Troubleshooting common Cost Explorer issues

Troubleshooting common Cost Explorer issues

This  document will go through the steps one can take to resolve common issues related to the CPM Cost Explorer feature


1.  Required Permissions

Make sure that you have updated the CPM instance role and all users associated with CPM with the latest CPM JSON permission files. These can be found at this link:

2.  Cost allocation tags

Verify that you configured the Cost allocation tags in AWS Cost Explorer

To allow CPM Cost Explorer calculations in AWS, users must add cost allocation tags once.

To activate user cost allocation tags:

a.    Log in to the AWS Management Console at

b.    Open the Billing and Cost Management console.

c.    In the navigation pane, choose Cost Allocation Tags.

d.    Choose the following tags to activate, and then select Activate:

·         cpm_server_id

·         cpm_policy_name

Note: If the above tags do not exist create and activate them. 

3.    Enable cost explorer

Verify that you have enabled Cost Explorer for each designated user in CPM in the Cost explorer tab of General Settings.

NOTE: the root account for CPM is enabled by default.
Other users need to be enabled by going to Users in the left-hand pane of the CPM console, then select the checkbox next to the user and select Edit. If not already enabled check the checkbox and click Save at the bottom of the CPM Console.

4.   Wait

 Ensure enough time has elapsed for data to populate. It can take up to 48 hours for cost data to populate the CPM console.

Troubleshooting Permission issues

If you have updated the CPM permission files for the CPM instance role and all users and are still receiving either no data in the CPM Console or specific access denied messages, then you need to try verifying the role/user in the AWS IAM Policy Simulator. This can be found at this link:

To verify that the CPM role has sufficient permissions for cost explorer please  select under Users, Groups, and Roles in the drop-down box “Roles”.  Then select the CPM instance role. In this example its named “joes”.

Under the IAM Polices make sure all polices attached to the role are selected. 

In the Policy Simulator section of the screen under Select Service choose AWS Cost Explorer and in the Select Actions drop down check the checkbox next to GetCostAndUsage.

Then click on Run Simulation.

If the test of the IAM role permission is successful you should get under the Permission column Allowed 1 matching statements message.

You should add a new service and action for the following two services/Actions and run the simulator.




If that is successful you should see all three permission with an Allowed message.

If you receive any Denied messages you should check the following:
  1.  Do the JSON permission policy  files contain the necessary three items for Cost Explorer? If not add them to the policy and rerun the policy simulator.
  2.  If you have AWS Organizations enabled verify that there are no Service Control Polices causing the access denied message. This is beyond the scope of CPM so you may need to involve AWS Support.

If you checked the two above steps you can also try running the API manually to verify functionality.

  1. connect via ssh to the CPM instance using the login cpmuser and the instances private key.
  2. Run this command and send support the screenshot. This will get the costs for the time between 12/1/2020 and 2/15/2021. 
  3. aws ce get-cost-and-usage --time-period Start=2020-12-01,End=2021-02-15 --granularity MONTHLY --metrics "BLENDED_COST" "UNBLENDED_COST" "AMORTIZED_COST" "NET_AMORTIZED_COST" "NET_UNBLENDED_COST" "USAGE_QUANTITY" "NORMALIZED_USAGE_AMOUNT" 

Note: If you receive access denied messages then you should consult with AWS support as running this command bypasses CPM and indicates a AWS security issue.   

Also, You can use AWS CloudTrail logs to search for specific events related to Cost Explorer by filtering the logs. Open the CloudTrail dashboard then change to Event History, then choose “Event Name”,  and type GetCostAndUsage. You should get a filtered log and you can look at the individual messages by clicking on them for possible error messages.

If support asks for AWS CloudTrail logs keep in mind it can take upwards of 1 hour for the CloudTrail logs to update, so you should wait before gathering the CloudTrail logs. You should export and send to N2WS Support the JSON and the .csv file. Support would also need a complete set of CPM logs so we can determine the cause of the AWS Cost Explorer issue you may be having.

    • Related Articles

    • Troubleshooting File Level Recovery (FLR) 3.0

      Background: File-level recovery requires N2WS to recover volumes in the background and attach them to a ‘worker’ instance launched for the operation, The worker will be launched in the same account and region as the snapshots being explored, using a ...
    • User Data may be restored incorrectly during instance recovery

      Issue: When using an executable script in “User Data” during an instance recovery, the script does not appear on the restored instance as intended. Example: Before instance restore: After instance restore: Fix: If you face this issue, please upgrade ...
    • "Cost Explorer Query Failure" alert in CPM 3.0

      After upgrading to CPM 3.0, you may see an Alert in the console which says "Cost Explorer Query Failure".  If you view the Alert, you will see an AccessDeniedException: The cause of this alert is due to the CPM role permissions not being updated with ...
    • Backups/DR/tag scans may start to fail because of clock issues or connectivity issues.

      Problem descriptions: If you start seeing failures in the logs of AWS API calls saying that "AWS was not able to validate the provided access credentials", this is likely caused by either lack of connectivity with AWS endpoints or time ...
    • Troubleshooting Linux scripts in CPM

      In order to troubleshoot scripts, you need to connect to the CPM instance over SSH (using user "cpmuser") and execute the scripts from command line. Please do not use "su" or "sudo", as CPM doesn't elevate permissions. If when you run the script you ...