Edit me

Essentials resource scheduler IAM permissions

As a part of the free nOps platform, we analyze your Cost and Usage Report (CUR). As a part of the free nOps platform, we analyze your Cost and Usage Report (CUR) and provide you with scheduler recommendations that you can automate.

In order to extract the full potential of the nOps Scheduler, you need permissions for two nOps features:

Note: To enable nSwitch recommendations for any child account, it is necessary to get the account fully configured. I.e to enable the ReadOnly policy access at the child account level.

Access CUR data to analyze utilization

The permissions required at the payer and linked account(s) for ShareSave nSwitch are:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ce:GetCostAndUsage",
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

nOps also required two CUR reports to be configured, with the following bucket access policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<paste-bucket-name-here>",
        "arn:aws:s3:::<paste-bucket-name-here>/*"
      ]
    }
  ]
}

Scheduler Permissions: Lambda and Eventbridge

nOps requires AWS managed AWSLambdaBasicExecutionRole permissions along with the following permission for Scheduler Lambda Function to automatically create schedules with the help of EventBridge:

These permissions are required on the child account or master account where the resources to be scheduled reside.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "events:PutEvents",
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:GetObjectTagging",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "rds:StopDBInstance",
            "rds:StartDBInstance",
            "logs:PutLogEvents",
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "autoscaling:UpdateAutoScalingGroup"
        ],
        "Resource": [
            "*"
        ]
    }]
}

To get the full CloudFormation YAML template, see nOps Essentials Lambda Function.



Related articles
Minimum IAM permissions for the nOps platform
IAM permissions for the nOps platform
YAML file for nOps Commitment Management
AWS SSO Integration
Azure SSO Integration
SSO Integration
Okta SSO Integration
OneLogin SSO Integration
Back to top       Home
Tags: onboarding iam