EPIUSE FinOps Dashboard

1. Welcome to EPIUSE FinOps Dashboard

The EPIUSE FinOps Dashboard helps your team make sense of AWS spend. It reads your Cost & Usage Report data, surfaces what's actually driving your bill, recommends where you can save money, and tracks your cloud carbon footprint.

How it fits together

The dashboard runs in EPI-USE's AWS account, but your billing data never leaves your account. We use a read-only role that lets us run Athena queries against the cost data already in your S3 buckets — that's it.

┌─────────────────────────┐                  ┌─────────────────────────────┐
│  Your AWS account       │                  │  EPI-USE (the platform)     │
│                         │   Read-only      │                             │
│  • CUR 2.0 (billing)    │   role assumed   │  • Web dashboard            │
│  • Carbon Emissions     │  ◄──────────────│  • Authentication           │
│  • Cost Optimization    │                  │  • AI cost analyst          │
│    Hub recommendations  │   Queries        │                             │
│                         │  ◄──────────────│                             │
│                         │   only           │                             │
└─────────────────────────┘                  └─────────────────────────────┘

What you'll do in this guide

1. Connect your AWS account via a one-click CloudFormation template (Section 3 or 4).
2. Optionally set up single sign-on so your team uses their existing work logins (Section 7).
3. Invite the people on your team (Section 9).

2. Before you start

What you'll need

• An AWS account where you're an administrator (or have permissions to deploy CloudFormation, create IAM roles, set up S3 buckets, and configure Cost & Usage Reports).
• About 30 minutes the first time.
• Your team members' email addresses if you want to invite them right away.

Two AWS features to turn on first

These are free, take a couple of clicks, and unlock the most useful parts of the dashboard.

About cost

Adding the dashboard typically adds less than $5/month of new AWS charges to your account. The main contributors are S3 storage of CUR files and Athena query costs (both negligible at our query volumes thanks to caching). EPI-USE invoices you separately for the platform service per your agreement — there are no surprise AWS bills from us.

3. Connect a fresh AWS account

Use this path if you don't already have a CUR 2.0 daily export running. If you do have one, skip to Section 4 — it's faster.

4. Already have CUR 2.0 data?

Great — you don't need to set up another one. Tell our CloudFormation template where your CUR data lives, and it'll reuse your existing export. You just need to update one bucket policy and the rest happens automatically.

Step 4.1 — Find your CUR data path

AWS Console → Billing & Cost Management → Data Exports → click your CUR export. The path you need looks like:

s3://<your-cur-bucket>/<your-prefix>/<export-name>/data/

Examples:

• s3://acme-cur-bucket/finops/cur-2-daily/data/
• s3://acme-cur-bucket/cur/cloudbill-cur-2-daily/data/

The path must end with /data/ — that's the folder containing the partition subdirectories (the ones named BILLING_PERIOD=YYYY-MM).

Step 4.2 — Update your CUR bucket's policy

Your bucket policy probably allows only your existing CUR export to write into it. Our template adds two new exports (Carbon Emissions, Cost Optimization Hub), so you need to broaden the policy to allow them too.

Add this statement to your bucket policy (or replace the existing one if it's narrowly scoped):

{
  "Sid": "AllowAWSDataExportsToWriteToS3",
  "Effect": "Allow",
  "Principal": {
    "Service": ["bcm-data-exports.amazonaws.com", "billingreports.amazonaws.com"]
  },
  "Action": ["s3:PutObject", "s3:GetBucketPolicy"],
  "Resource": [
    "arn:aws:s3:::<your-cur-bucket>",
    "arn:aws:s3:::<your-cur-bucket>/*"
  ],
  "Condition": {
    "StringLike": {
      "aws:SourceArn": [
        "arn:aws:bcm-data-exports:us-east-1:<your-account-id>:export/*",
        "arn:aws:cur:us-east-1:<your-account-id>:definition/*"
      ]
    },
    "StringEquals": {
      "aws:SourceAccount": "<your-account-id>"
    }
  }
}

Replace <your-cur-bucket> and <your-account-id> with your real values and save.

