
IAM permissions for Essentials

Essentials resource scheduler IAM permissions

As a part of the free nOps platform, we analyze your Cost and Usage Report (CUR) and provide you with scheduler recommendations that you can automate.

To get the full benefit of the nOps Scheduler, you need permissions for two nOps features:

Note: To enable nSwitch recommendations for any child account, that account must be fully configured, i.e. the Read Only policy access must be enabled at the child account level.

What? Why? and How Much?

The following tables describe each permission within the IAM policy:

  • First column: the permission name.
  • Second column: what the permission is.
  • Third column: why nOps needs the permission.
  • Fourth column: what kind of access the permission gives nOps.

Cost Explorer Permissions

| Cost Explorer | What | Why | Access (Limited: Read) |
|---|---|---|---|
| GetCostAndUsage | Retrieves cost and usage metrics for your account | Used to analyze resource utilization patterns and identify scheduling opportunities | Read: All resources |

S3 Bucket Permissions

| S3 | What | Why | Access (Limited: Read/Write) |
|---|---|---|---|
| s3:* | Full S3 bucket access | Required to read and write CUR reports for analysis | Read/Write: Specific bucket only |

EventBridge Permissions

| EventBridge | What | Why | Access (Limited: Write) |
|---|---|---|---|
| PutEvents | Allows sending events to EventBridge | Used to trigger scheduled actions for resource management | Write: All resources |

EC2 Permissions

| EC2 | What | Why | Access (Limited: Write) |
|---|---|---|---|
| StartInstances | Starts EC2 instances | Used to start instances according to schedule | Write: All resources |
| StopInstances | Stops EC2 instances | Used to stop instances according to schedule | Write: All resources |

RDS Permissions

| RDS | What | Why | Access (Limited: Write) |
|---|---|---|---|
| StopDBInstance | Stops RDS instances | Used to stop database instances according to schedule | Write: All resources |
| StartDBInstance | Starts RDS instances | Used to start database instances according to schedule | Write: All resources |

Auto Scaling Permissions

| Auto Scaling | What | Why | Access (Limited: Write) |
|---|---|---|---|
| UpdateAutoScalingGroup | Modifies Auto Scaling group settings | Used to adjust scaling parameters based on schedule | Write: All resources |

CloudWatch Logs Permissions

| CloudWatch Logs | What | Why | Access (Limited: Write) |
|---|---|---|---|
| PutLogEvents | Writes log events to CloudWatch | Used for logging scheduler activities | Write: All resources |
| CreateLogGroup | Creates CloudWatch log groups | Used to set up logging for scheduler | Write: All resources |
| CreateLogStream | Creates CloudWatch log streams | Used to organize scheduler logs | Write: All resources |

IAM Policy JSON

The permissions required at the payer and linked account(s) for ShareSave nSwitch are:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ce:GetCostAndUsage"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

nOps also requires two CUR reports to be configured, with the following bucket access policy (replace the placeholder with the name of the CUR bucket):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "s3:*",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::<paste-bucket-name-here>",
            "arn:aws:s3:::<paste-bucket-name-here>/*"
          ]
        }
      ]
    }

Scheduler Permissions: Lambda and EventBridge

nOps requires the AWS managed AWSLambdaBasicExecutionRole policy along with the following permissions for the Scheduler Lambda function, so that it can automatically create schedules with the help of EventBridge.

These permissions are required on the child account or master account where the resources to be scheduled reside:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "events:PutEvents",
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:GetObjectTagging",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "rds:StopDBInstance",
            "rds:StartDBInstance",
            "logs:PutLogEvents",
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "autoscaling:UpdateAutoScalingGroup"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
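As an added pre-deployment check (this is example code written for this page, not nOps' own code or part of the CloudFormation template), the Python script below takes constructed copies of the bucket policy and the scheduler Lambda policy shown above and verifies three things a reviewer would want before attaching them: that the `<paste-bucket-name-here>` placeholder has been replaced with a valid bucket name, that `s3:*` is scoped to that one bucket rather than to every bucket, and that the actions granted to the scheduler match the permission tables on this page. Run against the page's own policies it reports that the four S3 object actions in the Lambda policy (GetObject, PutObject, DeleteObject, GetObjectTagging) have no row in the tables, and that every scheduler action is granted on `Resource: "*"`, which is what the "Write: All resources" entries in the tables mean in practice. The bucket name `example-cur-bucket` is a constructed value.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed copy of the CUR bucket policy shown on this page, placeholder included.
BUCKET_POLICY_TEMPLATE = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<paste-bucket-name-here>",
        "arn:aws:s3:::<paste-bucket-name-here>/*"
      ]
    }
  ]
}
"""

# Constructed copy of the scheduler Lambda policy shown on this page.
SCHEDULER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "events:PutEvents",
            "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectTagging",
            "ec2:StartInstances", "ec2:StopInstances",
            "rds:StopDBInstance", "rds:StartDBInstance",
            "logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream",
            "autoscaling:UpdateAutoScalingGroup",
        ],
        "Resource": ["*"],
    }],
}

# Actions that the permission tables on this page document for the scheduler.
DOCUMENTED_SCHEDULER_ACTIONS = {
    "events:PutEvents",
    "ec2:StartInstances", "ec2:StopInstances",
    "rds:StopDBInstance", "rds:StartDBInstance",
    "logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream",
    "autoscaling:UpdateAutoScalingGroup",
}

PLACEHOLDER = "<paste-bucket-name-here>"
# S3 bucket naming rules: 3-63 characters of lowercase letters, digits, dots and hyphens.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value) -> List[str]:
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def render_bucket_policy(template: str, bucket: str) -> Dict:
    """Substitute the real bucket name into the template, rejecting malformed names."""
    if not BUCKET_NAME_RE.match(bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    return json.loads(template.replace(PLACEHOLDER, bucket))


def unresolved_placeholders(policy: Dict) -> List[str]:
    """Resources that still carry the documentation placeholder; must be empty before deploying."""
    return [r for st in policy["Statement"]
            for r in _as_list(st.get("Resource", [])) if PLACEHOLDER in r]


def s3_wildcard_is_bucket_scoped(policy: Dict) -> bool:
    """True when every Allow of s3:* names one concrete bucket ARN, never '*' or a wildcard bucket."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "s3:*" not in _as_list(st.get("Action", [])):
            continue
        for resource in _as_list(st.get("Resource", [])):
            if not resource.startswith(S3_ARN_PREFIX):
                return False
            bucket = resource[len(S3_ARN_PREFIX):].split("/", 1)[0]
            if not bucket or "*" in bucket:
                return False
    return True


def allowed_actions(policy: Dict) -> Set[str]:
    """All actions granted by Allow statements."""
    return {a for st in policy["Statement"] if st.get("Effect") == "Allow"
            for a in _as_list(st.get("Action", []))}


def action_drift(policy: Dict, documented: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(actions granted but not documented, documented actions not granted)."""
    granted = allowed_actions(policy)
    return granted - documented, documented - granted


def wildcard_resource_actions(policy: Dict) -> Set[str]:
    """Actions allowed on Resource '*', i.e. against every matching resource in the account."""
    return {a for st in policy["Statement"]
            if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Resource", []))
            for a in _as_list(st.get("Action", []))}


if __name__ == "__main__":
    rendered = render_bucket_policy(BUCKET_POLICY_TEMPLATE, "example-cur-bucket")  # constructed name
    print("unresolved placeholders:", unresolved_placeholders(rendered))
    print("s3:* scoped to one bucket:", s3_wildcard_is_bucket_scoped(rendered))
    extra, missing = action_drift(SCHEDULER_POLICY, DOCUMENTED_SCHEDULER_ACTIONS)
    print("granted but absent from the tables:", sorted(extra))
    print("in the tables but not granted:", sorted(missing))
    print("actions allowed on every resource:", sorted(wildcard_resource_actions(SCHEDULER_POLICY)))
```

The drift check is the part worth keeping in a pipeline: if the policy you attach ever gains an action that the documentation does not account for, the comparison surfaces it before the role is created rather than during a later access review.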

To get the full CloudFormation YAML template, see nOps Essentials Lambda Function.