# Connect to AWS Bedrock Connect your AWS account to Finora to track Bedrock model spend (Claude, Llama, Mistral, and other Bedrock-hosted models). > **Before you start** > > * You'll need to create or update an **IAM user** in the AWS account that owns your Bedrock workload. > * **AWS Cost Explorer must be enabled** in your account. It's free to enable — just open the Billing console and click into Cost Explorer once. (If your AWS admin handles billing access, ask them to confirm Cost Explorer is on.) ## Overview You'll create an IAM user in AWS that has read-only access to cost data — and nothing else. Then you paste the access keys into Finora. The user can't see your services, your data, or your account configuration. It can only read aggregated cost numbers. ## Step 1: Create an IAM user with read-only cost access 1. Sign in to the [AWS Console](https://console.aws.amazon.com) with an account that can manage IAM. 2. Open **IAM → Users → + Create user**. 3. Give the user a name like `finora-cost-reader`. 4. Click **Next** to attach permissions. 5. Choose **Attach policies directly → + Create policy**. 6. Switch to the **JSON** tab and paste this: ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ce:GetCostAndUsage", "Resource": "*" } ] } ``` 7. Name the policy `FinoraCostExplorerReadOnly` and create it. 8. Back on the user creation page, attach the new policy and finish creating the user. 9. Open the new user, go to **Security credentials → + Create access key**. 10. Choose **Application running outside AWS**, click through, and **download or copy** the **Access key ID** and **Secret access key**. > The secret access key is shown **only once**. Save it in a password manager before navigating away. ## Step 2: Connect AWS to Finora 1. In Finora, click **Settings** in the sidebar, then open the **API Keys** tab. 2. From the **Provider** dropdown, choose **AWS Bedrock**. 3. Fill in: * **Access Key ID** — the `AKIA...` value from step 1 * **Secret Access Key** — the secret you copied * **Region** — choose the AWS region closest to your Bedrock workloads: * US East (N. Virginia) * US West (Oregon) * EU (Ireland) * EU (Frankfurt) * Asia Pacific (Singapore) * Asia Pacific (Tokyo) 4. Click **Save**. Finora makes a test cost lookup to confirm the credential works. On success, AWS Bedrock appears in your connected providers list. ## What Finora tracks for AWS Bedrock * Total cost in USD * Date of each charge * Which Bedrock model and usage type was billed * Linked AWS account (if you use consolidated billing across multiple accounts) Other AWS spend (EC2, S3, networking, etc.) stays in your AWS bill — Finora filters it out automatically. ## FAQs **My region isn't in the list — can I still connect?** The list covers the common Bedrock regions. If you need another (e.g. Mumbai, São Paulo), contact support. We can add it quickly. **Do I need to enable Cost Explorer first?** Yes — and this is the most common cause of connection failures. AWS Cost Explorer is opt-in. Open the AWS Billing console and click **Cost Explorer → Launch**. Activation can take up to 24 hours; until then, your first refresh will return zero rows. **Can I use an IAM role instead of an access key?** Not yet. Today, Finora uses long-lived access keys. Role-based access is on our roadmap. **Saving failed with `AccessDenied`. What's wrong?** Common causes: * Cost Explorer isn't enabled on the account. * The policy was attached to a group, not the user directly. * The access key was generated for a different user. Double-check that the `FinoraCostExplorerReadOnly` policy is on the user named `finora-cost-reader` and that Cost Explorer is enabled. **How do I rotate the access key?** Create a new access key for the same IAM user in AWS, paste it into Finora **Settings → API Keys → Update**, save, and then deactivate the old key in AWS. **Will Finora see my non-AI AWS costs?** No. Finora filters to Bedrock-related spend only. Other AWS services (EC2, S3, Lambda, etc.) are not pulled in. ## Removing the integration Open **Settings → API Keys**, find the AWS Bedrock row, click the trash icon, and confirm. Your stored credentials are deleted. We recommend you also deactivate or delete the IAM user in AWS afterwards. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.finora.services/billing-integrations/ai-providers/connect-to-aws-bedrock.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.