How to review costs across many AWS accounts
If your work spans many AWS accounts — a consultant with several clients, an MSP, or a platform engineer covering every team’s account — the cost review loop in CloudPouch is the same three keystrokes per account: Cmd/Ctrl + K to switch profiles, pick the account, Cmd/Ctrl + Enter to analyze it. There is nothing to install or deploy in any of the accounts, which matters most when the accounts belong to different organizations that are not yours.
One profile per account, once
Section titled “One profile per account, once”CloudPouch reads the same ~/.aws/credentials and ~/.aws/config files as the AWS CLI, so the setup is whatever you already use for CLI work:
- Different clients, different organizations: one profile per client account — static credentials, an SSO profile, or a role-chaining profile with
source_profile. All three types appear in the profile switcher. - Many accounts behind one IAM Identity Center: define a single
sso-sessionblock and reference it from every profile. One browser sign-in then covers all of those profiles until the session expires.
Each account needs read-only permissions for the analysis you want to run — for client engagements, send the client the policy from Create a CloudPouch IAM policy before you start. See Connect an AWS profile for the profile formats in detail.
The review loop
Section titled “The review loop”For each account:
- Press
Cmd/Ctrl + K— the Search AWS profiles… palette opens. Type part of the profile name, pressEnter. The switch is local; no browser, no re-login, no dashboard to rebuild. - Press
Cmd/Ctrl + Enterto start Bulk Cost Insights Analysis for every eligible service (available for the Current Month and Previous Month timeframes). Live badges show each service as Queued, Done, or Failed. - Read the results top-down: start with the insights carrying the largest estimated savings, and note them per account.
- Check the Permission issues panel before concluding an account is clean. It lists every AWS API call that failed — service, region, operation, and error code — so you can tell “nothing to optimize” apart from “CloudPouch wasn’t allowed to look.” For client accounts, this panel is also the exact list of permissions to request next.
Then Cmd/Ctrl + K again, next account.
Compare that with doing the same rounds in the browser: signing out of one account, signing into the next, navigating to Cost Explorer, and setting up the view again — minutes of clicking per account instead of seconds, and worse the more accounts you cover. If that browser routine is your actual pain point, see How to switch between AWS accounts without logging in and out.
Why this works well for client accounts
Section titled “Why this works well for client accounts”Consultants reviewing a client’s AWS spend usually can’t — and shouldn’t — deploy vendor tooling into the client’s account. CloudPouch never asks for that: no CloudFormation stack, no cross-account role to a vendor’s AWS account, no agent. The client grants a read-only policy to a principal you can assume, and the analysis runs from your laptop.
The data path fits client engagements for the same reason: cost and resource data flows between the client’s AWS account and your machine, and results are stored locally — there is no vendor-side copy of the client’s billing data to explain in a security review. Details in Desktop app vs SaaS.
Two things the profile switch does not remove: each profile still needs valid credentials (an expired SSO session triggers the browser sign-in once, then you’re back in the app), and CloudPouch analyzes one account at a time — it is a per-account review loop, not a consolidated multi-account dashboard.