Onboarding

Enable Automated Savings

Automated Savings attaches a scoped, time-limited IAM policy to a dedicated role named LevelFourSavingsExec whenever you approve a specific savings action, then removes it when the action finishes. Accounts onboarded before this role existed do not have it yet, so you enable it once per account by creating the empty role. The current onboarding templates already include it, so freshly onboarded accounts need nothing here.

However you create the LevelFourSavingsExec role (AWS Console, Terraform, a CloudFormation StackSet, or by hand in IAM), LevelFour detects it automatically, usually within a minute, and clears the update prompt in the dashboard. You do not need to use the in-app link or notify anyone.

The role is created empty, with no attached permissions. It only ever holds the scoped policy for a single approved action, for a short window, and it trusts only LevelFour's AWS account (730335248431) gated by your handshake ID. See what the onboarding stack creates for the full trust model.

One account, from the AWS Console

The fastest path for a single account is the dashboard. Go to Connect Accounts → AWS (https://dashboard.levelfour.ai/connect-accounts/aws). If any connected account is missing the role, an "update available" notice appears with an Update via AWS Console button that opens CloudFormation with the enablement template pre-loaded.

You can also open it directly. Sign in to the account you want to enable, then use the Launch Stack link:

https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https://cf-templates-1bsphth8u70q9-us-east-1.s3.amazonaws.com/onboarding/v2/onboarding-levelfour-enable-savings.template.json&stackName=LevelFour-Enable-Savings&param_LevelFourHandshakeID=

Enter your LevelFourHandshakeID (the value LevelFour gave you), tick the IAM capability acknowledgement, and click Create stack. The stack creates only the empty LevelFourSavingsExec role and finishes in about 30 to 60 seconds.

This stack only adds the role, so it is safe to run in an account that is already connected to LevelFour. If CloudFormation reports that LevelFourSavingsExec already exists, that account is already enabled and there is nothing to do.

With Terraform

If you manage your account in Terraform, add the role to your configuration. It is an empty role; the only permissions it ever receives are the scoped, time-limited policies LevelFour attaches per approved action.

variable "levelfour_handshake_id" {
  type        = string
  description = "The handshake ID LevelFour provided. Treat it like a secret."
}

resource "aws_iam_role" "levelfour_savings_exec" {
  name = "LevelFourSavingsExec"
  path = "/"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::730335248431:root" }
      Action    = "sts:AssumeRole"
      Condition = {
        StringEquals = { "sts:ExternalId" = var.levelfour_handshake_id }
      }
    }]
  })
}

Apply it the same way you manage the rest of the account. LevelFour picks up the role on its next probe.

Across an AWS Organization

The per-account onboarding template that your StackSet deploys already includes the empty LevelFourSavingsExec role, so member accounts onboarded with the current template already have it. You only need to act if your organization was onboarded before the role was added. In that case, redeploy the current onboarding template to your member accounts.

If you created the StackSet directly with the AWS CLI, update it in place. This re-fetches the current template and rolls it out to every targeted account:

aws cloudformation update-stack-set \
  --stack-set-name LevelFour-Onboarding \
  --template-url https://cf-templates-1bsphth8u70q9-us-east-1.s3.amazonaws.com/onboarding/v2/onboarding-levelfour-cloudformation-template.json \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameters ParameterKey=LevelFourHandshakeID,UsePreviousValue=true

If you onboarded with the Launch Stack wrapper, manage the rollout through that wrapper stack rather than updating the StackSet directly, to avoid drift. See multi-account onboarding for the StackSet setup, prerequisites, and template URLs. The management account is covered separately (AWS Organizations excludes it from service-managed StackSet targeting), so enable it with the single-account path above.

Prefer Terraform for your organization? Add the aws_iam_role above to the per-account module or StackSet template you already use to manage LevelFourCrossAccountRole.

Verify

Once the role exists, open Connect Accounts → AWS in the dashboard. The update notice and the header indicator clear on their own within about a minute. Use Re-check on the notice if you want to confirm immediately after applying with Terraform or the CLI. Automated Savings actions that previously reported "not enabled" will then run.

Remove

The role is removed when you delete the stack (or StackSet) that created it, or with terraform destroy if you manage it in Terraform. Deleting the empty role has no effect on the read-only LevelFourCrossAccountRole that LevelFour uses to analyze costs.

AWS - multi-account (Organizations)

Onboard every AWS account in your organization to LevelFour by deploying one CloudFormation StackSet from the management account.

Enable detailed cost data (CUR 2.0)

Turn on a Cost and Usage Report 2.0 data export so LevelFour can analyze granular, resource-level AWS cost data.

On this page

One account, from the AWS ConsoleWith TerraformAcross an AWS OrganizationVerifyRemove