Amazon S3 bucket policy for Compute Optimizer - AWS Compute Optimizer

Amazon S3 bucket policy for Compute Optimizer

You can export your Compute Optimizer recommendations in a comma-separated values (.csv) file, and its metadata in a JavaScript Object Notation (.json) file, to an Amazon Simple Storage Service (Amazon S3) bucket. For more information, see Exporting recommendations.

You must create the destination S3 bucket for your recommendations export before you create the export job. Compute Optimizer does not create the S3 bucket for you. The S3 bucket that you specify for your recommendations export files cannot be publicly accessible, and cannot be configured as a Requester Pays bucket.

As a best practice, create a dedicated S3 bucket for Compute Optimizer export files. For more information, see How Do I Create an S3 Bucket? in the Amazon S3 Console User Guide. After you create the S3 bucket, ensure that it has the required permission policy to allow Compute Optimizer to write the export files to it. For more information, see Specifying an existing bucket for your recommendations export.

Using encrypted S3 buckets for your recommendations export

For the destination of your Compute Optimizer recommendations exports, you can specify S3 buckets that are encrypted with either Amazon S3-Managed Keys (SSE-S3) or Customer Master Keys (CMKs) stored in the AWS Key Management Service (AWS KMS).

You must create a symmetric CMK to use an S3 bucket with AWS KMS encryption enabled. Symmetric CMKs are the only CMKs supported by Amazon S3. For more information, see Creating keys in the AWS KMS Developer Guide. After you create the CMK, you must apply it to the S3 bucket that you plan to use for your recommendations export. For more information, see How do I enable default encryption for an Amazon S3 bucket? in the Amazon S3 Console User Guide.

Use the following procedure to grant Compute Optimizer the required permission to use your CMK to encrypt your recommendations export file when saving it to your encrypted S3 bucket.

  1. Open the AWS KMS console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the left navigation menu, choose Customer Managed Keys.

  4. Choose the name of the CMK that you chose to encrypt the export S3 bucket.

  5. Choose the Key policy tab, then choose Switch to policy view.

  6. Choose Edit to edit the key policy.

  7. Copy and paste the following into the statements section of the key policy:

    The statement (for the GenerateDataKey action) allows Compute Optimizer to call the AWS KMS API to obtain a data key for encrypting the recommendation files, so that the uploaded objects match the encryption setting of the bucket. Without this statement, Amazon S3 rejects the export request.

    Note

    If the existing CMK already has one or more policies attached, add the statements for Compute Optimizer access to those policies. Evaluate the resulting set of permissions to be sure that they are appropriate for the users who will access the CMK.

    {
        "Sid": "Allow use of the key to Compute Optimizer",
        "Effect": "Allow",
        "Principal": {
            "Service": "compute-optimizer.amazonaws.com"
        },
        "Action": "kms:GenerateDataKey",
        "Resource": "*"
    }

Specifying an existing bucket for your recommendations export

Use the following procedure to add a policy to your S3 bucket that allows Compute Optimizer to write recommendations export files to your bucket.

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Choose the bucket where you want Compute Optimizer to deliver your export files.

  3. Choose Permissions.

  4. Choose Bucket Policy.

  5. Copy the following policy, and paste it into the Bucket Policy Editor text box.

    Replace the placeholders myBucketName, [optional prefix], and myAccountID with the name of your bucket, the optional object prefix, and the account number of the requester of the export job. If you plan to specify an object prefix when you create your recommendations export, include it in the policy. The object prefix is an optional addition to the S3 object key that organizes your export files in your S3 bucket.

    You must copy and paste this policy so that it includes all three statements. The first statement (for the GetBucketAcl action) allows Compute Optimizer to get the access control list (ACL) of your bucket. The second statement (for the GetBucketPolicyStatus action) allows Compute Optimizer to get the policy status of your bucket, which indicates whether the bucket is public. The third statement (for the PutObject action) allows Compute Optimizer to put the export file in your bucket; its condition requires the object to be written with the bucket-owner-full-control ACL, so that the bucket owner keeps full control of the file. Your export request fails if any of these statements is missing, if the bucket name and optional object prefix in the policy don't match what you specify in your export request, or if the account number in the policy doesn't match the account number of the requester of the export job.

    Note

    If the existing bucket already has one or more policies attached, add the statements for Compute Optimizer access to that policy or policies. Evaluate the resulting set of permissions to be sure that they are appropriate for the users who will access the bucket.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "compute-optimizer.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": "arn:aws:s3:::myBucketName"
            },
            {
                "Effect": "Allow",
                "Principal": {"Service": "compute-optimizer.amazonaws.com"},
                "Action": "s3:GetBucketPolicyStatus",
                "Resource": "arn:aws:s3:::myBucketName"
            },
            {
                "Effect": "Allow",
                "Principal": {"Service": "compute-optimizer.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/compute-optimizer/myAccountID/*",
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
            }
        ]
    }

    If you don't want to specify an object prefix, use the following policy instead.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "compute-optimizer.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": "arn:aws:s3:::myBucketName"
            },
            {
                "Effect": "Allow",
                "Principal": {"Service": "compute-optimizer.amazonaws.com"},
                "Action": "s3:GetBucketPolicyStatus",
                "Resource": "arn:aws:s3:::myBucketName"
            },
            {
                "Effect": "Allow",
                "Principal": {"Service": "compute-optimizer.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::myBucketName/compute-optimizer/myAccountID/*",
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
            }
        ]
    }
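    As an added example (not code from the AWS documentation), the following Python builds the three-statement bucket policy above for a given bucket, requester account and optional prefix, and checks an existing policy for the three failure causes the text lists: a missing statement, a PutObject resource whose bucket name, prefix or account ID does not match the export request, and a missing bucket-owner-full-control condition. The bucket name, prefix and account ID are constructed placeholders, and the check only accepts grants whose principal is the Compute Optimizer service, so a public "Principal": "*" grant does not satisfy it.

```python
import json

# Constructed sample values (placeholders, not taken from the AWS page).
BUCKET, PREFIX, ACCOUNT_ID = "example-co-export-bucket", "finops", "111122223333"
SERVICE = "compute-optimizer.amazonaws.com"
ACL_CONDITION = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}

def _allow(action, resource, condition=None):
    statement = {"Effect": "Allow", "Principal": {"Service": SERVICE},
                 "Action": action, "Resource": resource}
    if condition:
        statement["Condition"] = condition
    return statement

def export_policy(bucket, account_id, prefix=None):
    """Build the three-statement bucket policy from the page for one bucket, account and optional prefix."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_path = "/".join(p for p in (prefix, "compute-optimizer", account_id, "*") if p)
    return {"Version": "2012-10-17", "Statement": [
        _allow("s3:GetBucketAcl", bucket_arn),
        _allow("s3:GetBucketPolicyStatus", bucket_arn),
        _allow("s3:PutObject", f"{bucket_arn}/{key_path}", ACL_CONDITION),
    ]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_export_policy(policy, bucket, account_id, prefix=None):
    """Return the problems found; an empty list means the three required statements are present
    and match the bucket, prefix and requester account the export job will use."""
    statements = [s for s in _as_list(policy.get("Statement")) if isinstance(s, dict)]
    problems = []
    for want in export_policy(bucket, account_id, prefix)["Statement"]:
        action, resource = want["Action"], want["Resource"]
        # Only Allow statements whose principal is the Compute Optimizer service count;
        # a public "Principal": "*" grant is deliberately not accepted.
        candidates = [s for s in statements
                      if s.get("Effect") == "Allow"
                      and isinstance(s.get("Principal"), dict)
                      and SERVICE in _as_list(s["Principal"].get("Service"))
                      and action in _as_list(s.get("Action"))]
        if not candidates:
            problems.append(f"missing Allow statement granting {action} to {SERVICE}")
            continue
        covering = [s for s in candidates if resource in _as_list(s.get("Resource"))]
        if not covering:
            problems.append(f"{action}: no statement names {resource}")
        elif "Condition" in want and not any(s.get("Condition") == want["Condition"] for s in covering):
            problems.append(f"{action}: missing condition {json.dumps(want['Condition'])}")
    return problems
```

    To audit a policy copied from the Bucket Policy Editor, load it with json.loads and pass it to check_export_policy together with the bucket name, requester account ID and prefix you intend to use in the export request; the resource comparison is an exact match on the ARNs the page specifies and does not expand wildcards.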

Additional resources

For more information about S3 buckets and policies, see the Amazon Simple Storage Service Console User Guide.