Limited IAM Permissions for AWS Compute Active Discount Management

To monitor your global compute usage and actively manage an optimal portfolio of Reserved Instances and Savings Plans, we require limited IAM permissions. The specific permission set depends on which mode the ProsperOps platform is operating in for your AWS organization:

1. Real-time mode (default) - Direct customers generally operate in this mode. Our platform receives real-time state change notifications and immediately reacts. Optimization activities occur the fastest in this mode.

2. Lagging mode - Reseller customers operate in this mode. Our platform operates purely from the AWS Cost and Usage Report (CUR), which lags behind the time at which compute changes occur. Our platform reacts on CUR update cycles, so optimization activities generally happen multiple times per day.

Regardless of mode, we're firm believers in the security principle of least privilege, so our permission sets include the minimum amount of access we need to run and nothing more.

At no point in time do we have the ability to:

  • Access your compute data plane (e.g. instances, clusters, containers)
  • Manipulate the compute control plane (e.g. start or terminate an instance, cluster, or task)
  • Access your data, whether local or in a managed storage/datastore service

Read more: What level of access ProsperOps needs

Real-time mode

In Real-time mode, we require one set of permissions on the AWS Management account and a separate, smaller permission set on all AWS Member accounts.

Management Account

These permissions allow us to:

  • Access Cost Explorer data
  • Set up and access a Cost and Usage Report (CUR)
  • Understand the EC2 instances and images being used
  • Establish a real-time event feed of EC2 instance state change notifications
  • Fully manage EC2 Reserved Instances
  • Fully manage Savings Plans
  • Understand EC2 Capacity Reservations
  • Understand and increase the monthly EC2 Reserved Instance purchase service quota limit
  • Understand Organizations metadata and AWS account structure
  • Verify our permissions are applied correctly

The Real-time mode Management account IAM policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:Get*",
                "ce:List*",
                "cur:DescribeReportDefinitions",
                "ec2:AcceptReservedInstancesExchangeQuote",
                "ec2:CancelReservedInstancesListing",
                "ec2:CreateReservedInstancesListing",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeCapacityReservations",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:GetCapacityReservationUsage",
                "ec2:GetReservedInstancesExchangeQuote",
                "ec2:ModifyReservedInstances",
                "ec2:PurchaseReservedInstancesOffering",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "savingsplans:CreateSavingsPlan",
                "savingsplans:ReturnSavingsPlan",
                "savingsplans:Describe*",
                "servicequotas:GetServiceQuota",
                "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "arn:aws:iam::*:role/ProsperOps"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptionsByTopic",
                "sns:SetTopicAttributes",
                "sns:Subscribe"
            ],
            "Resource": "arn:aws:sns:*:*:ProsperOps-EC2-Instance-State-Changes"
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets"
            ],
            "Resource": "arn:aws:events:*:*:rule/ProsperOps-EC2-Instance-State-Changes"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::prosperops-cur-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::prosperops-cur-*/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cur:DeleteReportDefinition",
                "cur:ModifyReportDefinition",
                "cur:PutReportDefinition"
            ],
            "Resource": "arn:aws:cur:*:*:definition/prosperops-*"
        },
        {
            "Effect": "Allow",
            "Action": "servicequotas:RequestServiceQuotaIncrease",
            "Resource": "arn:aws:servicequotas:*:*:ec2/L-D0B7243C"
        }
    ]
}
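A way to check a policy document like the one above against the "no compute control plane, no customer data" claim, as an added example that is not ProsperOps' own tooling: it applies IAM's wildcard action matching and reports any denied action that some Allow statement would grant. The denylist and both sample policies are constructed assumptions for the example; feed any of the page's policy documents to find_violations to review them the same way.

```python
import fnmatch
import json

# Actions the page says are never granted (compute control plane, customer data).
# Assumed denylist for this example; value = resource-ARN prefix where the action
# is acceptable (None = never acceptable).
DENIED = {
    "ec2:RunInstances": None, "ec2:StartInstances": None,
    "ec2:StopInstances": None, "ec2:TerminateInstances": None,
    "ecs:StopTask": None, "eks:DeleteCluster": None, "dynamodb:GetItem": None,
    "s3:GetObject": "arn:aws:s3:::prosperops-cur-",  # CUR delivery bucket only
}

def action_grants(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allow_pairs(policy: dict) -> list[tuple[str, str]]:
    """Flatten every Allow statement into (action_pattern, resource) pairs."""
    stmts = policy["Statement"]
    pairs = []
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        if s.get("Effect") != "Allow":
            continue
        acts, res = s.get("Action", []), s.get("Resource", [])
        acts = [acts] if isinstance(acts, str) else acts
        res = [res] if isinstance(res, str) else res
        pairs.extend((a, r) for a in acts for r in res)
    return pairs

def find_violations(policy: dict) -> list[str]:
    """List every denied action some Allow statement would grant, with its resource."""
    hits = set()
    for pattern, resource in allow_pairs(policy):
        for denied, ok_prefix in DENIED.items():
            if not action_grants(pattern, denied):
                continue
            if ok_prefix is not None and resource.startswith(ok_prefix):
                continue  # e.g. reading CUR files from the prosperops-cur-* bucket
            hits.add(f"{denied} on {resource} (via {pattern})")
    return sorted(hits)

# Constructed policy in the shape of the page's Member account policy: expect no hits.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ce:Get*", "ec2:DescribeInstances",
   "ec2:PurchaseReservedInstancesOffering", "savingsplans:Describe*"], "Resource": "*"},
  {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::prosperops-cur-*/*"}]}""")
# Over-broad variant a reviewer should reject: "ec2:*" instead of named ec2 actions.
BROAD = json.loads(json.dumps(SAMPLE).replace("ec2:DescribeInstances", "ec2:*"))
```

The page-shaped policy yields no findings, while the over-broad variant reports the four EC2 lifecycle actions that "ec2:*" on "*" would grant.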

Member Accounts

These permissions allow us to:

  • Understand the EC2 instances and images being used
  • Establish a real-time event feed of EC2 instance state change notifications
  • Fully manage EC2 Reserved Instances
  • Fully manage Savings Plans
  • Understand EC2 Capacity Reservations
  • Understand and increase the monthly EC2 Reserved Instance purchase service quota limit
  • Understand Organizations metadata
  • Verify our permissions are applied correctly

The Real-time mode Member account IAM policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AcceptReservedInstancesExchangeQuote",
                "ec2:CancelReservedInstancesListing",
                "ec2:CreateReservedInstancesListing",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeCapacityReservations",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:GetCapacityReservationUsage",
                "ec2:GetReservedInstancesExchangeQuote",
                "ec2:ModifyReservedInstances",
                "ec2:PurchaseReservedInstancesOffering",
                "organizations:DescribeOrganization",
                "savingsplans:CreateSavingsPlan",
                "savingsplans:ReturnSavingsPlan",
                "savingsplans:Describe*",
                "servicequotas:GetServiceQuota",
                "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "arn:aws:iam::*:role/ProsperOps"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptionsByTopic",
                "sns:SetTopicAttributes",
                "sns:Subscribe"
            ],
            "Resource": "arn:aws:sns:*:*:ProsperOps-EC2-Instance-State-Changes"
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets"
            ],
            "Resource": "arn:aws:events:*:*:rule/ProsperOps-EC2-Instance-State-Changes"
        },
        {
            "Effect": "Allow",
            "Action": "servicequotas:RequestServiceQuotaIncrease",
            "Resource": "arn:aws:servicequotas:*:*:ec2/L-D0B7243C"
        }
    ]
}


Lagging mode

In Lagging mode, we require one set of permissions on the AWS Management account and a separate, smaller permission set on any AWS Member accounts where RI or SP commitment will reside (which may be none). For resellers, no permissions are required on end-customer accounts.

Management Account

These permissions allow us to:

  • Access Cost Explorer data
  • Set up and access a Cost and Usage Report (CUR)
  • Fully manage EC2 Reserved Instances
  • Fully manage Savings Plans
  • Understand and increase the monthly EC2 Reserved Instance purchase service quota limit
  • Understand Organizations metadata and AWS account structure
  • Verify our permissions are applied correctly

The Lagging mode Management account IAM policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:Get*",
                "ce:List*",
                "cur:DescribeReportDefinitions",
                "ec2:AcceptReservedInstancesExchangeQuote",
                "ec2:CancelReservedInstancesListing",
                "ec2:CreateReservedInstancesListing",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:GetReservedInstancesExchangeQuote",
                "ec2:ModifyReservedInstances",
                "ec2:PurchaseReservedInstancesOffering",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "savingsplans:CreateSavingsPlan",
                "savingsplans:ReturnSavingsPlan",
                "savingsplans:Describe*",
                "servicequotas:GetServiceQuota",
                "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "arn:aws:iam::*:role/ProsperOps"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::prosperops-cur-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::prosperops-cur-*/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cur:DeleteReportDefinition",
                "cur:ModifyReportDefinition",
                "cur:PutReportDefinition"
            ],
            "Resource": "arn:aws:cur:*:*:definition/prosperops-*"
        },
        {
            "Effect": "Allow",
            "Action": "servicequotas:RequestServiceQuotaIncrease",
            "Resource": "arn:aws:servicequotas:*:*:ec2/L-D0B7243C"
        }
    ]
}

Member Accounts (if applicable, only where RI or SP commitment will reside)

These permissions allow us to:

  • Fully manage EC2 Reserved Instances
  • Fully manage Savings Plans
  • Understand and increase the monthly EC2 Reserved Instance purchase service quota limit
  • Understand Organizations metadata
  • Verify our permissions are applied correctly

The Lagging mode Member account IAM policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AcceptReservedInstancesExchangeQuote",
                "ec2:CancelReservedInstancesListing",
                "ec2:CreateReservedInstancesListing",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:GetReservedInstancesExchangeQuote",
                "ec2:ModifyReservedInstances",
                "ec2:PurchaseReservedInstancesOffering",
                "organizations:DescribeOrganization",
                "savingsplans:CreateSavingsPlan",
                "savingsplans:ReturnSavingsPlan",
                "savingsplans:Describe*",
                "servicequotas:GetServiceQuota",
                "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "arn:aws:iam::*:role/ProsperOps"
        },
        {
            "Effect": "Allow",
            "Action": "servicequotas:RequestServiceQuotaIncrease",
            "Resource": "arn:aws:servicequotas:*:*:ec2/L-D0B7243C"
        }
    ]
}