Reputation: 68
I have an AWS account. There are multiple users being managed by the IAM service. Each user has an access key and is at liberty to perform various actions such as file uploads.
Is there any means to monitor cloud costs and usage by user? I use the AWS Cost Explorer service and intend to filter and group costs/usage by user. Unfortunately I haven't come up with any way to nail it in the most graceful way.
Upvotes: 3
Views: 2970
Reputation: 173
You can achieve this if you tag all your resources with a tag which has Key: Username and Value: (person_who_created_it).
Architecture of the proposed solution looks similar to this
You can achieve this by writing an automation script in Lambda.
So the idea is that when a new resource is created, Config records it.
We will create an EventBridge rule with Config as the source and trigger a Lambda function.
Then this Lambda gets the resource name, queries CloudTrail and tags the resource that was created.
You can find a sample of the above architecture here - https://medium.com/@TechStoryLines/automatically-tagging-aws-resources-with-usernames-a-brief-automation-guide-57d70455e66a
Upvotes: 0
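The Config -> EventBridge -> Lambda -> CloudTrail flow described in the answer above, as an added example (not code from the answer or the linked article). It assumes the tag key is `Username` as in the answer, that CloudTrail has already recorded the creating API call, and that the Lambda role is allowed `cloudtrail:LookupEvents` and `tag:TagResources`; the sample event and CloudTrail records are constructed.

```python
"""Config -> EventBridge -> Lambda -> CloudTrail auto-tagging. Added example, not the
linked article's code; assumes tag key "Username" (per the answer), that CloudTrail
already holds the creating call, and cloudtrail:LookupEvents + tag:TagResources rights."""
import json

CREATOR_TAG_KEY = "Username"  # assumed tag key, matching the answer above

# Constructed samples (Config change event / cloudtrail:LookupEvents shapes; ids made up).
SAMPLE_CONFIG_EVENT = {"detail": {"messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0abc",
        "configurationItemStatus": "ResourceDiscovered",
        "arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"}}}
SAMPLE_TRAIL_EVENTS = [{"EventName": "RunInstances", "Username": "alice",
    "CloudTrailEvent": json.dumps({"userIdentity": {"type": "IAMUser", "userName": "alice"}})}]

def resource_from_config_event(event):
    """(resourceType, resourceId, arn) for a newly discovered resource, else None."""
    detail = event.get("detail", {})
    if detail.get("messageType") != "ConfigurationItemChangeNotification":
        return None
    item = detail.get("configurationItem", {})
    if item.get("configurationItemStatus") != "ResourceDiscovered":
        return None  # updates and deletions are ignored; only first discovery is tagged
    return item["resourceType"], item["resourceId"], item.get("arn")

def creator_from_cloudtrail(events):
    """Creating identity from LookupEvents results: IAM users give userName; for an
    assumed role the top-level Username is only the session name, so record role/session."""
    for ev in events:
        ident = json.loads(ev.get("CloudTrailEvent", "{}")).get("userIdentity", {})
        if ident.get("type") == "IAMUser":
            return ident.get("userName") or ev.get("Username")
        if ident.get("type") == "AssumedRole":
            role = ident.get("sessionContext", {}).get("sessionIssuer", {})
            return f"{role.get('userName', 'unknown-role')}/{ev.get('Username', '')}"
    return None

def handler(event, context=None):
    found = resource_from_config_event(event)
    if found is None:
        return {"tagged": False, "reason": "not a newly discovered resource"}
    import boto3  # imported here so the pure functions above run offline
    _, resource_id, arn = found
    trail = boto3.client("cloudtrail").lookup_events(MaxResults=50,
        LookupAttributes=[{"AttributeKey": "ResourceName", "AttributeValue": resource_id}])
    creator = creator_from_cloudtrail(trail.get("Events", []))
    if not creator or not arn:
        return {"tagged": False, "reason": "creator or ARN not found"}
    boto3.client("resourcegroupstaggingapi").tag_resources(ResourceARNList=[arn], Tags={CREATOR_TAG_KEY: creator})
    return {"tagged": True, "arn": arn, CREATOR_TAG_KEY: creator}
```

Because `ResourceName` lookups only match calls that name the resource id directly, a Config event for a resource created indirectly (for example by CloudFormation) may resolve to the stack's role rather than a person, which is why the assumed-role branch records the role name.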
Reputation: 91
I always recommend having an account per user type or subscription type in your system (free or premium, for example). Depending on the user who uses your services, you will log that user in with this account. Then, using AWS Cost Categories, you can see the cost by user type, and then, knowing your number of users for each type or subscription, you could know your price per user.
Upvotes: 0
Reputation: 269282
AWS does not track costs by user.
When an IAM User makes a request to AWS to create resources (eg an EC2 instance or an RDS database), the user's permissions are checked to confirm that they are permitted to make that API call. If they are permitted, then the API call is allowed and the resources are created.
Resources created in an AWS Account are owned by the AWS Account, not an individual user. Thus, there is no relationship between resources and the credentials used to create the resource.
The closest link between users and resources would be the audit trail of API calls kept by AWS CloudTrail. CloudTrail stores information about the API call and the user that made the call, but it does not directly link to the resources that were created. This would take some effort to back-trace resources to users.
Typically, cost management is done by tagging resources. Such tags would identify cost centers or project codes that can be used to charge-back the cost of systems. Enforcing tagging is difficult. Only some services allow tagging to be enforced when services are launched. For others, it would be a matter of identifying resources that do not meet tagging requirements. See: Using AWS Config Rules to Manage Resource Tag Compliance | Sumo Logic
Upvotes: 3
Reputation: 51634
One common way to do this is to use Cost Allocation Tags.
You can define these tags and enforce them, e.g. using AWS Config and/or tag policies.
Upvotes: 4
Reputation: 23
You can monitor every IAM user action through CloudTrail logs. So you could imagine a solution based on those logs to calculate the cost of all actions from one IAM user.
Upvotes: 0