AWS Identity and Access Management (IAM) Policy

This IAM user policy was last updated on November 18, 2016.

If you haven’t updated your AWS IAM policy for Cloudability since then, you’re not getting the full benefit of our cloud cost management capabilities.

Here’s how you can update to the latest version for all of your organization's payer and linked accounts.


For reference, here is the latest IAM policy for payer accounts, which need S3 bucket access:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "masterpayerblock",
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
    "Resource": [
      "arn:aws:s3:::add-your-s3-bucket",
      "arn:aws:s3:::add-your-s3-bucket/*"
    ]
  }, {
    "Sid": "linkedaccountblock",
    "Effect": "Allow",
    "Action": [
      "cloudwatch:GetMetricStatistics",
      "dynamodb:DescribeTable",
      "dynamodb:ListTables",
      "ec2:DescribeImages",
      "ec2:DescribeInstances",
      "ec2:DescribeRegions",
      "ec2:DescribeReservedInstances",
      "ec2:DescribeReservedInstancesModifications",
      "ec2:DescribeSnapshots",
      "ec2:DescribeVolumes",
      "ecs:DescribeClusters",
      "ecs:DescribeContainerInstances",
      "ecs:ListClusters",
      "ecs:ListContainerInstances",
      "elasticache:DescribeCacheClusters",
      "elasticache:DescribeReservedCacheNodes",
      "elasticache:ListTagsForResource",
      "elasticmapreduce:DescribeCluster",
      "elasticmapreduce:ListClusters",
      "elasticmapreduce:ListInstances",
      "rds:DescribeDBClusters",
      "rds:DescribeDBInstances",
      "rds:DescribeReservedDBInstances",
      "rds:ListTagsForResource",
      "redshift:DescribeClusters",
      "redshift:DescribeReservedNodes",
      "redshift:DescribeTags"
    ],
    "Resource": "*"
  }]
}

And here is the IAM policy for linked accounts, which do not need S3 bucket access:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "linkedaccountblock",
    "Effect": "Allow",
    "Action": [
      "cloudwatch:GetMetricStatistics",
      "dynamodb:DescribeTable",
      "dynamodb:ListTables",
      "ec2:DescribeImages",
      "ec2:DescribeInstances",
      "ec2:DescribeRegions",
      "ec2:DescribeReservedInstances",
      "ec2:DescribeReservedInstancesModifications",
      "ec2:DescribeSnapshots",
      "ec2:DescribeVolumes",
      "ecs:DescribeClusters",
      "ecs:DescribeContainerInstances",
      "ecs:ListClusters",
      "ecs:ListContainerInstances",
      "elasticache:DescribeCacheClusters",
      "elasticache:DescribeReservedCacheNodes",
      "elasticache:ListTagsForResource",
      "elasticmapreduce:DescribeCluster",
      "elasticmapreduce:ListClusters",
      "elasticmapreduce:ListInstances",
      "rds:DescribeDBClusters",
      "rds:DescribeDBInstances",
      "rds:DescribeReservedDBInstances",
      "rds:ListTagsForResource",
      "redshift:DescribeClusters",
      "redshift:DescribeReservedNodes",
      "redshift:DescribeTags"
    ],
    "Resource": "*"
  }]
}
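
A check you can run on your copy of either policy above before attaching it, as an added example (not Cloudability's code): it flags any allowed action that is not a Describe/Get/List call, S3 access that is not scoped to a bucket ARN, and the add-your-s3-bucket placeholder left in place. The name audit_policy and both sample documents are constructed for illustration.

```python
import json

READ_VERBS = ("describe", "get", "list")  # verb prefixes of every action in the policies on this page
PLACEHOLDER = "add-your-s3-bucket"        # template bucket name from the payer policy

def _listify(value):
    """IAM accepts a bare string or object where a list is also valid."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings for a policy that is meant to grant read-only access."""
    findings = []
    for stmt in _listify(policy["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: Allow with NotAction/NotResource grants everything not listed")
        actions = _listify(stmt.get("Action", []))
        resources = _listify(stmt.get("Resource", []))
        for action in actions:
            verb = action.partition(":")[2]
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif not verb.lower().startswith(READ_VERBS):  # IAM action names are case-insensitive
                findings.append(f"{sid}: non-read action {action}")
        uses_s3 = any(a.lower().startswith("s3:") for a in actions)
        for res in resources:
            if uses_s3 and not res.startswith("arn:aws:s3:::"):
                findings.append(f"{sid}: S3 actions not scoped to a bucket ARN ({res})")
            if PLACEHOLDER in res:
                findings.append(f"{sid}: placeholder bucket name not replaced ({res})")
    return findings

# Constructed samples: the payer S3 statement as published, and a widened variant.
TEMPLATE = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "masterpayerblock", "Effect": "Allow",
  "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
  "Resource": ["arn:aws:s3:::add-your-s3-bucket",
               "arn:aws:s3:::add-your-s3-bucket/*"]}]}""")
WIDENED = {"Version": "2012-10-17", "Statement": {
    "Sid": "linkedaccountblock", "Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances", "s3:Get*"], "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in (("template", TEMPLATE), ("widened", WIDENED)):
        print(name, json.dumps(audit_policy(doc), indent=2))
```

A read verb is not the same as low sensitivity: s3:GetObject still reads bucket contents, which is why the bucket-scoping check matters for the payer policy.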


Change Log:

  • November 18, 2016 - updated permissions to include read access to the Describe endpoints that power the new Underutilized Resources report
  • July 20, 2016 - added read access to RDS, Redshift, and ElastiCache endpoints to include these services in RI Amortization, RI Portfolio, and RI Planner
