Yes, in most cases, the permissions required by the ProsperOps platform do not conflict with SCPs.
Service Control Policies (SCPs) are used by many organizations to put guardrails on the maximum permissions available to all linked accounts. An SCP can be written as either an allow list or a deny list, so the services and actions ProsperOps uses must be explicitly allowed (allow list) or not explicitly denied (deny list) for the platform to function properly.
Complete IAM policies can be found here: https://help.prosperops.com/security-access-management#identity-access-management-iam-permissions
Summary of actions required for a Savings Analysis
- Amazon Cost Explorer
  - ce:GetCostAndUsage
  - ce:GetDimensionValues
  - ce:GetReservationCoverage
  - ce:GetReservationUtilization
  - ce:GetSavingsPlansCoverage
  - ce:GetSavingsPlansUtilization
  - ce:GetSavingsPlansUtilizationDetails
- AWS Organizations
  - organizations:DescribeOrganization
  - organizations:ListAccounts
- AWS IAM
  - iam:GetRolePolicy
  - iam:ListRolePolicies
  - iam:SimulatePrincipalPolicy
- Amazon S3
  - s3:CreateBucket
  - s3:ListBucket
  - s3:PutBucketPolicy
  - s3:PutBucketVersioning
  - s3:DeleteObject
  - s3:DeleteObjectVersion
  - s3:GetObject
- AWS Cost and Usage Reports
  - cur:DeleteReportDefinition
  - cur:ModifyReportDefinition
  - cur:PutReportDefinition
  - cur:DescribeReportDefinitions
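One way to check an SCP against the Savings Analysis list above before granting access: an added example (not ProsperOps code) that evaluates SCP documents offline, handling both allow-list and deny-list styles, `Action`/`NotAction`, and IAM wildcard matching. It assumes one SCP per level of the root -> OU -> account path, and the two SCPs at the bottom are constructed samples.

```python
import fnmatch
import json

# Actions this page lists as required for a Savings Analysis.
SAVINGS_ANALYSIS_ACTIONS = [
    "ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetReservationCoverage",
    "ce:GetReservationUtilization", "ce:GetSavingsPlansCoverage",
    "ce:GetSavingsPlansUtilization", "ce:GetSavingsPlansUtilizationDetails",
    "organizations:DescribeOrganization", "organizations:ListAccounts",
    "iam:GetRolePolicy", "iam:ListRolePolicies", "iam:SimulatePrincipalPolicy",
    "s3:CreateBucket", "s3:ListBucket", "s3:PutBucketPolicy", "s3:PutBucketVersioning",
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject",
    "cur:DeleteReportDefinition", "cur:ModifyReportDefinition",
    "cur:PutReportDefinition", "cur:DescribeReportDefinitions",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covered(stmt, action):
    """True if the statement applies to `action` (IAM matching: case-insensitive, * and ?)."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    return not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["NotAction"]))

def blocked_actions(scps, required=SAVINGS_ANALYSIS_ACTIONS):
    """Return the required actions that at least one SCP in `scps` would block.
    Assumption: one SCP per level of the root -> OU -> account path, so every
    document must Allow the action and none may Deny it. Resource and Condition
    elements are ignored (treated as matching), which is conservative for Deny
    statements and optimistic for Allow statements."""
    blocked = set()
    for scp in scps:
        allowed, denied = set(), set()
        for stmt in _as_list(scp["Statement"]):
            for action in required:
                if _covered(stmt, action):
                    (allowed if stmt["Effect"] == "Allow" else denied).add(action)
        blocked.update(a for a in required if a in denied or a not in allowed)
    return sorted(blocked)

# Constructed sample SCPs (not from ProsperOps or AWS): a deny-list style and an allow-list style.
DENY_LIST_SCP = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Effect": "Deny", "Action": ["cur:*", "s3:PutBucketPolicy"], "Resource": "*"}]}""")
ALLOW_LIST_SCP = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ce:Get*", "organizations:*", "iam:*", "s3:*"], "Resource": "*"}]}""")

if __name__ == "__main__":
    for name, scp in [("deny-list", DENY_LIST_SCP), ("allow-list", ALLOW_LIST_SCP)]:
        print(name, "SCP blocks:", blocked_actions([scp]))
```

For the real answer, run `iam:SimulatePrincipalPolicy` against the deployed role, since it also evaluates the OU hierarchy, resource ARNs and conditions this offline check ignores.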
Summary of actions required for active discount management
Management account
- Amazon Cost Explorer
  - ce:*
- Amazon EC2
  - ec2:AcceptReservedInstancesExchangeQuote
  - ec2:CancelReservedInstancesListing
  - ec2:CreateReservedInstancesListing
  - ec2:DescribeAccountAttributes
  - ec2:DescribeAvailabilityZones
  - ec2:DescribeCapacityReservations
  - ec2:DescribeImages
  - ec2:DescribeInstances
  - ec2:DescribeReservedInstances
  - ec2:DescribeReservedInstancesListings
  - ec2:DescribeReservedInstancesModifications
  - ec2:DescribeReservedInstancesOfferings
  - ec2:GetCapacityReservationUsage
  - ec2:GetReservedInstancesExchangeQuote
  - ec2:ModifyReservedInstances
  - ec2:PurchaseReservedInstancesOffering
- AWS Organizations
  - organizations:DescribeOrganization
  - organizations:ListAccounts
- AWS Savings Plans
  - savingsplans:*
- AWS IAM
  - iam:GetRolePolicy
  - iam:ListRolePolicies
  - iam:SimulatePrincipalPolicy
- Amazon SNS
  - sns:CreateTopic
  - sns:GetTopicAttributes
  - sns:ListSubscriptionsByTopic
  - sns:SetTopicAttributes
  - sns:Subscribe
- Amazon EventBridge
  - events:DescribeRule
  - events:ListTargetsByRule
  - events:PutRule
  - events:PutTargets
- Amazon S3
  - s3:CreateBucket
  - s3:ListBucket
  - s3:PutBucketPolicy
  - s3:PutBucketVersioning
  - s3:DeleteObject
  - s3:DeleteObjectVersion
  - s3:GetObject
- AWS Cost and Usage Reports
  - cur:DescribeReportDefinitions
  - cur:DeleteReportDefinition
  - cur:ModifyReportDefinition
  - cur:PutReportDefinition
Member accounts
- Amazon Cost Explorer
  - ce:*
- Amazon EC2
  - ec2:AcceptReservedInstancesExchangeQuote
  - ec2:CancelReservedInstancesListing
  - ec2:CreateReservedInstancesListing
  - ec2:DescribeAccountAttributes
  - ec2:DescribeAvailabilityZones
  - ec2:DescribeCapacityReservations
  - ec2:DescribeImages
  - ec2:DescribeInstances
  - ec2:DescribeReservedInstances
  - ec2:DescribeReservedInstancesListings
  - ec2:DescribeReservedInstancesModifications
  - ec2:DescribeReservedInstancesOfferings
  - ec2:GetCapacityReservationUsage
  - ec2:GetReservedInstancesExchangeQuote
  - ec2:ModifyReservedInstances
  - ec2:PurchaseReservedInstancesOffering
- AWS Organizations
  - organizations:DescribeOrganization
- AWS Savings Plans
  - savingsplans:*
- AWS IAM
  - iam:GetRolePolicy
  - iam:ListRolePolicies
  - iam:SimulatePrincipalPolicy
- Amazon SNS
  - sns:CreateTopic
  - sns:GetTopicAttributes
  - sns:ListSubscriptionsByTopic
  - sns:SetTopicAttributes
  - sns:Subscribe
- Amazon EventBridge
  - events:DescribeRule
  - events:ListTargetsByRule
  - events:PutRule
  - events:PutTargets