CUR Setup
AWS Cost and Usage Reports (CUR) is the foundation of Guardian Pro's Cost Intelligence module. CUR provides the most detailed and comprehensive billing data available from AWS, and Guardian Pro uses this data to power all cost analysis, anomaly detection, and optimisation features.
Cost Intelligence features are unavailable until CUR is configured and data is synced. This is a one-time setup that typically takes 5 minutes, but AWS requires up to 24 hours to deliver the first report.
What is AWS CUR?
AWS Cost and Usage Reports deliver detailed hourly or daily line-item billing data to an S3 bucket in your account. Each line item includes:
- The AWS service and specific operation (e.g.,
EC2 - RunInstances) - The resource ID and region
- Usage quantity and cost (blended, unblended, amortised)
- Pricing details, discounts, and credits
- Tags applied to the resource
Guardian Pro ingests this data to provide granular cost visibility that goes far beyond what the AWS Cost Explorer console offers.
Prerequisites
Before configuring CUR, verify the following:
- You have administrator access (or the
ce:*andcur:*permissions) in the AWS account where you will create the report. - For AWS Organizations, CUR should be configured in the management account (payer account) to capture spending across all member accounts.
- The S3 bucket for CUR data must be in the same region as your Guardian Pro deployment, or in
us-east-1(where AWS delivers reports by default).
If you are using AWS Organizations with consolidated billing, you only need to configure CUR once in the management account. All member account costs are included automatically.
Step-by-Step Configuration
Step 1: Create a CUR Report in the AWS Console
- Sign in to the AWS Management Console in your management (payer) account.
- Navigate to Billing and Cost Management > Cost and Usage Reports.
- Click Create report.
Step 2: Configure Report Settings
| Setting | Recommended Value | Notes |
|---|---|---|
| Report name | guardian-pro-cur | Any descriptive name works |
| Include resource IDs | Enabled | Required for resource-level cost attribution |
| Time granularity | Hourly | Provides the most detailed analysis; Daily is also supported |
| Report versioning | Overwrite existing report | Keeps storage costs low |
| Data integration | Amazon Athena | Select this option to get Parquet format |
| Compression | Parquet | Automatically selected with Athena integration |
Include resource IDs must be enabled. Without resource IDs, Guardian Pro cannot attribute costs to specific resources, which disables rightsizing recommendations and resource-level cost views.
Step 3: Configure the S3 Bucket
You can use an existing bucket or create a new one:
Creating a new bucket:
- Click Configure next to the S3 bucket field.
- Enter a bucket name (e.g.,
guardian-pro-cur-data-{account-id}). - Select a region. We recommend the same region as your Guardian Pro deployment.
- Click Next and confirm the bucket policy.
Using an existing bucket:
- Enter the bucket name.
- AWS will prompt you to apply the required bucket policy. Review and confirm the policy.
Required S3 bucket policy (applied automatically by the CUR setup wizard):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "billingreports.amazonaws.com"
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketPolicy"
],
"Resource": "arn:aws:s3:::your-bucket-name"
},
{
"Effect": "Allow",
"Principal": {
"Service": "billingreports.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::your-bucket-name/*"
}
]
}
Step 4: Set the Report Path Prefix
| Setting | Recommended Value |
|---|---|
| Report path prefix | cur-reports |
This determines the folder structure in S3. Guardian Pro will look for reports at this path.
Step 5: Review and Create
- Review all settings on the confirmation page.
- Click Create report.
- AWS will begin generating the first report within 24 hours.
The first CUR report can take up to 24 hours to appear in your S3 bucket. Subsequent reports are delivered on the schedule you configured (hourly or daily). Guardian Pro will show a "Pending Data" status until the first report is available.
Connect CUR to Guardian Pro
Once the CUR report is created in AWS, configure Guardian Pro to ingest it:
- In the Guardian Pro console, navigate to Cost Analysis.
- The CUR Status card will show the current connection state.
- Enter the following details:
- S3 Bucket Name -- The bucket where CUR reports are delivered
- Report Path Prefix -- The prefix you configured (e.g.,
cur-reports) - Report Name -- The name of your CUR report (e.g.,
guardian-pro-cur)
- Click Verify Connection.
Guardian Pro will validate that it can access the S3 bucket and read report data.
CUR Status States
The CUR Status card on the Cost Dashboard shows one of the following states:
| Status | Meaning | Action Required |
|---|---|---|
| Not Configured | CUR has not been set up | Follow the setup steps above |
| Pending Data | CUR is configured but the first report has not arrived yet | Wait up to 24 hours for AWS to deliver the initial report |
| Active | CUR data is being ingested successfully | None -- Cost Intelligence is fully operational |
| Error | Guardian Pro cannot read CUR data | Check S3 bucket permissions and report configuration |
You can check whether AWS has delivered your first CUR report by navigating to the S3 bucket in the AWS Console and looking for files under your report path prefix.
IAM Permissions for CUR Access
Guardian Pro's cross-account role requires the following permissions to read CUR data from your S3 bucket:
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::your-cur-bucket",
"arn:aws:s3:::your-cur-bucket/*"
]
}
These permissions are included in the default Guardian Pro member role deployed during onboarding. If you customised the role, verify these permissions are present.
Best Practices
Use a Dedicated Bucket
We recommend using a dedicated S3 bucket for CUR data rather than sharing a bucket with other data. This simplifies permissions management and makes it easier to apply lifecycle policies.
Enable Versioning
Enable S3 versioning on your CUR bucket to protect against accidental deletion of billing data.
Apply Lifecycle Rules
CUR data accumulates over time. Consider applying an S3 lifecycle rule to transition older reports to S3 Glacier or S3 Glacier Deep Archive after 90 days:
Current → S3 Standard (0-90 days) → S3 Glacier (90-365 days) → Delete (365+ days)
Encryption
Enable server-side encryption (SSE-S3 or SSE-KMS) on your CUR bucket. Guardian Pro supports reading from encrypted buckets provided the cross-account role has the necessary KMS permissions.
Troubleshooting
CUR status shows "Error"
- Verify the S3 bucket exists and is in an accessible region.
- Check that the Guardian Pro cross-account role has
s3:GetObjectands3:ListBucketpermissions on the bucket. - Confirm the report name and path prefix match what you configured in AWS.
- If using KMS encryption, verify the cross-account role has
kms:Decryptpermission on the key.
CUR status stuck on "Pending Data"
- AWS can take up to 24 hours to deliver the first CUR report. This is an AWS-side limitation, not a Guardian Pro issue.
- After 24 hours, check the S3 bucket directly in the AWS Console to confirm files are present.
- If files are present but Guardian Pro still shows "Pending Data", verify the report path prefix matches exactly.
Data appears incomplete
- Ensure Include resource IDs was enabled when creating the CUR report. Without this, resource-level cost data is unavailable.
- Verify the CUR report covers the time period you are analysing. Historical data is only available from the date the CUR report was first created.
Next Steps
- Cost Dashboard -- View your spending data once CUR is active
- Anomaly Detection -- Automated alerts for spending anomalies
- Budgets -- Set spending limits with threshold alerts