AWS - Root/Payer Account Integration

The following set of instructions will walk you through the process of setting up Tenacity in your AWS Root/Payer account.

If you need Integration instructions for the sub-accounts in your AWS Organization please follow the instructions located here: AWS-Sub-Account Integration

Note: The AWS sub-organization account deployment steps are dependent on the completion of the AWS Root/Payer Account Integration.

First let's talk about what we're going to create in your AWS account:

  • An IAM Role, which grants Tenacity's SaaS platform the ability access your account from Tenacity’s AWS account
  • IAM policies which allow the role created read only access to your AWS Account
  • IAM Policies
  • A Lambda function that creates an AWS Cost and Usage report
  • An S3 bucket where AWS delivers the Cost and Usage Report


  • Access to your AWS Root/Payer account with a user that has access to create a CloudFormation Stack as well as IAM Roles and Policies.
  • The Root/Payer and Sub-Organization AWS Account ID's you want protected by Tenacity
  • Approximately 15-30 minutes of available time (depending on how many sub-organizations you have)

If you encounter any problems along the way, please don't hesitate to chat with using the widget in the bottom right hand corner.

CloudFormation Integration Process

Please copy the CloudFormation link we provided you.

  1. Login to your AWS Root/Payer AWS account
  2. Copy and Paste or click the CloudFormation link provided by Tenacity
  3. Edit the name of the CloudFormation stack (if you'd like)
  4. Enter in all of your AWS account numbers in the specified box, separated by comma's
  5. Note: Your Root/Payer account number should be entered here, along with all your sub-account ID's connected to your Root/Payer account through AWS Organizations.
  6. Check the acknowledgement boxes at the bottom
  7. Click Create Stack
  8. Note: if you experience any issues please don't hesitate to reach out to us via the chat in the bottom right hand corner of this page.

Wrapping Up:

After we've received your account specific values we will initiate the deployment of your Tenacity account and send you an email when the process is complete. Compliance scoring and deep insights into your costs in AWS take some time to populate into our platform, but don’t worry we will send you an additional email as soon as they are available in the console. This typically takes about 60 minutes.