AWS Data Sources - Troubleshooting & FAQ
This page covers common issues and questions when configuring AWS data sources in CerteroX. For setup instructions, see Configuring AWS Data Sources.
Cost data is missing or much lower than expected
Symptom: The data source connects successfully but only shows a small fraction of your total AWS spend (e.g. $100 when your actual spend is thousands).
Likely cause: The data export was created from a member account rather than the management (payer) account of your AWS Organization.
In AWS Organizations, consolidated billing data for all linked accounts is only available from the management account. A data export created from a member account will only contain that individual account's direct charges.
Resolution:
In the AWS Console, go to AWS Organizations > Accounts.
Identify the management account — it is labelled with a "Management account" badge.
Sign in to the management account and create the data export from there.
Update or recreate the CerteroX data source using the new export details.
If the data export is confirmed to be from the management account, see also Only seeing root account costs — linked account data is missing below.
Only seeing root account costs — linked account data is missing
Symptom: The data export is from the management account and the S3 bucket contains a full CUR, but CerteroX only shows costs for the root account — not for linked (member) accounts.
Cause: By default, CerteroX only imports billing data for accounts that have been explicitly added as data sources. If the CUR contains costs for 10 linked accounts but only the root account is connected in CerteroX, costs for the other 9 are skipped.
Resolution — Option 1: Enable "Force import of linked accounts"
This is the quickest fix. It tells CerteroX to import billing data for all linked accounts found in the CUR, even if they haven't been individually added as data sources.
Go to Settings > Data Sources.
Click on your root AWS data source.
Click Actions > Update Credentials.
Enable the Force import of linked accounts toggle.
Click Save.
Note: With this option, all linked account costs will be imported and attributed to the root data source. However, features that depend on linked account credentials — such as resource discovery, start/stop scheduling, and resource details — will not work for those accounts.
Resolution — Option 2: Add each linked account individually
For full per-account functionality (resource discovery, scheduling, etc.), add each linked account as a separate data source:
Go to Settings > Data Sources.
Click Actions > Add.
Select AWS and Linked as the connection type.
Enter the access key for an IAM user in that linked account.
Repeat for each linked account.
This approach gives proper per-account attribution and enables all CerteroX features for each account.
"Not enough permissions" error when connecting
Symptom: CerteroX reports a permissions error during connection or data import.
Likely cause: The IAM user's policy is missing required permissions, particularly for CUR 2.0.
Resolution: Ensure the IAM policy includes permissions for both legacy CUR and CUR 2.0:
The bcm-data-exports permissions are required for CUR 2.0 (Standard data export). If you are using the legacy CUR format, cur:DescribeReportDefinitions alone is sufficient — but including all four ensures compatibility with both formats.
"Report files not found" after connecting
Symptom: The data source connects but CerteroX reports that report files cannot be found in the S3 bucket.
Possible causes and resolutions:
The data export was just created. AWS takes up to 24 hours to generate the first report. Wait and check again.
Incorrect export path prefix. In CerteroX, the export path prefix should be the last folder name only, not the full path. For example, if the S3 destination shows certeroxbucket/costreport, enter costreport as the prefix.
CUR version mismatch. Ensure the export type selected in CerteroX (CUR or CUR 2.0) matches the type of export created in AWS. Check this under AWS Billing & Cost Management > Data Exports.
Bucket region issue. The IAM user needs s3:GetBucketLocation permission and the bucket must be accessible from the credentials provided.
"Bucket not found" error
Symptom: CerteroX reports that the S3 bucket cannot be found.
Resolution:
Double-check the bucket name — it must match exactly (bucket names are case-sensitive).
Ensure the IAM user has s3:ListBucket and s3:GetBucketLocation permissions on the bucket.
Verify the bucket has not been deleted or renamed in AWS.
"Unable to create report: report limit reached"
Symptom: CerteroX cannot create a new data export automatically.
Cause: AWS limits the number of Cost and Usage Reports per account (typically 10). You have reached this limit.
Resolution:
Delete unused reports in AWS under Billing & Cost Management > Data Exports.
Alternatively, create the export manually in AWS and use the "Connect only to data in bucket" option in CerteroX instead.
"Unable to create report: quota exceeded"
Symptom: CerteroX cannot create a new CUR 2.0 data export.
Cause: You have reached the AWS service quota for BCM Data Exports.
Resolution:
Review and delete unused exports in Billing & Cost Management > Data Exports.
Request a quota increase via AWS Service Quotas if needed.
Alternatively, create the export manually and connect using the "Connect only to data in bucket" option.
No data for linked accounts
Symptom: A linked (member) AWS account shows no billing data in CerteroX.
Cause: Linked accounts rely on the root (management) account's data export for billing data.
Resolution:
Ensure a root AWS data source is connected in CerteroX with a valid data export from the management account.
Verify the linked account is part of the same AWS Organization as the management account.
If only a linked account is connected without a corresponding root account, CerteroX will not be able to import any billing data.
Data export only contains the current month
Symptom: After creating a new data export, only the current billing month's data appears — no historical data.
Cause: This is expected AWS behaviour. New data exports only generate data from the current billing month onwards. They do not backfill historical months.
Resolution:
If you need historical data, check whether a previous CUR or data export exists that covers earlier months.
Over time, data will accumulate as each billing month completes.
Which export type should I use — CUR or CUR 2.0?
CUR 2.0 (Standard data export) is recommended for new configurations. It is the current AWS standard and provides improved data structure.
Legacy CUR remains supported in CerteroX for existing configurations. AWS continues to support legacy CUR but recommends migrating to CUR 2.0.
If you are migrating from CUR to CUR 2.0, follow the Migrating from CUR to CUR 2.0 section in the configuration guide.
How long does it take for cost data to appear?
After creating a new data export:
AWS takes up to 24 hours to generate the first report file in S3.
CerteroX processes new data on its regular import cycle. After the report appears in S3, data should be visible in CerteroX within a few hours.
If data does not appear after 48 hours, check the data source's Advanced tab in CerteroX for import errors.
Can I use an existing S3 bucket for the data export?
Yes. When creating the data export in AWS, you can select an existing S3 bucket. Ensure:
The bucket policy allows the billingreports.amazonaws.com and bcm-data-exports.amazonaws.com services to write to it (see the bucket policy configuration in the setup guide).
The IAM user has s3:GetObject, s3:ListBucket, and s3:GetBucketLocation permissions on the bucket.