Step 4.3 — Turn on Cost Optimization Hub

Same as the fresh-account flow: AWS Console → Cost Optimization Hub → Get started.

Step 4.4 — Launch the CloudFormation stack

In the dashboard, click Connect AWS Account → Launch Now. On the AWS review page, change these parameters:

Tick the IAM acknowledgement, click Create stack, wait for CREATE_COMPLETE.

Step 4.5 — Copy the RoleArn and paste it back

Same as steps 7-8 of the fresh-account flow.

5. What we create in your AWS account

Everything our template creates lives in your AWS account. Nothing is shared with other customers. Here's the full list:

That's it. No EC2 instances, no Lambda functions, no compute charges. Just storage and an IAM role.

6. What we can and can't see

This section is for the careful folks who want to know exactly what the dashboard can do in your account. Short version: read-only, billing data only, your account only.

Who can use the role

Only one principal: the FinOps Dashboard's backend service running in EPI-USE's AWS account (account 641079926598). Every assume-role call is logged in your AWS CloudTrail — you can audit exactly what we did and when.

What the role is allowed to do

What the role is NOT allowed to do

• Read object contents from any bucket outside your own AWS account.
• Read databases, Lambda code, EBS volumes, secrets, or anything that isn't billing data in S3.
• Create, modify, or delete any resource — except for managing its own scratch files in the results bucket.
• Change IAM (no creating users, no modifying policies, no assuming other roles).
• Decrypt anything with your KMS keys.
• Modify your CUR or Carbon Emissions data.

Want to audit what we've done?

AWS Console → CloudTrail → Event history → filter by User name = AWS-Cost-Analysis-Dashboard-Role. You'll see every action we've taken, when, and which Athena query.

Want to revoke access?

AWS Console → IAM → Roles → AWS-Cost-Analysis-Dashboard-Role → Delete. We instantly lose access. Your CUR data stays where it is — we never touched it anyway.

7. Sign in with your IdP (SSO)

If your organisation uses Microsoft Entra ID (Azure AD), Okta, Google Workspace, or another SAML 2.0 identity provider, you can configure single sign-on so your team uses their existing work logins instead of dashboard passwords.

Microsoft Entra ID (Azure AD) — most common setup

Okta — similar flow

1. Okta Admin → Applications → Create App Integration → choose SAML 2.0.
2. Use the values from the dashboard's SSO Configuration page for Single sign on URL, Audience URI, etc.
3. Name ID format: EmailAddress.
4. Add attribute statements: email ← user.email, given_name ← user.firstName, family_name ← user.lastName.
5. After saving, click View SAML setup instructions, copy the metadata XML, upload it to the dashboard's SSO Configuration page.
6. Set the app's Initiate Login URI to the Direct SSO Login Link.
7. Assign users, test from the Okta dashboard.

Any other SAML 2.0 IdP

The pattern is always: hand the IdP our Entity ID + Reply URL (from the dashboard's SSO Configuration page), make sure it emits email, given_name, family_name, name claims, export the metadata XML, upload it via the dashboard.

8. Auto-provision users (SCIM)

SCIM lets your IdP automatically create, update, and disable user accounts in the dashboard. It's a nice-to-have on top of SAML SSO, especially if you have lots of joiners and leavers.

Step 8.1 — Generate the SCIM token in the dashboard

Dashboard → SSO Configuration → SCIM Provisioning section → Generate SCIM Token. The token is shown once only — copy it the moment it appears, you can't get it back later.

Step 8.2 — Configure SCIM in Azure

1. Azure Portal → your enterprise app → Provisioning.
2. Tenant URL: https://api.cloudbillanalyzer.epiuse-aws.com/api/scim/<your-tenant-id>
3. Secret token: the plaintext token from step 8.1.
4. Click Test connection → expect a green check.
5. Save. Then set Scope to "Sync only assigned users and groups" and turn Status on.

