AWS - single account
This is the simplest onboarding path. You click a Launch Stack link, enter the handshake ID LevelFour gave you, and CloudFormation creates the LevelFourCrossAccountRole in your account. Five minutes start to finish.
If you have many AWS accounts under AWS Organizations, see the multi-account path instead - you can onboard every account in one deployment.
Self-service path (recommended)
You can do this entire flow from the LevelFour dashboard without an onboarding contact in the loop. Go to Connect Accounts → AWS in the dashboard (https://dashboard.levelfour.ai/connect-accounts/aws), click Connect via AWS Console, and the dashboard opens AWS Console with the v2 CloudFormation template pre-loaded. When you click Create stack, the deployed stack pings LevelFour automatically. The dashboard flips to Connected within ~30 seconds and starts ingesting cost data for that account. No emails, no copy-pasting ARNs.
The manual steps below are still here as a fallback when you cannot reach the dashboard (e.g., the customer who actually owns AWS access is separate from the LevelFour admin user).
Prerequisites
- An AWS account with permission to create IAM roles and CloudFormation stacks (typically an admin role)
- The LevelFour Handshake ID provided by your LevelFour onboarding contact
Step 1 - Open the Launch Stack link
Sign in to the AWS account you want to onboard, then click the Launch Stack link below. It opens the CloudFormation console with the LevelFour onboarding template pre-loaded.
https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https://cf-templates-1bsphth8u70q9-us-east-1.s3.amazonaws.com/onboarding/v1/onboarding-levelfour-cloudformation-template.json&stackName=LevelFour
Make sure the top-right account selector shows the AWS account you intend to onboard. Region doesn't matter for IAM resources - leave it on us-east-1.
Step 2 - Enter the handshake ID
CloudFormation shows the template's parameters:
- LevelFourHandshakeID - paste the value LevelFour gave you. Treat it like a secret; don't share or change it.
Leave the stack name as LevelFour (or change it if your team uses a naming convention).
Step 3 - Acknowledge the IAM capability
At the bottom of the page, tick:
I acknowledge that AWS CloudFormation might create IAM resources with custom names.
This consent is required because the template creates a role with a specific name (LevelFourCrossAccountRole) rather than letting AWS auto-generate one. A predictable name is what lets LevelFour locate the role without you having to copy ARNs back to us.
Click Create stack.
Step 4 - Wait for CREATE_COMPLETE
CloudFormation provisions the role. It typically takes 30–60 seconds. Watch the Events tab for progress. When the stack status reaches CREATE_COMPLETE, the role exists in your account.
Step 5 - Confirm the role and notify LevelFour
Open the stack's Outputs tab. You'll see:
- RoleArn - arn:aws:iam::<your-account-id>:role/LevelFourCrossAccountRole
- HandshakeID - the same value you entered (echoed back for verification)
Reply to your LevelFour onboarding contact with the AWS account ID. LevelFour validates that the role works (it attempts an sts:AssumeRole using your handshake ID) and starts ingesting data for that account.
Onboarding more accounts
Repeat steps 1–5 in each additional AWS account, using the same handshake ID. Each account gets its own role with the same predictable name.
If you reach a point where you're onboarding more than 3–4 accounts, switch to the multi-account path - it's one deploy that covers your whole organization.
What the role grants
The role created in your account trusts LevelFour's AWS account (730335248431) and only accepts AssumeRole requests that include your specific LevelFourHandshakeID as the external ID. Its permissions:
- AWS managed ReadOnlyAccess (read-only access to all resources)
- A focused inline policy covering: Cost Explorer, Compute Optimizer, Cost Optimization Hub, Savings Plans, Pricing, AWS Support, Trusted Advisor, S3 Storage Lens, BCM Data Exports, Container Insights, and the IAM service-linked role creation needed to enroll in those services
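To confirm that a deployed role is restricted as described, you can audit its trust policy. The following is an added example, not part of LevelFour's template or tooling: it checks a policy document, such as the Role.AssumeRolePolicyDocument returned by aws iam get-role --role-name LevelFourCrossAccountRole, against the account ID above and your handshake ID. The function name, the sample policy, the handshake value example-handshake-id, and the StringEquals condition form are assumptions.

```python
import json

LEVELFOUR_ACCOUNT = "730335248431"  # trusted account ID stated on this page


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, handshake_id):
    """Return findings for a role trust policy; an empty list means it
    trusts only the LevelFour account and pins the expected external ID."""
    findings = []
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement in trust policy")
    for stmt in allows:
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):      # e.g. "Principal": "*"
            findings.append("wildcard principal")
            continue
        for kind in sorted(set(principal) - {"AWS"}):
            findings.append("unexpected principal type: " + kind)
        for arn in _as_list(principal.get("AWS", [])):
            parts = arn.split(":")
            # Accept a bare account ID or an ARN inside that account.
            account = parts[4] if len(parts) >= 6 else arn
            if account != LEVELFOUR_ACCOUNT:
                findings.append("unexpected trusted principal: " + arn)
        # Assumption: the condition uses the usual StringEquals form.
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition")
        elif _as_list(ext) != [handshake_id]:
            findings.append("sts:ExternalId does not match the handshake ID")
    return findings


# Constructed sample, shaped like Role.AssumeRolePolicyDocument from get-role.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::730335248431:root"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"sts:ExternalId": "example-handshake-id"}}}]}
""")

if __name__ == "__main__":
    for finding in audit_trust_policy(SAMPLE_POLICY, "example-handshake-id") or ["OK"]:
        print(finding)
```

A missing or mismatched external ID condition is the finding that matters most here, since the external ID is what ties AssumeRole requests from the trusted account to your handshake ID.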
You can review the full template before deploying:
https://cf-templates-1bsphth8u70q9-us-east-1.s3.amazonaws.com/onboarding/v1/onboarding-levelfour-cloudformation-template.json
Removing access
To revoke LevelFour's access to an account, delete the CloudFormation stack:
aws cloudformation delete-stack --stack-name LevelFour
This removes the LevelFourCrossAccountRole. LevelFour stops being able to read data from that account immediately.
Troubleshooting
CREATE_FAILED with "Role with name LevelFourCrossAccountRole already exists"
You've already deployed the LevelFour role to this account. Either delete the existing role and re-deploy, or skip - this account is already onboarded.
CREATE_FAILED with an SCP-related error
Your AWS Organizations Service Control Policies are blocking IAM role creation in this account. Talk to your AWS administrator to permit iam:CreateRole, iam:AttachRolePolicy, and iam:PutRolePolicy for the role name LevelFourCrossAccountRole.
Stack succeeded but LevelFour says the role isn't accessible
Double-check that the handshake ID you entered matches exactly what LevelFour provided. If it doesn't, update the stack and re-enter the correct value.