Controlling access with AWS Identity and Access Management - AWS Compute Optimizer

Controlling access with AWS Identity and Access Management

You can use AWS Identity and Access Management (IAM) to create identities (users, groups, or roles), and then give those identities permissions to access the AWS Compute Optimizer console and APIs.

By default, IAM users do not have access to the Compute Optimizer console and APIs. You give users access by attaching IAM policies to a single user, a group of users, or a role. For more information, see Identities (Users, Groups, and Roles) and Overview of IAM Policies in the IAM User Guide.

After you create IAM users, you can give those users individual passwords. Then, they can sign in to your account and view Compute Optimizer information by using an account-specific sign-in page. For more information, see How Users Sign In to Your Account.

Important

To view recommendations for EC2 instances, an IAM user must have ec2:DescribeInstances permission. To view recommendations for EBS volumes, an IAM user must have ec2:DescribeVolumes permission. To view recommendations for Auto Scaling groups, an IAM user must have autoscaling:DescribeAutoScalingGroups permission. To view recommendations for Lambda functions, an IAM user must have lambda:ListFunctions and lambda:ListProvisionedConcurrencyConfigs permission. To view current CloudWatch metrics data in the Compute Optimizer console, an IAM user must have cloudwatch:GetMetricData permissions.

If the user or group that you want to give permissions to already has a policy, you can add one of the Compute Optimizer-specific policy statements illustrated here to that policy.

Compute Optimizer and AWS Organizations trusted access

Trusted access for Compute Optimizer is automatically enabled in your organization account when you opt in using your organization's management account and include all member accounts within the organization. This allows Compute Optimizer to analyze compute resources in those member accounts, and generate recommendations for them.

Compute Optimizer verifies that trusted access is enabled in your organization account every time you access recommendations for member accounts. If you disable Compute Optimizer trusted access after you opt in, Compute Optimizer will deny access to recommendations for your organization's member accounts, and the member accounts within the organization will not be opted in to Compute Optimizer. To re-enable trusted access, opt in to Compute Optimizer again using your organization's management account and include all member accounts within the organization. For more information, see Opting in your account. For more information about AWS Organizations trusted access, see Using AWS Organizations with other AWS services in the AWS Organizations User Guide.

Policy to opt in to Compute Optimizer

The following policy statement grants access to opt in to Compute Optimizer. It grants access to create a service-linked role for Compute Optimizer, which is required to opt in. For more information, see Using Service-Linked Roles for AWS Compute Optimizer. It also grants access to update the enrollment status to the Compute Optimizer service.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*", "Condition": {"StringLike": {"iam:AWSServiceName": "compute-optimizer.amazonaws.com"}} }, { "Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer" }, { "Effect": "Allow", "Action": "compute-optimizer:UpdateEnrollmentStatus", "Resource": "*" } ] }

Policies to grant access to Compute Optimizer for standalone AWS accounts

The following policy statement grants full access to Compute Optimizer for standalone AWS accounts.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:*", "ec2:DescribeInstances", "ec2:DescribeVolumes", "autoscaling:DescribeAutoScalingGroups", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData" ], "Resource": "*" } ] }

The following policy statement grants read-only access to Compute Optimizer for standalone AWS accounts.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:GetEnrollmentStatus", "compute-optimizer:GetRecommendationSummaries", "compute-optimizer:GetEC2InstanceRecommendations", "compute-optimizer:GetEC2RecommendationProjectedMetrics", "compute-optimizer:GetAutoScalingGroupRecommendations", "compute-optimizer:GetEBSVolumeRecommendations", "compute-optimizer:GetLambdaFunctionRecommendations", "compute-optimizer:DescribeRecommendationExportJobs", "ec2:DescribeInstances", "ec2:DescribeVolumes", "autoscaling:DescribeAutoScalingGroups", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData" ], "Resource": "*" } ] }

Policies to grant access to Compute Optimizer for a management account of an organization

The following policy statement grants full access to Compute Optimizer for a management account of an organization.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:*", "ec2:DescribeInstances", "ec2:DescribeVolumes", "autoscaling:DescribeAutoScalingGroups", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData", "organizations:ListAccounts", "organizations:DescribeOrganization", "organizations:DescribeAccount", "organizations:EnableAWSServiceAccess", ], "Resource": "*" } ] }

The following policy statement grants read-only access to Compute Optimizer for a management account of an organization.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:GetEnrollmentStatus", "compute-optimizer:GetRecommendationSummaries", "compute-optimizer:GetEC2InstanceRecommendations", "compute-optimizer:GetEC2RecommendationProjectedMetrics", "compute-optimizer:GetAutoScalingGroupRecommendations", "compute-optimizer:GetEBSVolumeRecommendations", "compute-optimizer:GetLambdaFunctionRecommendations", "ec2:DescribeInstances", "ec2:DescribeVolumes", "autoscaling:DescribeAutoScalingGroups", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData", "organizations:ListAccounts", "organizations:DescribeOrganization", "organizations:DescribeAccount" ], "Resource": "*" } ] }

Policy to deny access to Compute Optimizer

The following policy statement denies access to Compute Optimizer.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "compute-optimizer:*", "Resource": "*" } ] }