Initial sync typically completes in 10-40 minutes. After that, IdP user changes propagate within about 40 minutes (Azure's default cycle).

Step 8.3 — Configure SCIM in Okta

Same general flow: Okta Admin → your app → Provisioning → Configure API Integration. Use the same Tenant URL and API token. Test, save, enable Create / Update / Deactivate.

9. Managing users

The three roles

Inviting someone

1. Dashboard → Users → Create New User.
2. Fill in their email, a display name, and a temporary password (you'll share this with them).
3. Pick a role and click Create & Invite User.

They get a welcome email with sign-in details. The temporary password is good for 7 days; on first sign-in they'll be asked to set their own.

Their invitation expired or they didn't get the email

Dashboard → Users → click the user → Resend Invitation. A fresh temporary password is generated and emailed.

Changing someone's role

Dashboard → Users → click the user → change role dropdown → save. Takes effect on their next page load.

Removing someone

Dashboard → Users → click the user → Delete. They lose access immediately.

If you use SCIM

Users provisioned through your IdP appear in the dashboard's user list automatically. Manage their lifecycle in your IdP — don't add or remove them from the dashboard directly, or your IdP will overwrite your changes on the next sync.

10. Troubleshooting

The dashboard says there's no data

1. Check the CloudFormation stack in AWS reached CREATE_COMPLETE. If it didn't, click the failed event in the stack's Events tab to see what went wrong.
2. Make sure the RoleArn you pasted into the wizard exactly matches the stack's output — no leading/trailing spaces.
3. Give it 24 hours from stack creation. The first daily Cost & Usage Report file lands once per day on AWS's schedule, not immediately.
4. If you want to check that the file actually landed: AWS Console → S3 → look for files under cur2-daily/cloudbill-cur-2-daily/data/BILLING_PERIOD=…/ in your CUR bucket.

Cost Optimization tab is empty

1. Confirm Cost Optimization Hub is enrolled: AWS Console → Cost Optimization Hub. If you see "Get started", it's not enrolled yet.
2. After enrolling, Cost Optimization Hub takes 24-48 hours to populate. Then the daily export needs another ~24 hours to land its first file. So allow up to 72 hours total.

Carbon Emissions tab is empty

AWS publishes carbon data monthly, about 3 months in arrears. For example, May 2026 data appears around August 2026. For brand-new AWS accounts, the first carbon file can take 1-3 months. This is an AWS schedule we can't speed up.

Clicking the SSO tile shows the password form

Your IdP's Sign on URL is set to the application root instead of the Direct SSO Login Link. Go back to your IdP's SAML configuration and replace the Sign on URL with the value labelled "DIRECT SSO LOGIN LINK" on the dashboard's SSO Configuration page.

Welcome email went to spam

Ask the recipient to mark it "Not spam" once. Email reputation builds over a couple of weeks; once their mail provider has seen a few legitimate emails from our sender domain, future ones land in the inbox. Our sender setup has DKIM, SPF, and DMARC all in place — the only missing ingredient is time.

Someone can't sign in — "incorrect email or password"

1. If they were just invited, their temporary password is good for 7 days. If it's been longer, resend the invitation.
2. If they use SSO, the password isn't checked — they should click their My Apps tile (or use the Direct SSO Login Link) instead of typing a password on the dashboard.
3. If the password is correct but still failing, check their account status: Dashboard → Users → find them. If status is "force change password", they need to use the temporary password and the dashboard will prompt them to set a permanent one.

"Forgot password" email never arrived

During early access, password-reset codes can only be delivered to email addresses we've verified with AWS's email service. Contact aws-ccoesupport@epiuse.com and we'll add the address.

11. Get help

Stuck on something not covered above? We're here.

To help us help you faster, include:

• Your AWS account ID
• The name of your organisation in the dashboard
• A screenshot of any error message
• The CloudFormation stack name and region (if it's an onboarding question)

Thanks for using EPIUSE FinOps Dashboard. We're glad to have you on board.