Amazon Web Services (AWS)

Amazon Web Services (AWS) began exposing key infrastructure services to businesses in the form of web services -- now widely known as cloud computing. The ultimate benefit of cloud computing, and AWS, is the ability to leverage a new business model and turn capital infrastructure expenses into variable costs. Businesses no longer need to plan and procure servers and other IT resources weeks or months in advance. Using AWS, businesses can take advantage of Amazon's expertise and economies of scale to access resources when their business needs them, delivering results faster and at a lower cost.


Amazon Web Services uses API Key Auth, a developer-friendly delegated access protocol. Quolum has already connected the necessary wires with Amazon Web Services. Using a sequence of click-throughs, your organization's administrator allows Quolum to make API calls to Amazon Web Services without getting access to passwords.

Step 1: Initiate a connection to Amazon Web Services

Click the Connect button from the Connections card. If you are not an admin, you can invite your organization's Amazon Web Services admin to make a connection to your Amazon Web Services organization account. When you click on the Connect button, the web browser will open a pop-up asking Access Key ID and Secret Access Key as shown in Step 2.


Quolum Catalog: Amazon Web Services App

Step 2: Log in to Amazon Web Services

Log in to Amazon Web Services using your organization's credentials. The exact login mechanism may depend on your Amazon Web Services plan, and the sign-in mechanism used. You may have corporate SSO such as Azure AD, GSuite, or Okta along with multi-factor authentication. Sometimes you may need to enter an API key and a token, the step by step details of which can be found in step 3. Once you have successfully logged-in you can find the Access Key ID and Secret Access Key as mentioned below in the following steps. If you want to connect only a single AWS account, make sure to create a policy as shown below. If you want to pull in data from all your accounts make sure you connect AWS Quolum integration with your management account and create a read only policy with appropriate conditions. The steps to create a separate policy and find management account are given below.


Amazon Web Services Authentication

Step 3: Find Management account in AWS

To find the Management account in AWS, you can follow these steps:

  • Log in to your AWS account.
  • Go to the AWS Management Console.
  • Click on your account name in the upper right-hand corner of the console.
  • Select "My Account" from the dropdown menu.
  • On the "My Account" page, you should see the account ID and account alias for your AWS account.
  • If your AWS account is part of an AWS Organization, you can click on the "Organization Settings" link to see the management account for the organization.
  • If your AWS account is not part of an AWS Organization, then the account you are logged into is the management account. You can see a management account tag as shown in the below picture.

Note: The management account is the AWS account that is used to create and manage an AWS Organization. It is the account that has the highest level of control over the organization and its member accounts. If you are not part of an AWS Organization, then your AWS account is the only account in your AWS environment, and therefore it is the management account. First login into your management account to pull in all your spends. Once that is done, proceed to the next step to find Access Key ID and Secret Access Key.

Step 4: Creating policy

Create a new IAM policy(you can name it appropriately) with following JSON:


Note: “ce” means cost explorer here and those are the only permissions we need to get the data we are looking for.

  1. Go to IAM users and create a new user (you can give a name like “quolum-aws-connection-user” or something else).
  2. Attach the newly created policy to this user.
  3. Go to “Security Credentials” tab for the newly created user and click on “create access keys”. Create one for “Third-party service”
  4. You can copy the generated credentials and use them to enter on quolum dashboard.

Step 5: Finding Access Key ID and Secret Access Key

If you want to use the AWS Cost Explorer API, you will need to generate an access key. Here's how to do that:

  • Log in to your AWS account.
  • Go to the AWS Management Console and select the "IAM" service.
  • Click on "Users" in the left-hand menu, then click on your user name.
  • Click on the "Security credentials" tab.
  • Under "Access keys", click "Create access key".
  • Make note of the Access Key ID and Secret Access Key that are generated. You will need these to authenticate your API requests to Cost Explorer.

Step 6: Back to Quolum

Once you have granted access to Quolum, the Connect button on the Connections card would now say Reconnect. Reconnect is used to reauthenticate under circumstances where the access has expired.

Under the hood

Quolum now has delegated access to your Amazon Web Services Workspace. The Quolum server, running on Amazon AWS VPC, will be able to make API calls and retrieve service-level utilization. Later, this data is crunched and available for visualization on the Quolum dashboard.