IAM permissions for Essentials
Essentials resource scheduler IAM permissions
As a part of the free nOps platform, we analyze your Cost and Usage Report (CUR) and provide you with scheduler recommendations that you can automate.
To get the full benefit of the nOps Scheduler, you need permissions for two nOps features:
- Essentials Resource Scheduler: to get the scheduling recommendations.
- Essentials Scheduler using EventBridge: to automate the scheduling of resources based on the Essentials Resource Scheduler recommendations.
Note: To enable nSwitch recommendations for any child account, the account must be fully configured, i.e. the Read Only policy must be enabled at the child account level.
What? Why? and How Much?
The following tables describe each permission within the IAM policy:
- First column: the permission name.
- Second column: what the permission is.
- Third column: why the permission is important for nOps.
- Fourth column: what kind of access the permission gives to nOps.
Cost Explorer Permissions
| Cost Explorer | What | Why | Access (Limited: Read) |
|---|---|---|---|
| GetCostAndUsage | Retrieves cost and usage metrics for your account | Used to analyze resource utilization patterns and identify scheduling opportunities | Read: All resources |
S3 Bucket Permissions
| S3 | What | Why | Access (Limited: Read/Write) |
|---|---|---|---|
| s3:* | Full S3 bucket access | Required to read and write CUR reports for analysis | Read/Write: Specific bucket only |
EventBridge Permissions
| EventBridge | What | Why | Access (Limited: Write) |
|---|---|---|---|
| PutEvents | Allows sending events to EventBridge | Used to trigger scheduled actions for resource management | Write: All resources |
EC2 Permissions
| EC2 | What | Why | Access (Limited: Write) |
|---|---|---|---|
| StartInstances | Starts EC2 instances | Used to start instances according to schedule | Write: All resources |
| StopInstances | Stops EC2 instances | Used to stop instances according to schedule | Write: All resources |
RDS Permissions
| RDS | What | Why | Access (Limited: Write) |
|---|---|---|---|
| StopDBInstance | Stops RDS instances | Used to stop database instances according to schedule | Write: All resources |
| StartDBInstance | Starts RDS instances | Used to start database instances according to schedule | Write: All resources |
Auto Scaling Permissions
| Auto Scaling | What | Why | Access (Limited: Write) |
|---|---|---|---|
| UpdateAutoScalingGroup | Modifies Auto Scaling group settings | Used to adjust scaling parameters based on schedule | Write: All resources |
CloudWatch Logs Permissions
| CloudWatch Logs | What | Why | Access (Limited: Write) |
|---|---|---|---|
| PutLogEvents | Writes log events to CloudWatch | Used for logging scheduler activities | Write: All resources |
| CreateLogGroup | Creates CloudWatch log groups | Used to set up logging for scheduler | Write: All resources |
| CreateLogStream | Creates CloudWatch log streams | Used to organize scheduler logs | Write: All resources |
IAM Policy JSON
The permissions required at the payer and linked account(s) for ShareSave nSwitch are:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ce:GetCostAndUsage"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
nOps also requires two CUR reports to be configured, with the following bucket access policy (replace the placeholder with the name of your CUR bucket):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<paste-bucket-name-here>",
        "arn:aws:s3:::<paste-bucket-name-here>/*"
      ]
    }
  ]
}
```
Scheduler Permissions: Lambda and EventBridge
nOps requires the AWS managed AWSLambdaBasicExecutionRole policy, along with the following permissions for the Scheduler Lambda function, so that it can create schedules automatically with the help of EventBridge.
These permissions are required on the child account or master account where the resources to be scheduled reside.
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "events:PutEvents",
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
      "s3:GetObjectTagging",
      "ec2:StartInstances",
      "ec2:StopInstances",
      "rds:StopDBInstance",
      "rds:StartDBInstance",
      "logs:PutLogEvents",
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "autoscaling:UpdateAutoScalingGroup"
    ],
    "Resource": [
      "*"
    ]
  }]
}
```
To get the full CloudFormation YAML template, see nOps Essentials Lambda Function.
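Before attaching the policies above, it is worth checking that what ends up in the account still matches the documented grant: no actions beyond the listed set, no wildcard action on `"Resource": "*"`, and no `<paste-bucket-name-here>` placeholder left in the bucket policy. The following audit script is an added example written for this page, not nOps code; the `DRIFTED_POLICY` sample is constructed to show a policy that has picked up one undocumented action.

```python
import json
import re

# Actions the page's scheduler Lambda policy grants (copied from the JSON above).
DOCUMENTED_SCHEDULER_ACTIONS = {
    "events:PutEvents", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "s3:GetObjectTagging", "ec2:StartInstances", "ec2:StopInstances",
    "rds:StopDBInstance", "rds:StartDBInstance", "logs:PutLogEvents",
    "logs:CreateLogGroup", "logs:CreateLogStream",
    "autoscaling:UpdateAutoScalingGroup",
}
PLACEHOLDER = re.compile(r"<[^>]+>")  # matches e.g. <paste-bucket-name-here>


def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json, expected_actions):
    """Return findings (an empty list means the policy matches the documented grant)."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not audited here
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for res in resources:
            if PLACEHOLDER.search(res):
                findings.append(f"statement {i}: placeholder not replaced in {res}")
        for action in actions:
            if action.endswith("*"):
                # A wildcard action (the page's s3:*) is acceptable only on named ARNs
                if "*" in resources:
                    findings.append(f"statement {i}: {action} granted on all resources")
            elif action not in expected_actions:
                findings.append(f"statement {i}: undocumented action {action}")
    return findings


# Constructed sample: the page's scheduler policy with one extra action added,
# the kind of drift a review should catch before the policy is attached.
DRIFTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(DOCUMENTED_SCHEDULER_ACTIONS) + ["ec2:TerminateInstances"],
        "Resource": ["*"],
    }],
})

if __name__ == "__main__":
    for finding in audit_policy(DRIFTED_POLICY, DOCUMENTED_SCHEDULER_ACTIONS):
        print(finding)
```

The same function can be run over the payer policy (expected actions `{"ce:GetCostAndUsage"}`) and the bucket policy (expected actions `{"s3:*"}`) to confirm each is scoped as the tables describe.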