AWS Architecture Blog
Email delta cost usage report in a multi-account organization using AWS Lambda
AWS Organizations gives customers the ability to consolidate their billing across accounts. This reduces billing complexity and centralizes cost reporting in a single account. These reports and cost information are available only to users with billing access to the management account (previously called the primary or master account).
In many cases, members of senior leadership or finance decision makers don’t have access to AWS accounts, and therefore depend on individuals or additional custom processes to share billing information. This task becomes especially complicated when a complex account organization structure is in place.
In such cases, you can email cost reports periodically and automatically to these groups or individuals using AWS Lambda. In this blog post, you’ll learn how to send automated emails that report AWS billing usage and the day-over-day change in consumption.
Solution architecture
AWS provides the Cost Explorer API to enable you to programmatically query data for cost and usage of AWS services. This solution uses a Lambda function to query aggregated data from the API, format that data and send it to a defined list of recipients.
- Amazon EventBridge (Amazon CloudWatch Events) is configured to trigger the Lambda function at a scheduled time.
- The function uses the AWS Cost Explorer API to fetch the cost details for each account.
- The Lambda function calculates the change in cost over time and formats the information to be sent in an email.
- The formatted information is passed to Amazon Simple Email Service (Amazon SES).
- The report is emailed to the recipients configured in the environment variables of the function.
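As an added example, not the code in the post’s CloudFormation template, the Python below carries the five steps above end to end: it parses a Cost Explorer GetCostAndUsage response grouped by linked account, computes the day-over-day delta and a seven-day trend per account and in total, colour-codes the change, renders the HTML table, and in lambda_handler makes the two AWS calls. The account IDs, SAMPLE_RESPONSE, the 10% highlight threshold and the SENDER/RECIPIENTS environment-variable names are assumptions. Everything except lambda_handler is pure Python and runs offline on the constructed sample; only lambda_handler needs boto3, credentials, and a verified SES sender.

```python
import os
from typing import Dict, List, Tuple

# Hypothetical account IDs and display names (the blog's "Account dictionary").
ACCOUNTS = {"111111111111": "Prod", "222222222222": "Dev"}

# Assumed threshold: a day-over-day move of more than 10% either way is coloured.
HIGHLIGHT_PCT = 10.0

# Constructed sample in the shape GetCostAndUsage returns for Granularity=DAILY
# grouped by LINKED_ACCOUNT (three days, two accounts).
SAMPLE_RESPONSE = {"ResultsByTime": [
    {"TimePeriod": {"Start": "2022-04-09", "End": "2022-04-10"}, "Groups": [
        {"Keys": ["111111111111"], "Metrics": {"UnblendedCost": {"Amount": "100.0", "Unit": "USD"}}},
        {"Keys": ["222222222222"], "Metrics": {"UnblendedCost": {"Amount": "50.0", "Unit": "USD"}}}]},
    {"TimePeriod": {"Start": "2022-04-10", "End": "2022-04-11"}, "Groups": [
        {"Keys": ["111111111111"], "Metrics": {"UnblendedCost": {"Amount": "110.0", "Unit": "USD"}}},
        {"Keys": ["222222222222"], "Metrics": {"UnblendedCost": {"Amount": "40.0", "Unit": "USD"}}}]},
    {"TimePeriod": {"Start": "2022-04-11", "End": "2022-04-12"}, "Groups": [
        {"Keys": ["111111111111"], "Metrics": {"UnblendedCost": {"Amount": "132.0", "Unit": "USD"}}},
        {"Keys": ["222222222222"], "Metrics": {"UnblendedCost": {"Amount": "30.0", "Unit": "USD"}}}]},
]}


def parse_daily_costs(results_by_time: List[dict]) -> Dict[str, List[Tuple[str, float]]]:
    """Turn ResultsByTime into {account_id: [(start_date, cost), ...]} in date order."""
    costs: Dict[str, List[Tuple[str, float]]] = {}
    for period in results_by_time:
        start = period["TimePeriod"]["Start"]
        for group in period["Groups"]:
            account_id = group["Keys"][0]
            amount = float(group["Metrics"]["UnblendedCost"]["Amount"])
            costs.setdefault(account_id, []).append((start, amount))
    return costs


def delta_percent(previous: float, current: float) -> float:
    """Day-over-day change in percent; 0.0 when yesterday had no spend, so a
    newly added or idle account does not raise ZeroDivisionError."""
    if previous == 0:
        return 0.0
    return round((current - previous) / previous * 100.0, 2)


def colour_for(delta: float) -> str:
    if delta > HIGHLIGHT_PCT:
        return "red"
    if delta < -HIGHLIGHT_PCT:
        return "green"
    return "black"


def make_row(name: str, trend: List[float]) -> dict:
    today = trend[-1] if trend else 0.0
    yesterday = trend[-2] if len(trend) >= 2 else 0.0
    delta = delta_percent(yesterday, today)
    return {"name": name, "yesterday": yesterday, "today": today,
            "delta": delta, "colour": colour_for(delta), "trend": trend}


def build_summary(costs: Dict[str, List[Tuple[str, float]]]) -> List[dict]:
    """One row per configured account (last seven days) plus a Total row."""
    rows = [make_row(name, [c for _, c in costs.get(acct, [])[-7:]])
            for acct, name in ACCOUNTS.items()]
    # zip() truncates to the shortest series, so an account with missing days
    # shortens the total trend rather than misaligning it.
    total_trend = [sum(day) for day in zip(*(r["trend"] for r in rows))]
    rows.append(make_row("Total", total_trend))
    return rows


def render_html(rows: List[dict]) -> str:
    html = ["<table border='1'><tr><th>Account</th><th>Yesterday</th><th>Today</th>"
            "<th>Change</th><th>7-day trend</th></tr>"]
    for r in rows:
        trend = " / ".join(f"{c:.2f}" for c in r["trend"])
        html.append(f"<tr><td>{r['name']}</td><td>{r['yesterday']:.2f}</td>"
                    f"<td>{r['today']:.2f}</td><td style='color:{r['colour']}'>"
                    f"{r['delta']:+.2f}%</td><td>{trend}</td></tr>")
    html.append("</table>")
    return "".join(html)


def lambda_handler(event, context):
    """Lambda entry point: assumes boto3, credentials allowing ce:GetCostAndUsage and
    ses:SendEmail, a verified SES sender, and env vars SENDER and RECIPIENTS."""
    import boto3  # imported here so the pure functions above run without boto3
    from datetime import date, timedelta
    end = date.today()               # End is exclusive in Cost Explorer
    start = end - timedelta(days=8)  # eight days: seven deltas plus a baseline
    resp = boto3.client("ce").get_cost_and_usage(
        TimePeriod={"Start": start.isoformat(), "End": end.isoformat()},
        Granularity="DAILY", Metrics=["UnblendedCost"],
        GroupBy=[{"Type": "DIMENSION", "Key": "LINKED_ACCOUNT"}])
    rows = build_summary(parse_daily_costs(resp["ResultsByTime"]))
    boto3.client("ses").send_email(
        Source=os.environ["SENDER"],
        Destination={"ToAddresses": os.environ["RECIPIENTS"].split(",")},
        Message={"Subject": {"Data": "AWS Daily Cost Report for Selected Accounts"},
                 "Body": {"Html": {"Data": render_html(rows)}}})
    return {"rows": len(rows)}
```

Two design points: grouping by LINKED_ACCOUNT fetches every account in one request, which matters because each Cost Explorer API call is billed separately and each call eats into the Lambda timeout; and the handler needs only ce:GetCostAndUsage plus ses:SendEmail, which is the basis for scoping its execution role rather than attaching a broad billing policy. A long lookback or many accounts can page the response (NextPageToken), which this example does not follow.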
Prerequisites
For this walkthrough, you should have the following prerequisites:
- An AWS account with Cost Explorer enabled.
- AWS user or role with permissions to deploy the AWS CloudFormation template.
- Valid email addresses to receive the notifications.
Walkthrough
- Download the AWS CloudFormation template from this link: AWS CloudFormation template
- Once downloaded, open the template in your favorite text editor
- Update account-specific variables in the template. You need to update the tuple, dictionary, display list, and display list monthly sections of the script for all the accounts which you want to appear in the daily report email. Refer to Figure 2 for an example of some dummy account IDs and email IDs.
- Optionally, locate “def send_report_email” in the template. The subject variable controls the subject line of the email and can be changed to something meaningful to the recipients.
After these changes are made according to your requirements, you can deploy the CloudFormation template:
- Log in to the CloudFormation console.
- Choose Create Stack. From the dropdown, choose With new resources (standard).
- On the next screen under Specify Template, choose Upload a template file.
- Click Choose file. Choose the local template you modified earlier, then choose Next.
- Fill out the parameter fields with valid email addresses. For “SchduleExpression”, use a valid cron expression for when you would like the report sent. Choose Next.
Here is an example of a cron schedule: 18 11 * * ? *
(This is the six-field EventBridge cron format; the example sends the report every day at 11:18 UTC.)
This creates the Lambda function and needed AWS Identity and Access Management (AWS IAM) roles.
You will now need to make a few modifications to the created resources.
- Log in to the IAM console.
- Choose Roles.
- Locate the role created by the CloudFormation template, “daily-services-usage-lambdarole”.
- Under the Permissions tab, choose Add Permissions. From the dropdown, choose Attach Policy.
- In the search bar, search for “Billing”.
- Select the check box next to the AWS managed policy named Billing and then choose Attach Policy.
Note that this managed policy grants far more than the function uses: it includes write access to billing settings and payment methods, while the function only reads Cost Explorer data and sends email. Attaching it is the quickest way through the walkthrough, but for least privilege an inline policy limited to ce:GetCostAndUsage (alongside the SES and CloudWatch Logs permissions the template already grants) is the better choice.
- Log in to the AWS Lambda console.
- Choose the DailyServicesUsage function.
- Choose the Configuration tab.
- In the options that appear, choose General Configuration.
- Choose the Edit button.
- Change the timeout option to 10 seconds, because the default of three seconds may not be enough time to run the function to retrieve the cost details from multiple accounts.
- Choose Save.
- Still under the General Configuration tab, choose the Permissions option and validate the execution role.
The edited IAM execution role should display the resources to which access has been granted. Figure 3 shows the allowed aws-portal actions (Billing, Usage, PaymentMethods, and ViewBilling) enabled. If the Resource summary does not show these permissions, the wrong IAM role was most likely updated. Go back to the IAM console and confirm that you added billing access to the correct role.
- Optionally, in the left navigation pane, choose Environment variables. Here you will see the email recipients you configured in the CloudFormation template. If the list needs to change in the future, you can add or remove recipients by editing the environment variables. You can skip this step if you’re satisfied with the parameters you specified earlier.
Next, you will create Amazon SES identities for the email addresses that were provided as environment variables for the sender and recipients:
- Log in to the SES console.
- Under Configuration, choose Verified Identities.
- Choose Create Identity.
- Choose the identity type Email Address, fill out the Email address field with the sender email, and choose Create Identity.
- Repeat this step for all recipient emails.
Each address receives a confirmation email. Once confirmed, the status shows as Verified in the Verified Identities tab of the SES console, and the verified addresses will start receiving the cost report emails. Verifying recipients is required because a new SES account runs in the sandbox, where mail can only be sent to verified identities; once the account has production access, only the sender identity needs to be verified.
Amazon EventBridge (CloudWatch) event configuration
To configure events:
- Go to the Amazon EventBridge console.
- Choose Create rule.
- Fill out the rule details with meaningful descriptions.
- Under Rule Type, choose Schedule.
- Schedule the cron pattern for when you would like the report to run.
Figure 4 shows that the highlighted rule is configured to run the Lambda function every 24 hours.
An example AWS Daily Cost Report email
From: xxx@example.com (the email ID mentioned as “sender”)
Sent: Tuesday, April 12, 2022 1:43 PM
To: yyy@example.com (the email ID mentioned as “receiver”)
Subject: AWS Daily Cost Report for Selected Accounts (the subject of email as set in the Lambda function)
Figure 5 shows the first part of the cost report. It provides the cost summary and the percentage change compared to the previous day. You can also see the trend over the last seven days in the same table, which helps in understanding the pattern of cost and usage.
This summary is broken down per account and then totaled, to show which accounts are contributing to the cost changes. The daily change percentages are also color coded to highlight significant variations.
The second part of the report provides the per-service cost breakdown for each account configured in the Account dictionary section of the function. This is a further drilldown; you will get one for every configured account.
Cleanup
- Delete the Amazon CloudFormation stack.
- Delete the identities on Amazon SES.
- Delete the Amazon EventBridge (CloudWatch) event rule.
Conclusion
This blog demonstrates how you can automatically share your AWS accounts’ billing and change information with your leadership and finance teams daily (or on any schedule you choose). While the solution was designed for accounts that are part of an organization in AWS Organizations, it can also be deployed in a standalone account without changes. This shares the information without granting the recipients account access, and removes the dependency on manual processes. As a next step, you can also store these reports in Amazon Simple Storage Service (Amazon S3), generate a historical trend summary for consumption, and continue making informed decisions.