Amazon S3 bucket policy for Compute Optimizer - AWS Compute Optimizer

Amazon S3 bucket policy for Compute Optimizer

You can export your Compute Optimizer recommendations in a comma-separated values (.csv) file, and its metadata in a JavaScript Object Notation (.json) file, to an Amazon Simple Storage Service (Amazon S3) bucket. For more information, see Exporting recommendations.

You must create the destination S3 bucket for your recommendations export before you create the export job. Compute Optimizer does not create the S3 bucket for you. The S3 bucket that you specify for your recommendations export files cannot be publicly accessible, and cannot be configured as a Requester Pays bucket. Additionally, the only encrypted S3 buckets that are supported are those encrypted with Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3).

As a best practice, create a dedicated S3 bucket for Compute Optimizer export files. For more information, see How Do I Create an S3 Bucket? in the Amazon Simple Storage Service Console User Guide. After you create the S3 bucket, ensure that it has the following required permission policy to allow Compute Optimizer to write the export files to it.

Specifying an existing bucket for the Compute Optimizer recommendation export files

Use the following procedure to add a policy to your S3 bucket that allows Compute Optimizer to write recommendations export files to your bucket.

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Choose the bucket where you want Compute Optimizer to deliver your export files.

  3. Choose Permissions.

  4. Choose Bucket Policy.

  5. Copy the following policy, and paste it into the Bucket Policy Editor text box.

    Replace the placeholders in italics with the name of your bucket, the optional object prefix, and the account number of the requester of the export job. If you plan to specify an object prefix when you create your recommendations export, include it in the policy. The object prefix is an optional addition to the S3 object key that organizes your export files in your S3 bucket.

    You must copy and paste this policy to include all three statements. The first statement (for the GetBucketAcl action) allows Compute Optimizer to get the access control list (ACL) of your bucket. The second statement (for the GetBucketPolicyStatus action) allows Compute Optimizer to get the policy status of your bucket, indicating whether the bucket is public. The third statement (for the PutObject action) gives Compute Optimizer full control to put the export file in your bucket. Your export request will fail if any of these statements is missing, or if the bucket name and optional object prefix in the policy don't match what you specify in your export request, or if the account number in the policy doesn't match the account number of the requester of the export job.

    Note

    If the existing bucket already has one or more policies attached, add the statements for Compute Optimizer access to that policy or policies. Evaluate the resulting set of permissions to be sure that they are appropriate for the users who will access the bucket.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::myBucketName" }, { "Effect": "Allow", "Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:GetBucketPolicyStatus", "Resource": "arn:aws:s3:::myBucketName" }, { "Effect": "Allow", "Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/compute-optimizer/myAccountID/*", "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}} } ] }

    If you don't want to specify an object prefix, use the following policy instead.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::myBucketName" }, { "Effect": "Allow", "Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:GetBucketPolicyStatus", "Resource": "arn:aws:s3:::myBucketName" }, { "Effect": "Allow", "Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::myBucketName/compute-optimizer/myAccountID/*", "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}} } ] }

Additional resources

For more information about S3 buckets and policies, see the Amazon Simple Storage Service Console User Guide.