To monitor your global compute usage in real-time and actively manage an optimal portfolio of Reserved Instances and Savings Plans, we require limited API permissions on all AWS accounts in the Organization. We're firm believers in the security principle of least privilege, so our permission set includes the minimum amount of access we need to run and nothing more.
These permissions allow us to:
- Access Cost Explorer data
- Set up and access a Cost and Usage Report (CUR)
- Understand the EC2 instances and images being used
- Establish a real-time event feed of EC2 instance state change notifications
- Fully manage EC2 Reserved Instances
- Fully manage Savings Plans
- Understand EC2 Capacity Reservations
- Understand Organizations metadata and AWS account structure
- Verify our permissions are applied correctly
At no point in time do we have access to:
- your compute data plane (i.e. instances, clusters, or containers)
- the ability to manipulate the compute control plane (e.g. start or terminate an instance, cluster, or task)
- your data, whether local or in a managed storage/datastore service
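One way to check that a policy granted to a third-party role actually stays inside the boundaries listed above is to evaluate it offline against a list of actions you expect to be granted and a list you expect to be denied. The following is an added example, not ProsperOps code; the sample policy and action lists are constructed for illustration, and the evaluator only handles `Action` with Allow/Deny (it ignores `Resource`, `Condition` and `NotAction`, so treat it as a first-pass check, not a substitute for the IAM policy simulator).

```python
import fnmatch

# Constructed sample policy used only to exercise the checker.
# It is NOT the ProsperOps policy, which this page does not reproduce.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ce:*", "cur:DescribeReportDefinitions", "cur:PutReportDefinition"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:PurchaseReservedInstancesOffering",
                    "ec2:ModifyReservedInstances", "savingsplans:*",
                    "organizations:Describe*", "organizations:List*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:GetRole", "iam:GetRolePolicy", "iam:SimulatePrincipalPolicy"]},
    ],
}

# Control-plane actions a read-only / cost-management role should never hold.
CONTROL_PLANE_ACTIONS = [
    "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances",
    "ec2:RunInstances", "ecs:StopTask", "ecs:RunTask", "eks:DeleteCluster",
]


def action_allowed(policy, action):
    """IAM-style decision for one action: an explicit Deny wins over any Allow,
    and an action matched by no statement is implicitly denied.
    Action names are matched case-insensitively with '*' wildcards, as IAM does."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def control_plane_leaks(policy, actions=CONTROL_PLANE_ACTIONS):
    """Return the control-plane actions this policy would grant (empty list == clean)."""
    return [a for a in actions if action_allowed(policy, a)]


if __name__ == "__main__":
    print("leaks:", control_plane_leaks(SAMPLE_POLICY))
```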
The actual IAM policy is:
Note: <aws_account_number> will automatically be replaced with your account number during our Onboarding process in the ProsperOps Console.
Note: For resellers arbitraging spend on a multi-tenant payer, the permissions above only need to be applied to the management account. No permissions are required on end-customer accounts.