> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pelanor.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Amazon Web Services (AWS)

> Understand how to connect Pelanor to your AWS accounts in order to pull billing data automatically.

# AWS Integration Overview

To integrate AWS billing data with Pelanor, open **Integrations → Add Integration → AWS** inside the platform and follow the step-by-step wizard.

## Prerequisites

* Access to your AWS organisation’s **management account**
* Two CloudFormation templates:
  * `pelanor-integration-management.json`
  * `pelanor-integration-subaccounts.json`

<Info>
  <strong>Note:</strong> Both templates will be available for download in the Integration Wizard, once you start the integration process.
</Info>

## Installation Steps

<Warning>
  Both the Management Account CloudFormation and the subaccount StackSets need to be executed in the <strong>us-east-1</strong> region, regardless of where your resources are deployed.
</Warning>

<Steps>
  <Step title="Management (Billing) Account Setup">
    Run the Management Account CloudFormation template once for the management account.\
    If your organization has a shared billing account managed by your MSP which is already connected to Pelanor, you may skip this step.

    1. Log in to the AWS **management account**.
    2. Open **CloudFormation** in `us-east-1`.
    3. Click **Create stack (with new resources)**.
    4. Upload `pelanor-integration-management.json`.
    5. Name the stack (e.g., `pelanor-management-integration`).
    6. Click through the wizard, keeping defaults.
    7. Wait until the stack reaches **CREATE\_COMPLETE**.
  </Step>

  <Step title="Sub-accounts Setup">
    Run the StackSet on every AWS subaccount you wish to integrate into Pelanor.

    1. In CloudFormation, open the **StackSet** tab.
    2. Upload `pelanor-integration-subaccounts.json`.
    3. Name the StackSet (e.g., `pelanor-subaccount-integration`).
    4. In **Deployment options**, choose region `us-east-1` only.
    5. Create the StackSet and wait until all targets show **SUCCEEDED**.
  </Step>
</Steps>

<Info>
  Although the integration is deployed only in `us-east-1`, it grants visibility over <em>all</em> AWS regions.
</Info>

***

## Architecture & Permissions

This section provides a deep-dive into the IAM roles requested by the Pelanor AWS integration.

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/pelanor-6a347cfc/images/aws-architecture.png" alt="Pelanor AWS Architecture" />
</Frame>

Pelanor requests the minimum practical AWS IAM permissions to collect cost data and surface optimisation insights.

You can adjust these permissions according to your preferences and security requirements.\
Note that this means that certain cloud costs or platform functionalities might not be available.

### Directly-Attached Permissions

| Permission                                                | Why It’s Needed                               |
| --------------------------------------------------------- | --------------------------------------------- |
| `athena:BatchGet*`, `athena:List*`                        | Athena Cost Insights                          |
| `autoscaling:Describe*`                                   | (Reserved) future EC2 scaling recommendations |
| `ce:Get*`, `ce:List*`                                     | Cost Explorer cross-validation                |
| `cloudfront:Get*`, `cloudfront:List*`                     | CloudFront Cost Insights                      |
| `cloudtrail:*` (Describe, Get, List, LookupEvents)        | Map Athena queries → users                    |
| `cloudwatch:*` (Describe, Get, List)                      | Collect resource metrics                      |
| `compute-optimizer:*`                                     | Opportunities (Cost Optimization)             |
| `cur:*`                                                   | Manage CUR export                             |
| `dynamodb:*` (Describe, List)                             | Planned DynamoDB insights                     |
| `ebs:Describe*`                                           | EBS Cost Insights                             |
| `ec2:*` (Describe, Get)                                   | EC2 & network insights                        |
| `ecs:*` (Describe, Get, List)                             | ECS Cost Insights                             |
| `eks:*` (Describe, List)                                  | EKS Cost Insights                             |
| `elasticache:Describe*`, `elasticloadbalancing:Describe*` | Planned ElastiCache insights                  |
| `elasticmapreduce:*` (Describe, Get…, List)               | EMR Cost Insights                             |
| `emr-serverless:*` (Get, List)                            | EMR Serverless insights                       |
| `es:*` (Describe, List)                                   | Network identifier resolution                 |
| `glue:*` (Get, List)                                      | Glue Cost Insights                            |
| `kinesis:*` (Describe, Get, List)                         | (Reserved) future Kinesis insights            |
| `lambda:List*`                                            | Lambda Cost Insights                          |
| `organizations:*` (Describe, List)                        | Fetch sub-account metadata                    |
| `rds:*` (Describe, ListTagsForResource)                   | RDS Cost Insights                             |
| `redshift:Describe*`                                      | Redshift Cost Insights                        |
| `resource-groups:*` (Get, List, Search)                   | Show tags for all resources                   |
| `s3:List*`                                                | S3 Cost Insights                              |
| `savingsplans:Describe*`                                  | Savings Plan coverage/utilisation             |

<Warning>
  Some permissions are requested <em>ahead of roadmap features</em> to minimise future IAM configuration.\
  You may revoke any you don’t wish to authorise; affected insights will simply be disabled.
</Warning>

***

### CUR Permissions

The CloudFormation template includes standard IAM actions required to retrieve Cost & Usage Reports (CUR).\
Further information on these permissions is available upon request.

