Troubleshooting common Cost Explorer issues
This document will
go through the steps one can take to resolve common issues related to the CPM
Cost Explorer feature
1. Required Permissions
Make sure that you have updated the CPM instance role and all users associated
with CPM with the latest CPM JSON permission files. These can be found at this
that you configured the Cost allocation tags in AWS Cost Explorer
To allow CPM Cost Explorer calculations
in AWS, users must add cost allocation tags once.
activate user cost allocation tags:
Log in to the AWS Management Console at https://console.aws.amazon.com/billing/home#/.
Open the Billing and Cost Management console.
In the navigation pane, choose Cost Allocation Tags.
Choose the following tags to activate,
and then select Activate:
Note: If the above tags do not exist create and activate them.
3. Enable cost explorerVerify
that you have enabled Cost Explorer for each designated user in CPM in the Cost
explorer tab of General Settings.
NOTE: the root account for CPM is enabled
Other users need to be enabled by going to Users in the
left-hand pane of the CPM console, then select the checkbox next to the user
and select Edit. If not already enabled check the checkbox
and click Save at the bottom of the CPM Console.
enough time has elapsed for data to populate. It can take up to 48 hours for
cost data to populate the CPM console.
Troubleshooting Permission issues
If you have updated the CPM permission files for the CPM
instance role and all users and are still receiving either no data in the CPM
Console or specific access denied messages, then you need to try verifying the
role/user in the AWS IAM Policy Simulator. This can be found at this link: https://policysim.aws.amazon.com/home/index.jsp?#
To verify that the CPM role has sufficient permissions for
cost explorer please select under
Users, Groups, and Roles in the drop-down box “Roles”. Then select the CPM instance role. In this
example its named “joes”.
Under the IAM Polices make sure all polices attached
to the role are selected.
In the Policy Simulator section of the screen under Select
Service choose AWS Cost Explorer and in the Select Actions
drop down check the checkbox next to GetCostAndUsage.
Then click on Run Simulation.
If the test of the IAM role permission is successful you
should get under the Permission column Allowed
1 matching statements message.
You should add a new service and action for the following
two services/Actions and run the simulator.
pricing:GetProductsIf that is successful you should see all three permission with an
If you receive any Denied messages you should check the following:
- Do the
JSON permission policy files contain the
necessary three items for Cost Explorer? If not add them to the policy and
rerun the policy simulator.
- If you
have AWS Organizations enabled verify that there are no Service Control Polices
causing the access denied message. This is beyond the scope of CPM so you may
need to involve AWS Support.
If you checked the two above steps you can also try running
the API manually to verify functionality.
- connect via ssh to the CPM instance using the
login cpmuser and the instances private key.
- Run this command and send support the screenshot. This will get the costs for the time between 12/1/2020 and 2/15/2021.
- aws ce get-cost-and-usage --time-period
MONTHLY --metrics "BLENDED_COST" "UNBLENDED_COST" "AMORTIZED_COST" "NET_AMORTIZED_COST" "NET_UNBLENDED_COST" "USAGE_QUANTITY" "NORMALIZED_USAGE_AMOUNT"
Note: If you receive access denied messages then you should consult with AWS support as running this command bypasses CPM and indicates a AWS security issue.
Also, You can use AWS CloudTrail logs to search for specific
events related to Cost Explorer by filtering the logs. Open the CloudTrail
dashboard then change to Event History, then choose “Event
Name”, and type GetCostAndUsage.
You should get a filtered log and you can look at the individual messages
by clicking on them for possible error messages.
If support asks for AWS CloudTrail logs keep in mind it can
take upwards of 1 hour for the CloudTrail logs to update, so you should wait
before gathering the CloudTrail logs. You should export and send to N2WS Support
the JSON and the .csv file. Support would also need a complete set of CPM logs
so we can determine the cause of the AWS Cost Explorer issue you may be having.