
Limited IAM Permissions for Savings Analysis

To perform our Savings Analysis, we require extremely limited API permissions on your AWS management account. We're firm believers in the security principle of least privilege, so our permission set includes the minimum amount of access we need to run our analysis and nothing more.

At no point do we have the ability to:

  • Access your compute data plane (e.g. instances, clusters, containers)
  • Manipulate the compute control plane (e.g. start or terminate an instance, cluster, or task)
  • Access your data, whether local or in a managed storage/datastore service

Read more: What level of access ProsperOps needs


These permissions will allow us to:

  • Access Cost Explorer, which we use to analyze 12 months of daily historical cost and usage data
  • Set up and access a Cost and Usage Report (CUR), which we use to analyze recent hourly volatility patterns
  • Understand Organizations metadata and AWS account structure
  • Verify our permissions are applied correctly

The actual IAM policy is:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "ce:GetCostAndUsage",
                "ce:GetDimensionValues",
                "ce:GetReservationCoverage",
                "ce:GetReservationUtilization",
                "ce:GetSavingsPlansCoverage",
                "ce:GetSavingsPlansUtilization",
                "ce:GetSavingsPlansUtilizationDetails",
                "cur:DescribeReportDefinitions",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:role/ProsperOps"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutBucketPolicy",
                "s3:PutBucketVersioning"
            ],
            "Resource": [
                "arn:aws:s3:::prosperops-cur-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::prosperops-cur-*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cur:DeleteReportDefinition",
                "cur:ModifyReportDefinition",
                "cur:PutReportDefinition"
            ],
            "Resource": [
                "arn:aws:cur:*:*:definition/prosperops-*"
            ]
        }
    ]
}
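As an added check (example code written here, not ProsperOps code), the following Python lints a policy document against the shape described above: read-only actions may carry a wildcard resource, mutating actions must be pinned to prosperops-prefixed ARNs, and no service outside Cost Explorer, CUR, Organizations, IAM and S3 appears. The policy from this page is embedded so the check runs offline; the same function can be run on the document returned by `aws iam get-role-policy` for the role you actually created.

```python
import re

# Services the article says the analysis touches. Anything else (ec2, ecs,
# eks, rds, lambda, ...) would contradict the "no compute, no data" claim.
EXPECTED_SERVICES = {"ce", "cur", "organizations", "iam", "s3"}
READ_ONLY = re.compile(r"^(Get|List|Describe|Simulate)")

# The policy from the article, as a Python dict so the check runs offline.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ["*"], "Action": [
        "ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetReservationCoverage",
        "ce:GetReservationUtilization", "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansUtilization", "ce:GetSavingsPlansUtilizationDetails",
        "cur:DescribeReportDefinitions", "organizations:DescribeOrganization",
        "organizations:ListAccounts"]},
    {"Effect": "Allow", "Resource": ["arn:aws:iam::*:role/ProsperOps"], "Action": [
        "iam:GetRolePolicy", "iam:ListRolePolicies", "iam:SimulatePrincipalPolicy"]},
    {"Effect": "Allow", "Resource": ["arn:aws:s3:::prosperops-cur-*"], "Action": [
        "s3:CreateBucket", "s3:ListBucket", "s3:PutBucketPolicy", "s3:PutBucketVersioning"]},
    {"Effect": "Allow", "Resource": ["arn:aws:s3:::prosperops-cur-*/*"], "Action": [
        "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject"]},
    {"Effect": "Allow", "Resource": ["arn:aws:cur:*:*:definition/prosperops-*"], "Action": [
        "cur:DeleteReportDefinition", "cur:ModifyReportDefinition", "cur:PutReportDefinition"]},
]}

def lint_policy(policy):
    """Return findings (strings). An empty list means every Allow statement
    fits the article's shape: read-only actions may use a wildcard resource,
    mutating actions are pinned to prosperops-* ARNs, only expected services."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny can only narrow access, so it is not a finding
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if "*" in action:
                findings.append(f"stmt {idx}: wildcard action {action}")
                continue
            service, _, name = action.partition(":")
            if service not in EXPECTED_SERVICES:
                findings.append(f"stmt {idx}: unexpected service in {action}")
            if READ_ONLY.match(name):
                continue
            for res in resources:  # mutating action: resource must be scoped
                if res == "*" or "prosperops" not in res.lower():
                    findings.append(f"stmt {idx}: {action} allowed on {res}")
    return findings
```

Run it against the role's actual inline or attached policy before granting access; any finding means the document drifted from the published minimum.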