
Importing usage data into Application Cost Profiler


Step 1: Preparing your resource usage data

As a resource is being used in your service, you track which tenant is using it. Record this data into a table that you can later upload for Application Cost Profiler to import. Each row in the table describes a resource, the tenant that is using the resource, and the start and end times of that usage. An example of a resource is an Amazon Elastic Compute Cloud (Amazon EC2) instance that is being used.

This step requires that you integrate code into your service to output the correct information about the usage.

The fields that are in a resource usage table are listed in the following table.

| Field | Description |
| --- | --- |
| ApplicationId | Identifies the application or product in your system that is being used. Defines the scope of the tenant metadata. |
| TenantId | An identifier in your system for the tenant who is consuming the specified resource. Application Cost Profiler aggregates to this level within the ApplicationId. |
| TenantDesc | (Optional) Additional data about the tenant for your own additional reporting. |
| UsageAccountId | The account that the resource runs in (important for accounts that are part of an organization). |
| StartTime | Timestamp (in milliseconds and microseconds) from Epoch, in UTC. Indicates the start time of the period for the usage by the specified tenant. |
| EndTime | Timestamp (in milliseconds and microseconds) from Epoch, in UTC. Indicates the end time of the period for the usage by the specified tenant. |
| ResourceId | Amazon Resource Name (ARN) for resource being used. |
| Name | (Optional) As an alternative to specifying a ResourceId, you can specify a Name resource tag to attribute costs to a set of resources (the field must include the value you want to use for the Name tag). Resource tags are enabled as part of your Cost and Usage Report. For more information about resource tags, see Resource tags details in the Cost and Usage Report User Guide. |

The output must be in a comma-separated values (.csv) file that includes a heading row, as shown in the following example.

Save the data as a file, with a .csv extension (or .csv.gzip if compressed with gzip). When you upload this data to Application Cost Profiler, each time slice is assigned to the associated tenant. In this example, the report includes the time slice of the Amazon EC2 instance cost for that tenant. For EC2 instances only, slices that are not associated with a specific tenant are added to an unattributed tenant. Overlapping time slices are counted multiple times. It's your responsibility to ensure that the data in your usage table is accurate.

Note

Your file must represent one hour of time. If a resource is used over multiple hours, end the usage on the hour, and have a new record in the next file that starts at the same time.

You must submit a single file containing an entire hour's data. If multiple files are submitted for the same hour's data, Application Cost Profiler only considers the data in the latest file.

For example, the following table shows how Application Cost Profiler calculates usage for three tenants, over an hour (3,600,000 milliseconds), based on provided time slices.

| Tenant | Provided time slices | Calculated percent of hourly cost |
| --- | --- | --- |
| Tenant1 | 1,200,000 ms | 33.34% |
| Tenant2 | 600,000 ms | 16.66% |
| <unattributed> | | 50.00% |

In this example, Tenant1 is assigned one-third of the hour and Tenant2 is assigned one-sixth of the hour.

The remaining half-hour (1,800,000 ms) is not attributed to either of the clients, which is 50% of the hour.

Note

Currently, the following resources are enabled for Application Cost Profiler: Amazon EC2 instances, Lambda functions, Amazon Elastic Container Service (Amazon ECS) instances, Amazon Simple Queue Service (Amazon SQS) queues, Amazon Simple Notification Service (Amazon SNS) topics, and Amazon DynamoDB reads and writes.

Amazon SQS, Amazon SNS, and DynamoDB usage is not charged by time, unlike most resources. In their case, the usage during an hour (for example, a number of reads and writes in DynamoDB), is categorized by the percentage of the hour that you allocate to different tenants, regardless of when the reads or writes happened during the hour.
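A pre-upload check for Step 1, added here as an example and not taken from the AWS documentation: it cuts records on the hour so that each file covers exactly one hour, then flags overlapping slices on the same resource (which are counted multiple times) and e-mail-like text in the free-form TenantDesc and Name fields. It assumes StartTime and EndTime are integer epoch milliseconds and that columns follow the order of the field table; the function names, sample records, account ID and ARN are constructed.

```python
import csv, io, re

HOUR_MS = 3_600_000
# Column order follows the field table (assumed; the page's CSV sample is absent).
FIELDS = ["ApplicationId", "TenantId", "TenantDesc", "UsageAccountId",
          "StartTime", "EndTime", "ResourceId", "Name"]
EMAIL = re.compile(r"[^@\s,]+@[^@\s,]+\.[A-Za-z]{2,}")

def split_on_hour(rec):
    """Cut one usage record into slices that never cross an hour boundary."""
    start, end = int(rec["StartTime"]), int(rec["EndTime"])
    slices = []
    while start < end:
        stop = min(end, (start // HOUR_MS + 1) * HOUR_MS)
        slices.append({**rec, "StartTime": start, "EndTime": stop})
        start = stop
    return slices

def slices_by_hour(records):
    """Map each hour's start (epoch ms) to the rows for that hour's file."""
    hours = {}
    for rec in records:
        for s in split_on_hour(rec):
            hours.setdefault(s["StartTime"] // HOUR_MS * HOUR_MS, []).append(s)
    return hours

def to_csv(rows):
    """Render one hour's rows as CSV text, heading row first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, restval="")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def lint(rows):
    """Flag overlapping slices on one resource and e-mail-like free-form text."""
    findings, last_end = [], {}
    res = lambda r: r.get("ResourceId") or r.get("Name", "")
    for r in sorted(rows, key=lambda r: (res(r), r["StartTime"])):
        if r["StartTime"] < last_end.get(res(r), 0):
            findings.append(("overlap", r["TenantId"]))  # counted multiple times
        last_end[res(r)] = max(last_end.get(res(r), 0), r["EndTime"])
        for field in ("TenantDesc", "Name"):
            if EMAIL.search(r.get(field) or ""):
                findings.append(("email-in-" + field, r["TenantId"]))
    return findings

# Constructed sample, not from the page; times assumed to be epoch milliseconds.
T0 = 1_700_000_000_000 // HOUR_MS * HOUR_MS  # an exact hour boundary
ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
BASE = {"ApplicationId": "app1", "UsageAccountId": "111122223333", "ResourceId": ARN}
SAMPLE = [
    {**BASE, "TenantId": "Tenant1", "TenantDesc": "gold tier",
     "StartTime": T0 + 2_400_000, "EndTime": T0 + HOUR_MS + 600_000},
    {**BASE, "TenantId": "Tenant2", "TenantDesc": "ops@example.com",
     "StartTime": T0 + 3_000_000, "EndTime": T0 + HOUR_MS},
]
if __name__ == "__main__":
    print({h: lint(rows) for h, rows in slices_by_hour(SAMPLE).items()})
```

Run `lint` on each hour's rows before writing the file with `to_csv`; an overlap finding is a prompt to confirm the double counting is intended, not necessarily an error.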

Step 2: Uploading your resource usage

After you have a file of usage by tenant, upload your data file to Amazon S3 and make sure that Application Cost Profiler has permission to access it.

To learn more about creating an S3 bucket, see Application Cost Profiler specific prerequisites (p. 4).

You must make sure that Application Cost Profiler has access to your S3 bucket. This only needs to be done once per S3 bucket (you can reuse the same bucket for uploading multiple usage files). For information about giving access to the bucket, see Giving Application Cost Profiler access to your usage data S3 bucket (p. 7). If the bucket is encrypted, see Giving Application Cost Profiler access to SSE-KMS encrypted S3 buckets (p. 8).

Note

It is not required that you encrypt the S3 buckets that you use for usage data.

Upload your data to the S3 bucket as a file, with a .csv extension (or .csv.gzip if compressed with gzip), at hourly intervals. After you upload a new file, you must inform Application Cost Profiler that you have uploaded it so that the file can be imported into your report.

Note

By giving Application Cost Profiler access to your usage data, you agree that we may temporarily copy such usage data objects to the US East (N. Virginia) AWS Region while processing reports.

These data objects will be kept in the US East (N. Virginia) Region until the monthly report generation is complete.

Step 3: Importing usage data into Application Cost Profiler

After you have uploaded usage data to an Amazon S3 bucket that Application Cost Profiler has access to, inform Application Cost Profiler that the data exists and to import it into your final report. You do this by using the ImportApplicationUsage operation in the Application Cost Profiler API.

For information about the AWS Application Cost Profiler API, including the ImportApplicationUsage operation, see the AWS Application Cost Profiler API Reference.

The following example shows how to call ImportApplicationUsage. Replace the input text in brackets with the values for your S3 bucket and uploaded object.


POST /ImportApplicationUsage HTTP/1.1
Content-type: application/json

{
    "sourceS3Location": {
        "bucket": "<bucket-name>",
        "key": "<object-key>",
        "region": "<region-id>"
    }
}

Note

The region parameter is only required if your bucket is in an AWS Region that is disabled by default. For more information, see Managing AWS Regions in the AWS General Reference.

Application Cost Profiler generates a new report at the frequency that you requested when configuring your report (p. 10), using the data that you imported with ImportApplicationUsage.

After you have configured your report and automated importing your usage data into Application Cost Profiler, you are ready to view your generated reports. For more information about reports, see Using Application Cost Profiler reports (p. 15).


Using Application Cost Profiler reports

After you have integrated your usage data with AWS Application Cost Profiler and are sending the data on an hourly basis, Application Cost Profiler automatically generates your report.

Reports are generated either daily or monthly, based on the option you selected when configuring your report (p. 10). Reports are delivered to the Amazon Simple Storage Service (Amazon S3) bucket that you selected when you configured the report.

Daily reports generated on the first day of the month have the previous month's data.

Data available in an Application Cost Profiler report

The columns that are created in a usage report are shown in the following table.

| Column name | Description |
| --- | --- |
| PayerAccountId | The management account ID in an organization, or the account ID if the account is not part of AWS Organizations. |
| UsageAccountId | The account ID for the account with usage. |
| LineItemType | The type of record. Always Usage. |
| UsageStartTime | Timestamp (in milliseconds) from Epoch, in UTC. Indicates the start time of the period for the usage by the specified tenant. |
| UsageEndTime | Timestamp (in milliseconds) from Epoch, in UTC. Indicates the end time of the period for the usage by the specified tenant. |
| ApplicationIdentifier | The ApplicationId specified in the usage data sent to Application Cost Profiler. |
| TenantIdentifier | The TenantId specified in the usage data sent to Application Cost Profiler. Data with no record in the usage data is collected in unattributed. |
| TenantDescription | The TenantDesc specified in the usage data sent to Application Cost Profiler. |
| ProductCode | The AWS product being billed (for example, AmazonEC2). |
| UsageType | The type of usage being billed (for example, BoxUsage:c5.large). |
| Operation | The operation being billed (for example, RunInstances). |
| ResourceId | The resource ID or Amazon Resource Name (ARN) for the resource being billed. |
| ScaleFactor | If a resource is over-allocated for an hour (for example, the usage data reported is equal to 2 hours instead of 1 hour), a scale factor is applied to make the total equal the actual billed amount (in this case, 0.5). This column reports the scale factor used for the specific resource for that hour. The scale factor is always greater than zero (0) and less than or equal to 1. |
| TenantAttributionPercent | The percentage of the usage attributed to the specified tenant (between zero (0) and 1). |
| UsageAmount | The amount of usage attributed to the specified tenant. |
| CurrencyCode | The currency that the rate and cost are in (for example, USD). |
| Rate | The billing rate for the usage, per unit. |
| TenantCost | The total cost for that resource for the specified tenant. |
| Region | The AWS Region of the resource. |
| Name | If you created resource tags for your resources on the Cost and Usage report, or through the resource usage data, the Name tag is shown here. For more information about resource tags, see Resource tags details in the Cost and Usage Report User Guide. |

The following is an example of the output report for one resource for two hours.

PayerAccountId,UsageAccountId,LineItemType,UsageStartTime,UsageEndTime,ApplicationIdentifier,TenantIdentifier,TenantDescription,ProductCode,UsageType,Operation,ResourceId,ScaleFactor,TenantAttributionPercent,UsageAmount,CurrencyCode,Rate,TenantCost,Region,Name

In this example, the first hour is allocated to Tenant1 for half of the time. A half hour remains as unattributed. In the second hour, four tenants are all allocated the full hour. In this case, the scale factor scales them all down by 0.25, and they are all allocated one-quarter of the hour. You can see the final cost in the TenantCost column.
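A small model of the attribution arithmetic described above, added here as an illustration and not the service's implementation: it reproduces the one-third / one-sixth / half split from the Step 1 table and the 0.25 scale factor for four tenants that each claim the full hour. The function names, the `unattributed` key and the cost split (share times billed cost) are assumptions.

```python
from fractions import Fraction

HOUR_MS = 3_600_000  # one hour, as in the page's worked table

def attribute_hour(reported_ms, is_ec2=True):
    """Return (scale_factor, shares) for one resource in one hour.

    reported_ms maps TenantId -> total milliseconds reported for that tenant.
    Overlapping slices are simply summed, so the total can exceed the hour.
    """
    for tenant, ms in reported_ms.items():
        if not 0 < ms <= HOUR_MS:
            raise ValueError(f"{tenant}: {ms} ms does not fit in one hourly file")
    total = sum(reported_ms.values())
    # Over-allocated hour: shrink every slice so the shares sum to the billed hour.
    scale = min(Fraction(1), Fraction(HOUR_MS, total)) if total else Fraction(1)
    shares = {t: Fraction(ms, HOUR_MS) * scale for t, ms in reported_ms.items()}
    rest = 1 - sum(shares.values())
    # The page states that only EC2 instances get an unattributed remainder.
    if is_ec2 and rest > 0:
        shares["unattributed"] = rest
    return scale, shares

def tenant_costs(shares, billed_cost):
    """Split the hour's billed cost by share (assumed: cost = share * billed)."""
    return {t: round(float(s) * billed_cost, 6) for t, s in shares.items()}

if __name__ == "__main__":
    # Constructed inputs mirroring the page's two worked cases.
    print(attribute_hour({"Tenant1": 1_200_000, "Tenant2": 600_000}))
    scale, shares = attribute_hour({f"Tenant{i}": HOUR_MS for i in range(1, 5)})
    print(scale, tenant_costs(shares, 0.10))
```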


AWS Application Cost Profiler quotas and endpoints

Your AWS account has default quotas, formerly referred to as limits, for each AWS service. Unless otherwise noted, each quota is AWS Region-specific. You can request increases for some quotas, and other quotas cannot be increased.

The following tables list the service quotas per account and the AWS Region endpoints for Application Cost Profiler.

Service quotas

| Resource | Default value | Description |
| --- | --- | --- |
| Rate of PutReportDefinition requests | 5 | The maximum number of PutReportDefinition |
| requests | 5 | The maximum number of GetReportDefinition |
| Maximum size of usage data file | 10 MB | The maximum size of an hourly usage data file. |

Service endpoints

Application Cost Profiler is a global service. All API calls must be made to the US East (N. Virginia) endpoint.

• US East (N. Virginia) – application-cost-profiler.us-east-1.amazonaws.com


Security in AWS Application Cost Profiler

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs.

To learn about the compliance programs that apply to Application Cost Profiler, see AWS Services in Scope by Compliance Program.

Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using AWS Application Cost Profiler. It shows you how to configure Application Cost Profiler to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Application Cost Profiler resources.

Contents

• Data protection in AWS Application Cost Profiler

• Identity and access management for AWS Application Cost Profiler

• Compliance validation for AWS Application Cost Profiler

• Resilience in AWS Application Cost Profiler

• Infrastructure security in AWS Application Cost Profiler

Data protection in AWS Application Cost Profiler

The AWS shared responsibility model applies to data protection in AWS Application Cost Profiler.

As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. This content includes the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the Data Privacy FAQ. For information about data protection in Europe, see the AWS Shared Responsibility Model and GDPR blog post on the AWS Security Blog.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM). That way each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:

• Use multi-factor authentication (MFA) with each account.


• Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2 or later.

• Set up API and user activity logging with AWS CloudTrail.

• Use AWS encryption solutions, along with all default security controls within AWS services.

• Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.

• If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-2.

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form fields such as a Name field. This includes when you work with Application Cost Profiler or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

Encryption at rest

AWS Application Cost Profiler always encrypts all data stored in the service at rest without requiring any additional configuration. This encryption is automatic when you use Application Cost Profiler.

For Amazon S3 buckets you provide, you must encrypt the report bucket, and can encrypt the usage data bucket and give Application Cost Profiler access. For more information, see Setting up Amazon S3 buckets for Application Cost Profiler (p. 5).

Encryption in transit

AWS Application Cost Profiler uses Transport Layer Security (TLS) and client-side encryption for encryption in transit. Communication with Application Cost Profiler is always done over HTTPS so your data is always encrypted in transit. This encryption is configured by default when you use Application Cost Profiler.

Identity and access management for AWS Application Cost Profiler

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Application Cost Profiler resources. IAM is an AWS service that you can use with no additional charge.

Topics

• Audience

• Authenticating with identities

• Managing access using policies

• How AWS Application Cost Profiler works with IAM

• AWS Application Cost Profiler identity-based policy examples

• Troubleshooting AWS Application Cost Profiler identity and access


Audience

How you use AWS Identity and Access Management (IAM) differs, depending on the work that you do in Application Cost Profiler.

Service user – If you use the Application Cost Profiler service to do your job, then your administrator provides you with the credentials and permissions that you need. As you use more Application Cost Profiler features to do your work, you might need additional permissions. Understanding how access is managed can help you request the right permissions from your administrator. If you cannot access a feature in Application Cost Profiler, see Troubleshooting AWS Application Cost Profiler identity and access (p. 29).

Service administrator – If you're in charge of Application Cost Profiler resources at your company, you probably have full access to Application Cost Profiler. It's your job to determine which Application Cost Profiler features and resources your employees should access. You must then submit requests to your IAM administrator to change the permissions of your service users. Review the information on this page to understand the basic concepts of IAM. To learn more about how your company can use IAM with Application Cost Profiler, see How AWS Application Cost Profiler works with IAM (p. 24).

IAM administrator – If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to Application Cost Profiler. To view example Application Cost Profiler identity-based policies that you can use in IAM, see AWS Application Cost Profiler identity-based policy examples (p. 26).

Authenticating with identities

Authentication is how you sign in to AWS using your identity credentials. For more information about signing in using the AWS Management Console, see Signing in to the AWS Management Console as an IAM user or root user in the IAM User Guide.

You must be authenticated (signed in to AWS) as the AWS account root user, an IAM user, or by assuming an IAM role. You can also use your company's single sign-on authentication or even sign in using Google or Facebook. In these cases, your administrator previously set up identity federation using IAM roles.

When you access AWS using credentials from another company, you are assuming a role indirectly.

To sign in directly to the AWS Management Console, use your password with your root user email address or your IAM user name. You can access AWS programmatically using your root user or IAM

