Inset show the run again button of the query window and the successful result\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_runagain.png)

1. Under Views, locate **resource_view**, select the three dots to the right of the view and select **Show/edit query** from the context menu.

1. Find the line which ends with "unblended_cost" and add the snippet below after it.

   ```
   , "sum"("line_item_net_unblended_cost") "net_amortized_cost"
   , "sum"("reservation_net_effective_cost") "reservation_net_effective_cost"
   , "sum"("savings_plan_net_savings_plan_effective_cost") "savings_plan_net_effective_cost"
   ```

1. Click the **Run again** button and confirm that the query view updates successfully.

1. Under Views, locate **hourly_view**, select the three dots to the right of the view and select **Show/edit query** from the context menu.

1. Find the line which ends with "unblended_cost" and add the snippet below after it.

   ```
   , "sum"("line_item_net_unblended_cost") "net_amortized_cost"
   , "sum"("reservation_net_effective_cost") "reservation_net_effective_cost"
   , "sum"("savings_plan_net_savings_plan_effective_cost") "savings_plan_net_effective_cost"
   ```

1. Click the **Run again** button and confirm that the query view updates successfully.

### Step 2 of 3. Modify/Refresh DataSet in Amazon Quick Sight
<a name="step-2-of-3-modifyrefresh-dataset-in-amazon-quick-sight"></a>

Next the data set in Amazon Quick Sight needs to be refreshed in order to see the added fields and use them in your analysis and dashboard.

1. Navigate to Amazon Quick Sight in the console.  
![\[AWS Console search with results for Quick Sight\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_navqs.png)

1. Select Datasets on the left side of the page.  
![\[Left navigation in Quick Sight with datasets option highlighted\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_qs_ds.png)

1. Locate **summary_view** in the list of datasets and click on the dataset.

1. Click on Edit Dataset under the **summary** tab in the top right of the page.  
![\[Quick Sight edit dataset button\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_editds.png)

1. Allow the dataset preview windows to load.

1. Click on the **Save & Publish** button in the top right of the page. This will trigger a refresh of the dataset and import the net_amortized field.  
![\[Save and Publish the dataset to trigger full refresh and import new columns\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_dataset_save_publish.png)

1. Repeat the steps to refresh the **resource_view** and **hourly_view** datasets as well.

### Step 3 of 3. Create/Modify CUDOS Dashboard Analysis
<a name="step-3-of-3-createmodify-cudos-dashboard-analysis"></a>

After the dataset has been updated, you can add the net_amortized cost to different visualizations. Here we will demonstrate how you can update the CUDOS dashboard to use the net_amortized cost along with amortized_cost.

**Note**  
If you deploy an update to the CUDOS/CID dashboards with the `--recursive` option, it will overwrite your Athena query view changes and published dashboard changes.

1. First, we’ll need to [save the dashboard as an analysis](create-analysis.md) so we can make changes.

1. Open the CUDOS dashboard and select the save icon, selecting "save as" in the drop-down selection to save the dashboard as an analysis. ![\[Save Dashboard as an analysis\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_save_analysis.png) 

1. Open the saved analysis.

### Step 3a. Create a parameter and control
<a name="step-3a-create-a-parameter-and-control"></a>

We will create a new parameter and control/filter so we can switch between unblended cost and net_amortized cost for all the visuals.

1. Click on Insert → Add Parameter from the top left menu bar

![\[Top Menu Bar to insert paramater\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_top_menu_insert.png)


1. Enter the name `CostType` for the parameter and enter the static default value `net amortized cost`.

1. Click create

![\[Create new parameter\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_createparameter.png)


1. In the parameter added window, select Control to create a new control and connect to the parameter.  
![\[options for added parameter\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_parameteradded.png)

1. Enter the display name `Cost Type`, and ensure "Dropdown" is the style.

1. Define specific values as displayed below  
![\[Add control for the parameter\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_AddControl.png)

1. Finally click the add button.

1. The control will be added to the sheet in your analysis.  
![\[CostType Control\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_control_options.png)

**Note**  
The control has to be re-added to each sheet in the analysis

### Step 3b. Bind this control to calculated fields in datasets
<a name="step-3b-bind-this-control-to-calculated-fields-in-datasets"></a>

Now that we’ve created the parameter and control, we need to associate it with a few calculated fields in order to have an effect on our analysis visualizations.

1. Click on Dataset from the left navigation and select the dataset **hourly_view**  
![\[Select Hourly view dataset\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_hourlyview_dataset.png)

1. Find the calculated column **amortized cost** and edit the calculated field as shown below and click on save

   ```
   ifelse(
   ({charge_type} = 'SavingsPlanCoveredUsage' and ${CostType} = 'amortized cost'), {savings_plan_effective_cost},
   ({charge_type} = 'SavingsPlanCoveredUsage' and ${CostType} = 'net amortized cost' ), {savings_plan_net_effective_cost},
   ({charge_type} = 'DiscountedUsage' and ${CostType} = 'amortized cost'), {reservation_effective_cost},
   ({charge_type} = 'DiscountedUsage' and ${CostType} = 'net amortized cost'), {reservation_net_effective_cost},
   ({charge_type} = 'Usage' and ${CostType} = 'amortized cost'), {unblended_cost},
   ({charge_type} = 'Usage' and ${CostType} = 'net amortized cost'), {net_amortized_cost},
   0
   )
   ```

    ![\[Edit calculated filed in hourly view\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_hourly_view_amortized_cost.png) 

1. Now select the dataset **resource_view** and find the calculated field **amortized cost**. Make changes as shown below and save

   ```
   ifelse(
   ({charge_type} = 'SavingsPlanCoveredUsage' and ${CostType} = 'amortized cost'), {savings_plan_effective_cost},
   ({charge_type} = 'SavingsPlanCoveredUsage' and ${CostType} = 'net amortized cost' ), {savings_plan_net_effective_cost},
   ({charge_type} = 'DiscountedUsage' and ${CostType} = 'amortized cost'), {reservation_effective_cost},
   ({charge_type} = 'DiscountedUsage' and ${CostType} = 'net amortized cost'), {reservation_net_effective_cost},
   ({charge_type} = 'Usage' and ${CostType} = 'amortized cost'), {unblended_cost},
   ({charge_type} = 'Usage' and ${CostType} = 'net amortized cost'), {net_amortized_cost},
   0
   )
   ```

    ![\[Edit calculated field in hourly view\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_hourly_view_amortized_cost.png) 

1. Find the calculated field **Workspace Total Resource Cost**, edit as shown below and click on Save

   ```
   sumOver(sum(Cost), [{Workspace ID}])
   ```

    ![\[Edit calculated field in resource view\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_resource_view_workspace_total_resource_cost.png) 

1. Find the calculated field **Workspace Average Cost**, edit as shown below and click on Save

   ```
   sum(Cost)/distinct_count({Workspace ID})
   ```

    ![\[Edit calculated field in resource view\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_resource_view_workspace_average_cost.png) 

1. Now select the dataset **summary_view** and find the calculated field **Cost_Amortized**. Edit the calculated field as shown below and click Save.

   ```
   ifelse(
   ${CostType}= 'amortized cost',{amortized_cost},
   ${CostType}= 'net amortized cost', {net_amortized_cost},
   NULL)
   ```

    ![\[Edit calculated field in summary view\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/net_Summary_view_cost_amortized.png) 

1. Publish the modified analysis as a new dashboard, which now has the option to switch between both unblended and net_amortized cost.

# Organization (OU) integration
<a name="organization-integration"></a>

This content is DEPRECATED. Please use [Organizational Taxonomy Guide](add-org-taxonomy.md).

## Introduction
<a name="introduction"></a>

Attributing cost and operational data to Business Units, Divisions, Projects or Teams is an important phase. It lets you attribute ownership of assets and actions and follow up at scale.

If you use AWS Organizations, and your Organizational Units are aligned with your actual organizational structure, you will probably want to incorporate Organizational Unit (OU) information into your Cloud Intelligence Dashboards, creating filters, views and visualizations of cost and usage based on your AWS Organizations structure. This customization will guide you through this process.

Using this guide you will be able to extend your various CID dashboards with AWS Organizations data, such as:
+ OU Names (can be from multiple levels of OU structure)
+ OU and Account Tags - These are tags applied to an AWS account or an AWS Organizations OU. Please note these are not the same as Cost Allocation Tags, which work at the resource level.
+ Hierarchical Tags - The tags that can be defined on OU level and propagate to account level (More specific tags override less specific).
+ Management Account names (or nicknames).

![\[Architecture\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/ou-integration-architecture.png)


You also can leverage the OU information for your Row Level Security.

## Prerequisites
<a name="prerequisites"></a>

For this solution you must have the following:
+ Deployed the [Data Collection Stack](data-collection.md) with the **AWS Organizations** module deployed.
+ Permissions to create and update Athena views.
+ Permissions to update Quick Sight Cloud Intelligence dashboard (CID) datasets

## Step by Step Guide
<a name="step-by-step-guide"></a>

This guide assumes you have enabled the [Data Collection Stack](data-collection.md) with the **AWS Organizations** module deployed. There are two methods of incorporating organization data into your CID dashboards. The first covers creating a dedicated view and adding the data into Quick Sight. The other covers updating the `account_map` view that is already used in most CID datasets.

Method 2 is the recommended way to make this change.

Regardless of the method you choose, the last section shows how to customize the dashboards in 3 ways: filters, controls and views.

## Method 1 - Updating Quick Sight dataset schema
<a name="method-1-updating-quick-sight-dataset-schema"></a>

### Step 1. Create View in Athena
<a name="step-1-create-view-in-athena"></a>

You will need to create a new view `organization_map`.

1. Open the console and navigate to Athena.

1. Select the AwsDataCatalog data source and the `cid_data` database (please note that in older versions of the [Data Collection Stack](data-collection.md) the database was named `optimization_data` and you will need to adapt the SQL accordingly).

1. Confirm that the table `organization_data` exists and that it contains data.

1. Create the following view:

```
CREATE OR REPLACE VIEW "organization_map" AS
SELECT "id" "account_id"
, "name" "account_name"
, "parent" "OU"
, "parentid" "OU_ID"
, "payer_id" "payer_org_account_id"
, "managementaccountid" "management_account_id"
FROM cid_data.organization_data
```

1. After creating the view, execute a query against the view and confirm you are getting the correct data:

```
SELECT *
FROM "organization_map" limit 10;
```

1. Move to the next step.

### Step 2. Modify Data Set in Amazon Quick Sight
<a name="step-2-modify-data-set-in-amazon-quick-sight"></a>

Next the data set in Amazon Quick Sight needs to be updated so that you can see the added fields to use them in your Dashboards and Analyses.

1. Navigate to Quick Sight in the console.

1. Select Datasets, and then select `summary_view` from the list of datasets.  
![\[Quick Sight dataset screen with the datasets navigation item and summary view dataset highlighted\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-01.png)

1. Click on EDIT DATASET.  
![\[Summary view summary page with edit dataset button highlighted\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-02.png)

1. Click on Add data.  
![\[Quick Sight edit dataset page with add data button highlighted\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-03.png)

1. Make the following selections:
   + Select DataSource from the first drop down.
   + Next select the same DataSource that is used for `summary_view`.
   + Leave the Catalog as AwsDataCatalog.
   + Select `cid_data` as the database.  
![\[Add data dialog with all selections displayed\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-04.png)
   + Search for the view `organization_map`, check the box.

1. Click Select.

1. Select the join between **summary_view** and **organization_map**.

1. Ensure the join type is set to left.  
![\[Join configuration dialog showing the join clause details\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-05.png)

1. Set the join clause to *linked_account_id = account_id*.

1. Click Apply.

1. Save and Publish the dataset.  
![\[Quick Sight dataset designer showing the summary view dataset with the save and publish button highlighted\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-06.png)

1. Now you can do the same for all other datasets (hourly_view, resource_view and others).

1. Once the dataset finishes loading successfully, you will be able to incorporate payer account name into the visuals, controls or filters of your dashboards and analyses.

## Method 2 - Incorporating organization data into account_map
<a name="method-2-incorporating-organization-data-into-account_map"></a>

### Step 1. Modify View in Athena
<a name="step-1-modify-view-in-athena"></a>

This method demonstrates how to modify the account map view query to include the data from the organization data directly. This requires you to replace the account map view.

**Note**  
When updating any view that is part of the cloud intelligence or data collection deployments, you should create a copy of the original view so that you can roll back a change. This view could be overwritten by a future deployment or forced update of these views. You should keep a backup copy of your customized views so that you can put them back if this happens.

1. Navigate to Athena and the cur database.

1. Locate the `account_map` and click on the vertical ellipses next to the view and select *Show/edit query* from the context menu.

1. First, make a copy of the view as backup, naming the new view something like *account_map_original*.

1. Select the entire view and replace it with this query:

   ```
   CREATE OR REPLACE VIEW "account_map" AS
   SELECT DISTINCT
       id account_id
     , name account_name
     , managementaccountid parent_account_id
     , email account_email_id
     , parent "ou"
   FROM
     "cid_data"."organization_data"
   ```

   Please explore `organization_data` table for more options that you can use in the view above.

1. Click *Run* to execute the query and create the view.

1. Next, switch to Quick Sight, locate the `summary_view` dataset and edit that dataset.

1. Confirm you see the *OU* field in your schema.

1. Save and publish that dataset to have the schema updated and data reloaded.

1. Repeat these previous steps in Quick Sight for each dataset that has `account_map`. Ex: `hourly_view` and `resource_view` 

1. Then follow the section on dashboard customization to complete the customizations.
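
A check worth running after replacing `account_map`, as an added example that is not part of the original guide or the CID project's code: a duplicate `account_id` in the view multiplies every matching cost row in a join, and an account with spend but no `organization_data` row ends up without an OU. The three CTEs are constructed sample data and the `unblended_cost` column on the sample `summary_view` is an assumption; remove the CTEs to run the same checks against your deployed views.

```sql
-- Constructed sample rows standing in for "cid_data"."organization_data",
-- limited to the columns the account_map view above selects.
WITH organization_data AS (
    SELECT * FROM (VALUES
        ('111111111111', 'payer',        '111111111111', 'payer@example.com', 'Root'),
        ('333333333333', 'app-prod',     '111111111111', 'prod@example.com',  'Workloads'),
        -- constructed duplicate: same id, different name, so DISTINCT keeps both rows
        ('333333333333', 'app-prod-old', '111111111111', 'prod@example.com',  'Workloads'),
        ('444444444444', 'app-dev',      '111111111111', 'dev@example.com',   'Sandbox')
    ) AS t (id, name, managementaccountid, email, parent)
),
-- Same projection as the replacement view in the steps above.
account_map AS (
    SELECT DISTINCT
        id account_id
      , name account_name
      , managementaccountid parent_account_id
      , email account_email_id
      , parent "ou"
    FROM organization_data
),
-- Constructed spend rows: only the join key and one cost column (assumed name).
summary_view AS (
    SELECT * FROM (VALUES
        ('333333333333', 100.00),
        ('444444444444',  40.00),
        ('555555555555',  25.00)  -- spend from an account missing in organization_data
    ) AS t (linked_account_id, unblended_cost)
)
-- Check 1: account_id must be unique, otherwise joined cost is counted twice.
SELECT 'duplicate account_id in account_map' AS finding
     , account_id
     , CAST(COUNT(*) AS varchar) AS detail          -- number of rows for this id
FROM account_map
GROUP BY account_id
HAVING COUNT(*) > 1
UNION ALL
-- Check 2: spend that will show up without account name or OU.
SELECT 'spend with no account_map match'
     , s.linked_account_id
     , CAST(SUM(s.unblended_cost) AS varchar)       -- cost affected
FROM summary_view s
LEFT JOIN account_map m ON s.linked_account_id = m.account_id
WHERE m.account_id IS NULL
GROUP BY s.linked_account_id
ORDER BY finding, account_id;
```

An empty result means the view is safe to join on; with the sample rows, the query reports account 333333333333 as duplicated and account 555555555555 as unmatched.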

## Managing complex organization
<a name="managing-complex-organization"></a>

Some organizations have a complex multi-level structure. In these cases we recommend adding multiple OU levels or leveraging [AWS Organization Tags](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html). You can define a set of Tags. Ex: `MyEnterprise`, `MyBusinessLine` and `MyBusinessUnit`.

You can set these tags on any level of OU and then redefine them on a lower level if needed. This gives you flexibility and control in defining your org structure. Tags can also be redefined at the account level.

Here is an advanced example that leverages OU Tags as well as a mapping for Management Account Names, which you can adjust to the needs of your organization.

### More advanced example of account_map
<a name="collapsible-section-id-organization-integration-4"></a>

1. Navigate to Athena and the cur database (default: `cid_cur`).

1. Locate the `account_map` and click on the vertical ellipses (`⋮`) next to the view and select *Show/edit query* from the context menu.

1. First, make a copy of the view as backup, naming the new view something like *account_map_original*.

1. Select the entire view and replace it with this query adjusted to your needs:

```
CREATE OR REPLACE VIEW "account_map" AS
SELECT DISTINCT
    id account_id
  , name account_name
  , email account_email_id
  , ManagementAccountId parent_account_id
  , "parent" "OU" -- The Name of the lowest level OU of the Account

  -- A simple mapping of Management Account Ids to user-friendly names
  , CASE ManagementAccountId
     WHEN '111111111111' THEN 'My Management Org'
     WHEN '222222222222' THEN 'My Test Org'
     ELSE ManagementAccountId
  END parent_account_name

  -- Full path separated with '>'
  , HierarchyPath as ou_hierarchy

  -- Levels of OU hierarchy
  , TRY(hierarchy[1].name) ou_l1
  , TRY(hierarchy[2].name) ou_l2
  , TRY(hierarchy[3].name) ou_l3
  , TRY(hierarchy[4].name) ou_l4
  , TRY(hierarchy[5].name) ou_l5

  -- Hierarchical Tags
  , TRY(FILTER(HierarchyTags, (x) -> (x.key = 'MyEnterprise'))[1].value) as ou_tag_enterprise
  , TRY(FILTER(HierarchyTags, (x) -> (x.key = 'MyBusinessLine'))[1].value) as ou_tag_business_line
  , TRY(FILTER(HierarchyTags, (x) -> (x.key = 'MyBusinessUnit'))[1].value) as ou_tag_business_unit
FROM
  "cid_data"."organization_data"
```

1. Click `Run` to execute the query and create the view.

1. Next, switch to Quick Sight, locate the `summary_view` dataset and edit that dataset.

1. Save and publish that dataset to have the schema updated and data reloaded.

1. Repeat these previous steps in Quick Sight for each dataset that has `account_map`. Ex: `hourly_view` and `resource_view` 

1. Then follow the section on dashboard customization to complete the customizations.

## Dashboard Customization
<a name="dashboard-customization"></a>

**Note**  
By design, your customized dashboards will not be overwritten by new releases of CUDOS dashboards. Best practice is to give your customized dashboards a clear and unique name, distinct from the dashboards we deploy.

### Step 1. Modify Quick Sight Analysis - CUDOS Dashboard
<a name="step-1-modify-quick-sight-analysis-cudos-dashboard"></a>

After the dataset has been updated you can now add those fields to different visualizations. Here we will demonstrate how you can update the CUDOS dashboard to use the organization information in a visualization. We’ll save the dashboard as an analysis to make an update to "Invoiced Spend by Payer Account" visual on the "Executive: Billing Summary" sheet to instead reflect the same information by organization.

1. Open up Quick Sight.

1. Navigate to Dashboards and select the CUDOS dashboard.

1. Save the dashboard as a new analysis named "cudos-out-customization".  
![\[Quick Sight save as dialog\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-07.png)

1. In that analysis, select the "Invoiced Spend by Payer Account" visual on the "Executive: Billing Summary" sheet.

1. Locate the "ou" field that was added in the field list for the *summary_view* dataset.  
![\[Quick Sight analysis showing the field list\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-08.png)

1. Select that field.

1. Drag and drop that field in Visual details under the GROUP/COLOR FOR BARS section. Make sure the field is at the top of the fields listed there.  
![\[Group by fields list with ou field at the top and all other fields indented below it\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-09.png)

1. You will see the visual "Invoiced Spend by Payer Account" update to reflect the invoiced spend by organization instead of payer.  
![\[Invoiced spend visualization showing the group by data with ou\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-10.png)

1. Let's update the title of this visual. Double-click on the title of the visual.

1. Select the "BillingSummaryGroupBy" parameter and delete it. Replace it with *organization*.  
![\[Title edit dialog showing the completed title change\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-11.png)

1. Click Save.

1. You will now see the visual updated to reflect the title and data grouped by organization.  
![\[Invoice spend by organization bar chart visualization\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-12.png)

1. Continue with customizations of other visuals with organization as you need.

1. Publish the dashboard when you are done.

### Step 2. (Optional) Add to CUDOS controls
<a name="step-2-optional-add-to-cudos-controls"></a>

The CUDOS dashboard comes with several controls across the sheet by default. You can add more controls to allow you to filter all the visuals on a sheet at once. Here we’ll show you how to add organization as a control.

1. Open up Quick Sight.

1. Navigate to Dashboards and select the CUDOS dashboard.

1. Save the dashboard as a new analysis named "cudos-out-customization".

![\[Quick Sight save as dialog\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-07.png)


1. Click on *Insert* from the analysis menu and select *Add Parameter*.  
![\[Quick Sight insert menu dropdown showing add parameter\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-13.png)

1. Enter *organization* for the name, leave other settings to their default.  
![\[Create new parameter dialog\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-14.png)

1. Click Create.

1. Click on *Control*.  
![\[Parameter created dialog with control selection highlighted\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-15.png)

1. Make the following selections for the control configuration:
   + Name: **Organization** 
   + Style: **Dropdown** 
   + Values: **Link to dataset field** 
   + Dataset: **summary_view** 
   + Field: **ou** 

1. Click *Add*.

1. You will see the *Organization* control added to the controls of the sheet.  
![\[Display of the controls on the sheet\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-16.png)

1. We need one more step for the control to work on the page.

1. Select a visual from the sheet and click on the `filters` icon from the analysis menu.

1. Click the `ADD` button under the **Filters** heading, search for the *ou* field to add it to the filters.  
![\[Add filters drop down with ou highlighted\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-17.png)

1. Click on the *ou* filter to edit it and make the following selections:
   + Filter type: **Custom filter** 
   + Filter condition: **equals** 
   + Use Parameters: **checked** 
   + Parameter: **organization** 

1. Click *APPLY*.  
![\[Edit filter dialog with ou and other selections made\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-18.png)

1. When you make a selection with the *Organization* control, all the visuals on the sheet should be updated to be filtered by that organizational unit.

1. To add this control to other sheets in the analysis, follow these steps:

   1. Select the sheet you want to add the control.

   1. Click the parameters icon from the toolbar.

   1. Search for `organization` in the parameters search.

   1. Select the vertical ellipses (`⋮`) next to the parameter.

   1. Select `Add control` from the context menu.

   1. Set the values as before:
      + Name: **Organization** 
      + Style: **Dropdown** 
      + Values: **Link to dataset field** 
      + Dataset: **summary_view** 
      + Field: **ou** 

   1. Click *Add*.

   1. Select a visual from the sheet and click on the *filters* icon from the analysis menu.

   1. Click the `ADD` button under the **Filters** heading, search for the *ou* field to add it to the filters.

   1. Click on the `ou` filter to edit it and make the following selections:

      1. Filter type: **Custom filter** 

      1. Filter condition: **equals** 

      1. Use Parameters: **checked** 

      1. Parameter: **organization** 

   1. Click `APPLY`.

   1. Repeat these steps for each sheet you want to see this control.

1. You’ve now customized the dashboard to add a control that filters all applicable visuals on a sheet. You can now publish your dashboard.

### Step 3. (Optional) Modify OPTICS Explorer sheet
<a name="step-3-optional-modify-optics-explorer-sheet"></a>

The CUDOS dashboard has a sheet titled **OPTICS Explorer** which places controls on the sheet with a number of common visualizations to allow you to freely explore your CUR data or investigate different aspects of your data quickly. You can add *Organization* or any other control you would like, such as *tags* to add more flexibility to filter data on this sheet.

After you add the control, it appears as a drop-down at the top of the sheet. Follow these steps to move the control onto the sheet.

1. Follow the steps in the optional step for adding controls.

1. Expand the control menu at the top of the sheet.

1. Select the `Organization` control.

1. Select the vertical ellipses (`⋮`) for the control.

1. Select `Move to sheet`.  
![\[Context dialog showing move to sheet option\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-19.png)

1. This will place the control at the very bottom of the sheet.

1. Select the control and drag the control up with the other controls.

1. You can resize this control and the other controls so that they fit together.  
![\[OPTICS explorer sheet showing controls adjusted to include the organization control\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/out-integration/ou-integration-20.png)

## Summary
<a name="summary"></a>

We’ve shown you how you can customize your datasets, views and dashboards to include AWS Organization data.

# Removing Discounts
<a name="remove-discount"></a>

## Last Updated
<a name="last-updated"></a>

August 2024

## Author
<a name="author"></a>
+ Deepthi Nune, Sr. Technical Account Manager, AWS

## Introduction
<a name="introduction"></a>

In this customization playbook we will describe how you can remove all Discounts information from Cloud Intelligence Dashboards (in this example CUDOS). This can be helpful if you do not want to expose Discount information to dashboard users, including Authors of customized dashboards in Amazon Quick Sight.

## Prerequisites
<a name="prerequisites"></a>

For this solution you must have the following:
+ Ability to view and edit queries in Athena

### Step 1 of 2. Modify Queries in Athena
<a name="step-1-of-2-modify-queries-in-athena"></a>

You will need to modify several queries in Athena to remove discounts. The queries that you can modify to remove specific charge types are:
+ summary_view
+ resource_view

Navigate in the AWS Console to the **Athena** service, then:

1. Select the **AwsDataCatalog** in the **DataSource** drop down.

1. In the **Database** drop down select the database where your CUR table is located.

1. Under Views, scroll down until you locate the **summary_view**.

1. Select the three dots to the right of the view and select **Show/edit query** from the context menu.

![\[Athena Query editor highlighting the summary view query and its context menu to select show edit query\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_showedit_qry.png)


1. Modify the "Where" condition and include the two new "And" lines. In this example we also remove Refund, Credit and Tax along with Discounts.

   ```
   WHERE (("bill_billing_period_start_date" >= ("date_trunc"('month', current_timestamp) - INTERVAL  '7' MONTH)) AND (CAST("concat"("year", '-', "month", '-01') AS date) >= ("date_trunc"('month', current_date) - INTERVAL  '7' MONTH)))
   AND line_item_line_item_type NOT LIKE '%Discount' -- New Line: remove all kind of discounts
   AND line_item_line_item_type NOT IN ('Refund',  'Credit' , 'Tax')   -- New Line: (optional) If Refund, Tax, Credit etc., also need to be removed
   ```

1. When you’ve completed adding all of the fields, click the **RUN** button and confirm that the query view updates successfully.  
![\[Inset show the run again button of the query window and the successful result\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_runagain.png)

1. Repeat the steps above on the **resource_view** dataset.

### Step 2 of 2. Update DataSet in Amazon Quick Sight
<a name="step-2-of-2-update-dataset-in-amazon-quick-sight"></a>

Next the data set in Amazon Quick Sight needs to be refreshed in order to view the changes immediately.

1. Navigate to Amazon Quick Sight in the console.  
![\[AWS Console search with results for Quick Sight\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_navqs.png)

1. Select Datasets on the left side of the page.  
![\[Left navigation in Quick Sight with datasets option highlighted\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/cust_qs_ds.png)

1. Locate **summary_view** in the list of datasets and click on the dataset.

1. Click on the **Refresh** tab in the top left of the page.

1. Click on **Refresh Now** button in the top right of the page.

1. Repeat the steps to refresh the **resource_view** dataset as well.

## Test
<a name="test"></a>

Now you can open the CUDOS dashboard and check that the information about Discounts is no longer present.
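
To preview what the two new predicates keep and drop before you refresh the datasets, the following added example (not part of the original guide) classifies line item types the same way the modified `WHERE` clause does. `cur_sample` and its rows are constructed, and the type names beyond those used on this page are CUR line item types assumed to occur in your data; point the `FROM` at your own CUR table to run it on real data.

```sql
-- Constructed sample standing in for the CUR table; costs are made-up values.
WITH cur_sample AS (
    SELECT * FROM (VALUES
        ('Usage',                   120.00),
        ('DiscountedUsage',           0.00),
        ('SavingsPlanCoveredUsage',  80.00),
        ('SavingsPlanNegation',     -80.00),
        ('RIFee',                    30.00),
        ('EdpDiscount',             -12.00),
        ('PrivateRateDiscount',      -4.00),
        ('BundledDiscount',          -1.50),
        ('Credit',                   -5.00),
        ('Refund',                   -2.00),
        ('Tax',                      18.00),
        (CAST(NULL AS varchar),       1.00)
    ) AS t (line_item_line_item_type, line_item_unblended_cost)
)
SELECT
    line_item_line_item_type
    -- Mirrors the two added predicates, in the order they appear in the view.
  , CASE
        -- NOT LIKE / NOT IN evaluate to NULL for a NULL type, so WHERE drops the row.
        WHEN line_item_line_item_type IS NULL
            THEN 'removed: NULL type fails both predicates'
        -- '%Discount' matches only names that END in 'Discount';
        -- 'DiscountedUsage' (reservation-covered usage) does not match and is kept.
        WHEN line_item_line_item_type LIKE '%Discount'
            THEN 'removed: discount'
        WHEN line_item_line_item_type IN ('Refund', 'Credit', 'Tax')
            THEN 'removed: optional filter'
        ELSE 'kept'
    END AS filter_result
  , COUNT(*) AS line_items
  , SUM(line_item_unblended_cost) AS unblended_cost
FROM cur_sample
GROUP BY 1, 2
ORDER BY filter_result, line_item_line_item_type;
```

Any type listed as kept that you still consider discount information needs its own predicate in both views.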

# Publishing as single sign-on (SSO) Application
<a name="publishing-as-sso-application"></a>

## Last Updated
<a name="last-updated"></a>

January 2024

## Authors
<a name="authors"></a>
+ Veaceslav Mindru, Sr. Technical Account Manager, AWS
+ Stephanie Gooch, Sr. Commercial Architect, AWS OPTICS
+ Sumit Dhuwalia, Technical Account Manager, AWS

## Introduction
<a name="introduction"></a>

Cloud Intelligence Dashboards (CID) help you visualize and understand AWS cost and usage data for your entire organization using Amazon Quick Sight. These dashboards can be used by different user personas within your organization such as Product owners, Finance, and FinOps, amongst others. To centrally manage user authentication/authorization and also provide a seamless user-experience via SSO, we recommend signing up for Quick Sight in your target Data Collection account using AWS IAM Identity Center as the authentication method.

**Important**  
This guide requires configuring Quick Sight access through IAM Identity Center. Currently it is not possible to enable IAM Identity Center support for an existing Quick Sight installation. For existing Quick Sight installations that do not have this option enabled, please use the [legacy guide](sso-application-legacy.md).

## Prerequisites
<a name="prerequisites"></a>

For this solution, you must have the following:
+ AWS Organizations and IAM Identity Center enabled
  + For instructions on setting up IAM Identity Center, please follow the documentation [here](https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html) 
+ Data Collection AWS account should be part of the same AWS Organizations as IAM Identity Center

## Step 1: Create User Groups
<a name="step-1-create-user-groups"></a>

The different user personas accessing CID may have different Quick Sight access requirements, with some needing reader vs others needing author access. You would also need to assign admins for your Quick Sight account.

 **Note:** This step needs to be performed within the management account of your AWS Organizations or a delegated administrator account for IAM Identity Center within your AWS Organizations.

Create the following groups either within IAM Identity Center (if you’re managing identities here) or within your existing identity provider such as Okta, Azure Active Directory (Azure AD), or others that you may have configured with IAM Identity Center.

For instructions on how to add users and groups within IAM Identity Center based on your identity source, please follow the documentation [here](https://docs.aws.amazon.com/singlesignon/latest/userguide/set-up-single-sign-on-access-to-accounts.html) 

Create the following user groups and assign appropriate users to these groups:

1.  **qs-cid-readers**: Users assigned to this group would have reader role within Quick Sight

1.  **qs-cid-authors**: Users assigned to this group would have author role within Quick Sight

1.  **qs-admins**: Users assigned to this group would have admin role within Quick Sight

After this step, your IAM Identity Center should look similar to the following:

![\[IAM Identity Center with user groups\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/ssoapp/iam_idc_groups.png)


## Step 2: Sign-up for Quick Sight
<a name="step-2-sign-up-for-quick-sight"></a>

 **Note:** This step needs to be performed within the target Data Collection AWS account which should be part of the same AWS Organizations as IAM Identity Center.

Please follow the gif below for an overview of the process and also note the following:  
+ Quick Sight region should be the same region where your IAM Identity Center is configured
+ Quick Sight account name you choose should be unique (see [here](https://docs.aws.amazon.com/quicksight/latest/user/signing-up.html) for details)
+ Search for and select the relevant user groups you created in Step 1 above

![\[Quick Sight Sign-up process using IAM Identity Center\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/ssoapp/qs-signup.gif)


## Step 3: Validate SSO flow
<a name="step-3-validate-sso-flow"></a>

 **Method 1**: From AWS IAM Identity Center Access portal
+ Go to your AWS access portal URL available within IAM Identity Center
+ Enter user credentials on your identity provider portal
+ Click on Quick Sight tile on the AWS access portal to sign into Quick Sight

![\[Quick Sight Sign-up process using IAM Identity Center\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/ssoapp/user-portal.gif)


 **Method 2**: From Quick Sight portal
+ Go to Quick Sight portal URL: https://quicksight.aws.amazon.com/
+ Enter your Quick Sight account name
+ Enter user credentials on your identity provider portal from where you would be redirected into Quick Sight

![\[Quick Sight Sign-up process using IAM Identity Center\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/ssoapp/qs-portal.gif)




For a more in-depth walkthrough of setting up AWS IAM Identity Center, please follow the blog [Simplify business intelligence identity management with Amazon Quick Sight and AWS IAM Identity Center](https://aws.amazon.com/blogs/business-intelligence/simplify-business-intelligence-identity-management-with-amazon-quicksight-and-aws-iam-identity-center/) 

# SSO Application (Legacy Guide)
<a name="sso-application-legacy"></a>

## Last Updated
<a name="last-updated"></a>

January 2024

## Authors
<a name="authors"></a>
+ Veaceslav Mindru, Sr. Technical Account Manager, AWS
+ Stephanie Gooch, Sr. Commercial Architect, AWS OPTICS

## Introduction
<a name="introduction"></a>

Cloud Intelligence Dashboards (CID) helps you to visualize and understand AWS cost and usage data in your organization by exploring interactive dashboards. To simplify access for users you can now set up an SSO application for them to enter into. We recommend combining this with the Row Level Security customization to ensure they see the data they really matters to them.

**Important**  
This is a legacy guide. For a fresh setup of Quick Sight, we recommend setting up Quick Sight with IAM Identity Center integration. Please follow the [Publishing as single sign-on (SSO) Application](publishing-as-sso-application.md) guide.

## Prerequisite
<a name="prerequisite"></a>

For this solution you must have the following:
+ Access to your AWS Organizations and ability to tag resources
+ An [AWS Cost and Usage Report](https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html) (CUR). If you have reports from multiple payers, they must be replicated into a single bucket; more info [here](https://wellarchitectedlabs.com/cost/100_labs/100_1_aws_account_setup/3_cur/#option-2-replicate-the-cur-bucket-to-your-cost-optimization-account-consolidate-multi-payer-curs) 
+ A CID deployed over this CUR data. Check out the new single deployment method [here](deployment-in-global-regions.md).
+ A list of users and what level of access they require. This can be member accounts, organizational units (OU) or payers.
+ Enable IAM Identity Center

## Step 1: Quick Sight Check
<a name="step-1-quick-sight-check"></a>

1. Log in to your Cost Account where your CID is deployed and go to Amazon Quick Sight

![\[Images/sso_sso_quicksight.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_quicksight.png?classes=lab_picture_small)


1. Select your CID and open it

![\[Images/sso_qs_dashboard.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_qs_dashboard.png?classes=lab_picture_small)


1. On the top right click on the Share icon then Share Dashboard

![\[Images/sso_qs_share_button.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_qs_share_button.png?classes=lab_picture_small)


1. Share your CID Dashboard in Amazon Quick Sight with all users by clicking on the toggle **Everyone in this account** 

![\[Images/sso_qs_share.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_qs_share.png?classes=lab_picture_small)


1. Copy the Dashboard URL to somewhere local as we will use this later

![\[Images/sso_cudos_url.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_cudos_url.png?classes=lab_pictures_small)


## Step 2: Create Users and Group
<a name="step-2-create-users-and-group"></a>

1. Open the **IAM Identity Center**. Click on **Groups** on the left then **Create group** 

1. Under Group name, give the name **CID** then click **Create group** 

![\[Images/sso_user_group.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_user_group.png?classes=lab_picture_small)


1. Click on **Users** then **Add user** 

![\[Images/sso_user_users.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_user_users.png?classes=lab_picture_small)


1. Fill out the details using the same email that will be used for Amazon Quick Sight. Click **Next**.

![\[Images/sso_user_user_email.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_user_user_email.png?classes=lab_picture_small)


1. Click on the box next to the **CID** group you made earlier. Then click **Next**.

![\[Images/sso_user_add_to_group.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_user_add_to_group.png?classes=lab_picture_small)


1. Scroll down and click **Add user** 

## Step 3: IAM Identity Center
<a name="step-3-iam-identity-centre"></a>

1. Open the **IAM Identity Center**, select **Applications** on the left and click **Add application** 

![\[Images/sso_iic_add_app.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iic_add_app.png?classes=lab_picture_small)


1. Search in Preintegrated applications for **Amazon Quick Sight** then click **Next** 

![\[Images/sso_iic_qs.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iic_qs.png?classes=lab_picture_small)


1. Type a Display name **Billing Dashboard**. Under **IAM Identity Center metadata** Download IAM Identity Center **SAML metadata file**.

![\[Images/sso_iic_config.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iic_config.png?classes=lab_picture_small)


1. Under **Application properties** paste your CID Link under Relay state. Click **Submit** 

![\[Images/sso_iic_qs_url.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iic_qs_url.png?classes=lab_picture_small)


1. Click into your application and click **Assign Users** 

![\[Images/sso_iic_assign.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iic_assign.png?classes=lab_picture_small)


1. Click on the **Groups** tab and select the CID group then click the **Assign Users** button

![\[Images/sso_iic_group.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iic_group.png?classes=lab_picture_small)


## Step 4: Provider
<a name="step-4-provider"></a>

Note: This step is done in the target account where the CID lives, which may differ from the SSO account.

1. Open IAM, on the left click **Identity providers** then click the **Add provider** button

![\[Images/sso_iam_provider.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iam_provider.png?classes=lab_picture_small)


1. Under Provider type choose **SAML**, give it the name **QuickSightProvider** then upload the SAML file you downloaded earlier using the **Choose file** button. Click **Add provider** 

![\[Images/sso_iam_provider_saml.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iam_provider_saml.png?classes=lab_picture_small)


1. Click into your new provider

![\[Images/sso_iam_provider_qs.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iam_provider_qs.png?classes=lab_picture_small)


1. Click the button **Assign role** and choose **Create a new role** and click Next

![\[Images/sso_iam_provider_create_role.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iam_provider_create_role.png?classes=lab_picture_small)


1. Ensure SAML 2.0 federation is clicked at the top then click the **Allow programmatic and AWS Management Console access** radio button and click **Next: Permissions** 

![\[Images/sso_iam_role_saml.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iam_role_saml.png?classes=lab_picture_small)


1. Click **Create policy** 

![\[Images/sso_iam_policy.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iam_policy.png?classes=lab_picture_small)


1. Select the JSON tab and paste in the below code replacing your `ACCOUNT_ID` with your `CID Quick Sight` account `ID`. Click Next.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [
                   "quicksight:CreateReader"
               ],
               "Effect": "Allow",
               "Resource": [
                   "*"
               ]
           }
       ]
   }
   ```

![\[Images/sso_policy_json.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_policy_json.png?classes=lab_picture_small)


1. Click through **Next** 

1. For Name call it **QuickSightSAMLPolicy** then click **Create Policy** 

![\[Images/sso_iam_policy_name.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iam_policy_name.png?classes=lab_picture_small)


1. Go back to the previous IAM tab to attach permissions, refresh the list, then search for **QuickSightSAMLPolicy** and click the tick box. Click **Next** 

![\[Images/sso_iam_add_policy.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iam_add_policy.png?classes=lab_picture_small)


1. Provide a Role name as **QuickSightSAMLRole** and click Create role

![\[Images/sso_iam_role_name.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iam_role_name.png?classes=lab_picture_small)


1. Search for your new role and click into it. Select the **Trust relationships** tab and click **Edit trust policy** 

![\[Images/sso_iam_tr.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iam_tr.png?classes=lab_picture_small)


1. Replace the json with the below, replacing your `ACCOUNT_ID` with your `CID Quick Sight` account `ID`.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Federated": "arn:aws:iam::ACCOUNT_ID:saml-provider/QuickSightProvider"
               },
               "Action": "sts:AssumeRoleWithSAML",
               "Condition": {
                   "StringEquals": {
                       "SAML:aud": "https://signin.aws.amazon.com/saml"
                   }
               }
           },
           {
               "Effect": "Allow",
               "Principal": {
                   "Federated": "arn:aws:iam::ACCOUNT_ID:saml-provider/QuickSightProvider"
               },
               "Action": "sts:TagSession",
               "Condition": {
                   "StringLike": {
                       "aws:RequestTag/Email": "*"
                   }
               }
           }
       ]
   }
   ```

![\[Images/sso_iam_tp_edit.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iam_tp_edit.png?classes=lab_picture_small)


## Update Attribute Mappings
<a name="update-attribute-mappings"></a>

1. Return to your **IAM Identity Center** and find your Amazon Quick Sight application for CID and click into it.

![\[Images/sso_iic_app.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iic_app.png?classes=lab_picture_small)


1. Click the **Actions** button and select **Edit attribute mapping** 

![\[Images/sso_iic_edit_mapping.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iic_edit_mapping.png?classes=lab_picture_small)


1. Add two new mappings by clicking on **Add new attribute mapping**, replacing your `ACCOUNT_ID` with your `CID Quick Sight` account `ID`.
   + **Attribute:** `https://aws.amazon.com/SAML/Attributes/Role` **Value:** `arn:aws:iam::111122223333:role/QuickSightSAMLRole, arn:aws:iam::111122223333:saml-provider/QuickSightProvider` 
   + **Attribute:** `https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email` **Value:** `${user:email}` 

![\[Images/sso_iic_mapping_update.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_iic_mapping_update.png?classes=lab_picture_small)


1. After this step is done, a new icon will appear in SSO. Give it 5 minutes to start.

![\[Images/sso_screenshot.png\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/sso_legacy/sso_screenshot.png?classes=lab_picture_small)


# Row Level Security
<a name="row-level-security"></a>

## Introduction
<a name="introduction"></a>

Cloud Intelligence Dashboards (CID) provide comprehensive visualization and analysis of AWS cost, usage, and operational data across your organization.

For enterprise customers implementing CID at organizational scale, maintaining the principle of least privilege is essential. Organizations need to ensure users can only access data from AWS accounts they are authorized to view. Amazon Quick Suite [Row Level Security](https://docs.aws.amazon.com/quickSight/latest/user/restrict-access-to-a-data-set-using-row-level-security.html) (RLS) addresses this requirement by enabling fine-grained access control at the data level.

![\[RLS Overview\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/rls2/rls-overview.png)


This page covers a ready-to-use CID RLS solution that you can install and easily configure for your needs. It also enables a wide range of customizations and integrations that you can build on top to adjust to your organization's needs.

In the default configuration this solution allows you to:
+ Easily attribute permissions to Quick Suite users and groups.
+ Use account-level granularity as well as set permissions at the level of an AWS Organizational Unit.
+ Easily manage full visibility of permissions for users and groups (typically useful for FinOps and Security teams).

The solution also provides an RLS Dashboard that helps Amazon Quick Suite Administrators easily evaluate and troubleshoot user permissions.

## RLS Dataset
<a name="rls-dataset"></a>

The RLS Dataset is a specialized dataset in Quick Suite that controls data access based on user permissions. Users connect to the dashboard as usual, but when the dashboard's datasets are configured with RLS, the RLS Dataset defines which data each user sees on the dashboard.

![\[RLS Overview\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/rls2/rls-dataset.png)


The RLS Dataset maps users and groups to fields that are common to all datasets of the dashboard. For CID, by default we use `account_id` and `payer_id` as the common fields that establish row-level permission boundaries. You can fine-tune this solution to use Tags or other fields, but we recommend starting with the default.

For CID dashboards, RLS dataset requires four essential fields:
+  **UserName**: The Quick Suite user identifier (must match exactly)
+  **GroupName**: The Quick Suite group identifier
+  **account_id**: Comma-separated list of AWS accounts the user/group can access
+  **payer_account_id**: Comma-separated list of billing accounts (management accounts)

CID provides a ready-to-use RLS Dataset as part of the RLS Dashboard, which helps you manage and control your RLS Dataset.

### Access Control Rules
<a name="access-control-rules"></a>

It is important to understand the RLS Dataset and how it works for different cases.
+  **No access**: Users not listed in the dataset will see empty dashboards
+  **Full access**: Users with empty `account_id` and `payer_account_id` fields have full data access (recommended for Security, FinOps and Platform teams)
+  **Organization access**: Users with empty `account_id` but populated `payer_account_id` have access to all accounts in the specified AWS Organization

You can create the RLS dataset manually in Quick Suite or use the automated solution provided in this guide. Once created, use the CID-CMD tool to [apply RLS](#how-to-apply-rls) to all datasets of a specific dashboard.

## Source of RLS Data
<a name="source-of-rls-data"></a>

The RLS dataset maps users and groups to the AWS accounts they can access. This mapping information must be stored in a system that enables easy tracking and adjustment. CID supports three options:

1.  **AWS Organization Tags (Recommended)**: Stores access information in OU and Account Tags within your AWS Organization’s Management Account. Leverages existing AWS organizational structures but requires Management Account access. CID implements a “Hierarchical Tag” concept where Tags defined at higher levels of the OU hierarchy can be overridden by more specific Tag values at lower levels. This hierarchical approach enables flexible group ownership definition at high organizational levels while allowing for the exceptions needed to fit existing organizational complexity.

1.  **Amazon Athena Inline Tables**: Create and edit tables directly within Athena as a low-effort option with significant flexibility. Does not require Management Account access.

1.  **CSV Files on Amazon S3**: Simple file-based mapping that doesn’t require Management Account access. Files can be generated as exports from existing Configuration Management Databases (CMDB) and identity providers.

## Architecture
<a name="architecture"></a>

![\[RLS Architecture\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/rls2/rls-archi.png)


The RLS implementation follows this workflow:

1.  **(Optional) Tag Configuration**: Organization Admin sets OU or Account Tags in AWS Console with the following Tag keys:

   1.  `cid_users`: Colon-separated (`:`) list of user emails (must match Quick Suite exactly)

   1.  `cid_groups`: Colon-separated (`:`) list of Quick Suite groups with access

   1. Users and groups with Management Account access inherit access to all organization accounts

1.  **(Optional) Organization Data Collection**: Lambda function in Data Collection Stack assumes a role in Management Account, retrieves account and OU information, and stores it in S3

1.  **QuickSight Data Collection**: Lambda function collects user information from Amazon Quick Suite in the local account and stores it in the same S3 bucket

1.  **RLS Dataset Formation**: Glue Tables and Athena Views create the RLS dataset based on AWS Organization Tags and Quick Suite data

1.  **RLS Application**: CID Admin applies RLS to all datasets using the CID-CMD tool

1.  **Access Control**: Users see only data from accounts configured for their Quick Suite group or user

1.  **(Optional) Admin Override**: CID Admin can manage full admin lists or override mapping using Athena Inline Tables
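
The Hierarchical Tag idea and the `cid_users` / `cid_groups` tag keys from the workflow above, as an added Python illustration that is not taken from the CID code: it resolves the tags from the root down to each account and reports who ends up with access. The organization, IDs and addresses are constructed, and the example assumes that a tag set at a lower level replaces the inherited value for the same key.

```python
# Constructed organization: one management account, two OUs, three member accounts.
# Each node maps id -> {"parent": id or None, "tags": {...}}.
MANAGEMENT_ACCOUNT = "999999999999"
NODES = {
    "r-root":       {"parent": None, "tags": {}},
    "ou-platform":  {"parent": "r-root",
                     "tags": {"cid_groups": "platform", "cid_users": "lead@example.com"}},
    "ou-payments":  {"parent": "ou-platform",
                     "tags": {"cid_groups": "payments:platform"}},
    "999999999999": {"parent": "r-root", "tags": {"cid_groups": "finops"}},
    "111111111111": {"parent": "ou-platform", "tags": {}},
    "222222222222": {"parent": "ou-payments", "tags": {}},
    # Exception at account level: a different group, and no inherited users.
    "333333333333": {"parent": "ou-payments",
                     "tags": {"cid_groups": "pci-auditors", "cid_users": ""}},
}


def path_to_root(node_id, nodes):
    """Return ids from the root down to node_id; reject cycles and unknown parents."""
    path, seen = [], set()
    while node_id is not None:
        if node_id in seen:
            raise ValueError(f"cycle in hierarchy at {node_id}")
        if node_id not in nodes:
            raise KeyError(f"unknown node {node_id}")
        seen.add(node_id)
        path.append(node_id)
        node_id = nodes[node_id]["parent"]
    return path[::-1]


def effective_tags(account_id, nodes, keys=("cid_users", "cid_groups")):
    """Walk root -> account; a value set lower down replaces the inherited one."""
    tags = {}
    for node_id in path_to_root(account_id, nodes):
        for key in keys:
            if key in nodes[node_id]["tags"]:
                tags[key] = nodes[node_id]["tags"][key]
    return tags


def split_tag(value):
    """Tag values are colon-separated lists; drop blanks and stray spaces."""
    return [v.strip() for v in value.split(":") if v.strip()]


def is_account(node_id):
    return node_id.isdigit() and len(node_id) == 12


def account_access(nodes, payer_account_id):
    """One row per account with its resolved user emails and groups."""
    rows = []
    for node_id in sorted(n for n in nodes if is_account(n)):
        tags = effective_tags(node_id, nodes)
        rows.append({
            "account_id": node_id,
            "payer_account_id": payer_account_id,
            "emails": split_tag(tags.get("cid_users", "")),
            "groups": split_tag(tags.get("cid_groups", "")),
        })
    return rows


def principals_for(rows, account_id):
    """Who can see account_id: its own row plus anyone on the management account row."""
    emails, groups = set(), set()
    for row in rows:
        if row["account_id"] in (account_id, row["payer_account_id"]):
            emails.update(row["emails"])
            groups.update(row["groups"])
    return sorted(emails), sorted(groups)


if __name__ == "__main__":
    for row in account_access(NODES, MANAGEMENT_ACCOUNT):
        print(row)
```

Running the same resolution over your own OU export before tagging shows which principals a new OU-level tag would reach, including the organization-wide reach of anything set on the management account.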

## How It Works Under the Hood
<a name="how-it-works-under-the-hood"></a>

CID constructs an RLS dataset from several sources.


![\[RLS Details\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/rls2/rls-views-details.png)


1.  **full_access_users** is a view or a table that contains the emails of users who should have full, unrestricted access to protected datasets. This view can be edited in Athena directly (https://docs.aws.amazon.com/athena/latest/ug/views-managing.html) as an [inline table](https://prestodb.io/docs/current/sql/values.htm), or it can be replaced with tables that come from other sources (your identity management or a simple CSV file on Amazon S3). We do not recommend using individual users for this; prioritize user management with groups instead, although individual users can be handy in the initial setup phase. Please make sure you enter exactly the same email as you have in Quick Suite.

1.  **full_access_groups** is a view or a table that contains a list of Quick Suite Groups whose users will have full, unrestricted access to protected datasets. This view can be edited in Athena directly (https://docs.aws.amazon.com/athena/latest/ug/views-managing.html) as an [inline table](https://prestodb.io/docs/current/sql/values.htm), or it can be replaced with tables that come from other sources (your identity management or a simple CSV file on Amazon S3).

1.  **account_access** is a view or a table that has the following fields:

   1.  `account_id` - AWS Account Id (12 digits)

   1.  `payer_account_id` - an AWS Management Account Id. Users and groups that have access to the `account_id` == `payer_id` will have access to all accounts under the AWS Organization with this management account id. The tool supports multiple AWS Organizations.

   1.  `emails` - a list of emails of users who will have access to the account information (note that it is not a comma separated list but it must be Athena type `ARRAY<VARCHAR>`)

   1.  `groups` - a list of Quick Suite Groups who will have access to the account information (note that it is not a comma separated list but it must be Athena type `ARRAY<VARCHAR>`)

1.  **permission view** is a union of several sub-tables based on **full_access_users**, **full_access_groups** and **account_access**. It produces the following fields:

   1.  `email` - email of users

   1.  `group` - a Quick Suite Group

   1.  `payer_account_id` - a comma separated list of accounts

   1.  `account_id` - a comma separated list of accounts

1.  **quickSight_users** is a table that contains the emails and UserName of each QS User.

1.  **rls_view** is the final form. It has the same fields as **permission view**, but instead of the user email it has the QS User Names needed for the RLS Dataset.

**Note**  
+ If both `payer_account_id` and `account_id` are empty, the user or the group in this line will have full access.
+ If only `payer_account_id` is provided and `account_id` is empty, the user or the group will have access to all accounts in the AWS Organization of the given payer account.
+ If a user or group is not present in the table, no access will be granted and the user will see an empty dashboard.
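
The rules under Access Control Rules and in the note above can be checked offline before an RLS dataset is applied. The following Python sketch is an added example, not part of the CID solution: it evaluates rows in the four-field layout and groups principals by how broad their row is. The sample rows and names are constructed, and treating a row as applying when either its UserName or its GroupName matches is an assumption of the example.

```python
import csv
import io

# Constructed sample rows in the four-field layout described on this page.
SAMPLE_RLS_CSV = '''UserName,GroupName,account_id,payer_account_id
,finops,,
alice,,"111111111111,222222222222",999999999999
,team-b,,888888888888
bob,,333333333333,
'''


def _split(cell):
    """Turn a comma-separated cell into a set; an empty cell means 'no filter'."""
    return frozenset(v.strip() for v in (cell or "").split(",") if v.strip())


def load_rules(text):
    """Parse RLS dataset CSV text into a list of rule dicts."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append({
            "user": (row.get("UserName") or "").strip(),
            "group": (row.get("GroupName") or "").strip(),
            "accounts": _split(row.get("account_id")),
            "payers": _split(row.get("payer_account_id")),
        })
    return rules


def rules_for(rules, user, groups=()):
    """Rows that apply to a principal: exact UserName match or group membership."""
    groups = set(groups)
    return [r for r in rules
            if (r["user"] and r["user"] == user)
            or (r["group"] and r["group"] in groups)]


def can_see(rules, user, groups, account_id, payer_account_id):
    """True if any applicable row admits this (account, payer) data row."""
    for r in rules_for(rules, user, groups):
        account_ok = not r["accounts"] or account_id in r["accounts"]
        payer_ok = not r["payers"] or payer_account_id in r["payers"]
        if account_ok and payer_ok:
            return True
    return False  # not listed, or no row matches: empty dashboard


def classify(rule):
    """Name the breadth of a row using the three cases from the page."""
    if not rule["accounts"] and not rule["payers"]:
        return "full"
    if not rule["accounts"]:
        return "organization"
    return "accounts"


def audit(rules):
    """Group principals by row breadth so the 'full' list can be reviewed."""
    report = {"full": [], "organization": [], "accounts": [], "invalid": []}
    for r in rules:
        if not r["user"] and not r["group"]:
            report["invalid"].append(r)  # row names no principal at all
            continue
        principal = f"user:{r['user']}" if r["user"] else f"group:{r['group']}"
        report[classify(r)].append(principal)
    return report


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RLS_CSV)
    print(audit(rules))
    print(can_see(rules, "alice", [], "111111111111", "999999999999"))
```

The `full` bucket is the one to review on every change, since a row whose two account fields are blank grants unrestricted visibility.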

## Deployment
<a name="deployment"></a>

## Prerequisites
<a name="prerequisites"></a>

Before implementing RLS, ensure you have:

1.  **(Recommended) QuickSight Configuration**: [Identity Source/SSO](sso-application-legacy.md) configured for your Quick Suite environment

1.  **CID Foundation**: [Foundational dashboards](cudos-cid-kpi.md) already installed

1.  **Account Access**: Admin access to the Data Collection/Dashboard Account

1.  **Management Account Access** (Optional): Required only for AWS Organization Tags option. Alternative options available if not accessible

1.  **Data Collection Stack** (Recommended): Preferably installed, but minimal setup instructions provided if needed

## Step 1: Define Your RLS Data Source and Deploy
<a name="step-1-define-your-rls-data-source-and-deploy"></a>

Choose one of the three options described [above](#source-of-rls-data) to define your RLS data source:

### Option 1: Using AWS Organization Tags in Management Account(s)
<a name="collapsible-section-rls-8"></a>

If you already have the [CID Data Collection Stack](data-collection.md), you can just check that the Quick Suite (IncludeQuickSightModule parameter) and OrganizationData (IncludeOrgDataModule parameter) modules are activated, and continue to the next step.

Here we will use the minimal setup for managing access from AWS Organization OU and Account Tags.

1. Log in to the Management Account(s) and install the Permission Stack by clicking Launch Stack below

    [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?&templateURL=https://aws-managed-cost-intelligence-dashboards-us-east-1.s3.amazonaws.com/cfn/data-collection/deploy-data-read-permissions.yaml&stackName=CidDataCollectionReadPermissionsStack&param_DataCollectionAccountID=REPLACE%20WITH%20DATA%20COLLECTION%20ACCOUNT%20ID%20OR%20EMPTY&param_AllowModuleReadInMgmt=no&param_OrganizationalUnitID=REPLACE%20WITH%20ORGANIZATIONAL%20UNIT%20ID%20OR%20EMPTY&param_IncludeBackupModule=no&param_IncludeBudgetsModule=no&param_IncludeComputeOptimizerModule=no&param_IncludeCostAnomalyModule=no&param_IncludeECSChargebackModule=no&param_IncludeInventoryCollectorModule=no&param_IncludeRDSUtilizationModule=no&param_IncludeRightsizingModule=no&param_IncludeTAModule=no&param_IncludeTransitGatewayModule=no&param_IncludeHealthEventsModule=no&param_IncludeCostOptimizationHubModule=no&param_IncludeLicenseManagerModule=no) 

1. Log in to the Data Collection/Dashboard Account and install the Data Collection Stack by clicking Launch Stack below. Set the Management Account Ids parameter to a comma-separated list of your Management Accounts. Make sure the Quick Suite (IncludeQuickSightModule parameter) and OrganizationData (IncludeOrgDataModule parameter) modules are set to 'yes'.

    [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?&templateURL=https://aws-managed-cost-intelligence-dashboards-us-east-1.s3.amazonaws.com/cfn/data-collection/deploy-data-collection.yaml&stackName=CidDataCollectionStack&param_ManagementAccountID=REPLACE%20WITH%20MANAGEMENT%20ACCOUNT%20ID&param_IncludeTAModule=no&param_IncludeRightsizingModule=no&param_IncludeCostAnomalyModule=no&param_IncludeInventoryCollectorModule=no&param_IncludeComputeOptimizerModule=no&param_IncludeECSChargebackModule=no&param_IncludeRDSUtilizationModule=no&param_IncludeOrgDataModule=yes&param_IncludeBudgetsModule=no&param_IncludeTransitGatewayModule=no&param_IncludeHealthEventsModule=no&param_IncludeQuickSightModule=yes) 

1. Once installed, you can go to AWS Organization in the Management Account and configure tags as follows:

   1.  `cid_groups` as colon-separated (`:`) Quick Suite Groups.

   1. and/or `cid_users` as colon-separated (`:`) emails of individual users

1. After updating the tags, you can launch the data collection by triggering the `CID-DC-organizations-StateMachine` and `CID-DC-quicksight-StateMachine` [StepFunctions](https://console.aws.amazon.com/states/home).

1. You can validate the data with the following queries (run them one at a time):

   ```
   SELECT * FROM "optimization_data"."organization_data";
   SELECT * FROM "optimization_data"."quicksight_user_data";
   SELECT * FROM "optimization_data"."quicksight_group_data"; -- can be empty if you don't have Quick Suite groups
   SELECT * FROM "optimization_data"."quicksight_groupmembership_data"; -- can be empty if you don't have Quick Suite groups
   ```

### Option 2: Using Amazon Athena Inline Tables
<a name="collapsible-section-rls-9"></a>

The Data Collection Stack is needed to collect data from the local Quick Suite account and store it in the local S3 bucket.

1. Log in to the Data Collection/Dashboard Account and install the Data Collection Stack by clicking Launch Stack below. If you already have the [CID Data Collection Stack](data-collection.md), you can just check that the Quick Suite and OrgData modules are activated, and continue to the next item.

    [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?&templateURL=https://aws-managed-cost-intelligence-dashboards-us-east-1.s3.amazonaws.com/cfn/data-collection/deploy-data-collection.yaml&stackName=CidDataCollectionStack&param_ManagementAccountID=&param_IncludeTAModule=no&param_IncludeRightsizingModule=no&param_IncludeCostAnomalyModule=no&param_IncludeInventoryCollectorModule=no&param_IncludeComputeOptimizerModule=no&param_IncludeECSChargebackModule=no&param_IncludeRDSUtilizationModule=no&param_IncludeOrgDataModule=no&param_IncludeBudgetsModule=no&param_IncludeTransitGatewayModule=no&param_IncludeHealthEventsModule=no&param_IncludeQuickSightModule=yes) 

1. Create an inline Athena Table that simulates the Data Collection `organization_data` table, but can be edited directly in Athena to manage access.

   ```
   CREATE OR REPLACE VIEW "optimization_data"."organization_data" AS
   WITH accounts AS (
     SELECT *
     FROM (
       VALUES
         ROW ('1111111111111111', '1111111111111111', ARRAY['user11@e.mail', 'user12@e.mail'], ARRAY['group11', 'group12'])
       , ROW ('2222222222222222', '1111111111111111', ARRAY['user21@e.mail', 'user22@e.mail'], ARRAY['group21', 'group22'])
       , ROW ('3333333333333333', '1111111111111111', ARRAY['user31@e.mail', 'user32@e.mail'], ARRAY['group31', 'group32'])
     )  ignored_table_name ("account_id", "payer_account_id", "emails", "groups")
   )
   SELECT
     account_id as Id,
     payer_account_id as ManagementAccountId,
     ARRAY[
       CAST(ROW('cid_users', array_join("emails", ':')) AS ROW(key VARCHAR, value VARCHAR)),
       CAST(ROW('cid_groups', array_join("groups", ':')) AS ROW(key VARCHAR, value VARCHAR))
     ] as HierarchyTags
   FROM accounts
   ```

### Option 3: Use CSV file on Amazon S3
<a name="collapsible-section-rls-3"></a>

1. Log in to the Data Collection/Dashboard Account and install the Data Collection Stack by clicking Launch Stack below

    [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?&templateURL=https://aws-managed-cost-intelligence-dashboards-us-east-1.s3.amazonaws.com/cfn/data-collection/deploy-data-collection.yaml&stackName=CidDataCollectionStack&param_ManagementAccountID=&param_IncludeTAModule=no&param_IncludeRightsizingModule=no&param_IncludeCostAnomalyModule=no&param_IncludeInventoryCollectorModule=no&param_IncludeComputeOptimizerModule=no&param_IncludeECSChargebackModule=no&param_IncludeRDSUtilizationModule=no&param_IncludeOrgDataModule=no&param_IncludeBudgetsModule=no&param_IncludeTransitGatewayModule=no&param_IncludeHealthEventsModule=no&param_IncludeQuickSightModule=yes) 

1. Create a CSV file (for example, `file.csv`):

   ```
   account_id, payer_account_id, emails, groups
   1111111111111111, 1111111111111111, user11@e.mail:user12@e.mail, group11:group12
   2222222222222222, 1111111111111111, user21@e.mail:user12@e.mail,
   3333333333333333, 1111111111111111,, group31:group32
   ```

1. Upload CSV file to an Amazon S3 Bucket. Please use an existing Bucket that Quick Suite already has access to. Example: `cid-{account-id}-data-exports` or `cid-data-{account-id}`. You can use either the web interface or the command line:

   ```
   account_id=$(aws sts get-caller-identity --query "Account" --output text)
   aws s3 cp ./file.csv s3://cid-data-${account_id}/my_accounts/file.csv
   ```

1. Log in to the AWS Console, select the Athena service and create a table:

   ```
   CREATE EXTERNAL TABLE optimization_data.my_accounts (
       "account_id" string,
       "payer_account_id" string,
       "emails" string,
       "groups" string
   )
   ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.OpenCSVSerde'
   WITH SERDEPROPERTIES (
       'separatorChar' = ',',
       'quoteChar' = '"',
       'escapeChar' = '\\'
   )
   STORED AS TEXTFILE
   LOCATION 's3://cid-data-${account_id}/my_accounts/' -- REPLACE ${account_id} WITH YOUR ACCOUNT ID
   TBLPROPERTIES (
       'has_encrypted_data'='false',
       'skip.header.line.count'='1'
   );
   ```

1. Verify the table

   ```
   SELECT * FROM "optimization_data"."my_accounts"
   ```

1. Create a view that simulates the `organization_data` table

   ```
   CREATE OR REPLACE VIEW "optimization_data"."organization_data" AS
   SELECT
     account_id as Id,
     payer_account_id as ManagementAccountId,
     ARRAY[
       CAST(ROW('cid_users',  "emails") AS ROW(key VARCHAR, value VARCHAR)),
       CAST(ROW('cid_groups', "groups") AS ROW(key VARCHAR, value VARCHAR))
     ] as HierarchyTags
   FROM "optimization_data"."my_accounts"
   ```
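Because this CSV decides which users and groups can see which accounts, it is worth auditing before upload. The script below is an added example, not part of the CID tooling: it inverts the file into a per-principal list of visible accounts and flags rows that are malformed. The sample rows, the function names and the assumption that stray whitespace around a name would prevent an exact match are assumptions of this example.

```python
"""Audit an RLS mapping CSV before it is uploaded to S3 (added example)."""
import csv
import io
import re
from collections import defaultdict

EXPECTED_HEADER = ["account_id", "payer_account_id", "emails", "groups"]
ACCOUNT_ID = re.compile(r"^\d{12}$")  # AWS account IDs are 12 digits

# Constructed sample input (not real accounts or users).
# Line 3 has a padded value, line 4 grants nothing, line 5 repeats an
# account, line 6 has an 11-digit account id.
SAMPLE = """\
account_id,payer_account_id,emails,groups
111111111111,999999999999,alice@example.com:bob@example.com,finops
222222222222,999999999999, carol@example.com,
333333333333,999999999999,,
111111111111,999999999999,dave@example.com,
44444444444,999999999999,,platform
"""


def split_principals(cell):
    """Split a ':'-joined cell into trimmed names, dropping empty pieces."""
    return [piece.strip() for piece in cell.split(":") if piece.strip()]


def has_padding(cell):
    """True if the cell or any ':'-separated piece has surrounding whitespace."""
    return any(piece != piece.strip() for piece in cell.split(":"))


def audit(text):
    """Return (grants, findings).

    grants maps 'user:<name>' or 'group:<name>' to the sorted account ids the
    file would expose to that principal; findings is a list of
    (line_number, message) tuples for rows that need a second look.
    """
    findings = []
    grants = defaultdict(set)
    first_seen = {}
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != EXPECTED_HEADER:
        return {}, [(1, f"unexpected header: {header!r}")]
    for line_no, row in enumerate(reader, start=2):
        if not row:
            continue  # blank line
        if len(row) != len(EXPECTED_HEADER):
            findings.append((line_no, f"expected 4 columns, got {len(row)}"))
            continue
        if any(has_padding(cell) for cell in row):
            findings.append((line_no, "whitespace around a value"))
        account, payer, emails, groups = (cell.strip() for cell in row)
        bad = [v for v in (account, payer) if not ACCOUNT_ID.match(v)]
        if bad:
            findings.append((line_no, f"not a 12-digit account id: {bad[0]!r}"))
            continue  # do not record grants for a row with a bad id
        if account in first_seen:
            findings.append(
                (line_no, f"account {account} repeats line {first_seen[account]}"))
        first_seen.setdefault(account, line_no)
        users, teams = split_principals(emails), split_principals(groups)
        if not users and not teams:
            findings.append((line_no, f"account {account} is granted to nobody"))
        for user in users:
            grants["user:" + user].add(account)
        for team in teams:
            grants["group:" + team].add(account)
    return {name: sorted(ids) for name, ids in grants.items()}, findings


if __name__ == "__main__":
    grants, findings = audit(SAMPLE)
    for name in sorted(grants):
        print(f"{name:28} -> {', '.join(grants[name])}")
    for line_no, message in findings:
        print(f"line {line_no}: {message}")
```

Review the printed per-principal list with the account owners; users and groups configured in the full-access views are outside this file and are not covered by the check.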

## Step 2: Install RLS Dashboard and Verify Configuration
<a name="step-2-install-rls-dashboard-and-verify-configuration"></a>

### Expand
<a name="collapsible-section-rls-4"></a>

1.  **Access Terminal**: Log in to Amazon CloudShell or use your local terminal

1.  **Install CID-CMD Tool**:

   ```
   pip3 install -U cid-cmd
   ```

1.  **Deploy RLS Dashboard**:

   ```
   cid-cmd deploy --dashboard-id cid-rls
   ```

1.  **Verify Dashboard**: Check the dashboard in Quick Suite. Ensure the dataset updates and displays data (may take several minutes after deployment)

1.  **Configure Admin Access**: Edit the Athena views **full_access_users** and **full_access_groups** and replace the placeholders with your admin users and groups for full dashboard access. After modifying data, refresh the `rls_dataset` dataset.

## Step 3: Apply RLS to Dashboards
<a name="step-3-apply-rls-to-dashboards"></a>

### Expand
<a name="collapsible-section-rls-5"></a>

1.  **Access Terminal**: Log in to Amazon CloudShell or use your local terminal

1.  **Install CID-CMD Tool** (if not already installed):

   ```
   pip3 install -U cid-cmd
   ```

1.  **Enable RLS**: Update dashboard with RLS enabled. The tool will guide you through selecting the dashboard and RLS dataset, then update all associated datasets:

   ```
   cid-cmd update --force --recursive --rls ENABLED
   ```

1.  **RLS Management Options**:
   + Disable RLS: `--rls DISABLED` 
   + Remove RLS: `--rls CLEAR` 

## FAQ / Operations Guide
<a name="faq-operations-guide"></a>

### How can I verify the access rights?
<a name="how-can-i-verify-the-access-rights"></a>
+  **Review RLS Dataset**: Open the RLS Dashboard and verify the content of the RLS dataset
+  **Test with Additional User**: Create an additional Quick Suite user for testing (note: additional costs apply, delete after testing)

### How can I manage users and groups with full access?
<a name="how-can-i-manage-users-and-groups-with-full-access"></a>
+  **Athena Views**: Edit the **full_access_users** and **full_access_groups** views in Athena as inline tables
+  **Dataset Refresh**: After modifications, refresh the `cid_rls` dataset in Quick Suite
+  **CSV Alternative**: Configure a CSV file on S3 for more flexibility (views remain customizable and won’t be overwritten during updates)

### How do I apply RLS to other dashboards?
<a name="how-to-apply-rls"></a>

Use the CID-CMD tool to enable RLS on any dashboard:

```
cid-cmd update --force --recursive --rls ENABLED
```

**Management Options**:
+ Disable: `--rls DISABLED`
+ Remove: `--rls CLEAR`

### How do I check the RLS status for all datasets?
<a name="how-do-i-check-the-rls-status-for-all-datasets"></a>

Use the CID-CMD status command:

```
cid-cmd status
```

### How can I configure mapping between user groups and business units?
<a name="how-can-i-configure-mapping-between-user-groups-and-business-units"></a>

This guide focuses on AWS Account ID-based access, but you can adapt it for [Organizational Taxonomy](add-org-taxonomy.md):
+ Use Account Tags or Resource Tags for business unit mapping
+ Create a custom RLS dataset with **UserName**, **GroupName**, and the same field configured as dashboard [Organizational Taxonomy](add-org-taxonomy.md) 

## Authors
<a name="authors"></a>
+ Stephanie Gooch, Sr. Commercial Architect, AWS OPTICS
+ Veaceslav Mindru, Sr. Technical Account Manager, AWS
+ Iakov Gan, Ex-Amazonian
+ Yin Lei, Sr. Technical Account Manager, AWS
+ Yuriy Prykhodko, Principal Technical Account Manager, AWS

## Feedback
<a name="feedback"></a>

Follow [Feedback & Support](feedback-support.md).

# SaaS Unit Metrics
<a name="saas-unit-metrics"></a>

## Last Updated
<a name="last-updated"></a>

November 2023

## Introduction
<a name="introduction"></a>

From time to time, customers will have concerns such as: "my AWS bills are going up and I don’t know whether that’s a good thing or a bad thing". Did the bill go up because they are operating more workloads in the cloud, or is it because they are using AWS inefficiently? … Perhaps, a little bit of both. Regardless of the reason, the most often encountered interpretation is that more spend is bad. That isn’t always the case.

When your AWS invoice is viewed without the appropriate context, it is hard to tell if an increase in spend is a result of delivering more value from your use of the Cloud, or if it is due to inefficient and wasteful resource consumption. Being able to tell the difference is important. You’re now likely asking: "well, how do I tell the difference?" … Simply stated: with unit metrics.

This hands-on lab will guide you through the steps required to add your business data to a visualization that represents a "cost-per" unit metric. This will provide context as to whether changes to your AWS Cloud architecture and operations are improving, maintaining, or eroding gross profit margins.

## Source Some Metrics
<a name="source-some-metrics"></a>

For this example, we will use the number of API calls to our service on a daily basis. To acquire something that resembles real life, we will use [these publicly available statistics](https://stats.boomi.com/). We are going to use the day the API requests took place to map the data to the existing datasets for cost and usage in your dashboards. Make sure you have the date formatted as a [date format](https://docs.aws.amazon.com/quicksight/latest/user/supported-date-formats.html) in your spreadsheet.

1. Create a CSV file with this data.

1. Go to Quick Sight>>Datasets and click **New dataset**.

1. Click on upload a file. Select the CSV you’ve created. Click next then click **Edit settings and prepared data**.  
![\[Data source details with edit preview data button highlighted\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_editpreviewdata.png)

1. Make sure that the date field in your dataset is of type *date*. Change it if it is not.  
![\[Dataset results with the date field header highlighted\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_dateformat.png)

1. Click **Save & Publish** and return to the list of your datasets in Quick Sight.

1. Click on summary_view and select **EDIT DATASET**.  
![\[Summary view with edit dataset button highlighted\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_editdataset.png)

1. Click on **Add data**. Select from a dataset. Find your uploaded dataset and click **Select**.  
![\[Add dataset with arrows pointing to each of the steps to find your dataset\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_adddata.png)

1. Click on the two pink dots next to your dataset. Select **Left** in the join clauses section. Below, select the *Usage_Date* field on the left for **Summary_View** and the *Date* field from your uploaded dataset on the right. Click **Apply**. Then click **Save & publish**.  
![\[Edit dataset with arrows and numbers pointing out each of the steps to add and apply the join clause\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customization_joinclauses.png)

## Customize your Dashboard
<a name="customize-your-dashboard"></a>

For this guide we will use the Cost Intelligence Dashboard deployed in the earlier part of this lab.

1. Open the **Analysis** version of your dashboard so we can edit it. Start by adding a new tab on the far right side of the dashboard. Rename it to "Unit Metrics".  
![\[Dashboard showing several tabs with an arrow pointing to the Unit Metrics tab\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_newtab.png)

1. Let’s start by creating a *per API cost* field. On the top right click **Insert** and then **Add calculated field**.  
![\[Add calculated date field\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_addcalculatedfield.png)

1. Call it *Cost per API Call* and add syntax to divide your Cost field by the new API Count field you imported. Click save.  
![\[Add syntax for cost field\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_calculatedfield1.png)

1. Let’s add a visual that shows us our new Cost per API call day over day. Click **Visualize** and select **Add visual**. Drag over your new Cost Per API Call field into the new visuals.  
![\[Displaying the result of add visual to the analysis\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_addingcostperapicallfield.png)

1. Let’s change this to a line graph that shows day-over-day trends. Click on the Line Chart visual type. Next, add the usage_date field to your X axis.  
![\[Analysis with red arrows and numbers indicating the steps to add usage date to the x axis field well\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_createlinegraph.png)

1. We now see our per API call unit cost day-over-day. Let’s map the number of API calls on top of this to see the correlation.  
![\[Analysis with arrows indicating where to move the api count metric to in the field well\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_addapicounttograph.png)

1. Tough to see it if our AWS spend is small. Let’s give the API count its own Y axis.  
![\[Value context menu with arrow pointing to the option to show on right y-axis\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizationsownyaxis.png)

1. Now we have a visual that shows us the correlation between API counts and the cost per API on that day. But it might be difficult to talk about a cost per API call if it’s less than $0.01 on average. So how do we adjust the multiplier so we can talk about cost per 10,000 API requests? We will add a control and a parameter in Quick Sight to accomplish this. Click on **Data**, then **Add Parameters**. Set it to an **Integer**, give it a name, and set the default to 10.  
![\[Analysis with an inset image with arrows and numbers indicating the steps to create a new parameter\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_setparametermultiplier.png)

1. On the next selection screen, pick **Control**. On the next screen, give the control a name (this will be seen in the dashboard), select Dropdown or List for Style, and put in some multiplier options. I chose 1 through 1 million by orders of magnitude. Check "Hide select all option…".  
![\[Add control dialog\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_createcontrolformultiplier.png)

1. The control will appear at the top of your dashboard. Click on it, click the three dots, select **Move to sheet**. Position it at the top or wherever you like.  
![\[Context menu showing the move to sheet selection\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_movecontrol.png)

1. Now we need to tie whatever someone selects here to the actual per API cost value. Create a **new calculated field** called Adjusted API Count and set it to be `{API Count}/${APIcallmultiplier}`. The *APIcallmultiplier* is the name of the parameter you just created. Click save. Next, swap the API count field for the new Adjusted API Count calculated field. Finally, edit the **Cost Per API Call** calculated field we created in step 3 to be `Cost/{Adjusted API Count}`.  
![\[Arrow pointing to the Adjusted API count value indicating what to swap\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_swapadjustedcostvalue.png)

1. Now when you select a multiplier from your drop down or list, the cost per API call amounts in the graph should change by that order of magnitude.

1. Let’s add a few more visuals to get you familiar with what else you can do. Create a new visual, and in the **Visual Types** section choose KPI indicator.

1. In the Field Wells along the top of the dashboard, put the **usage_date** in as the Trend group, click on the arrow next to it, select **Aggregate** and choose month. Next, put the Cost Per API call field into the Value box. Finally, to get rid of all those decimal places, select the Cost per API call field in the well, click on the down arrow next to it and select **Show as: Currency**.  
![\[Showing how to change a field to display as currency\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_showascurency.png)

1. Now we can see how our cost per API call month-over-month changed from this month to the prior month. Finally, let’s add a table where you can dig into the details and see cost per API call per service, per tag, per business unit, per account, per region, etc.

1. Create a new visual and set the visual type to **Pivot Table**. In the Values field well put Cost Per API Call set to Currency. In columns put usage_date set to aggregate monthly. In rows, put the dimensions you want to group on, for example tags, service, and operation.  
![\[Analysis dashboard focused on the pivot table visualization\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/saas/customizations_detailedtable.png)

**Note**  
Note the little plus and minus signs next to the values in the columns and rows to the left. You can click on them to zoom in and see more granularity. For example, pick a tag value in the first column and click plus, then click plus on the relevant service, then click plus again to see the operations. Now you should be able to see the cost per API per operation, grouped by tag and service.

## Next Steps
<a name="next-steps"></a>

1. Now that you know how to add controls, you might consider adding a control for a start date and end date to give users the ability to set the time being considered across all the visuals.

1. Explore [Quick Sight forecast](https://docs.aws.amazon.com/quicksight/latest/user/forecasts-and-whatifs.html) features to see if you can forecast what your cost per API call will be in the future.

# Tailoring Data Collector schedules
<a name="tailor-data-collector"></a>

## Last Updated
<a name="last-updated"></a>

March 2024

## Tailoring Data Collector schedules
<a name="tailoring-data-collector-schedules"></a>

The CloudFormation template for the Data Collection framework allows you to define two different schedules for collecting data. One schedule controls the Trusted Advisor, Cost Optimization Hub, Compute Optimizer, Organizations Data, Rightsizing, RDS Utilization, Inventory Collector, Transit Gateway, Backup, and ECS Chargeback modules. That schedule defaults to every 14 days, which should work well for those datasets in most cases. A second schedule is provided for the Cost Anomalies and Budgets modules, for which there are use cases that benefit from more frequent updating. The default frequency for those is daily. In both cases, you can override the template defaults and the set of modules that each schedule governs will be affected accordingly.

However, your use cases may differ from those two generalizations such that you may wish to tailor the schedule more granularly for individual modules. Because the CloudFormation template ultimately deploys a dedicated EventBridge schedule for each module, you can easily adjust any module’s schedule to suit your needs. The following steps will show you how to apply such customizations.

### Click here to see step-by-step instructions for adjusting schedules
<a name="collapsible-section-id-tailor-data-collector-1"></a>

1. Navigate to the [Schedules](https://us-east-1.console.aws.amazon.com/scheduler/home?#schedules) section of the **Amazon EventBridge** console.

1. Find and select the schedule that you want to change. All schedules for the Data Collection framework will be named starting with the prefix you defined at deployment (for example, "CID-DC-"). The rest of the name corresponds to the module name.

1. Click **Edit**   
![\[Find and select the schedule\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/data-collection-schedules/c11n-schedule-01.png)

1. On the **Specify schedule detail** page, scroll down to the **Schedule pattern** section.

1. From there you can adjust the **Rate expression** to suit your needs. Note: You can also change to a cron-based definition as well as make adjustments to the flexibility of your time window.  
![\[Find and select the schedule\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/data-collection-schedules/c11n-schedule-02.png)

1. After you make your adjustments, click the **Skip to Review and save schedule** button.  
![\[Find and select the schedule\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/data-collection-schedules/c11n-schedule-03.png)

1. Review your new schedule and click **Save schedule** at the bottom of the page to complete the change.  
![\[Find and select the schedule\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/data-collection-schedules/c11n-schedule-04.png)

# Data Collection without AWS Organizations
<a name="data-collection-without-org"></a>

When deploying AWS Cost Intelligence Dashboard (CID), customers who don’t have direct access to AWS Organizations (because it’s managed by partners or separate internal teams) should first consider collaborating with the team owning AWS Management (Payer) Account to deploy CID at scale across the organization with Row Level Security implemented, ensuring each business unit can only view cost and operational data for their specific AWS accounts.

However, if collaboration with the Management account team isn’t feasible due to organizational constraints, customers can still deploy multiple CID dashboards independently without requiring AWS Organizations access, providing flexibility even without centralized organizational visibility.

The following dashboards are available without access to AWS Organizations:


| Dashboard | Requirement | Details | 
| --- | --- | --- | 
|  CUDOS, CID, KPI  |  Data Exports  |  CUR  | 
|  SPG Marketplace  |  Data Exports  |  CUR  | 
|  Sustainability  |  Data Exports  |  CUR, Carbon  | 
|  CORA  |  Data Exports  |  COH  | 
|  Amazon Connect Cost Insights Dashboard  |  Data Exports  |  CUR  | 
|  Trusted Advisor  |  Data Collection  |  Trusted Advisor Module  | 
|  Support Cases Radar  |  Data Collection  |  Support Cases Module  | 
|  Extended Support Cost Projection  |  Data Collection  |  Inventory Module  | 
|  Graviton Savings Dashboard  |  Data Collection  |  Inventory and Pricing Modules  | 
|  AWS News Feeds  |  Data Collection  |  AWS Feeds Module  | 

The following dashboards are not available without access to AWS Organizations:
+ Health Events Dashboards, Compute Optimizer Dashboards, Anomaly Detection Dashboard, AWS Budgets Dashboard

## Data Exports without AWS Organizations
<a name="data-exports-without-aws-organizations"></a>

Foundational dashboards like CUDOS, CID, and KPI depend only on the AWS Cost and Usage Report in AWS Data Exports. CORA and FOCUS depend on Cost Optimization Hub and FOCUS reports respectively.

Using the CID Data Exports stack, you can deploy AWS Data Exports in a set of AWS accounts and use replication to consolidate all data in one of the accounts, called the Data Collection Account, where the dashboards are deployed.

![\[Architecture Data Exports\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/data-collection-without-org/data-exports-without-org-architecture.png)


Please follow the instructions in [Data Exports](data-exports.md) and first install the Stack with Destination parameters in the Data Collection account. Please note that, in order to get data for the Data Collection account itself, you need to put the AWS account ID of the Data Collection Account FIRST in the list of SourceAccountIds, and then you can add all other Account Ids that will later transfer their Data Exports here.

Once done, you can go ahead and install the Stack with only Source parameters in each AWS Account of your perimeter (you need to specify the Destination Account Id and keep Source Account Ids empty). Do not forget to set the exports you need on both sides.

## Data Collection without AWS Organizations
<a name="data-collection-without-aws-organizations"></a>

By default, the [Data Collection](data-collection.md) tooling uses AWS Organizations to obtain a list of accounts in scope for the modules that collect information at the Linked Account level. However, in some cases, business or governance policies may limit access to AWS Organizations. This guide shows you how to manually define a list of specific Linked Accounts to poll directly, rather than relying on the AWS Organizations API.

![\[Architecture Data Collection\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/data-collection-without-org/data-collect-without-org-architecture.png)


1. An administrator user uploads a list of accounts to the S3 bucket (this can be easily automated).

1. A scheduled event triggers an execution of the Lambda function. By default, this happens every 14 days.

1. The Account Collection Lambda can detect an account list in the S3 bucket.

1. The data collection Lambda goes to each account and assumes the role to read the information.

1. The Lambda stores the collected data in S3.

1. The customer can query tables via Athena

1. or deploy Quick Sight Dashboards on top of this data.

To enable data collection you must first ensure that the [deploy-in-linked-account.yaml](https://aws-managed-cost-intelligence-dashboards-us-east-1.s3.amazonaws.com/cfn/data-collection/deploy-in-linked-account.yaml) CloudFormation template is installed in all concerned accounts. The standard deployment of the Data Collection permissions policy script is launched in the Management Account and employs a StackSet to automate the deployment of the account-level roles. But for this purpose, unless you have access to the Management Account for deploying the StackSet, you must instead deploy the permissions template in each Linked Account in scope.

Note, not all Data Collection modules will work without AWS Organizations. The following modules are supported:
+ Inventory
+ ECS Chargeback
+ RDS Usage
+ Transit Gateway
+ Trusted Advisor
+ Support Cases

## Step by Step Guide
<a name="step-by-step-guide"></a>

1. If you have not done so already, deploy the permissions stack into each Linked Account in scope. You should adjust the template parameters to choose the modules you wish to use, using the list of supported modules above.

    [https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?&templateURL=https://aws-managed-cost-intelligence-dashboards-us-east-1.s3.amazonaws.com/cfn/data-collection/deploy-in-linked-account.yaml&stackName=CidDataCollectionLinkedAccountReadPermissionsStack&param_DataCollectionAccountID=REPLACE%20WITH%20DATA%20COLLECTION%20ACCOUNT%20ID&param_IncludeBudgetsModule=no&param_IncludeECSChargebackModule=no&param_IncludeInventoryCollectorModule=no&param_IncludeRDSUtilizationModule=no&param_IncludeTAModule=yes&param_IncludeTransitGatewayModule=no](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?&templateURL=https://aws-managed-cost-intelligence-dashboards-us-east-1.s3.amazonaws.com/cfn/data-collection/deploy-in-linked-account.yaml&stackName=CidDataCollectionLinkedAccountReadPermissionsStack&param_DataCollectionAccountID=REPLACE%20WITH%20DATA%20COLLECTION%20ACCOUNT%20ID&param_IncludeBudgetsModule=no&param_IncludeECSChargebackModule=no&param_IncludeInventoryCollectorModule=no&param_IncludeRDSUtilizationModule=no&param_IncludeTAModule=yes&param_IncludeTransitGatewayModule=no) 

1. Follow [Step 2](data-collection-deployment.md) of the standard Data Collection deployment to deploy the Data Collection tooling. Select the same modules that you selected with your permissions stack deployment.

1. Create either a JSON or CSV file with your Linked Account information. For either format, declare each account on a separate line, per the following examples. Note there is no header row for the CSV, but the order is the same as the JSON: `account_id, account_name, payer_id`. Name the file `account-list.json` or `account-list.csv` accordingly.

   JSON:

   ```
    {"account_id": "111111111111", "account_name": "My account 1", "payer_id": "999999999999"}
    {"account_id": "222222222222", "account_name": "My account 2", "payer_id": "999999999999"}
   ```

   CSV:

   ```
    111111111111,My account 1,999999999999
    222222222222,My account 2,999999999999
   ```

1. Locate the main bucket created by the Data Collection stack. The default is `cid-data-[YOUR ACCOUNT NUMBER]`. Create a folder off of the root and name it `account-list`. Then deploy the file you created to that folder. The framework will detect the existence of the file when it next runs and use it instead of AWS Organizations for the affected modules. The bucket path should look something like `cid-data-111111111111/account-list/account-list.csv`.

1. Now you can trigger StepFunctions for data collection (search for TrustedAdvisor, locate the StepFunction and launch an execution; no specific parameter is needed).

1. When the StepFunction execution has completed, you can check the data in Athena and proceed to the deployment of dashboards.
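The account list decides which accounts the collector assumes a role in, so a malformed line silently changes the collection scope. The script below is an added example, not part of the Data Collection framework: it checks an `account-list.json` or `account-list.csv` file against the format in step 3 before upload. The function names, the constructed sample data and the rule that every JSON value must be a string (as in the examples above) are assumptions of this example.

```python
"""Check an account-list.json / account-list.csv file before uploading it."""
import csv
import io
import json
import re

FIELDS = ("account_id", "account_name", "payer_id")
ACCOUNT_ID = re.compile(r"^\d{12}$")  # AWS account IDs are 12 digits

# Constructed samples. JSON line 2 uses spaces in its keys and line 3 gives the
# id as a number; CSV line 1 is a header row and line 3 lost a leading zero.
SAMPLE_JSON = """\
{"account_id": "111111111111", "account_name": "My account 1", "payer_id": "999999999999"}
{"account id": "222222222222", "account name": "My account 2", "payer id": "999999999999"}
{"account_id": 333333333333, "account_name": "My account 3", "payer_id": "999999999999"}
"""
SAMPLE_CSV = """\
account_id,account_name,payer_id
111111111111,My account 1,999999999999
12345678901,My account 2,999999999999
"""


def _rows_from_json(text):
    """Yield (line_no, record, error) for a file with one JSON object per line."""
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            yield n, None, f"invalid JSON: {exc.msg}"
            continue
        if not isinstance(obj, dict) or set(obj) != set(FIELDS):
            yield n, None, f"keys must be exactly {list(FIELDS)}"
            continue
        if not all(isinstance(obj[f], str) for f in FIELDS):
            yield n, None, "every value must be a JSON string"
            continue
        yield n, obj, None


def _rows_from_csv(text):
    """Yield (line_no, record, error) for a header-less three-column CSV."""
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) != len(FIELDS):
            yield n, None, f"expected {len(FIELDS)} columns, got {len(row)}"
            continue
        yield n, dict(zip(FIELDS, (cell.strip() for cell in row))), None


def check_account_list(filename, text):
    """Return (accounts, errors); errors is a list of (line_no, message)."""
    if filename == "account-list.json":
        rows = _rows_from_json(text)
    elif filename == "account-list.csv":
        rows = _rows_from_csv(text)
    else:
        return [], [(0, "file must be named account-list.json or account-list.csv")]
    accounts, errors, seen = [], [], set()
    for n, record, error in rows:
        if error:
            errors.append((n, error))
            continue
        bad = [f for f in ("account_id", "payer_id") if not ACCOUNT_ID.match(record[f])]
        if bad:
            # Also catches a header row and ids that lost a leading zero.
            errors.append((n, f"{bad[0]} is not a 12-digit id: {record[bad[0]]!r}"))
        elif record["account_id"] in seen:
            errors.append((n, f"duplicate account_id {record['account_id']}"))
        else:
            seen.add(record["account_id"])
            accounts.append(record)
    return accounts, errors


if __name__ == "__main__":
    for name, text in (("account-list.json", SAMPLE_JSON),
                       ("account-list.csv", SAMPLE_CSV)):
        accounts, errors = check_account_list(name, text)
        print(f"{name}: {len(accounts)} valid account(s)")
        for line_no, message in errors:
            print(f"  line {line_no}: {message}")
```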

# AWS Spend in Local Currency
<a name="spend-in-local-currency"></a>

## Last Updated
<a name="last-updated"></a>

February 2025

## Authors
<a name="authors"></a>
+ Sumit Agarwal, Senior Technical Account Manager, AWS
+ Iakov Gan, Ex-Amazonian
+ Yuriy Prykhodko, Principal Technical Account Manager, AWS

## Introduction
<a name="introduction"></a>

By default, all CID dashboards are built in USD ($). AWS Billing allows the use of local currencies, and even if the Billing is in USD, local currencies may be more convenient for analyzing costs. This guide provides steps to facilitate the customization of adding a choice of currency to CUDOS dashboard. This solution requires currency conversion rate data that you can obtain from public sources.

## Prerequisites
<a name="prerequisites"></a>
+  [CUDOS v5](cudos-cid-kpi.md) Dashboard deployed
+ Access to upload CSV to S3, create external table in Athena and amend Quick Sight Dataset and Dashboards.
+ Currency conversion rate file in CSV format [example.csv](samples/currency-conversion-rate.csv.zip), averaging currency conversion on a monthly basis. For this example we use the USD to GBP exchange rate, assuming that the CUR is in USD and we want to show it in GBP.

```
Month,CurrencyConversionRate
2024-02-01,0.7845326
2024-03-01,0.79015638
2024-04-01,0.79732566
2024-05-01,0.79801344
2024-06-01,0.78495453
2024-07-01,0.7915426
2024-08-01,0.78610283
2024-09-01,0.76168342
2024-10-01,0.75271059
2024-11-01,0.77358126
2024-12-01,0.78809978
2025-01-01,0.7978017
```

## Solution
<a name="solution"></a>

This customization aims to streamline data interpretation and decision making processes, providing a more personalized and efficient dashboard experience for our valued customers.

![\[Architecture Diagram\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/architecture-diagram.png)


### Adding a Currency conversion
<a name="adding-a-currency-conversion"></a>

This customization requires several manual steps:

1. Prepare currency conversion csv as mentioned in Prerequisites.

1. Navigate to the cid S3 bucket `s3://cid-{account_id}-shared/`, create a new folder named `CurrencyConversionRate` within the bucket and upload the csv file to the newly created CurrencyConversionRate folder. You can automate this step via an Amazon Lambda function (outside of this guide).

1. In Amazon Athena, choose the cid database, then create an external table pointing to the currencyconversionrate.csv file uploaded to S3 by running the following SQL query. Please update the folder location with your Account Id.

   ```
       CREATE EXTERNAL TABLE IF NOT EXISTS currencyconversionrate (
           Month date,
           CurrencyConversionRate double
       )
       ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe'
       WITH SERDEPROPERTIES ('field.delim' = ',')
       STORED AS INPUTFORMAT 'org.apache.hadoop.mapred.TextInputFormat' OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
       LOCATION 's3://cid-{account_id}-shared/CurrencyConversionRate/'
       TBLPROPERTIES (
           'classification' = 'csv',
           'skip.header.line.count' = '1'
       );
   ```

1. To preview the table and ensure the data is being populated correctly, run a `SELECT * FROM "currencyconversionrate" limit 10;` query in Athena.  
![\[Preview Table\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/preview-external-table.png)

1. In Quick Sight, go to "Datasets" section and select summary_view dataset. Click on "Edit", then click on "Add data" in the top right corner. From the dropdown menu, choose "Data source". In the data source options, select CID datasource and then choose the currencyconversionrate table.  
![\[Add data\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/add-data.png)

1. Select "Left Join" as the join type, and join the "billing_period" column from the "summary_view" table with the "month" column from the "currencyconversionrate" table. After this, apply the changes and then save and publish the dataset.  
![\[Add join\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/add-join.png)

1. In Quick Sight, go to the dashboards, then click the CUDOS Dashboard and save it as a new analysis.  
![\[Save analysis\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/save-analysis.png)

1. Go to the "Analyses" section, click on "CUDOSInLocalCurrency", then create a new parameter called "Currency". In "Datatype", choose "String", in "Values", select "single value", set "$" as the default currency, and then create the parameter.  
![\[Add parameter\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/add-parameter.png)

1. Once the "Currency" parameter is created, click on the three dots located on the right side of the parameter. Then, click on "Add Control".  
![\[Add control\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/add-control.png)

1. In the "Add control" window, select "Style" as "Dropdown". Next, click on "Specific values" and provide the local currency including "$" (for documentation purposes, we are using "£" as an example). Make sure to check the "Hide Select all.." option at the bottom. Finally, click to add the control.  
![\[Control options\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/control-option.png)

1. Now, we need to edit the calculated fields to convert the cost into the currency selected in the control. Select "cost_unblended" and click on the three dots located on the right side. Then, click on "Edit calculated field".  
![\[Edit calculated field\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/edit-calculated-field.png)

1. In the calculated field editor, replace the current code with the following code, then save the calculated field. If you combine accounts that are billed in different currencies (for example, China and Global), you can use the Multi Currency option below.

**Example**  

------
#### [ Simple Conversion ]

```
switch( ${Currency},
    "$", {unblended_cost},
    "£", {unblended_cost} * {currencyconversionrate},
    NULL
)
```

------
#### [ Multi Currency ]

```
switch( ${Currency},
    "$", switch(substring(region, 1, 3), 'cn-', {unblended_cost} * {currencyconversionrate}, {unblended_cost}),
    "¥", switch(substring(region, 1, 3), 'cn-', {unblended_cost}, {unblended_cost} / {currencyconversionrate}),
    NULL
)
```

------

![\[Cost in USD\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/cost-usd.png)


1. Do the same for Amortized Cost  
**Example**  

------
#### [ Simple Conversion ]

   ```
   switch( ${Currency},
       "$", {amortized_cost},
       "£", {amortized_cost} * {currencyconversionrate},
       NULL
   )
   ```

------
#### [ Multi Currency ]

   ```
   switch( ${Currency},
       "$", switch(substring(region, 1, 3), 'cn-', {amortized_cost} * {currencyconversionrate}, {amortized_cost}),
       "¥", switch(substring(region, 1, 3), 'cn-', {amortized_cost}, {amortized_cost} / {currencyconversionrate}),
       NULL
   )
   ```

------

1. If you select the currency "£", it will convert the cost to "£" based on the month and conversion rate provided in the initial CSV file. Note that you will still see the "$" symbol in the cost in both cases because the "cost_unblended" format is fixed as currency type and cannot be changed dynamically.  
![\[Cost in GBP\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/cost-gbp.png)
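
The left join configured above matches each `billing_period` to a row of the rate file, so a month with no rate produces a NULL converted cost and a month listed twice duplicates every cost row for that month. The following Python check is an added example, not part of the original guide, and can be run on the CSV before it is uploaded. The function names and sample data are this example's own, and it assumes rates are keyed on the first day of each month in `yyyy-MM-dd` form.

```python
import csv
from datetime import date, datetime

# Constructed sample (not data from the guide): duplicate month, bad day, bad rate, gaps.
SAMPLE = """Month,CurrencyConversionRate
2024-01-01,0.79
2024-02-01,0.80
2024-02-01,0.81
2024-04-15,abc
"""

def parse_month(raw):  # strict yyyy-MM-dd, otherwise None
    try:
        parsed = datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError:
        return None
    return parsed if parsed.isoformat() == raw else None

def validate_rates(csv_text, first_month, last_month):
    """Return problems that would drop, duplicate or NULL cost rows after the left join."""
    problems, seen = [], set()
    rows = list(csv.reader(csv_text.splitlines()))
    # 'skip.header.line.count' = '1' discards line 1 even when it holds a rate.
    if rows and rows[0] and parse_month(rows[0][0]):
        problems.append("line 1: looks like data but is skipped as the header")
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != 2:
            problems.append(f"line {n}: expected 2 fields, found {len(row)}")
            continue
        month = parse_month(row[0])
        if month is None:
            problems.append(f"line {n}: Month {row[0]!r} is not yyyy-MM-dd")
        elif month.day != 1:
            problems.append(f"line {n}: {month} is not the first day of a month")
        elif month in seen:
            problems.append(f"line {n}: duplicate month {month}")
        else:
            seen.add(month)
        try:
            rate_ok = 0 < float(row[1]) < float("inf")
        except ValueError:
            rate_ok = False
        if not rate_ok:
            problems.append(f"line {n}: rate {row[1]!r} is not a positive number")
    month = first_month
    while month <= last_month:  # every billing month needs exactly one rate
        if month not in seen:
            problems.append(f"no rate for {month}")
        month = date(month.year + month.month // 12, month.month % 12 + 1, 1)
    return problems
```

Call `validate_rates(text, first_month, last_month)` with the first and last billing months present in your data; an empty list means every month in that range has exactly one usable rate.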

### Changing the symbol
<a name="changing-the-symbol"></a>

As of today (Feb 2025), Amazon Quick Sight does not allow dynamically changing the symbol on labels, so the only way to indicate a change of currency is to use the titles of visuals.

1. To change the symbol, you'll first need to convert the format to a number.  
![\[Change format\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/change-format.png)

1. After changing the format to a number, the currency symbol will be removed.  
![\[Cost without symbol\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/cost-without-symbol.png)

1. To change the format to thousands, click on "More formatting options" as shown below.  
![\[More formatting options\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/more-formatting-options.png)

1. Set the custom decimal places to 2 and set the units to thousands.  
![\[Set decimal places\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/set-decimal-places.png)

1. Now your visual is formatted in thousands with the appropriate decimal places. Since it has been converted to numbers, the currency symbol is no longer visible. We understand this may cause some confusion regarding currency when viewing the number alone.  
![\[Formatted visual\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/fomatted-visual.png)

1. To address this, you can dynamically change the visual’s title. Double-click on the title to edit it as shown below, then save your changes. This will update the title to include the currency symbol based on your selection at the currency control level.  
![\[Edit title\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/edit-title.png)

1. This will ensure that a dollar symbol `$` is added to the title when you have selected the `$` option in the currency control.  
![\[Title dollar\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/title-dollar.png)

1. When you select the pound symbol (£), the title will automatically update to include the £ symbol.  
![\[Title GBP\]](http://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/images/customizations/currency-conversion/title-gbp.png)

This summarizes the process for changing the currency of your visuals. You can repeat these steps for any other visuals if you wish to convert their currency as well.