To monitor your global compute usage in real-time and actively manage an optimal portfolio of Reserved Instances and Savings Plans, we require limited API permissions on all AWS accounts in the Organization. We're firm believers in the security principle of least privilege, so our permission set includes the minimum amount of access we need to run and nothing more.

These permissions allow us to:

  • Access Cost Explorer data
  • Access CloudTrail events
  • Set up and access a Cost and Usage Report (CUR)
  • Understand the EC2 instances and images being used
  • Establish a real-time event feed of EC2 instance state change notifications
  • Fully manage EC2 Reserved Instances
  • Fully manage Savings Plans
  • Understand Organizations metadata and AWS account structure
  • Verify our permissions are applied correctly

At no point in time are we able to:

  • access your compute data plane (i.e. instances, clusters, or containers)
  • manipulate the compute control plane (e.g. start or terminate an instance, cluster, or task)
  • access your data, whether local or in a managed storage/datastore service

The actual IAM policy is:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "ce:*",
                "cloudtrail:LookupEvents",
                "cur:DescribeReportDefinitions",
                "ec2:AcceptReservedInstancesExchangeQuote",
                "ec2:CancelReservedInstancesListing",
                "ec2:CreateReservedInstancesListing",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:GetReservedInstancesExchangeQuote",
                "ec2:ModifyReservedInstances",
                "ec2:PurchaseReservedInstancesOffering",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "savingsplans:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:role/ProsperOps"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptionsByTopic",
                "sns:Subscribe"
            ],
            "Resource": [
                "arn:aws:sns:*:*:ProsperOps-EC2-Instance-State-Changes"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets"
            ],
            "Resource": [
                "arn:aws:events:*:*:rule/ProsperOps-EC2-Instance-State-Changes"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::prosperops-cur-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::prosperops-cur-*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cur:PutReportDefinition"
            ],
            "Resource": [
                "arn:aws:cur:*:*:definition/prosperops-*"
            ]
        }
    ]
}

