Controlling Access with AWS Identity and Access Management - AWS Compute Optimizer

You can use AWS Identity and Access Management (IAM) to create identities (users, groups, or roles), and then give those identities permissions to access the AWS Compute Optimizer console and APIs.

By default, IAM users do not have access to the Compute Optimizer console and APIs. You give users access by attaching IAM policies to a single user, a group of users, or a role. For more information, see Identities (Users, Groups, and Roles) and Overview of IAM Policies in the IAM User Guide.

After you create IAM users, you can give those users individual passwords. Then, they can sign in to your account and view Compute Optimizer information by using an account-specific sign-in page. For more information, see How Users Sign In to Your Account.

Important

To view recommendations for EC2 instances, an IAM user must have the ec2:DescribeInstances permission. To view recommendations for Auto Scaling groups, an IAM user must have the autoscaling:DescribeAutoScalingGroups permission. To view current CloudWatch metrics data in the Compute Optimizer console, an IAM user must have the cloudwatch:GetMetricData permission.

If the user or group that you want to give permissions to already has a policy, you can add one of the Compute Optimizer-specific policy statements shown on this page to that policy.

Granting access for standalone AWS accounts

The following policy statement grants full access to Compute Optimizer for standalone AWS accounts.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:*",
                "ec2:DescribeInstances",
                "autoscaling:DescribeAutoScalingGroups",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        }
    ]
}

The following policy statement grants read-only access to Compute Optimizer for standalone AWS accounts.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:GetEnrollmentStatus",
                "compute-optimizer:GetRecommendationSummaries",
                "compute-optimizer:GetEC2InstanceRecommendations",
                "compute-optimizer:GetEC2RecommendationProjectedMetrics",
                "compute-optimizer:GetAutoScalingGroupRecommendations",
                "ec2:DescribeInstances",
                "autoscaling:DescribeAutoScalingGroups",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        }
    ]
}

Granting access for a master account of an organization

The following policy statement grants full access to Compute Optimizer for a master account of an organization.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:*",
                "ec2:DescribeInstances",
                "autoscaling:DescribeAutoScalingGroups",
                "cloudwatch:GetMetricData",
                "organizations:ListAccounts",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        }
    ]
}

The following policy statement grants read-only access to Compute Optimizer for a master account of an organization.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:GetEnrollmentStatus",
                "compute-optimizer:GetRecommendationSummaries",
                "compute-optimizer:GetEC2InstanceRecommendations",
                "compute-optimizer:GetEC2RecommendationProjectedMetrics",
                "compute-optimizer:GetAutoScalingGroupRecommendations",
                "ec2:DescribeInstances",
                "autoscaling:DescribeAutoScalingGroups",
                "cloudwatch:GetMetricData",
                "organizations:ListAccounts",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        }
    ]
}

Denying access

The following policy statement denies access to Compute Optimizer.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "compute-optimizer:*",
            "Resource": "*"
        }
    ]
}
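As an added example that is not part of the AWS documentation, the following Python checker models how IAM evaluates the policies on this page (an explicit Deny on a matching action overrides any Allow, and "*" in Action is a wildcard) and reports which of the prerequisite permissions from the Important note a set of attached policies fails to grant. It assumes every statement uses "Resource": "*" as the page's policies do, and it ignores Condition elements.

```python
import fnmatch
import json

# Constructed sample policies that follow the page's read-only and deny shapes.
READ_ONLY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": [
    "compute-optimizer:GetEnrollmentStatus",
    "compute-optimizer:GetRecommendationSummaries",
    "compute-optimizer:GetEC2InstanceRecommendations",
    "compute-optimizer:GetEC2RecommendationProjectedMetrics",
    "compute-optimizer:GetAutoScalingGroupRecommendations",
    "ec2:DescribeInstances",
    "autoscaling:DescribeAutoScalingGroups",
    "cloudwatch:GetMetricData"], "Resource": "*"}]}''')
DENY_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "compute-optimizer:*", "Resource": "*"}]}

# The three permissions the page's Important note requires before
# recommendations and CloudWatch metrics are visible in the console.
PREREQUISITES = ("ec2:DescribeInstances",
                 "autoscaling:DescribeAutoScalingGroups",
                 "cloudwatch:GetMetricData")

def _actions(stmt):
    """IAM allows Action to be a string or a list; normalise to a list."""
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)

def is_allowed(action, *policies):
    """Simplified IAM evaluation across all attached policies: an explicit
    Deny matching the action wins regardless of order, otherwise at least
    one Allow must match. Action names match case-insensitively with '*'
    wildcards. Resource/Condition are ignored (assumed "Resource": "*")."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                   for pat in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def missing_prerequisites(*policies):
    """Prerequisite permissions from the page that the policies do not grant."""
    return [p for p in PREREQUISITES if not is_allowed(p, *policies)]
```

Attach the Deny statement alongside the read-only policy and every compute-optimizer action is refused while the ec2, autoscaling and cloudwatch prerequisites stay granted, which is the behaviour the Denying access section relies on.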