AWS Cost Explorer is an AWS tool that provides detailed visibility into your cloud costs and usage. It allows you to analyze spending patterns, identify cost drivers, and track costs by service, linked account, or custom tags over time.

Configuring AWS Cost Explorer as a Source

In the Sources tab, click on the “Add source” button located on the top right of your screen. Then, select the AWS Cost Explorer option from the list of connectors. Click Next and you’ll be prompted to add your access.

1. Setting up AWS permissions

You need to set up an IAM role or IAM user with permissions to access the Cost Explorer API. Choose one of the two authentication methods below.

Option A: IAM Role (recommended for cross-account access)

Create a role and add a custom trust policy

Open the AWS Console using the account that hosts the cost data you’d like to access.
Enter the IAM (Identity and Access Management) service page.
In the left panel under Access management, select Roles.
Click Create role.
In Trusted entity type, select Custom trust policy.
Change the Principal value to:

{
    "AWS": "arn:aws:iam::{AWS_ACCOUNT_ID}:role/nekt-ecs-task-role"
}

The variable must be replaced by the ID of the AWS account where the Nekt workspace is deployed. In order to find this information, click the dropdown in the top-right corner of the AWS console page after you log in with your account, then click on the “copy” icon to the right of your Account ID.

Check the full trust policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{AWS_ACCOUNT_ID}:role/nekt-ecs-task-role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Click Next.
Click Next again without adding any permission. We’ll create an inline policy further on.
Under Role details, you can type any Role name as you want. Example: nekt-cost-explorer-source.
Optionally, type a Description. Example: Used by Nekt to read AWS Cost Explorer data.
Click Create role.

You should get redirected back to the IAM roles page and a message of success should appear at the top.Add permissions to the role

Open the role you just created by clicking View role in the right end of the green banner that appeared at the top of the page. If you dismissed it already, you can type the given Role name in the search field and then select it when it appears in the list.
Within Permission policies (0), click Add permissions.
Select Create inline policy.
Within Policy editor, select JSON.
Paste the following policy in the Policy editor:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NektCostExplorerRead",
            "Effect": "Allow",
            "Action": [
                "ce:GetCostAndUsage"
            ],
            "Resource": "*"
        }
    ]
}

Click Next.
Under Policy details type any Policy name as you want. Example: nekt-cost-explorer-policy.
Click Create policy.

You should get redirected back to the role you just created and a message of success should appear at the top.

When setting up the connector at Nekt, you will use the ARN of the role you’ve just created.

Option B: IAM User (access key / secret key)

If you prefer to use static credentials, create an IAM user with the ce:GetCostAndUsage permission.

Open the AWS Console and go to the IAM service page.
In the left panel, select Users and click Create user.
Give the user a name (e.g., nekt-cost-explorer) and click Next.
Attach a policy with the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NektCostExplorerRead",
            "Effect": "Allow",
            "Action": [
                "ce:GetCostAndUsage"
            ],
            "Resource": "*"
        }
    ]
}

Click Next, then Create user.
Open the user you just created, go to the Security credentials tab, and click Create access key.
Select Third-party service, confirm, and click Create access key.
Copy the Access Key ID and Secret Access Key. You will need them in the next step.

Get in touch with us if you face any problem setting up permissions.

2. Add account access

The following configurations are available:

AWS Role ARN (recommended): The ARN of the IAM role you created in Step 1 (Option A). When provided, Nekt uses STS AssumeRole to obtain temporary credentials for cross-account access.
AWS Access Key ID: Your AWS access key ID with Cost Explorer permissions. Required when using key/secret authentication (Option B).
AWS Secret Access Key: Your AWS secret access key. Required when using key/secret authentication (Option B).
Start Date: The earliest date from which cost records will be synced.

Advanced settings

Granularity: Sets the aggregation granularity for cost data. Options are DAILY (default), MONTHLY, or HOURLY.
Cost Metric: Which cost metric to retrieve. Available options:
- UnblendedCost (default) — The actual cost incurred by each account for each service, before any consolidation discounts are applied.
- BlendedCost — The average cost across all accounts in an AWS Organization for a given service, distributing bulk discounts evenly.
- AmortizedCost — Spreads upfront reservation and Savings Plans payments across the months of the commitment term, giving a more even view of costs over time.
- NetAmortizedCost — Same as AmortizedCost but after applicable discounts (e.g., private pricing, EDPs) are applied.
- NetUnblendedCost — Same as UnblendedCost but after applicable discounts are applied.
- NormalizedUsageAmount — Usage normalized to a common unit size, useful for comparing usage across different instance types.
- UsageQuantity — The raw quantity of usage (e.g., hours, GB) rather than a dollar amount.
Filter Tags: A list of tag key/value pairs to filter costs by. Only resources matching all specified tags are included in the results. This also enables the cost_by_tag stream, which groups costs by the first tag key in the list.

