Controlling access with AWS Identity and Access Management
You can use AWS Identity and Access Management (IAM) to create identities (users, groups, or roles), and give those identities permissions to access the AWS Compute Optimizer console and APIs.
By default, IAM users don't have access to the Compute Optimizer console and APIs. You give users access by attaching IAM policies to a single user, a group of users, or a role. For more information, see Identities (Users, Groups, and Roles) and Overview of IAM Policies in the IAM User Guide.
After you create IAM users, you can give those users individual passwords. Then, they can sign in to your account and view Compute Optimizer information by using an account-specific sign-in page. For more information, see How Users Sign In to Your Account.
Important
-
To view recommendations for EC2 instances, an IAM user requires the
ec2:DescribeInstances
permission. -
To view recommendations for EBS volumes, an IAM user requires the
ec2:DescribeVolumes
permission. -
To view recommendations for Auto Scaling groups, an IAM user requires the
autoscaling:DescribeAutoScalingGroups
andautoscaling:DescribeAutoScalingInstances
permissions. -
To view recommendations for Lambda functions, an IAM user requires the
lambda:ListFunctions
andlambda:ListProvisionedConcurrencyConfigs
permissions. -
To view recommendations for Amazon ECS services on Fargate, an IAM user requires the
ecs:ListServices
andecs:ListClusters
permissions. -
To view current CloudWatch metrics data in the Compute Optimizer console, an IAM user requires the
cloudwatch:GetMetricData
permission. -
To view recommendations commercial software licenses, certain Amazon EC2 instance roles and IAM user permissions are required. For more information see, Policies to enable commercial software license recommendations.
-
To view recommendations for Amazon RDS, an IAM user requires the
rds:DescribeDBInstances
andrds:DescribeDBClusters
permissions.
If the user or group that you want to give permissions to already has a policy, you can add one of the Compute Optimizer specific policy statements illustrated here to that policy.
Contents
- Compute Optimizer and AWS Organizations trusted access
- Policy to opt in to Compute Optimizer
- Policies to grant access to Compute Optimizer for standalone AWS accounts
- Policies to grant access to Compute Optimizer for a management account of an organization
- Policies to grant access to manage Compute Optimizer recommendation preferences
- Policies to enable commercial software license recommendations
- Policy to deny access to Compute Optimizer
Compute Optimizer and AWS Organizations trusted access
When you opt in using your organization's management account and include all member accounts within the organization, trusted access for Compute Optimizer is automatically enabled in your organization account. This allows Compute Optimizer to analyze compute resources in those member accounts, and generate recommendations for them.
Every time that you access recommendations for member accounts, Compute Optimizer verifies that trusted access is enabled in your organization account. If you disable Compute Optimizer trusted access after you opt in, Compute Optimizer denies access to recommendations for your organization's member accounts. Moreover, the member accounts within the organization aren't opted in to Compute Optimizer. To re-enable trusted access, opt in to Compute Optimizer again using your organization's management account and include all the member accounts within the organization. For more information, see Opting in your account. For more information about AWS Organizations trusted access, see Using AWS Organizations with other AWS services in the AWS Organizations User Guide.
Policy to opt in to Compute Optimizer
The following policy statement grants access to opt in to Compute Optimizer. It grants access to create a service-linked role for Compute Optimizer. This role is required to opt in. For more information, see Using service-linked roles for AWS Compute Optimizer. It also grants access to update the enrollment status to the Compute Optimizer service.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*", "Condition": {"StringLike": {"iam:AWSServiceName": "compute-optimizer.amazonaws.com"}} }, { "Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer" }, { "Effect": "Allow", "Action": "compute-optimizer:UpdateEnrollmentStatus", "Resource": "*" } ] }
Policies to grant access to Compute Optimizer for standalone AWS accounts
The following policy statement grants full access to Compute Optimizer for standalone AWS accounts. For the policy statements to manage recommendation preferences, see Policies to grant access to manage Compute Optimizer recommendation preferences.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:*", "ec2:DescribeInstances", "ec2:DescribeVolumes", "ecs:ListServices", "ecs:ListClusters", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData" ], "Resource": "*" } ] }
The following policy statement grants read-only access to Compute Optimizer for standalone AWS accounts.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:GetEnrollmentStatus", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences", "compute-optimizer:GetRecommendationSummaries", "compute-optimizer:GetEC2InstanceRecommendations", "compute-optimizer:GetEC2RecommendationProjectedMetrics", "compute-optimizer:GetAutoScalingGroupRecommendations", "compute-optimizer:GetEBSVolumeRecommendations", "compute-optimizer:GetLambdaFunctionRecommendations", "compute-optimizer:DescribeRecommendationExportJobs", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences", "compute-optimizer:GetECSServiceRecommendations", "compute-optimizer:GetECSServiceRecommendationProjectedMetrics", "compute-optimizer:GetRDSDatabaseRecommendations", "compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics", "ec2:DescribeInstances", "ec2:DescribeVolumes", "ecs:ListServices", "ecs:ListClusters", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData", "rds:DescribeDBInstances", "rds:DescribeDBClusters" ], "Resource": "*" } ] }
