IAM permissions for Essentials

Essentials resource scheduler IAM permissions

As a part of the free nOps platform, we analyze your Cost and Usage Report (CUR) and provide you with scheduler recommendations that you can automate.

In order to extract the full potential of the nOps Scheduler, you need permissions for two nOps features:

Essentials Resource Scheduler: To get the scheduling recommendations.
Essentials Scheduler using Eventbridge: To automate the scheduling of resources based on the Essentials Resource Scheduler recommendations.

Note: To enable nSwitch recommendations for any child account, it is necessary to get the account fully configured. i.e. to enable the Read Only policy access at the child account level.

What? Why? and How Much?

The following tables describe each permission within the IAM policy:

First column: Permission name.
Second column: What the permission is?
Third column: Why the permission is important for nOps?
Fourth column: What kind of access the permission gives to nOps?

Cost Explorer Permissions

Cost Explorer	What	Why	Access (Limited: Read)
GetCostAndUsage	Retrieves cost and usage metrics for your account	Used to analyze resource utilization patterns and identify scheduling opportunities	Read: All resources

S3 Bucket Permissions

S3	What	Why	Access (Limited: Read/Write)
s3:*	Full S3 bucket access	Required to read and write CUR reports for analysis	Read/Write: Specific bucket only

EventBridge Permissions

EventBridge	What	Why	Access (Limited: Write)
PutEvents	Allows sending events to EventBridge	Used to trigger scheduled actions for resource management	Write: All resources

EC2 Permissions

EC2	What	Why	Access (Limited: Write)
StartInstances	Starts EC2 instances	Used to start instances according to schedule	Write: All resources
StopInstances	Stops EC2 instances	Used to stop instances according to schedule	Write: All resources

RDS Permissions

RDS	What	Why	Access (Limited: Write)
StopDBInstance	Stops RDS instances	Used to stop database instances according to schedule	Write: All resources
StartDBInstance	Starts RDS instances	Used to start database instances according to schedule	Write: All resources

Auto Scaling Permissions

Auto Scaling	What	Why	Access (Limited: Write)
UpdateAutoScalingGroup	Modifies Auto Scaling group settings	Used to adjust scaling parameters based on schedule	Write: All resources

CloudWatch Logs Permissions

CloudWatch Logs	What	Why	Access (Limited: Write)
PutLogEvents	Writes log events to CloudWatch	Used for logging scheduler activities	Write: All resources
CreateLogGroup	Creates CloudWatch log groups	Used to set up logging for scheduler	Write: All resources
CreateLogStream	Creates CloudWatch log streams	Used to organize scheduler logs	Write: All resources

IAM Policy JSON

The permissions required at the payer and linked account(s) for ShareSave nSwitch are:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ce:GetCostAndUsage"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

nOps also required two CUR reports to be configured, with the following bucket access policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<paste-bucket-name-here>",
        "arn:aws:s3:::<paste-bucket-name-here>/*"
      ]
    }
  ]
}

Scheduler Permissions: Lambda and Eventbridge

nOps requires AWS managed AWSLambdaBasicExecutionRole permissions along with the following permission for Scheduler Lambda Function to automatically create schedules with the help of EventBridge:

These permissions are required on the child account or master account where the resources to be scheduled reside.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "events:PutEvents",
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:GetObjectTagging",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "rds:StopDBInstance",
            "rds:StartDBInstance",
            "logs:PutLogEvents",
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "autoscaling:UpdateAutoScalingGroup"
        ],
        "Resource": [
            "*"
        ]
    }]
}

To get the full CloudFormation YAML template, see nOps Essentials Lambda Function.

Essentials resource scheduler IAM permissions​

What? Why? and How Much?​

Cost Explorer Permissions​

S3 Bucket Permissions​

EventBridge Permissions​

EC2 Permissions​

RDS Permissions​

Auto Scaling Permissions​

CloudWatch Logs Permissions​

IAM Policy JSON​

Scheduler Permissions: Lambda and Eventbridge​