You must first activate cost allocation tags in your AWS Billing console for them to appear in Cost Explorer data. See AWS documentation for details.

Once you’re done, click Next.

3. Select streams

Choose which data streams you want to sync. For faster extractions, select only the streams that are relevant to your analysis. Select the streams and click Next.

4. Configure data streams

Customize how you want your data to appear in your catalog. Select the desired layer where the data will be placed, a folder to organize it inside the layer, a name for each table, and the type of sync.

Layer: choose between the existing layers on your catalog.
Folder: a folder can be created inside the selected layer to group all tables being created from this new data source.
Table name: we suggest a name, but feel free to customize it. You have the option to add a prefix to all tables at once.
Sync Type: you can choose between INCREMENTAL and FULL_TABLE.
- Incremental: every time the extraction happens, only new data since the last sync is fetched.
- Full table: every time the extraction happens, the current state of the data is fetched.

Once you are done configuring, click Next.

5. Configure data source

Describe your data source for easy identification within your organization, not exceeding 140 characters. To define your Trigger, consider how often you want data to be extracted from this source. AWS cost data is typically updated once per day, so a daily trigger is recommended. Once you are ready, click Next to finalize the setup.

6. Check your new source

You can view your new source on the Sources page. If needed, manually trigger the source extraction by clicking on the arrow button. Once executed, your data will appear in your Catalog.

For you to be able to see it on your Catalog, you need at least one successful source run.

Streams and Fields

Below you’ll find all available data streams from AWS Cost Explorer and their corresponding fields:

Cost and Usage

Total aggregated cost and usage across all AWS services for each time period.

Field	Description
`time_period_start`	Start date of the time period (e.g., 2024-01-01)
`time_period_end`	End date of the time period
`metric_name`	Name of the cost metric (e.g., UnblendedCost)
`amount`	The cost amount for the period
`unit`	The unit of the amount (e.g., USD)

Cost by Service

Cost and usage broken down by AWS service (e.g., Amazon EC2, Amazon S3, AWS Lambda) for each time period.

Field	Description
`time_period_start`	Start date of the time period
`time_period_end`	End date of the time period
`group_by_key`	The grouping dimension (SERVICE)
`group_by_value`	The AWS service name (e.g., Amazon Elastic Compute Cloud - Compute)
`metric_name`	Name of the cost metric
`amount`	The cost amount for the period
`unit`	The unit of the amount

Cost by Linked Account

Cost and usage broken down by linked AWS account for each time period. Useful for organizations with multiple AWS accounts under a consolidated billing setup.

Field	Description
`time_period_start`	Start date of the time period
`time_period_end`	End date of the time period
`group_by_key`	The grouping dimension (LINKED_ACCOUNT)
`group_by_value`	The AWS account ID
`metric_name`	Name of the cost metric
`amount`	The cost amount for the period
`unit`	The unit of the amount

Cost by Tag

Cost and usage broken down by the first tag key specified in Filter Tags. This stream is only available when Filter Tags is configured in the source settings.

Field	Description
`time_period_start`	Start date of the time period
`time_period_end`	End date of the time period
`group_by_key`	The tag key prefixed with “tag:” (e.g., tag:Environment)
`group_by_value`	The tag value (e.g., production, staging)
`metric_name`	Name of the cost metric
`amount`	The cost amount for the period
`unit`	The unit of the amount

You must first activate cost allocation tags in your AWS Billing console for them to appear in Cost Explorer data. See AWS documentation for details.

Documentation

Get started

Using Nekt

Workspace

Resources

AWS Cost Explorer as a data source

Configuring AWS Cost Explorer as a Source

1. Setting up AWS permissions

2. Add account access

Advanced settings

3. Select streams

4. Configure data streams

5. Configure data source

6. Check your new source

Streams and Fields

Documentation

Get started

Using Nekt

Workspace

Resources

​Configuring AWS Cost Explorer as a Source

​1. Setting up AWS permissions

​2. Add account access

​Advanced settings

​3. Select streams

​4. Configure data streams

​5. Configure data source

​6. Check your new source

​Streams and Fields

Configuring AWS Cost Explorer as a Source

1. Setting up AWS permissions

2. Add account access

Advanced settings

3. Select streams

4. Configure data streams

5. Configure data source

6. Check your new source

Streams and Fields