Get Started with AWS

Automated infrastructure deployment for secure, read-only access to your AWS Cost and Usage Reports.

Production Ready | 5–15 minutes depending on configuration

What Gets Created

The setup script automatically provisions the following resources in your AWS account.

S3 Bucket

Dedicated storage for your Cost and Usage Report data with appropriate access controls.

Cost & Usage Report

Hourly billing data export with cost allocation tags enabled for granular carbon attribution.

IAM Role

Least-privilege, read-only cross-account role with External ID protection against confused deputy attacks.

StackSets

CloudFormation StackSets for AWS Organizations — automatically covers all child accounts.

Prerequisites

  • AWS CLI installed and configured
  • jq command-line tool
  • Administrator access to your AWS account
  • Your Tailpipe External ID (provided during onboarding)

Quick Start

Download the setup script

Clone the open-source repository from GitHub.

# Clone the repository
git clone https://github.com/tivarri/tailpipe-cloud-data-export.git
cd tailpipe-cloud-data-export/aws

Run the setup

Choose the mode that suits your workflow.

Interactive

# Interactive mode (recommended)
chmod +x setup-tailpipe.sh
./setup-tailpipe.sh

Automated

# Non-interactive mode
export EXTERNAL_ID="your-external-id"
./setup-tailpipe.sh

Dry Run

# Dry run — preview only
DRY_RUN=1 ./setup-tailpipe.sh

Share configuration

The script outputs a JSON configuration summary containing the IAM role ARN and S3 bucket details. Share this with your Tailpipe Account Manager to complete the setup.

Setup Timeline

  • Management Account (without AWS Organizations): 5–10 minutes
  • Management Account (with AWS Organizations): 10–15 minutes
  • Standalone Account (single account setup): 5 minutes

Security Features

Built with security best practices. Your infrastructure stays under your control.

Read-Only Access

The IAM role has no write permissions. Tailpipe cannot modify your infrastructure.

External ID Protection

Prevents confused deputy attacks with a unique External ID per organisation.

No Long-Term Credentials

Uses IAM role assumption — no access keys or secrets are stored.

CloudTrail Audit

All access is logged in AWS CloudTrail for full audit visibility.

User-Controlled

Revoke access at any time by running the cleanup script or deleting the IAM role.
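
To check the Read-Only Access and External ID Protection claims against your own account after setup, fetch the role's trust and permission policy documents (for example with aws iam get-role and aws iam get-role-policy or aws iam get-policy-version) and audit them. The following is an added example, not code from the Tailpipe repository; the function names, the read-only prefix list and the sample policies with their placeholder account ID and External ID are assumptions constructed for illustration.

```python
import fnmatch

# Verb prefixes treated as read-only here: an assumption, tune to your own baseline.
READ_PREFIXES = ("Get", "List", "Describe", "Head")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def audit_trust_policy(doc, expected_external_id):
    """Findings for a trust policy; [] means every AssumeRole Allow is External-ID gated."""
    findings = []
    for i, st in enumerate(_as_list(doc["Statement"])):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        grants = any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions)
        if st.get("Effect") != "Allow" or not grants:
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(f"statement {i}: wildcard principal")
        # IAM condition keys are case-insensitive; only StringEquals is accepted here.
        equals = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        ext = equals.get("sts:externalid")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif _as_list(ext) != [expected_external_id]:
            findings.append(f"statement {i}: unexpected sts:ExternalId value")
    return findings

def audit_permissions(doc):
    """Allow-ed actions whose verb is not read-only (wildcards such as s3:* included)."""
    allows = [st for st in _as_list(doc["Statement"]) if st.get("Effect") == "Allow"]
    flagged = ["NotAction" for st in allows if "NotAction" in st]
    for st in allows:
        flagged += [a for a in _as_list(st.get("Action", []))
                    if not a.split(":", 1)[-1].startswith(READ_PREFIXES)]
    return flagged

# Constructed samples (placeholder account ID and External ID, not Tailpipe's real policies).
_STMT = {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole"}
TRUST_WEAK = {"Version": "2012-10-17", "Statement": [_STMT]}
TRUST_OK = {"Version": "2012-10-17", "Statement": [dict(
    _STMT, Condition={"StringEquals": {"sts:ExternalId": "example-external-id"}})]}
PERMS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"]}]}

if __name__ == "__main__":
    print(audit_trust_policy(TRUST_WEAK, "example-external-id"), audit_permissions(PERMS))
```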

What Happens Next

AWS generates your first report

Initial Cost and Usage Reports appear within 24 hours of setup.

Tailpipe connects

We connect via the IAM role and begin processing your billing and usage data.

Emissions data available

Carbon emissions data appears in your Tailpipe dashboard within 24–48 hours.

Removal & Cleanup

The integration is fully reversible. Run the cleanup script to remove all Tailpipe resources from your AWS account.

# Remove all Tailpipe resources
chmod +x cleanup-tailpipe.sh
./cleanup-tailpipe.sh

All resources created by the setup script (S3 bucket, IAM role, CUR, StackSets) will be deleted. For more options, see the full documentation on GitHub.

Need help with setup?

Check our integration FAQs or get in touch with our team.