Using CloudCheckr to Only Monitor Costs

CloudCheckr allows users to establish accounts that are used solely to monitor their AWS Costs.  For this use case, you can create users that have very limited permissions on your AWS deployment.  This is accomplished by adding the Access Key and Secret Key from an IAM user whose permissions only allow access to the account’s programmatic billing bucket within S3.  With these permissions CloudCheckr will be able to access the billing reports within the programmatic billing bucket, but nothing else within the AWS account.


The Detailed Billing Reports are extremely fine grained. They provide details such as:

  • The resource ID of each charge
  • The time of the charge down to the hour
  • Both credits and costs
  • Resource Tags linked to each charge
  • Region, Service name, and account of each charge
  • Operation and Usage Type for each charge

AWS provides you all these details in a CSV file that you would then need to parse and read through. CloudCheckr does that work for you, reading it all and making it easy to query interactively, to mine and understand literally millions of lines of billing records. We often come across a single month billing file that is several GB compressed and millions of lines. Like CloudWatch, Detailed Billing data often lags behind by a few hours to a few days from your actual usage.

In order to use Detailed Billing, you must setup Programmatic Billing within AWS first.  For instructions on enabling Programmatic Billing within AWS, please go here:


When creating a CloudCheckr account used to monitor costs you will be able to view your costs in the following reports:

NOTE:  CloudWatch Cost data will not be available in these reports.  You will only be able to view data from the AWS Detailed Billing reports.


Below is the AWS IAM permission needed for CloudCheckr to access the Detailed Billing Reports.  Create an IAM Group and User and add the following as a Custom Policy.

For step-by-step instructions on creating the IAM Group, User and Permissions, please go here:

NOTE: Replace S3PROGRAMMATICBUCKETNAME with the name of your programmatic billing bucket.

  "Version": "2012-10-17",
  "Statement": [
       "Resource": ["arn:aws:s3:::S3PROGRAMMATICBUCKETNAME"]
  "Statement": [
       "Resource": ["arn:aws:s3:::S3PROGRAMMATICBUCKETNAME/*"]

NOTE: The “Resource” for each “Statement” above is different. For “Action”:[“s3:GetObject”] ensure you have added “/*” to the end of the bucket name. For “Action”:[“s3:List*”] ensure you have NOT added “/*” to the end of the bucket name.

Generate a pair of Access and Secret Keys from this user, and use those as your credentials when creating your Account within CloudCheckr.

NOTE: After creating your CloudCheckr account and adding your credentials you will need to configure your account with the name of the S3 Programmatic Billing Bucket.  To add the bucket name, edit your cost-only account and click on the Detailed Billing tab.  Simply enter the name of your S3 Programmatic Billing bucket in the text box.

If you need any assistance with this setup, please contact

Leave a Reply