iam-policy-scheduler.md

title: IAM permissions for Essentials
keywords: iam policies, iam, setup, onboarding, nswitch, sharesave
tags: onboarding, iam
sidebar: mydoc_sidebar
permalink: iam-policy-scheduler.html
folder, series: GettingStarted, Onboarding, IAM, Essentials
weight: 3.0

Essentials resource scheduler IAM permissions

As a part of the free nOps platform, we analyze your Cost and Usage Report (CUR) and provide you with scheduler recommendations that you can automate.

In order to extract the full potential of the nOps Scheduler, you need permissions for two nOps features:

Note: To enable nSwitch recommendations for any child account, the account must be fully configured, i.e., ReadOnly policy access must be enabled at the child account level.

Access CUR data to analyze utilization

The permissions required at the payer and linked account(s) for ShareSave nSwitch are:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ce:GetCostAndUsage"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

nOps also requires two CUR reports to be configured, with the following bucket access policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<paste-bucket-name-here>",
        "arn:aws:s3:::<paste-bucket-name-here>/*"
      ]
    }
  ]
}

Scheduler Permissions: Lambda and EventBridge

nOps requires the AWS managed AWSLambdaBasicExecutionRole permissions, along with the following permissions, so that the Scheduler Lambda function can automatically create schedules with the help of EventBridge:

These permissions are required on the child account or master account where the resources to be scheduled reside.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "events:PutEvents",
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:GetObjectTagging",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "rds:StopDBInstance",
            "rds:StartDBInstance",
            "logs:PutLogEvents",
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "autoscaling:UpdateAutoScalingGroup"
        ],
        "Resource": [
            "*"
        ]
    }]
}
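Before attaching these policies, a reviewer can list every Allow that relies on a service-wide wildcard action or on `"Resource": "*"` for an action that can be limited to specific ARNs. The check below is an added example, not nOps code; the `SCOPABLE` set and the `audit` and `as_list` helpers are assumptions made for this illustration, and the policies are copied from this page.

```python
# Actions on this page that accept resource ARNs instead of "*".
# Editor's list for this example, not an exhaustive AWS reference.
SCOPABLE = {
    "events:PutEvents", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "s3:GetObjectTagging", "ec2:StartInstances", "ec2:StopInstances",
    "rds:StopDBInstance", "rds:StartDBInstance", "logs:PutLogEvents",
    "logs:CreateLogGroup", "logs:CreateLogStream",
    "autoscaling:UpdateAutoScalingGroup",
}

# The page's policies, embedded so the check runs offline.
CUR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["ce:GetCostAndUsage"], "Effect": "Allow", "Resource": "*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "s3:*", "Effect": "Allow", "Resource": [
        "arn:aws:s3:::<paste-bucket-name-here>",
        "arn:aws:s3:::<paste-bucket-name-here>/*"]}]}
# Same 13 actions as the page's Scheduler policy, all on Resource "*".
SCHEDULER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(SCOPABLE), "Resource": ["*"]}]}


def as_list(value):
    """IAM accepts a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def audit(policy):
    """Return (finding, action) pairs for each Allow statement."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        any_resource = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(("wildcard-action", action))
            elif any_resource and action in SCOPABLE:
                findings.append(("unscoped-resource", action))
    return findings


if __name__ == "__main__":
    for name in ("CUR_POLICY", "BUCKET_POLICY", "SCHEDULER_POLICY"):
        for finding, action in audit(globals()[name]):
            print(f"{name}: {finding}: {action}")
```

Each finding marks a place to consider narrowing `Resource` to specific ARNs or adding conditions; the page does not state whether the nOps Scheduler works with a narrower policy, so test any tightening before rollout.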

To get the full CloudFormation YAML template, see nOps Essentials Lambda Function.



{% include custom/series_related.html %}