Edit me

Essentials resource scheduler IAM permissions

As a part of the free nOps platform, we analyze your Cost and Usage Report (CUR). As a part of the free nOps platform, we analyze your Cost and Usage Report (CUR) and provide you with scheduler recommendations that you can automate.

In order to extract the full potential of the nOps Scheduler, you need permissions for two nOps features:

Note: To enable nSwitch recommendations for any child account, it is necessary to get the account fully configured. I.e to enable the ReadOnly policy access at the child account level.

Access CUR data to analyze utilization

The permissions required at the payer and linked account(s) for ShareSave nSwitch are:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ce:GetCostAndUsage",
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

nOps also required two CUR reports to be configured, with the following bucket access policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<paste-bucket-name-here>",
        "arn:aws:s3:::<paste-bucket-name-here>/*"
      ]
    }
  ]
}

Scheduler Permissions: Lambda and Eventbridge

nOps requires AWS managed AWSLambdaBasicExecutionRole permissions along with the following permission for Scheduler Lambda Function to automatically create schedules with the help of EventBridge:

These permissions are required on the child account or master account where the resources to be scheduled reside.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "events:PutEvents",
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:GetObjectTagging",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "rds:StopDBInstance",
            "rds:StartDBInstance",
            "logs:PutLogEvents",
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "autoscaling:UpdateAutoScalingGroup"
        ],
        "Resource": [
            "*"
        ]
    }]
}

To get the full CloudFormation YAML template, see nOps Essentials Lambda Function.



Related articles
Managing Karpenter Configurations With nOps GitOps support
Managing Resources With Karpenter GitOps Support
Configuring ASGs by Tag
nOps Copilot-Managed ASGs
Compute Copilot For ASG Support Matrix
Onboarding your Autoscaling Groups to nOps Compute Copilot
Onboarding your Autoscaling Groups to nOps Compute Copilot via Stackset
Compute Copilot for ECS
Onboarding your EKS clusters to Copilot for EKS Cluster Autoscaler
EKS Provisioner Examples
Compute Copilot for EKS - Karpenter Beta Support
Onboarding your EKS clusters to Compute Copilot for EKS Karpenter
Minimum IAM permissions for the nOps platform
IAM permissions for the nOps platform
Commitment Management Permissions
Onboarding AWS Linked Accounts
Onboarding Multiple AWS Linked Accounts with CloudFormation
Service Control Policies
Onboarding AWS with Automatic Setup
Onboarding AWS with 1-click CloudFormation
AWS SSO Integration
Azure SSO Integration
SSO Integration
Okta SSO Integration
OneLogin SSO Integration
Datadog Agent in ASG for Enhanced Rightsizing
DataDog Agent Configuration On your Linux based ASG
Maximizing Cost Efficiency with nOps Essentials Idle Instance Feature
Cloudwatch Agent Configuration On your Linux based EC2
Idle EBS Volume Cleanup
EC2 and ASG Rightsizing with nOps with DataDog integration
Introduction to nOps Essentials
KMS Key Permissions
Essentials Stack
Essentials for Storage
Essentials Summary Page
nOps Scheduler with Terraform
Back to top       Home
Tags: onboarding iam