Commitment Management Permissions
Prerequisites
To take advantage of the full nOps Commitment Management Program, you must be subscribed to the nOps AWS Marketplace offering. If you have previously subscribed, see the instructions on configuring Commitment Management to learn how the policies are created.
What? Why? and How Much?
The following tables describe each permission in the IAM policy:
- First column: the permission name.
- Second column: what the permission does.
- Third column: why nOps needs the permission.
- Fourth column: what kind of access the permission gives nOps.
Payer Account S3 Permissions
S3 | What | Why | Access (Limited: Read/Write) |
---|---|---|---|
ListBucket | Lists the contents of a bucket | Allows nOps to view CUR report contents | Read: Specific bucket |
GetObject | Retrieves objects from S3 | Used to read CUR reports for analysis | Read: Specific bucket |
PutObject | Uploads objects to S3 | Used to manage CUR report data | Write: Specific bucket |
DeleteObject | Deletes objects from S3 | Used to manage CUR report lifecycle | Write: Specific bucket |
Linked Account EC2 Permissions
EC2 | What | Why | Access (Limited: Read/Write) |
---|---|---|---|
DescribeReservedInstances | Lists reserved instances | Used to analyze current RI inventory | Read: All resources |
DescribeReservedInstancesListings | Lists RI marketplace listings | Used to track RI marketplace activity | Read: All resources |
DescribeReservedInstancesModifications | Lists RI modifications | Used to track RI changes | Read: All resources |
DescribeReservedInstancesOfferings | Lists available RI offerings | Used to find suitable RI purchases | Read: All resources |
ModifyReservedInstances | Modifies existing RIs | Used to optimize RI utilization | Write: All resources |
PurchaseReservedInstancesOffering | Purchases new RIs | Used to acquire cost-saving RIs | Write: All resources |
CreateReservedInstancesListing | Lists RIs on marketplace | Used to sell unused RIs | Write: All resources |
CancelReservedInstancesListing | Removes RI marketplace listings | Used to manage RI sales | Write: All resources |
GetReservedInstancesExchangeQuote | Gets RI exchange quotes | Used to evaluate RI exchanges | Read: All resources |
AcceptReservedInstancesExchangeQuote | Accepts RI exchange quotes | Used to execute RI exchanges | Write: All resources |
Linked Account RDS Permissions
RDS | What | Why | Access (Limited: Read/Write) |
---|---|---|---|
DescribeReservedDBInstances | Lists RDS reserved instances | Used to analyze current RDS RI inventory | Read: All resources |
DescribeReservedDBInstancesOfferings | Lists RDS RI offerings | Used to find suitable RDS RI purchases | Read: All resources |
PurchaseReservedDBInstancesOffering | Purchases RDS RIs | Used to acquire cost-saving RDS RIs | Write: All resources |
Linked Account Savings Plans Permissions
Savings Plans | What | Why | Access (Limited: Read/Write) |
---|---|---|---|
SavingsPlans:* | Full Savings Plans access | Used to manage and optimize Savings Plans | Full access |
Support Permissions
Support | What | Why | Access (Limited: Read/Write) |
---|---|---|---|
support:* | Full AWS Support access | Used to manage support cases and access support features | Full access |
AWS Managed Policies
The Commitment Management setup includes several AWS managed policies that are essential for different aspects of the service:
Policy Name | ARN | Purpose | Access Level |
---|---|---|---|
AWSSupportAccess | arn:aws:iam::aws:policy/AWSSupportAccess | Used mainly for getting commitment utilization and coverage metrics to track the efficiency | Read/Write |
AWSCloudTrail_ReadOnlyAccess | arn:aws:iam::aws:policy/AWSCloudTrail_ReadOnlyAccess | Used to capture detailed records of API calls made from the nOps account that we add; for example, the CreateSavingsPlan API call is logged when we buy a Savings Plan | Read Only |
AWSOrganizationsReadOnlyAccess | arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess | Very important, as nOps AI needs to know the org structure and which accounts exist at any given point in time so that commitments bought can be shared across the organization (we don't buy commitments from each individual account) | Read Only |
AmazonEC2FullAccess | arn:aws:iam::aws:policy/AmazonEC2FullAccess | Needed temporarily, but important when buying the initial set of RIs in the newly created nOps account added to your organization. AWS doesn't allow direct purchase of RIs unless it sees some usage, so we create a t2.small for 20 minutes in each region that has compute. You can opt out of this, but AWS will then take 6 weeks to lift the RI purchase restriction for us | Full Access |
AWSSavingsPlansFullAccess | arn:aws:iam::aws:policy/AWSSavingsPlansFullAccess | Required to purchase, modify, and manage Savings Plans | Full Access |
ServiceQuotasFullAccess | arn:aws:iam::aws:policy/ServiceQuotasFullAccess | Required to view and request quota increases (if and only if needed). For example: increase the RI quota per month | Full Access |
Important Notes:
- The AmazonEC2FullAccess policy is temporary and only used to create t2.small instances for 20 minutes in regions with compute. This is necessary because AWS doesn't allow direct RI purchases without usage history. You can opt out of this, but AWS will then take 6 weeks to lift the RI purchase restriction.
- The AWSOrganizationsReadOnlyAccess policy is crucial as it allows nOps to understand your organization's structure and share commitments across accounts efficiently.
- All managed policies are automatically updated by AWS when new permissions are added or modified, ensuring nOps has access to the latest features while maintaining security best practices.
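The AWSCloudTrail_ReadOnlyAccess row above notes that commitment purchases made by nOps (for example CreateSavingsPlan) show up in CloudTrail. The following script is an added example, not nOps code, of how an account owner can triage those records: it keeps only the commitment-changing API calls named on this page and separates those issued through the documented nops-sharesave-ri / nops-sharesave-payer roles from any made by another principal. The CloudTrail records, the account ID 111111111111 and the session names are constructed for the example.

```python
"""Triage CloudTrail records for commitment purchases made through the nOps roles."""

# Commitment-changing API calls named on this page, keyed by the CloudTrail
# eventSource prefix ("ec2.amazonaws.com" -> "ec2", and so on).
COMMITMENT_CHANGE_ACTIONS = {
    "ec2": {
        "PurchaseReservedInstancesOffering",
        "ModifyReservedInstances",
        "CreateReservedInstancesListing",
        "CancelReservedInstancesListing",
        "AcceptReservedInstancesExchangeQuote",
    },
    "rds": {"PurchaseReservedDBInstancesOffering"},
    "savingsplans": {"CreateSavingsPlan"},
}

# Role names documented on this page; any other principal changing commitments
# is worth a second look.
EXPECTED_ROLES = {"nops-sharesave-ri", "nops-sharesave-payer"}


def _assumed_role(event):
    """Return the IAM role name behind an AssumedRole session, or None for other identities."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def _service(event):
    """'ec2.amazonaws.com' -> 'ec2'."""
    return event.get("eventSource", "").split(".", 1)[0].lower()


def is_commitment_change(event):
    """True when the record is one of the commitment purchase/modify calls listed above."""
    return event.get("eventName") in COMMITMENT_CHANGE_ACTIONS.get(_service(event), set())


def triage(events):
    """Split commitment changes into those made via the expected nOps roles and all others."""
    expected, unexpected = [], []
    for ev in events:
        if not is_commitment_change(ev):
            continue
        record = {
            "eventID": ev.get("eventID"),
            "eventTime": ev.get("eventTime"),
            "region": ev.get("awsRegion"),
            "action": ev["eventName"],
            "role": _assumed_role(ev),
        }
        (expected if record["role"] in EXPECTED_ROLES else unexpected).append(record)
    return expected, unexpected


# Constructed CloudTrail records (only the fields the triage uses).
_NOPS_RI_SESSION = {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::111111111111:assumed-role/nops-sharesave-ri/nops-session",
    "sessionContext": {"sessionIssuer": {"userName": "nops-sharesave-ri"}},
}
SAMPLE_EVENTS = [
    {"eventID": "evt-0001", "eventTime": "2024-01-10T14:02:11Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "PurchaseReservedInstancesOffering",
     "userIdentity": _NOPS_RI_SESSION},
    {"eventID": "evt-0002", "eventTime": "2024-01-10T14:05:40Z", "awsRegion": "us-east-1",
     "eventSource": "savingsplans.amazonaws.com", "eventName": "CreateSavingsPlan",
     "userIdentity": _NOPS_RI_SESSION},
    {"eventID": "evt-0003", "eventTime": "2024-01-10T14:06:02Z", "awsRegion": "eu-west-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeReservedInstances",
     "userIdentity": _NOPS_RI_SESSION},
    {"eventID": "evt-0004", "eventTime": "2024-01-11T09:15:27Z", "awsRegion": "us-west-2",
     "eventSource": "rds.amazonaws.com", "eventName": "PurchaseReservedDBInstancesOffering",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"}},
]

if __name__ == "__main__":
    ok, suspicious = triage(SAMPLE_EVENTS)
    for r in ok:
        print("expected  ", r["eventTime"], r["region"], r["action"], "via", r["role"])
    for r in suspicious:
        print("REVIEW    ", r["eventTime"], r["region"], r["action"], "role:", r["role"])
```

Read-only Describe calls are deliberately ignored so the output stays focused on records that commit spend; the principal check is by role name because CloudTrail puts the session's issuing role, not the nOps account ID, in sessionIssuer.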
Policies and Permissions
- Within your AWS Payer/Management account, nOps will create a new hourly Cost and Usage Report (CUR), an S3 bucket for the CUR, and the nOps ShareSave Payer cross-account role/policy:
  - Trusted Entity Type: AWS Account
  - Trusted Entity: nOps
  - Role name: nops-sharesave-payer
  - IAM Policy for the Role: IAM Policy
  - Automated Creation: YAML File
- Within the CM linked account used by nOps to buy/sell Reserved Instances and buy Compute Savings Plans:
  - Trusted Entity Type: AWS Account
  - Trusted Entity: nOps
  - Role name: nops-sharesave-ri
  - IAM Policy for the Role: IAM Policy
  - Automated Creation: NA – preloaded
Commitment Management YAML file
AWSTemplateFormatVersion: "2010-09-09"
Description: |
  nOps.io integration role for ShareSave accounts (updated September 12, 2022)
  For more information visit https://help.nops.io
Parameters:
  S3CurBucket:
    Description: Format customername-sharesave
    Type: String
  ReportName:
    Description: Format customername-sharesave
    Type: String
Resources:
  # S3 bucket that receives the hourly Cost and Usage Report
  CURBucketCreate:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Retain
    Properties:
      BucketName: !Ref "S3CurBucket"
  # Bucket policy that lets the AWS billing service read bucket metadata and write report objects
  CURBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    DeletionPolicy: Retain
    DependsOn: CURBucketCreate
    Properties:
      Bucket: !Ref "S3CurBucket"
      PolicyDocument:
        Statement:
          - Action:
              - "s3:GetBucketAcl"
              - "s3:GetBucketPolicy"
            Effect: Allow
            Resource: !Join ["", ["arn:", !Ref AWS::Partition, ":s3:::", !Ref "S3CurBucket"]]
            Principal:
              Service:
                - billingreports.amazonaws.com
          - Action:
              - "s3:PutObject"
            Effect: Allow
            Resource: !Join ["", ["arn:", !Ref AWS::Partition, ":s3:::", !Ref "S3CurBucket", "/*"]]
            Principal:
              Service:
                - billingreports.amazonaws.com
  # Hourly CUR definition delivered into the bucket above
  CURCreate:
    Type: "AWS::CUR::ReportDefinition"
    DeletionPolicy: Retain
    DependsOn: CURBucketPolicy
    Properties:
      ReportName: !Ref "ReportName"
      RefreshClosedReports: True
      S3Bucket: !Ref "S3CurBucket"
      S3Prefix: sharesave
      S3Region: us-east-1
      TimeUnit: HOURLY
      ReportVersioning: OVERWRITE_REPORT
      AdditionalArtifacts:
        - REDSHIFT
      Compression: GZIP
      Format: textORcsv
  # Cross-account role assumed by the nOps account; scoped to the CUR bucket plus AWSSupportAccess
  nOpsShareSaveRole:
    Type: "AWS::IAM::Role"
    DependsOn: CURBucketPolicy
    Properties:
      RoleName: nops-sharesave-payer
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::727378841472:root
            Action:
              - "sts:AssumeRole"
      Path: /
      Policies:
        - PolicyName: nops-sharesave-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: S3ViewCUR
                Effect: Allow
                Action:
                  - "s3:ListBucket"
                Resource: !Join ["", ["arn:", !Ref AWS::Partition, ":s3:::", !Ref "S3CurBucket"]]
              - Sid: S3AccessCUR
                Effect: Allow
                Action:
                  - "s3:GetObject"
                  - "s3:PutObject"
                  - "s3:DeleteObject"
                Resource: !Join ["", ["arn:", !Ref AWS::Partition, ":s3:::", !Ref "S3CurBucket", "/*"]]
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AWSSupportAccess"
Commitment Management IAM Roles
CM AWS Payer IAM Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<YOUR BUCKET NAME HERE>",
      "Effect": "Allow",
      "Sid": "S3ViewCUR"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::<YOUR BUCKET NAME HERE>/*",
      "Effect": "Allow",
      "Sid": "S3AccessCUR"
    }
  ]
}
CM Linked Account IAM Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeReservedInstances",
        "ec2:DescribeReservedInstancesListings",
        "ec2:DescribeReservedInstancesModifications",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:ModifyReservedInstances",
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:CreateReservedInstancesListing",
        "ec2:CancelReservedInstancesListing",
        "ec2:GetReservedInstancesExchangeQuote",
        "ec2:AcceptReservedInstancesExchangeQuote",
        "rds:DescribeReservedDBInstances",
        "rds:DescribeReservedDBInstancesOfferings",
        "rds:PurchaseReservedDBInstancesOffering",
        "support:*",
        "SavingsPlans:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
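The "What? Why? and How Much?" tables earlier on this page document every action in the two policies above, with its access level. The script below is an added example, not nOps code, that an account owner can run before attaching the policies (or after a policy update) to confirm the documents still match those tables: it classifies each allowed action as read, write or service-wide wildcard, flags write actions granted on Resource "*" and service-wide grants such as support:* and SavingsPlans:*, and diffs the granted actions against the documented set in both directions. The policy copies are taken from this page with the bucket placeholder replaced by the constructed name example-customer-sharesave.

```python
"""Audit the nOps payer and linked-account IAM policies against the permission tables."""

# Policy documents copied from this page; the bucket name is a constructed stand-in
# for <YOUR BUCKET NAME HERE>.
PAYER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3ViewCUR", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-customer-sharesave"},
        {"Sid": "S3AccessCUR", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-customer-sharesave/*"},
    ],
}
LINKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:DescribeReservedInstances", "ec2:DescribeReservedInstancesListings",
        "ec2:DescribeReservedInstancesModifications", "ec2:DescribeReservedInstancesOfferings",
        "ec2:ModifyReservedInstances", "ec2:PurchaseReservedInstancesOffering",
        "ec2:CreateReservedInstancesListing", "ec2:CancelReservedInstancesListing",
        "ec2:GetReservedInstancesExchangeQuote", "ec2:AcceptReservedInstancesExchangeQuote",
        "rds:DescribeReservedDBInstances", "rds:DescribeReservedDBInstancesOfferings",
        "rds:PurchaseReservedDBInstancesOffering", "support:*", "SavingsPlans:*",
    ]}],
}

# Actions the tables on this page document. IAM matches action names case-insensitively,
# so everything is compared lower-cased.
DOCUMENTED_PAYER = {a.lower() for a in (
    "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject")}
DOCUMENTED_LINKED = {a.lower() for a in (
    "ec2:DescribeReservedInstances", "ec2:DescribeReservedInstancesListings",
    "ec2:DescribeReservedInstancesModifications", "ec2:DescribeReservedInstancesOfferings",
    "ec2:ModifyReservedInstances", "ec2:PurchaseReservedInstancesOffering",
    "ec2:CreateReservedInstancesListing", "ec2:CancelReservedInstancesListing",
    "ec2:GetReservedInstancesExchangeQuote", "ec2:AcceptReservedInstancesExchangeQuote",
    "rds:DescribeReservedDBInstances", "rds:DescribeReservedDBInstancesOfferings",
    "rds:PurchaseReservedDBInstancesOffering", "SavingsPlans:*", "support:*")}

READ_PREFIXES = ("describe", "get", "list")


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def classify_action(action):
    """'wildcard' for a service-wide grant, 'read' for Describe/Get/List, otherwise 'write'."""
    _, _, name = action.lower().partition(":")
    if name == "*":
        return "wildcard"
    if name.startswith(READ_PREFIXES):
        return "read"
    return "write"


def audit_policy(policy):
    """Group allowed actions by class and list the grants a reviewer should look at."""
    summary = {"read": set(), "write": set(), "wildcard": set()}
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt["Action"]):
            kind = classify_action(action)
            summary[kind].add(action)
            if kind == "wildcard":
                findings.append(f"{sid}: service-wide grant {action}")
            elif kind == "write" and "*" in resources:
                findings.append(f"{sid}: write action {action} on all resources")
    return summary, findings


def compare_to_documented(policy, documented):
    """Return (granted but undocumented, documented but not granted), both lower-cased."""
    granted = {a.lower() for s in _as_list(policy["Statement"])
               if s.get("Effect") == "Allow" for a in _as_list(s["Action"])}
    return sorted(granted - documented), sorted(documented - granted)


if __name__ == "__main__":
    for label, policy, documented in (("payer", PAYER_POLICY, DOCUMENTED_PAYER),
                                      ("linked", LINKED_POLICY, DOCUMENTED_LINKED)):
        summary, findings = audit_policy(policy)
        print(f"{label}: {len(summary['read'])} read, {len(summary['write'])} write, "
              f"{len(summary['wildcard'])} wildcard")
        for f in findings:
            print("  review:", f)
        extra, missing = compare_to_documented(policy, documented)
        print("  undocumented:", extra or "none", "| not granted:", missing or "none")
```

For the policies as shown on this page the payer audit produces no findings (its two write actions are scoped to the CUR bucket), while the linked-account audit lists the two service-wide grants and the six RI/RDS write actions on all resources, which is exactly what the tables describe as "Full access" and "Write: All resources". The diff step is the useful part over time: an action that appears in either direction means the policy and the documentation have drifted apart.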