
Commitment Management Permissions

Prerequisites

To take advantage of the full nOps Commitment Management Program, you must be subscribed to the nOps AWS Marketplace offering. If you have already subscribed, see the instructions on configuring Commitment Management to learn how the policies are created.

What? Why? and How Much?

The following tables describe each permission within the IAM policy:

  • First column: the permission name.
  • Second column: what the permission does.
  • Third column: why nOps needs the permission.
  • Fourth column: what kind of access the permission gives nOps (read or write, and whether it is limited to a specific resource or applies to all resources).

Payer Account S3 Permissions

| S3 | What | Why | Access (Limited: Read/Write) |
|---|---|---|---|
| ListBucket | Lists the contents of a bucket | Allows nOps to view CUR report contents | Read: Specific bucket |
| GetObject | Retrieves objects from S3 | Used to read CUR reports for analysis | Read: Specific bucket |
| PutObject | Uploads objects to S3 | Used to manage CUR report data | Write: Specific bucket |
| DeleteObject | Deletes objects from S3 | Used to manage CUR report lifecycle | Write: Specific bucket |

Linked Account EC2 Permissions

| EC2 | What | Why | Access (Limited: Read/Write) |
|---|---|---|---|
| DescribeReservedInstances | Lists reserved instances | Used to analyze current RI inventory | Read: All resources |
| DescribeReservedInstancesListings | Lists RI marketplace listings | Used to track RI marketplace activity | Read: All resources |
| DescribeReservedInstancesModifications | Lists RI modifications | Used to track RI changes | Read: All resources |
| DescribeReservedInstancesOfferings | Lists available RI offerings | Used to find suitable RI purchases | Read: All resources |
| ModifyReservedInstances | Modifies existing RIs | Used to optimize RI utilization | Write: All resources |
| PurchaseReservedInstancesOffering | Purchases new RIs | Used to acquire cost-saving RIs | Write: All resources |
| CreateReservedInstancesListing | Lists RIs on the marketplace | Used to sell unused RIs | Write: All resources |
| CancelReservedInstancesListing | Removes RI marketplace listings | Used to manage RI sales | Write: All resources |
| GetReservedInstancesExchangeQuote | Gets RI exchange quotes | Used to evaluate RI exchanges | Read: All resources |
| AcceptReservedInstancesExchangeQuote | Accepts RI exchange quotes | Used to execute RI exchanges | Write: All resources |

Linked Account RDS Permissions

| RDS | What | Why | Access (Limited: Read/Write) |
|---|---|---|---|
| DescribeReservedDBInstances | Lists RDS reserved instances | Used to analyze current RDS RI inventory | Read: All resources |
| DescribeReservedDBInstancesOfferings | Lists RDS RI offerings | Used to find suitable RDS RI purchases | Read: All resources |
| PurchaseReservedDBInstancesOffering | Purchases RDS RIs | Used to acquire cost-saving RDS RIs | Write: All resources |

Linked Account Savings Plans Permissions

| Savings Plans | What | Why | Access (Limited: Read/Write) |
|---|---|---|---|
| SavingsPlans:* | Full Savings Plans access | Used to manage and optimize Savings Plans | Full access |

Support Permissions

| Support | What | Why | Access (Limited: Read/Write) |
|---|---|---|---|
| support:* | Full AWS Support access | Used to manage support cases and access support features | Full access |

AWS Managed Policies

The Commitment Management setup includes several AWS managed policies that are essential for different aspects of the service:

| Policy Name | ARN | Purpose | Access Level |
|---|---|---|---|
| AWSSupportAccess | arn:aws:iam::aws:policy/AWSSupportAccess | Used mainly to retrieve commitment utilization and coverage metrics for tracking efficiency | Read/Write |
| AWSCloudTrail_ReadOnlyAccess | arn:aws:iam::aws:policy/AWSCloudTrail_ReadOnlyAccess | Used to read the CloudTrail records of API calls made from the nOps account that we add; for example, the CreateSavingsPlan API call is logged when we buy a Savings Plan | Read Only |
| AWSOrganizationsReadOnlyAccess | arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess | Very important, as nOps AI needs to know the organization structure and which accounts exist at any given point in time, so that commitments bought can be shared across the organization (we don't buy commitments from each individual account) | Read Only |
| AmazonEC2FullAccess | arn:aws:iam::aws:policy/AmazonEC2FullAccess | Needed temporarily, but also important when buying the initial set of RIs in the newly created nOps account added to your organization. AWS doesn't allow direct purchase of RIs unless it sees some usage, so we create a t2.small for 20 minutes in each region that has compute. You can opt out of this, but AWS will then take 6 weeks before lifting the RI purchase restriction for us | Full Access |
| AWSSavingsPlansFullAccess | arn:aws:iam::aws:policy/AWSSavingsPlansFullAccess | Required to purchase, modify, and manage Savings Plans | Full Access |
| ServiceQuotasFullAccess | arn:aws:iam::aws:policy/ServiceQuotasFullAccess | Required to view quotas and request quota increases (only when needed). For example: increasing the RI purchase quota per month | Full Access |

Important Notes:

  1. The AmazonEC2FullAccess policy is temporary and only used to create t2.small instances for 20 minutes in regions with compute. This is necessary because AWS doesn't allow direct RI purchases without usage history. You can opt out of this, but AWS will then take 6 weeks to lift the RI purchase restriction.
  2. The AWSOrganizationsReadOnlyAccess policy is crucial, as it allows nOps to understand your organization's structure and share commitments across accounts efficiently.
  3. AWS updates its managed policies in place when new permissions are added or modified, so the nOps roles pick up new features without any change on your side. The same mechanism means the access you granted can widen without a new deployment: review the current default version of each managed policy periodically rather than relying on the version you approved at setup.
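One way to act on the third note: keep the policy document you approved at setup and diff it against the version AWS currently serves. The Python below is an added example, not nOps code; its two policy documents are constructed stand-ins for an approved snapshot and a later default version, not the real contents of any AWS managed policy.

```python
"""Spot permission drift between two versions of an IAM policy document.

Added example, not nOps code. APPROVED and CURRENT are constructed stand-ins
for "the managed policy version you reviewed" and "the default version AWS
serves today"; they are NOT the contents of any real AWS managed policy.
"""


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants(doc):
    """Flatten a policy document into (Effect, action, resource) triples.

    Actions are lower-cased because IAM matches them case-insensitively.
    Statements using NotAction/NotResource are returned separately: they
    cannot be summarised as a plain list of grants and need a human look.
    """
    triples, inverted = set(), []
    for st in _as_list(doc.get("Statement")):
        if "NotAction" in st or "NotResource" in st:
            inverted.append(st)
            continue
        effect = st.get("Effect", "Deny")
        for action in _as_list(st.get("Action")):
            for resource in _as_list(st.get("Resource", "*")):
                triples.add((effect, action.lower(), resource))
    return triples, inverted


def drift(approved, current):
    """Return (added, removed): grants that differ between the two versions."""
    old, _ = grants(approved)
    new, _ = grants(current)
    return sorted(new - old), sorted(old - new)


def widened(approved, current):
    """Only the new Allow grants: the ones that extend what the role can do."""
    added, _ = drift(approved, current)
    return [g for g in added if g[0] == "Allow"]


def report(approved, current):
    """Drift summary as text, so it can be logged or posted for review."""
    added, removed = drift(approved, current)
    lines = [f"+ {e} {a} on {r}" for e, a, r in added]
    lines += [f"- {e} {a} on {r}" for e, a, r in removed]
    return "\n".join(lines) if lines else "no drift"


# Constructed snapshot of what was approved when the role was created.
APPROVED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:Describe*", "ec2:RunInstances",
                              "ec2:TerminateInstances"]}],
}

# Constructed "current default version": one Allow added, one removed,
# plus a new explicit Deny.
CURRENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:CreateTags"]},
        {"Effect": "Deny", "Action": "ec2:PurchaseHostReservation", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(report(APPROVED, CURRENT))
```

To feed it real input, save the document you approved once, then fetch the live one with `aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --query Policy.DefaultVersionId --output text` followed by `aws iam get-policy-version --policy-arn <arn> --version-id <id> --query PolicyVersion.Document`, and pass both parsed JSON objects to `drift()` or `report()`. A non-empty `widened()` result is the list to take to whoever approved the integration.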

Policies and Permissions

  1. Within your AWS Payer/Management account, nOps creates a new hourly Cost and Usage Report (CUR), an S3 bucket for the CUR, and the nOps ShareSave Payer cross-account role and policy:

    1. Trusted Entity Type: AWS Account
    2. Trusted Entity: nOps
    3. Role name: nops-sharesave-payer
    4. IAM Policy for the Role: IAM Policy
    5. Automated Creation: YAML File
  2. Within the CM linked account, which nOps uses to buy and sell Reserved Instances and to buy Compute Savings Plans, nOps uses the following role:

    1. Trusted Entity Type: AWS Account
    2. Trusted Entity: nOps
    3. Role name: nops-sharesave-ri
    4. IAM Policy for the Role: IAM Policy
    5. Automated Creation: NA – preloaded

Commitment Management YAML file

AWSTemplateFormatVersion: "2010-09-09"

Description: |
  nOps.io integration role for ShareSave accounts (updated September 12, 2022)
  For more information visit https://help.nops.io

Parameters:
  S3CurBucket:
    Description: Format customername-sharesave
    Type: String
  ReportName:
    Description: Format customername-sharesave
    Type: String

Resources:
  # Bucket that receives the hourly CUR. Retained when the stack is deleted so
  # the billing history is not removed with it.
  CURBucketCreate:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Retain
    Properties:
      BucketName: !Ref "S3CurBucket"

  # Bucket policy for the CUR delivery service: it may read the bucket ACL and
  # policy and write report objects. The grant carries no aws:SourceAccount or
  # aws:SourceArn condition, which AWS's CUR bucket-policy guidance adds to tie
  # the grant to this account's own report definitions.
  CURBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    DeletionPolicy: Retain
    DependsOn: CURBucketCreate
    Properties:
      Bucket: !Ref "S3CurBucket"
      PolicyDocument:
        Statement:
          - Action:
              - "s3:GetBucketAcl"
              - "s3:GetBucketPolicy"
            Effect: Allow
            Resource: !Join ["", ["arn:", !Ref AWS::Partition, ":s3:::", !Ref "S3CurBucket"]]
            Principal:
              Service:
                - billingreports.amazonaws.com
          - Action:
              - "s3:PutObject"
            Effect: Allow
            Resource: !Join ["", ["arn:", !Ref AWS::Partition, ":s3:::", !Ref "S3CurBucket", "/*"]]
            Principal:
              Service:
                - billingreports.amazonaws.com

  # Hourly CUR definition. S3Region must match the region the bucket above is
  # created in (the stack's region); the CUR API itself is served from us-east-1.
  CURCreate:
    Type: "AWS::CUR::ReportDefinition"
    DeletionPolicy: Retain
    DependsOn: CURBucketPolicy
    Properties:
      ReportName: !Ref "ReportName"
      RefreshClosedReports: True
      S3Bucket: !Ref "S3CurBucket"
      S3Prefix: sharesave
      S3Region: us-east-1
      TimeUnit: HOURLY
      ReportVersioning: OVERWRITE_REPORT
      AdditionalArtifacts:
        - REDSHIFT
      Compression: GZIP
      Format: textORcsv

  # Cross-account role assumed by nOps. The trust policy admits any principal
  # in the nOps account (the :root ARN) and sets no sts:ExternalId condition.
  nOpsShareSaveRole:
    Type: "AWS::IAM::Role"
    DependsOn: CURBucketPolicy
    Properties:
      RoleName: nops-sharesave-payer
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::727378841472:root
            Action:
              - "sts:AssumeRole"
      Path: /
      # Inline policy: S3 access limited to the CUR bucket, matching the payer
      # S3 permissions table above.
      Policies:
        - PolicyName: nops-sharesave-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: S3ViewCUR
                Effect: Allow
                Action:
                  - "s3:ListBucket"
                Resource: !Join ["", ["arn:", !Ref AWS::Partition, ":s3:::", !Ref "S3CurBucket"]]
              - Sid: S3AccessCUR
                Effect: Allow
                Action:
                  - "s3:GetObject"
                  - "s3:PutObject"
                  - "s3:DeleteObject"
                Resource: !Join ["", ["arn:", !Ref AWS::Partition, ":s3:::", !Ref "S3CurBucket", "/*"]]
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AWSSupportAccess"

Commitment Management IAM Roles

CM AWS Payer IAM Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<YOUR BUCKET NAME HERE>",
      "Effect": "Allow",
      "Sid": "S3ViewCUR"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::<YOUR BUCKET NAME HERE>/*",
      "Effect": "Allow",
      "Sid": "S3AccessCUR"
    }
  ]
}

CM Linked Account IAM Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeReservedInstances",
        "ec2:DescribeReservedInstancesListings",
        "ec2:DescribeReservedInstancesModifications",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:ModifyReservedInstances",
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:CreateReservedInstancesListing",
        "ec2:CancelReservedInstancesListing",
        "ec2:GetReservedInstancesExchangeQuote",
        "ec2:AcceptReservedInstancesExchangeQuote",
        "rds:DescribeReservedDBInstances",
        "rds:DescribeReservedDBInstancesOfferings",
        "rds:PurchaseReservedDBInstancesOffering",
        "support:*",
        "SavingsPlans:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
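The permission tables earlier on this page describe these two policies in words; the Python below checks the policies themselves against that description. It is an added example, not nOps code. It takes the payer and linked-account policies above (with the `<YOUR BUCKET NAME HERE>` placeholder replaced by the constructed bucket name `example-sharesave`) and the trust policy from the payer template, and reports which actions are service-wide wildcards (`support:*`, `SavingsPlans:*`), which are granted on all resources, whether the payer policy stays inside the CUR bucket, whether every granted action appears in the tables, which AWS account the trust policy admits, and whether it requires an ExternalId (the template on this page sets none). The ExternalId check assumes the condition is written as `StringEquals`, which is its usual form.

```python
"""Audit the nOps CM policies above for scope, wildcards and trust.

Added example, not nOps code. PAYER_POLICY and LINKED_POLICY are the two
policies on this page with <YOUR BUCKET NAME HERE> replaced by the constructed
name "example-sharesave"; TRUST_POLICY is the payer template's trust policy.
"""
BUCKET = "example-sharesave"  # constructed stand-in for the real CUR bucket

PAYER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3ViewCUR", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Sid": "S3AccessCUR", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

LINKED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:DescribeReservedInstances", "ec2:DescribeReservedInstancesListings",
        "ec2:DescribeReservedInstancesModifications",
        "ec2:DescribeReservedInstancesOfferings", "ec2:ModifyReservedInstances",
        "ec2:PurchaseReservedInstancesOffering", "ec2:CreateReservedInstancesListing",
        "ec2:CancelReservedInstancesListing", "ec2:GetReservedInstancesExchangeQuote",
        "ec2:AcceptReservedInstancesExchangeQuote", "rds:DescribeReservedDBInstances",
        "rds:DescribeReservedDBInstancesOfferings",
        "rds:PurchaseReservedDBInstancesOffering", "support:*", "SavingsPlans:*"]}]}

TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Principal": {"AWS": ["arn:aws:iam::727378841472:root"]}}]}

# What the linked-account permission tables on this page list, per service.
DOCUMENTED = {
    "ec2": ["DescribeReservedInstances", "DescribeReservedInstancesListings",
            "DescribeReservedInstancesModifications", "DescribeReservedInstancesOfferings",
            "ModifyReservedInstances", "PurchaseReservedInstancesOffering",
            "CreateReservedInstancesListing", "CancelReservedInstancesListing",
            "GetReservedInstancesExchangeQuote", "AcceptReservedInstancesExchangeQuote"],
    "rds": ["DescribeReservedDBInstances", "DescribeReservedDBInstancesOfferings",
            "PurchaseReservedDBInstancesOffering"],
    "savingsplans": ["*"], "support": ["*"]}


def _as_list(value):  # IAM allows a single value or a list in these fields
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_pairs(doc):
    """(action, resource) pairs from Allow statements; actions lower-cased
    because IAM matches action names case-insensitively."""
    pairs = set()
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            for resource in _as_list(st.get("Resource")):
                pairs.add((action.lower(), resource))
    return pairs


def wildcard_actions(doc):
    """Service-wide grants, shown as 'Full access' in the tables."""
    return sorted({a for a, _ in allow_pairs(doc) if a.endswith(":*")})


def unscoped_actions(doc):
    """Actions granted on every resource, shown as 'All resources' in the tables."""
    return sorted({a for a, r in allow_pairs(doc) if r == "*"})


def confined_to(doc, arn_prefix):
    """True if every resource the policy names lies under arn_prefix."""
    return all(r.startswith(arn_prefix) for _, r in allow_pairs(doc))


def undocumented_actions(doc, documented):
    """Granted actions that the permission tables do not mention."""
    listed = {f"{svc}:{n}".lower() for svc, names in documented.items() for n in names}
    return sorted({a for a, _ in allow_pairs(doc)} - listed)


def trusted_accounts(trust_doc):
    """Account IDs whose principals may call sts:AssumeRole on the role."""
    accounts = set()
    for st in _as_list(trust_doc.get("Statement")):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action")):
            for arn in _as_list(st.get("Principal", {}).get("AWS")):
                accounts.add(arn.split(":")[4])  # arn:partition:iam::ACCOUNT:root
    return accounts


def requires_external_id(trust_doc):
    """True only if every AssumeRole statement checks sts:ExternalId
    (assumed here to be expressed as a StringEquals condition)."""
    stmts = [st for st in _as_list(trust_doc.get("Statement"))
             if "sts:AssumeRole" in _as_list(st.get("Action"))]
    return bool(stmts) and all(
        "sts:ExternalId" in st.get("Condition", {}).get("StringEquals", {}) for st in stmts)


if __name__ == "__main__":
    print("payer confined to CUR bucket:", confined_to(PAYER_POLICY, f"arn:aws:s3:::{BUCKET}"))
    print("linked wildcards:", wildcard_actions(LINKED_POLICY),
          "on all resources:", len(unscoped_actions(LINKED_POLICY)))
    print("undocumented:", undocumented_actions(LINKED_POLICY, DOCUMENTED))
    print("trusts:", trusted_accounts(TRUST_POLICY), "external id:", requires_external_id(TRUST_POLICY))
```

The same functions work on a policy pulled from a live role with `aws iam get-role-policy` or `aws iam get-role` (for the trust document), which is how to confirm that what was deployed still matches what this page documents.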