***

### Bucket Permissions

To access the S3 bucket that stores integration artefacts, the CloudFormation template also grants:

```
s3:GetBucketAcl
s3:GetBucketPolicy
s3:GetBucketVersioning
s3:GetLifecycleConfiguration
s3:GetObject
s3:GetObjectAttributes
s3:GetObjectVersionAttributes
s3:ListBucket
```

### Customized IAM Policy

In case your organization's security policies prevent certain permissions from being granted to third-party tools such as Pelanor, we can create a customized CloudFormation file with a limited set of permissions. Contact Pelanor Support for more information.

## Comparing Costs with AWS Cost Explorer

Follow the steps below to ensure a sufficient comparison of costs between Pelanor and AWS Cost Explorer.

<Info>
  Cost validation should be performed at least 5 days after the billing period ends, as AWS sometimes posts late adjustments.
</Info>

### In AWS Cost Explorer

<Steps>
  <Step title="Open Cost Explorer">
    Log in to the AWS Console and open <strong>Cost Explorer</strong>.
  </Step>

  <Step title="Set Date Range">
    Choose a <strong>full calendar month</strong> that ended at least 5 days ago.

    <Frame>
      <img src="https://mintcdn.com/pelanor-6a347cfc/kF1xrGXac-rfo92E/images/pelanor-aws-ce-1.png?fit=max&auto=format&n=kF1xrGXac-rfo92E&q=85&s=abe086af4dd1a65d156e937fffa457a2" alt="AWS Cost Explorer – Date range" width="350" height="449" data-path="images/pelanor-aws-ce-1.png" />
    </Frame>
  </Step>

  <Step title="Group by Service">
    Set <strong>Group by → Service</strong>.

    <Frame>
      <img src="https://mintcdn.com/pelanor-6a347cfc/kF1xrGXac-rfo92E/images/pelanor-aws-ce-2.png?fit=max&auto=format&n=kF1xrGXac-rfo92E&q=85&s=a111626ed962048817c8206e2dec4caa" alt="AWS Cost Explorer – Group by Service" width="350" height="508" data-path="images/pelanor-aws-ce-2.png" />
    </Frame>
  </Step>

  <Step title="Apply Filters">
    <ul>
      <li><strong>Charge Type</strong> – exclude <em>Credits</em>, <em>Refunds</em>, <em>Tax</em>.</li>
      <li>If you have special-priced services, exclude them under <strong>Service</strong>.</li>
    </ul>

    <Frame>
      <img src="https://mintcdn.com/pelanor-6a347cfc/kF1xrGXac-rfo92E/images/pelanor-aws-ce-3.png?fit=max&auto=format&n=kF1xrGXac-rfo92E&q=85&s=0682a2404232aa1be27a14e1f6dda468" alt="AWS Cost Explorer – Filters" width="350" height="330" data-path="images/pelanor-aws-ce-3.png" />
    </Frame>
  </Step>

  <Step title="Advanced Options">
    Set <strong>Cost aggregation = Net Unblended</strong>.

    <Frame>
      <img src="https://mintcdn.com/pelanor-6a347cfc/kF1xrGXac-rfo92E/images/pelanor-aws-ce-4.png?fit=max&auto=format&n=kF1xrGXac-rfo92E&q=85&s=46f9f6b95a7d92cb4bd3756b35a339a6" alt="AWS Cost Explorer – Advanced Options" width="350" height="427" data-path="images/pelanor-aws-ce-4.png" />
    </Frame>
  </Step>

  <Step title="Additional Data Settings">
    Uncheck <strong>Show forecasted values</strong>.
  </Step>

  <Step title="Record Costs">
    Note the total cost and each service cost for later comparison.
  </Step>
</Steps>

### In Pelanor

<Steps>
  <Step title="Open Cost Explorer">
    Launch **Cost Explorer** inside Pelanor.
  </Step>

  <Step title="Match Date Range">
    Use the <strong>same date range</strong> selected in AWS Cost Explorer.

