Controlling access with AWS Identity and Access Management - AWS Compute Optimizer

You can use AWS Identity and Access Management (IAM) to create identities (users, groups, or roles), and then give those identities permissions to access the AWS Compute Optimizer console and APIs.

By default, IAM users do not have access to the Compute Optimizer console and APIs. You give users access by attaching IAM policies to a single user, a group of users, or a role. For more information, see Identities (Users, Groups, and Roles) and Overview of IAM Policies in the IAM User Guide.

After you create IAM users, you can give those users individual passwords. Then, they can sign in to your account and view Compute Optimizer information by using an account-specific sign-in page. For more information, see How Users Sign In to Your Account.

Important

To view recommendations for EC2 instances, an IAM user must have the ec2:DescribeInstances permission. To view recommendations for EBS volumes, an IAM user must have the ec2:DescribeVolumes permission. To view recommendations for Auto Scaling groups, an IAM user must have the autoscaling:DescribeAutoScalingGroups and autoscaling:DescribeAutoScalingInstances permissions. To view recommendations for Lambda functions, an IAM user must have the lambda:ListFunctions and lambda:ListProvisionedConcurrencyConfigs permissions. To view current CloudWatch metrics data in the Compute Optimizer console, an IAM user must have the cloudwatch:GetMetricData permission.

If the user or group that you want to give permissions to already has a policy, you can add one of the Compute Optimizer-specific policy statements illustrated here to that policy.

Compute Optimizer and AWS Organizations trusted access

Trusted access for Compute Optimizer is automatically enabled in your organization account when you opt in using your organization's management account and include all member accounts within the organization. This allows Compute Optimizer to analyze compute resources in those member accounts, and generate recommendations for them.

Compute Optimizer verifies that trusted access is enabled in your organization account every time you access recommendations for member accounts. If you disable Compute Optimizer trusted access after you opt in, Compute Optimizer will deny access to recommendations for your organization's member accounts, and the member accounts within the organization will not be opted in to Compute Optimizer. To re-enable trusted access, opt in to Compute Optimizer again using your organization's management account and include all member accounts within the organization. For more information, see Opting in your account. For more information about AWS Organizations trusted access, see Using AWS Organizations with other AWS services in the AWS Organizations User Guide.

Policy to opt in to Compute Optimizer

The following policy statement grants access to opt in to Compute Optimizer. It grants access to create a service-linked role for Compute Optimizer, which is required to opt in. For more information, see Using Service-Linked Roles for AWS Compute Optimizer. It also grants access to update the enrollment status to the Compute Optimizer service.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "compute-optimizer.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:PutRolePolicy",
      "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
    },
    {
      "Effect": "Allow",
      "Action": "compute-optimizer:UpdateEnrollmentStatus",
      "Resource": "*"
    }
  ]
}

Policies to grant access to Compute Optimizer for standalone AWS accounts

The following policy statement grants full access to Compute Optimizer for standalone AWS accounts. For the policy statements to manage recommendation preferences, see Policies to grant access to manage Compute Optimizer recommendation preferences.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:*",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}

The following policy statement grants read-only access to Compute Optimizer for standalone AWS accounts.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "compute-optimizer:GetRecommendationSummaries",
        "compute-optimizer:GetEC2InstanceRecommendations",
        "compute-optimizer:GetEC2RecommendationProjectedMetrics",
        "compute-optimizer:GetAutoScalingGroupRecommendations",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:DescribeRecommendationExportJobs",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}

Policies to grant access to Compute Optimizer for a management account of an organization

The following policy statement grants full access to Compute Optimizer for a management account of an organization. For the policy statements to manage recommendation preferences, see Policies to grant access to manage Compute Optimizer recommendation preferences.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:*",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData",
        "organizations:ListAccounts",
        "organizations:DescribeOrganization",
        "organizations:DescribeAccount",
        "organizations:EnableAWSServiceAccess"
      ],
      "Resource": "*"
    }
  ]
}

The following policy statement grants read-only access to Compute Optimizer for a management account of an organization.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetEnrollmentStatusesForOrganization",
        "compute-optimizer:GetRecommendationSummaries",
        "compute-optimizer:GetEC2InstanceRecommendations",
        "compute-optimizer:GetEC2RecommendationProjectedMetrics",
        "compute-optimizer:GetAutoScalingGroupRecommendations",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData",
        "organizations:ListAccounts",
        "organizations:DescribeOrganization",
        "organizations:DescribeAccount"
      ],
      "Resource": "*"
    }
  ]
}

Policies to grant access to manage Compute Optimizer recommendation preferences

The following policy statements grant access to view and edit recommendation preferences, such as the enhanced infrastructure metrics paid feature. For more information, see Activating recommendation preferences.

Grant access to manage recommendation preferences for EC2 instances only

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:DeleteRecommendationPreferences",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "compute-optimizer:PutRecommendationPreferences"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "compute-optimizer:ResourceType": "Ec2Instance"
        }
      }
    }
  ]
}

Grant access to manage recommendation preferences for Auto Scaling groups only

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:DeleteRecommendationPreferences",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "compute-optimizer:PutRecommendationPreferences"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "compute-optimizer:ResourceType": "AutoScalingGroup"
        }
      }
    }
  ]
}

Policy to deny access to Compute Optimizer

The following policy statement denies access to Compute Optimizer.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "compute-optimizer:*",
      "Resource": "*"
    }
  ]
}
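The policies above combine in the usual IAM way: an explicit Deny overrides any Allow, a wildcard such as compute-optimizer:* matches every action in the service, and a StringEquals condition on compute-optimizer:ResourceType restricts the preference actions to one resource type. The following added Python example (not AWS code, and only a simplified model of IAM evaluation that ignores resource ARNs and principals) checks how sample statements from this page resolve for a given action and context, and flags any non-read action granted by a policy that is meant to be read-only. The policy dictionaries are constructed, trimmed copies of the page's statements.

```python
import fnmatch

# Constructed sample policies, trimmed from the statements on this page.
READ_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
    "compute-optimizer:GetEnrollmentStatus",
    "compute-optimizer:GetEC2InstanceRecommendations",
    "ec2:DescribeInstances"], "Resource": "*"}]}
PREFS_EC2 = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
    "compute-optimizer:PutRecommendationPreferences",
    "compute-optimizer:DeleteRecommendationPreferences"], "Resource": "*",
    "Condition": {"StringEquals": {"compute-optimizer:ResourceType": "Ec2Instance"}}}]}
DENY_ALL = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
    "Action": "compute-optimizer:*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(cond, context):
    # Only StringEquals and StringLike are modelled; every key in the block must match.
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
            if op == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, e) for e in _as_list(expected)):
                return False
    return True

def is_allowed(policies, action, context=None):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise an Allow is needed."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # "*" and "?" in an Action pattern behave as IAM wildcards.
            if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not _condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def mutating_actions(policy):
    """Allowed actions that are not Get/Describe/List: a quick review check for read-only policies."""
    acts = [a for s in policy["Statement"] if s["Effect"] == "Allow" for a in _as_list(s["Action"])]
    return sorted(a for a in acts if not a.split(":")[1].startswith(("Get", "Describe", "List")))
```

A wildcard action such as compute-optimizer:* is reported by mutating_actions because it also grants Put and Delete actions, which is exactly why the page offers a separate read-only statement.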