Policies to grant access to Compute Optimizer for a management account of an organization
The following policy statement grants full access to Compute Optimizer for a management account of your organization. For the policy statements to manage recommendation preferences, see Policies to grant access to manage Compute Optimizer recommendation preferences.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:*", "ec2:DescribeInstances", "ec2:DescribeVolumes", "ecs:ListServices", "ecs:ListClusters", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData", "organizations:ListAccounts", "organizations:DescribeOrganization", "organizations:DescribeAccount", "organizations:EnableAWSServiceAccess", "organizations:ListDelegatedAdministrators", "organizations:RegisterDelegatedAdministrator", "organizations:DeregisterDelegatedAdministrator" ], "Resource": "*" } ] }
The following policy statement grants read-only access to Compute Optimizer for a management account of an organization.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:GetEnrollmentStatus", "compute-optimizer:GetEnrollmentStatusesForOrganization", "compute-optimizer:GetRecommendationSummaries", "compute-optimizer:GetEC2InstanceRecommendations", "compute-optimizer:GetEC2RecommendationProjectedMetrics", "compute-optimizer:GetAutoScalingGroupRecommendations", "compute-optimizer:GetEBSVolumeRecommendations", "compute-optimizer:GetLambdaFunctionRecommendations", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences", "compute-optimizer:GetECSServiceRecommendations", "compute-optimizer:GetECSServiceRecommendationProjectedMetrics", "compute-optimizer:GetRDSDatabaseRecommendations", "compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics", "ec2:DescribeInstances", "ec2:DescribeVolumes", "ecs:ListServices", "ecs:ListClusters", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData", "organizations:ListAccounts", "organizations:DescribeOrganization", "organizations:DescribeAccount", "organizations:ListDelegatedAdministrators", "rds:DescribeDBInstances", "rds:DescribeDBClusters" ], "Resource": "*" } ] }
Policies to grant access to manage Compute Optimizer recommendation preferences
The following policy statements grant access to view and edit recommendation preferences, such as the enhanced infrastructure metrics paid feature. For more information, see Recommendation preferences.
Grant access to manage recommendation preferences for EC2 instances only
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:DeleteRecommendationPreferences", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences", "compute-optimizer:PutRecommendationPreferences" ], "Resource": "*", "Condition" : { "StringEquals" : { "compute-optimizer:ResourceType" : "Ec2Instance" } } } ] }
Grant access to manage recommendation preferences for Auto Scaling groups only
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:DeleteRecommendationPreferences", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences", "compute-optimizer:PutRecommendationPreferences" ], "Resource": "*", "Condition" : { "StringEquals" : { "compute-optimizer:ResourceType" : "AutoScalingGroup" } } } ] }
Grant access to manage recommendation preferences for RDS instances only
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:DeleteRecommendationPreferences", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences", "compute-optimizer:PutRecommendationPreferences" ], "Resource": "*", "Condition" : { "StringEquals" : { "compute-optimizer:ResourceType" : "RdsDBInstance" } } } ] }
Policies to enable commercial software license recommendations
For Compute Optimizer to generate license recommendations, attach the following Amazon EC2 instance roles and policies.
-
The
AmazonSSMManagedInstanceCore
role to enable Systems Manager. For more information, see AWS Systems Manager identity-based policy examples in the AWS Systems Manager User Guide. -
The
CloudWatchAgentServerPolicy
policy to enable the release of instance metrics and logs to CloudWatch. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide. -
The following IAM inline policy statement to read the secret Microsoft SQL Server connection string stored in AWS Systems Manager. For more information about inline policies, see Managed policies and inline policies in the AWS Identity and Access Management User Guide.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue*" ], "Resource": "arn:aws:secretsmanager:*:*:secret:ApplicationInsights-*" } ] }
Additionally, to enable and receive license recommendations, attach the following IAM policy to your user, group or role. For more information, IAM policy in the Amazon CloudWatch User Guide.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "applicationinsights:*", "iam:CreateServiceLinkedRole", "iam:ListRoles", "resource-groups:ListGroups" ], "Effect": "Allow", "Resource": "*" } ] }
Policy to deny access to Compute Optimizer
The following policy statement denies access to Compute Optimizer.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "compute-optimizer:*", "Resource": "*" } ] }