Overview

Virtual Integrations allow Managed Service Providers (MSPs) to create isolated cost views for specific groups of AWS accounts within their AWS Organization. This enables MSPs to provide each customer with access to only their relevant AWS accounts and cost data, without requiring separate AWS Organizations or additional infrastructure.

Key Benefits

  • Account-Level Isolation: Each virtual integration provides access to a specific subset of AWS accounts
  • Automatic Cost Filtering: Both AWS Cost Explorer and Athena queries automatically filter to show only relevant accounts
  • No Customer Setup Required: All configuration is managed from the MSP’s payer account
  • Single Integration Point: Uses the existing AWS integration in the payer account
  • Real-Time Updates: Account assignments can be changed at any time, and filters update automatically

How It Works

When you create a virtual integration:
  1. Select Accounts: Choose which AWS accounts from your organization should be included
  2. Automatic View Creation: The system creates filtered views for both Cost Explorer and Athena in your payer account
  3. Instant Access: Cost data is immediately available and automatically filtered to show only the selected accounts

Prerequisites

AWS Organization Setup

Your AWS Organization must have:
  • Consolidated Billing: All accounts must be part of an AWS Organization with consolidated billing
  • Cost and Usage Report (CUR): A CUR must be configured and accessible in the payer account

IAM Role Requirements

The WivAccessRole in your payer account must have the following permissions:

Athena Permissions (may already exist from Payer 1st onboarding)

athena:StartQueryExecution
athena:GetQueryExecution
athena:GetQueryResults

AWS Billing Permissions

billing:ListBillingViews
billing:GetBillingView
billing:CreateBillingView
billing:UpdateBillingView
billing:DeleteBillingView
billing:GetResourcePolicy
billing:PutResourcePolicy
billing:DeleteResourcePolicy

S3 Access for CUR and Athena Results

s3:GetObject
s3:ListBucket
s3:PutObject

These permissions are required on the CUR bucket and the Athena results bucket.
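
An added example, not part of the product's documentation or code: an offline check that a policy document intended for WivAccessRole grants every action listed above and that its S3 statements are scoped to the CUR and Athena results buckets. The bucket names and the sample policy are constructed, and the evaluator deliberately ignores Condition, NotAction and NotResource.

```python
import fnmatch

# Actions the page lists for WivAccessRole in the payer account.
REQUIRED_ACTIONS = [
    "athena:StartQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults",
    "billing:ListBillingViews", "billing:GetBillingView", "billing:CreateBillingView",
    "billing:UpdateBillingView", "billing:DeleteBillingView", "billing:GetResourcePolicy",
    "billing:PutResourcePolicy", "billing:DeleteResourcePolicy",
    "s3:GetObject", "s3:ListBucket", "s3:PutObject",
]

# Constructed sample policy: it misses three actions and has one broad S3 ARN.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "athena:*QueryExecution", "Resource": "*"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["billing:*BillingView*", "billing:GetResourcePolicy"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::example-cur-bucket/*", "arn:aws:s3:::*"]},
]}

def _listify(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_policy(policy, allowed_buckets):
    """Return (missing_actions, overbroad_s3_resources) for one policy document.
    Any Deny matching a required action is treated as blocking it."""
    allow, deny, overbroad = [], [], []
    bucket_arns = {f"arn:aws:s3:::{b}" for b in allowed_buckets}
    for stmt in _listify(policy["Statement"]):
        actions = _listify(stmt.get("Action", []))
        if stmt.get("Effect") == "Deny":
            deny += actions
            continue
        allow += actions
        # Only statements that grant one of the required S3 actions are scope-checked.
        if any(_matches(a, actions) for a in REQUIRED_ACTIONS if a.startswith("s3:")):
            for res in _listify(stmt.get("Resource", [])):
                if res.split("/", 1)[0] not in bucket_arns:
                    overbroad.append(res)
    missing = [a for a in REQUIRED_ACTIONS
               if not _matches(a, allow) or _matches(a, deny)]
    return missing, overbroad

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY, ["example-cur-bucket", "example-athena-results"]))
```

An empty first list means every listed action is granted; any entry in the second list is an S3 resource that reaches beyond the two buckets the integration needs.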

Linked Account Requirements

The WivAccessRole in linked accounts requires:
  • Basic AWS read permissions: Same as a standard AWS integration

Creating a Virtual Integration

Via Console

Updating Account Assignments

You can add or remove accounts at any time:

Via Console

The system will automatically:
  • Update the Athena view to include the new accounts
  • Update the billing view filter
  • Validate that all changes completed successfully

Deleting a Virtual Integration

Via Console

The system will automatically clean up:
  • Athena view in the payer account
  • Billing view in the payer account
  • Integration secret

No manual cleanup is required.

Cost Data Access

Cost Explorer Step

Cost Explorer API

When using the Cost Explorer API with a virtual integration, the billing view is automatically applied:
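
# cost_explorer is the Cost Explorer client used with the virtual integration.
response = cost_explorer.get_cost_and_usage(
    TimePeriod={
        'Start': '2025-01-01',
        # End is exclusive in Cost Explorer: this range stops at 2025-01-30.
        'End': '2025-01-31'
    },
    Granularity='MONTHLY',
    Metrics=['UnblendedCost']
)

Results will only include the accounts assigned to the virtual integration.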

Athena Queries Step

Athena Queries

All Athena queries are automatically rewritten to use the virtual integration’s view. The view ensures row-level security by filtering line_item_usage_account_id to only the assigned accounts.

Architecture Overview
