Prepare Your AWS Account

Before CloudCheckr can begin to monitor your AWS environment, you must configure CloudCheckr and AWS so that they can exchange data.

A cross-account role is the IAM identity that lets you establish that connection between CloudCheckr and AWS.

When you assume a cross-account role, AWS provides temporary credentials for that session—reducing the possibility of unauthorized access. More importantly, a cross-account role allows you to access resources from different AWS accounts without the need to sign in and out of each account.

Before you can prepare your AWS account, you must:

  • decide how you want to create your cross-account role: manually or through the CloudFormation template
  • confirm whether you are using the Detailed Billing Report (DBR) or the Cost and Usage Report (CUR) to ingest billing data from AWS

The method you choose for cross-account role creation and your billing source will determine your account preparation steps.


  1. Review the pros and cons of each cross-account role creation method and decide which one works best for your deployment:

    Create Manually

    • best if you are less technical/new to AWS
    • you can tailor each policy to fit your needs
    • best if you don't have access to all modules
    • you must create a cross-account role and policies separately
    • you must manually update each policy any time CloudCheckr makes changes

    Create Using CloudFormation

    • recommended by CloudCheckr
    • the template creates your cross-account role and policies automatically in one step
    • requires some familiarity with CloudFormation and the AWS environment
    • your policies are limited to 6,144 characters

  2. Confirm your billing source.

    By the end of 2019, AWS plans to replace the DBR with the CUR. CloudCheckr is currently offering both billing methods, but plans to migrate all customers to a new platform where the CUR is the primary billing method.

    Based on the status of your CloudCheckr project in this migration process, verify your billing source:

    • If you are an existing CloudCheckr customer who uses the DBR and you have not moved over to the new platform, continue to use the DBR.
    • If you are an existing CloudCheckr customer who has configured the CUR and you have moved over to the new platform, use the CUR.
    • If you are a new CloudCheckr customer, CloudCheckr will automatically activate you on the new platform where you can only use the CUR.
  3. Click the button to follow the account preparation instructions that correspond to your account creation method and billing source:
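
Whichever method creates the role, its trust policy and permission policies can be checked offline before you hand the role ARN to a third party. The Python below is an added example, not CloudCheckr's code: it flags a trust policy that allows a wildcard or unexpected principal or lacks an `sts:ExternalId` condition, and measures a policy against the 6,144-character limit from step 1. The account IDs, external ID and function names are constructed placeholders, and whitespace is assumed not to count toward the limit.

```python
import json

POLICY_CHAR_LIMIT = 6144  # per-policy limit this page gives for the CloudFormation method

def policy_size(policy):
    """Length of the policy JSON with insignificant whitespace removed."""
    return len(json.dumps(policy, separators=(",", ":")))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID from a bare ID or an IAM ARN; anything else is returned as-is."""
    parts = str(principal).split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else str(principal)

def audit_trust_policy(trust, expected_account):
    """Return findings for the statements that allow sts:AssumeRole."""
    findings = []
    for stmt in _as_list(trust.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*":
                findings.append("wildcard principal")
            elif _account_of(p) != expected_account:
                findings.append("unexpected account " + _account_of(p))
        # Exact-case key lookup; enough for policies you generate yourself.
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition")
    return findings

# Constructed samples: account IDs and the external ID are placeholders.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"],
    "Principal": {"AWS": ["arn:aws:iam::999988887777:root", "*"]}}]}

if __name__ == "__main__":
    print(audit_trust_policy(GOOD_TRUST, "111122223333"))
    print(audit_trust_policy(WEAK_TRUST, "111122223333"))
    print(policy_size(GOOD_TRUST) <= POLICY_CHAR_LIMIT)
```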
