AWS Cloud Financial Management

Telenor simplifies data access and control with Row Level Security

We often talk about how essential it is to understand, harness, and visualize your cost and usage data to optimize the value you can achieve on the cloud. There’s a caveat, though. In some cases, users can be hindered with access to all available cost data for an organization. Instead of having easy access to the data they care about, they have to spend time configuring their own filtering rules to find the data they need.

With Row Level Security (RLS), you can restrict the data a user can see to a subset of the business most relevant to them. In this blog, we’re going to walk you through how Telenor implemented RLS on its  Multi-Payer Cost Dashboards, and how you can, too!

The background and benefits of Row Level Security

Amazon QuickSight powers data-driven organizations with unified business intelligence (BI) at scale . Using it in tandem with your organization’s AWS Cost & Usage Report (CUR) allows organizational stakeholders to understand your cost data by exploring interactive dashboards that you manage. Thousands of customers use the Cloud Intelligence Dashboards (CID) to create a customizable and accessible foundation for their own cost management and optimization.

By using Row Level Security (RLS), you can restrict the data a user can see to a subset of the business most relevant to them. Creating RLS provides the following benefits:

✔️ Ease and quality of customer experience, since the account owners can only see and focus on their own data, instead of having to filter through a 360 degree view of the entire organization

✔️ Improve security of cost and usage data, by limiting access to user-relevant data

✔️ Decrease operational overhead by adding a single, reusable approach

Telenor automates creation and management of RLS

Telenor Group is a leading telecommunications company across the Nordics and Asia with 172 million subscribers and annual sales of around 10.8B USD (2021). The central billing team looks over multiple AWS payer accounts and wanted to bring their AWS cost and usage data into a centralized location so the procurement team could see true cost at scale. To simplify access to this large amount of data, creating controls to specific Telenor payers was essential. So, AWS and Telenor set out to automate the creation and management of RLS.

These are the key steps of the solution Telenor deployed:

  1. Create a dedicated ‘Cost Account’ to store all their cost data and centrally manage all the dashboards
  2. Replicate all CURs into one bucket
  3. Deploy the Cost Intelligence Dashboard over this CUR data (one of the CIDs)
  4. Create a user access map of which users can access which AWS accounts data
  5. Setting up the RLS solution, using the Well-Architected Lab

Since Steps 1-3 are best practices for this solution, we’re going to focus on breaking down steps 4 and 5 for Telenor’s example.

Define user access

To complete Step 4, you must have a definition that specifies which users can see which accounts’ data. In the example below, we’re specifically talking about AWS QuickSight users and the email addresses they use for access. The mapping should be as restrictive as possible, allowing you to choose options like the example below, which shows single and multiple accounts, organizational unit, and entire organization.

Example of email mapping

Figure 1: Example of email mapping

Deploy RLS solution

So how did Telenor put this mapping into practice?

RLS Architecture diagram

Figure 2: RLS Architecture diagram

The above figure outlines the architecture for this solution and its components, but let’s note some highlights:

  • Telenor used the user access map that they came up with earlier to tag resources in your AWS Organization such account, OUs, or Payers(root) with the following key value: Cudos_user:useremail1@company.com; useremail2@company.com.
  • In the ‘Cost Account’, the Well-Architected Labs AWS CloudFormation template  was deployed to retrieve these tags and place them into an Amazon S3 bucket.
  • In AWS QuickSight, Telenor create a new dataset using the provided manifest code to point towards the tag data in their bucket.
  • Using this dataset, they created an RLS policy on the CID datasets.
  • Now, they have restricted their data to those who have been included in their user access map.

The Lab will take you through those sets in more detail so you can deploy it yourself.

Simplify access with Single Sign-On (SSO)

To further simplify access for AWS users, Telenor enabled SSO to access the Dashboard. Adding a new Application to Telenor SSO landing page creates a self-discoverable dashboard for all SSO users, this allows users to discover and access their cost and usage data. The full guide to set this up can be found here: CID Customization with SSO.

Set up easy access to AWS cost and usage dashboard for all SSO users

Figure 3: Set up easy access to AWS cost and usage dashboard for all SSO users

The success of this deployment with Telenor has meant developers can now identify and take action on multiple cost optimization opportunities for their specific accounts. They can also track recommended cost optimization metrics and KPIs without having to filter data to see what matters most to them. With RLS in the CID, they’ve been able to save time and money by increasing control over cost and usage data, and optimizing cost visibility and ownership.

Important considerations when building your own RLS solution

There are a couple of things to be aware of when you deploy this solution:

  • Adding RLS will have immediate effect, so make sure everyone in your organization is tagged on the appropriate resources in your AWS Organization, or else they could lose access to a Dashboard.
  • The emails you use in the tags must match the emails associated with the users in AWS QuickSight.
  • The AWS Lambda function runs automatically every day. If you make a change and want it to take immediate effect, re-run the AWS Lambda function created in the AWS CloudFormation, and refresh your dataset in AWS QuickSight.

Conclusion

You, too, can simplify access to cost and usage data using an RLS solution in the CID. This solution not only facilitates discoverability and accessibility of each account holders’ cost and usage data, it helps establish an individual and collective culture of cost awareness, accountability, and ownership

🏁GET STARTED: Build your Row Level Security (RLS) solution today

TAGS: , ,
Stephanie Gooch

Stephanie Gooch

Stephanie is a Commercial Architect in the AWS OPTICS team. She is a subject matter expert in guiding customers through ways to optimize their current and future AWS spend. Her team enable customers to organise and interpret billing and usage data, identify actionable insights from that data, and develop sustainable strategies to embed cost into their culture. In her previous career she managed the FinOps team for one of the Big four.

Veaceslav Mindru

Veaceslav Mindru

Veaceslav is a Senior Technical Account Manager in the Enterprise Support Team. He helps AWS customers meet their cloud goals, build highly reliable and cost effective systems, and achieve operational excellence while running workloads on AWS at minimal cost. He is also a contributor to the Cloud Intelligence Dashboards and co-author of CID customizations. During his free time you can find Veaceslav coaching local youth football team or at the local racing track.