Connect an AWS Account
How access works
Cloptima connects to AWS through a secure, read-only cross-account IAM role created by a CloudFormation template — the same approach used by tools like Datadog and CloudHealth. The template auto-generates a unique External ID, so there's nothing to configure by hand.
- Can: read EC2/S3/RDS resources, CloudWatch metrics, and cost/billing data; generate recommendations
- Cannot: create, modify, or delete resources, access your data or applications, or change security settings
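The read-only and External ID claims above can be checked against the role the stack actually creates. The following is an added example, not Cloptima's code or template: it audits a trust policy and a permissions policy, such as the documents returned by `aws iam get-role` and `aws iam get-role-policy`. The account ID, External ID, bucket name, sample policies and the list of "read" verb prefixes are all constructed assumptions.

```python
import fnmatch

# Verb prefixes treated as read-only: an assumption of this sketch, not an AWS definition.
READ_PREFIXES = ("get", "list", "describe", "batchget", "lookup", "search", "view")
WILDCARD_S3 = {"*", "arn:aws:s3:::*", "arn:aws:s3:::*/*"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust(trust_policy, vendor_account_id, external_id):
    """Confused-deputy checks on the role's trust policy."""
    findings = []
    for stmt in as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if not arns or any(vendor_account_id not in str(a) for a in arns):
            findings.append("principal is not limited to the expected account")
        equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if as_list(equals.get("sts:externalid")) != [external_id]:
            findings.append("sts:ExternalId condition missing or mismatched")
    return findings

def audit_permissions(policy):
    """Flag Allow statements that grant more than metadata, metric or cost reads."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("Allow with NotAction grants everything not listed")
            continue
        resources = set(as_list(stmt.get("Resource", [])))
        for action in as_list(stmt.get("Action", [])):
            service, _, verb = action.lower().partition(":")
            if not verb.startswith(READ_PREFIXES):
                findings.append(f"not read-only: {action}")
            elif service == "s3" and fnmatch.fnmatchcase("getobject", verb) and resources & WILDCARD_S3:
                findings.append(f"object reads on every bucket: {action}")
    return findings

# Constructed sample documents; every identifier below is a placeholder.
SAMPLE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
SAMPLE_PERMS = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "cloudwatch:GetMetricData", "ce:GetCostAndUsage"]},
    {"Effect": "Allow", "Resource": "arn:aws:s3:::example-cur-bucket/reports/*",
     "Action": "s3:GetObject"}]}
```

An empty list from both functions means the trust policy is pinned to the expected account and External ID and no statement grants write actions or bucket-wide object reads.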
Choose a deployment method
In Cloptima, start onboarding and choose AWS. After the read-only permissions overview, pick how to deploy the CloudFormation stack: the AWS Console one-click flow (recommended for most users) or the AWS CLI (if you don't have console access but have the CLI configured).
Option A — Deploy via the AWS Console
Cloptima opens the CloudFormation console pre-configured. Review the template (the External ID is generated automatically), click Create stack, and wait 1–2 minutes for completion. Then open the stack's Outputs tab and copy the RoleArn and ExternalId values.
Option B — Deploy via the AWS CLI
Cloptima shows copy-ready commands. Run the create-stack command, poll the stack status until it reads CREATE_COMPLETE (about 1–2 minutes), then run the outputs command to print the Role ARN and External ID. You'll need the AWS CLI configured with credentials that have CloudFormation and IAM permissions.
Connect the account in Cloptima
Give the account a friendly name, paste the Role ARN and External ID back into Cloptima, and choose Test Connection & Continue. Once validated, your cost dashboard populates within about 5–10 minutes.
Optional: enable actual-cost reconciliation
To reconcile against real billing data, grant read-only access to your Cost and Usage Report (CUR). During CloudFormation setup you can supply your CUR S3 bucket and prefix as stack parameters (CURReportBucketName and CURReportPrefix), or add them later from Billing settings.