AWS permissions needed by Cloud Cruiser

This article is a detailed list of credentials and permissions that you set up in your Amazon Web Services (AWS) accounts to give Cloud Cruiser the ability to collect data and, in limited cases, make changes for you.

For each AWS user to which you grant these permissions, you must provide an access key ID and a secret key to Cloud Cruiser.

Usage and cost data

The permissions in this section are needed for Cloud Cruiser to collect detailed billing reports, which are the primary source of the data you see in reports and analytics.

The following permissions are required on the billing (payer) account for each AWS collection that you create. You cannot create a collection without them.

Because you enter the credentials for usage and billing data into Cloud Cruiser separately from credentials for other access, you can use separate AWS user accounts for these two purposes.

Specific user permissions needed
  • Access to billing information on the account from which Cloud Cruiser will collect usage and billing information. If you use consolidated billing, this is the payer account.
  • The Amazon S3 Read Only policy. If you do not want this policy to provide access to all S3 buckets, you can restrict it to the bucket where this account's detailed billing reports are placed. For the JSON version of the Amazon S3 Read Only policy, see Amazon S3 Read Only in the AWS documentation.

Utilization and other metrics

The permissions in this section are needed for Cloud Cruiser to collect resource utilization, application performance, and operational health data available through the Amazon CloudWatch service. This not only provides richer reporting, but also enables Insights to alert users to take action based on these metrics, such as when a resource is underutilized.

Specific user permissions needed

For each applicable account, the CloudWatchReadOnlyAccess policy. If this policy does not exist in your cloud, you must create a role with the CloudWatch Read Only policy. For the JSON version of the CloudWatch Read Only policy, see CloudWatch Read Only in the AWS documentation. For general information about IAM roles, see Managing IAM Roles in the AWS documentation.

RI advice

The permissions in this section are needed for Cloud Cruiser to read information about your reserved instance (RI) ownership and activity so that the RI Advisor can recommend actions to help you save money using RIs.

Specific user permissions needed

For each applicable account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeReservedInstancesOfferings",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings"
            ],
            "Resource": "*"
        }
    ]
}

Purchasing, selling, and modifying RIs

The permissions in this section are needed for Cloud Cruiser to perform the actions recommended by the RI Advisor, saving several steps over manually performing the same actions in the AWS portal. You can use the RI Advisor to receive advice without these permissions.

Specific user permissions needed

For each applicable account, add the following actions to the Statement for RI advice:

"ec2:PurchaseReservedInstancesOffering",
"ec2:CreateReservedInstancesListing",
"ec2:ModifyReservedInstances",
"rds:PurchaseReservedDBInstancesOffering"

The complete set of permissions for the RI Advisor, to allow both receiving advice and performing actions, is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:PurchaseReservedInstancesOffering",
                "ec2:CreateReservedInstancesListing",
                "ec2:ModifyReservedInstances",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings",
                "rds:PurchaseReservedDBInstancesOffering"
            ],
            "Resource": "*"
        }
    ]
}
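
One way to check which of the two RI permission sets above a given policy document actually grants, so that an account meant for advice only does not also allow purchases or modifications. This is an added example, not Cloud Cruiser's own code: the function name audit_ri_policy and the sample policy are assumptions made for illustration, and the action names are the ones listed on this page.

```python
import json

# Action names copied from the two RI policies on this page.
RI_ADVICE = {
    "ec2:DescribeReservedInstances", "ec2:DescribeReservedInstancesModifications",
    "ec2:DescribeReservedInstancesListings", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeReservedInstancesOfferings", "rds:DescribeReservedDBInstances",
    "rds:DescribeReservedDBInstancesOfferings",
}
RI_CHANGE = {
    "ec2:PurchaseReservedInstancesOffering", "ec2:CreateReservedInstancesListing",
    "ec2:ModifyReservedInstances", "rds:PurchaseReservedDBInstancesOffering",
}

def _as_list(value):
    # IAM accepts either a single value or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def audit_ri_policy(policy_json):
    """Sort every allowed action into advice / change / unexpected (hypothetical helper)."""
    advice = {a.lower(): a for a in RI_ADVICE}   # IAM action names are case-insensitive
    change = {a.lower(): a for a in RI_CHANGE}
    report = {"advice": set(), "change": set(), "unexpected": set()}
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:                  # allows everything except the listed actions
            report["unexpected"].add("NotAction")
        for action in _as_list(stmt.get("Action", [])):
            key = action.lower()
            if key in advice:
                report["advice"].add(advice[key])
            elif key in change:
                report["change"].add(change[key])
            else:                                # wildcards such as rds:* land here, unexpanded
                report["unexpected"].add(action)
    report["missing_advice"] = RI_ADVICE - report["advice"]
    return report

# Constructed sample: the advice policy minus one action, plus a change action and a wildcard.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": sorted(RI_ADVICE - {"ec2:DescribeAvailabilityZones"})
              + ["ec2:modifyreservedinstances", "rds:*"]}]})

if __name__ == "__main__":
    for name, actions in audit_ri_policy(SAMPLE).items():
        print(name, sorted(actions))
```

A non-empty "change" set on an account intended only for RI advice, or any entry under "unexpected", means the policy grants more than this page calls for.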
Last modified
15:29, 20 Oct 2016