    <Frame>
      <img src="https://mintcdn.com/pelanor-6a347cfc/pbyqhjH4Ga65EhJ5/images/pelanor-aws-ce-5.png?fit=max&auto=format&n=pbyqhjH4Ga65EhJ5&q=85&s=43aaf696f8f15a7b3af50322b44b1c83" alt="Pelanor – Date range" width="350" height="250" data-path="images/pelanor-aws-ce-5.png" />
    </Frame>
  </Step>

  <Step title="Set Options">
    <ul>
      <li><strong>Amortization</strong> → select <em>Unblended</em>.</li>
      <li><strong>Payment Types</strong> → exclude <em>Credits</em>, <em>Tax</em>, <em>Refunds</em>.</li>
    </ul>

    <Frame>
      <img src="https://mintcdn.com/pelanor-6a347cfc/pbyqhjH4Ga65EhJ5/images/pelanor-aws-ce-6.png?fit=max&auto=format&n=pbyqhjH4Ga65EhJ5&q=85&s=313ccd4edb5fae981773bb6a6e323721" alt="Pelanor – Options" width="350" height="189" data-path="images/pelanor-aws-ce-6.png" />
    </Frame>
  </Step>

  <Step title="Apply Service Filters">
    If you excluded special-priced services in AWS, apply the same filters here.

    <Frame>
      <img src="https://mintcdn.com/pelanor-6a347cfc/pbyqhjH4Ga65EhJ5/images/pelanor-aws-ce-7.png?fit=max&auto=format&n=pbyqhjH4Ga65EhJ5&q=85&s=56a86c0dba7f7b6a0710043a85580b96" alt="Pelanor – Service Filters" width="350" height="300" data-path="images/pelanor-aws-ce-7.png" />
    </Frame>
  </Step>

  <Step title="Group by Product Name">
    Set <strong>Group by → AWS Product Name</strong>.

    <Frame>
      <img src="https://mintcdn.com/pelanor-6a347cfc/pbyqhjH4Ga65EhJ5/images/pelanor-aws-ce-8.png?fit=max&auto=format&n=pbyqhjH4Ga65EhJ5&q=85&s=b995a2619b75b17471e0e01e04e3b927" alt="Pelanor – Group by AWS Product Name" width="350" height="528" data-path="images/pelanor-aws-ce-8.png" />
    </Frame>
  </Step>

  <Step title="Record Costs">
    Note the total cost and each service cost.
  </Step>
</Steps>

## Comparing Results

* **Total Cost** – Pelanor vs. AWS (expected variance \< 1 %).
* **Per-Service Cost** – identify any services with higher discrepancies.
* Record services that exceed the threshold for further investigation.

<Info>
  If you run into any discreptancies, please reach out to the Pelanor Support team - we'll investigate and resolve any incosistencies. With your inquiry, include the date ranges you analyzed, as well as screenshots from both Pelanor and AWS Cost Explorer.
</Info>

## Understanding AWS Tag Normalization

## Understanding AWS Tag Normalization in Pelanor

When AWS delivers Cost & Usage Report (CUR) data in Parquet format, it rewrites tag keys in a predictable way.\
Pelanor mirrors these transformations for every AWS data source—CUR files, APIs, or resource logs—so you see a single, consistent tag name.

### How Tag Normalization Works

AWS’s Parquet exporter alters tag keys automatically. Pelanor applies the same rules, ensuring tags from all AWS sources line up.

#### Transformation Rules

1. Insert an underscore (`_`) before every uppercase letter.
2. Convert all uppercase letters to lowercase.
3. Replace non-alphanumeric characters with an underscore.
4. Collapse duplicate underscores into a single underscore.
5. Trim leading or trailing underscores.
6. If the key still exceeds the column-length limit, drop underscores from left to right until it fits.

#### Examples

| Original Tag Key | Normalized Tag Key |
| ---------------- | ------------------ |
| ExampleTagName   | example\_tag\_name |
| Example-Tag Name | example\_tag\_name |
| Environment      | environment        |
| CostCenter       | cost\_center       |
| AWS:Project      | aws\_project       |

### Why We Normalize Tags

* **Consistent experience** – tags look identical whether they come from CUR Parquet or direct API calls.
* **Simpler filtering** – no need to remember multiple spellings of the same tag.
* **Accurate cost allocation** – every source converges under one normalized key.
* **Comprehensive reports** – filtering by the tag captures all matching resources.

### Finding Your Original Tag Names

1. In AWS, open **Cost Explorer** or **Resource Groups & Tag Editor**.
2. Locate the tag keys in their original format.
3. Apply the transformation rules above to see how each key will appear in Pelanor.