Amazon S3 bucket policy for AWS Compute Optimizer
You can export your Compute Optimizer recommendations to an Amazon Simple Storage Service (Amazon S3) bucket. Your recommendations are exported as CSV file and the metadata is exported as a JSON file. For more information, see Exporting recommendations.
Before you create the export job, you must first create the destination S3 bucket for your recommendations export. Compute Optimizer doesn't create the S3 bucket for you. The S3 bucket that you specify for your recommendations export files must not be publicly accessible, and can't be configured as a Requester Pays bucket. As a security best practice, create a dedicated S3 bucket for Compute Optimizer export files. For more information, see How Do I Create an S3 Bucket? in the Amazon S3 Console User Guide.
Specifying an existing bucket for your recommendations export
After you create your S3 bucket, follow these steps to add a policy to the S3 bucket that allows Compute Optimizer to write recommendations export files to your bucket.
Open the Amazon S3 console at https://console.aws.amazon.com/s3/
. -
Choose the bucket where you want Compute Optimizer to deliver your export files.
-
Choose Permissions.
-
Choose Bucket Policy.
-
Copy one of the following policies, and paste it into the Bucket Policy Editor text box.
-
Replace the following placeholder text in the policy:
-
Replace
myBucketNamewith the name of your bucket. -
Replace
optionalPrefixwith the optional object prefix. -
Replace
myRegionwith the source AWS Region. -
Replace
myAccountIDwith the account number of the requester of the export job.
-
-
Include all three of the following statements in the policy:
-
The first statement (for the
GetBucketAclaction) allows Compute Optimizer to get the access control list (ACL) of your bucket. -
The second statement (for the
GetBucketPolicyStatusaction) allows Compute Optimizer to get the policy status of your bucket, indicating whether the bucket is public. -
The third statement (for the
PutObjectaction) gives Compute Optimizer full control to put the export file in your bucket.
Your export request fails if any of these statements are missing or if the bucket name and optional object prefix in the policy don't match what you specify in your export request. Your export also fails if the account number in the policy doesn't match the account number of the requester of the export job.
Note
If the existing bucket already has one or more policies attached, add the statements for Compute Optimizer access to that policy or policies. Evaluate the resulting set of permissions to ensure that they're appropriate for the users who access the bucket.
-
Policy option 1: Using an optional prefix
The object prefix is an optional addition to the S3 object key that organizes your export files in your S3 bucket. If you want to specify an object prefix when you create your recommendations export, use the following policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::myBucketName" }, { "Effect": "Allow", "Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:GetBucketPolicyStatus", "Resource": "arn:aws:s3:::myBucketName" }, { "Effect": "Allow", "Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::myBucketName/optionalPrefix/compute-optimizer/myAccountID/*", "Condition": {"StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceAccount": "myAccountID", "aws:SourceArn": "arn:aws:compute-optimizer:myRegion:myAccountID:*" } } } ] }
Note
The compute-optimizer/myAccountID/ component isn’t part
of the optional prefix. Compute Optimizer creates the
optimizer/myAccountID/ part of the
bucket path for you that's added to the prefix that you specify.
Policy option 2: No object prefix
If you don't want to specify an object prefix, use the following policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::myBucketName" }, { "Effect": "Allow", "Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:GetBucketPolicyStatus", "Resource": "arn:aws:s3:::myBucketName" }, { "Effect": "Allow", "Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::myBucketName/compute-optimizer/myAccountID/*", "Condition": {"StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceAccount": "myAccountID", "aws:SourceArn": "arn:aws:compute-optimizer:myRegion:myAccountID:*" } } } ] }
Using encrypted S3 buckets for your recommendations export
For the destination of your Compute Optimizer recommendations exports, you can specify S3 buckets that are encrypted with either Amazon S3 customer managed keys or AWS Key Management Service (KMS) keys.
To use an S3 bucket with AWS KMS encryption enabled, you must create a symmetric KMS key. Symmetric KMS keys are the only KMS keys that Amazon S3 supports. For instructions, see Creating keys in the AWS KMS Developer Guide. After you create the KMS key, apply it to the S3 bucket that you plan to use for your recommendations export. For more information, see Enabling Amazon S3 default bucket encryption in the Amazon Simple Storage Service User Guide.
Use the following procedure to grant Compute Optimizer the required permission to use your KMS key. This permission is specific for encrypting your recommendations export file when saving it to your encrypted S3 bucket.
-
Open the AWS KMS console at https://console.aws.amazon.com/kms
. -
To change the AWS Region, use the Region selector in the upper-right corner of the page.
-
In the left navigation menu, choose Customer-managed keys.
Note
Compute Optimizer recommendation exports aren't permitted for S3 buckets encrypted with AWS managed keys.
-
Choose the name of the KMS key that you used to encrypt the export S3 bucket.
-
Choose the Key policy tab, then choose Switch to policy view.
-
Choose Edit to edit the key policy.
-
Copy one of the following policies, and paste it into the statements section of the key policy.
-
Replace the following placeholder text in the policy:
-
Replace
myRegionwith the source AWS Region. -
Replace
myAccountIDwith the account number of the export requester.
The
GenerateDataKeystatement allows Compute Optimizer to call the AWS KMS API to obtain the data key for encrypting the recommendation files. This way, the uploaded data format can accommodate the bucket encryption setting. Otherwise, Amazon S3 rejects the export request.Note
If the existing KMS key already has one or more policies attached, add the statements for Compute Optimizer access to those policies. Evaluate the resulting set of permissions to ensure that they're appropriate for the users who access the KMS key.
-
Use the following policy if you didn't enable Amazon S3 bucket keys.
{ "Sid": "Allow use of the key to Compute Optimizer", "Effect": "Allow", "Principal": { "Service": "compute-optimizer.amazonaws.com" }, "Action": "kms:GenerateDataKey", "Resource": "*", "Condition": { "StringEquals": { "aws:SourceAccount": "myAccountID", "aws:SourceArn": "arn:aws:compute-optimizer:myRegion:myAccountID:*" } } }
Use the following policy if you enabled Amazon S3 bucket keys. For more information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys in the Amazon Simple Storage Service User Guide.
{ "Sid": "Allow use of the key to Compute Optimizer", "Effect": "Allow", "Principal": { "Service": "compute-optimizer.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*", "Condition": { "StringEquals": { "aws:SourceAccount": "myAccountID", "aws:SourceArn": "arn:aws:compute-optimizer:myRegion:myAccountID:*" } } }
Additional resources
For more information about S3 buckets and policies, see the Amazon Simple Storage Service User Guide.
