Onboarding

LevelFour reads two things from your infrastructure: cloud cost and usage data (to detect waste and calculate savings), and Infrastructure-as-Code in your repositories (Terraform, CloudFormation, AWS CDK, Pulumi, and Kubernetes manifests, used to open pull requests with the savings changes). You grant each kind of access through a self-service flow in the dashboard at Connect Accounts.

Pick the paths that match how you operate.

Which path is right for me?

AWS - single account

Use this if any of the following are true:

  • You have one AWS account, or only a few that you onboard one at a time.
  • You don't use AWS Organizations, or you only use it for consolidated billing.
  • You prefer to grant access to each account explicitly.

You'll click a Launch Stack link, deploy a single CloudFormation stack per account, and LevelFour auto-detects the role as soon as it exists. Five minutes per account.

AWS - multi-account (Organizations)

Use this if all of the following are true:

  • You use AWS Organizations with all features mode enabled.
  • You want to onboard many member accounts at once, including future accounts that join your organization.
  • You can deploy CloudFormation from the management account (or a delegated StackSets admin account).

You'll click one Launch Stack link in the management account, paste your AWS Organizations root or OU ID, and CloudFormation StackSets fans the role out to every account in the target OU. Future accounts that join the OU pick up the role automatically.

GitHub organization

One GitHub App install powers two shift-left FinOps products:

  • PR bot. On every PR your team opens that touches your Infrastructure-as-Code (Terraform, CloudFormation, CDK, Pulumi, or Kubernetes manifests), the bot scores cost and performance impact against your real usage data, posts a before vs after comparison comment, drops inline commit suggestions on the diff, and posts a check-run status visible in the PR checks panel. The cost conversation happens at review time, not after a surprise bill.
  • IaC PR platform. Reads the Infrastructure-as-Code across the repos you granted access to (Terraform, CloudFormation, CDK, Pulumi, Kubernetes manifests), finds cost waste, and proactively opens savings pull requests for your team to review and merge.

You'll click Install GitHub App from the dashboard, GitHub opens its install picker for the org of your choice, you grant access to all repositories or a curated subset, and LevelFour auto-detects the install within seconds. AWS and GitHub onboarding are independent: you can do either, both, or each at its own pace.

What gets created in each account

Both paths create the same IAM role in each AWS account:

  • Name: LevelFourCrossAccountRole
  • Trusts: LevelFour's AWS account (730335248431) via the external LevelFourHandshakeID you provide
  • Permissions: ReadOnlyAccess plus a focused policy covering Cost Explorer, Compute Optimizer, Cost Optimization Hub, Savings Plans, Pricing, Trusted Advisor, S3 Storage Lens, and Container Insights actions

The role is named consistently across every account so LevelFour can locate it as arn:aws:iam::<account_id>:role/LevelFourCrossAccountRole without you having to copy ARNs back to us.

After deployment

Once the role exists in your accounts, tell your LevelFour onboarding contact the management account ID and the handshake ID you used. LevelFour discovers every active account in your organization, verifies the role works in each, and starts ingesting cost and usage data within a few minutes.