Controlling access with Amazon Identity and Access Management
You can use Amazon Identity and Access Management (IAM) to create identities (users, groups, or roles), and give those identities permissions to access the Amazon Compute Optimizer console and APIs.
By default, IAM users don't have access to the Compute Optimizer console and APIs. You give users access by attaching IAM policies to a single user, a group of users, or a role. For more information, see Identities (Users, Groups, and Roles) and Overview of IAM Policies in the IAM User Guide.
After you create IAM users, you can give those users individual passwords. Then, they can sign in to your account and view Compute Optimizer information by using an account-specific sign-in page. For more information, see How Users Sign In to Your Account.
Important
-
To view recommendations for EC2 instances, an IAM user requires the
ec2:DescribeInstancespermission. -
To view recommendations for EBS volumes, an IAM user requires the
ec2:DescribeVolumespermission. -
To view recommendations for Auto Scaling groups, an IAM user requires the
autoscaling:DescribeAutoScalingGroupsandautoscaling:DescribeAutoScalingInstancespermissions. -
To view recommendations for Lambda functions, an IAM user requires the
lambda:ListFunctionsandlambda:ListProvisionedConcurrencyConfigspermissions. -
To view recommendations for Amazon ECS services on Fargate, an IAM user requires the
ecs:ListServicesandecs:ListClusterspermissions. -
To view current CloudWatch metrics data in the Compute Optimizer console, an IAM user requires the
cloudwatch:GetMetricDatapermission. -
To view recommendations commercial software licenses, certain Amazon EC2 instance roles and IAM user permissions are required. For more information see, Policies to enable commercial software license recommendations.
If the user or group that you want to give permissions to already has a policy, you can add one of the Compute Optimizer specific policy statements illustrated here to that policy.
Contents
- Compute Optimizer and Amazon Organizations trusted access
- Policy to opt in to Compute Optimizer
- Policies to grant access to Compute Optimizer for standalone Amazon accounts
- Policies to grant access to Compute Optimizer for a management account of an organization
- Policies to grant access to manage Compute Optimizer recommendation preferences
- Policies to enable commercial software license recommendations
- Policy to deny access to Compute Optimizer
Compute Optimizer and Amazon Organizations trusted access
When you opt in using your organization's management account and include all member accounts within the organization, trusted access for Compute Optimizer is automatically enabled in your organization account. This allows Compute Optimizer to analyze compute resources in those member accounts, and generate recommendations for them.
Every time that you access recommendations for member accounts, Compute Optimizer verifies that trusted access is enabled in your organization account. If you disable Compute Optimizer trusted access after you opt in, Compute Optimizer denies access to recommendations for your organization's member accounts. Moreover, the member accounts within the organization aren't opted in to Compute Optimizer. To re-enable trusted access, opt in to Compute Optimizer again using your organization's management account and include all the member accounts within the organization. For more information, see Opting in your account. For more information about Amazon Organizations trusted access, see Using Amazon Organizations with other Amazon services in the Amazon Organizations User Guide.
Policy to opt in to Compute Optimizer
The following policy statement grants access to opt in to Compute Optimizer. It grants access to create a service-linked role for Compute Optimizer. This role is required to opt in. For more information, see Using Service-Linked Roles for Amazon Compute Optimizer. It also grants access to update the enrollment status to the Compute Optimizer service.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*", "Condition": {"StringLike": {"iam:AWSServiceName": "compute-optimizer.amazonaws.com"}} }, { "Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer" }, { "Effect": "Allow", "Action": "compute-optimizer:UpdateEnrollmentStatus", "Resource": "*" }, { "Effect": "Allow", "Action": "organizations:DescribeOrganization", "Resource": "*" } ] }
Policies to grant access to Compute Optimizer for standalone Amazon accounts
The following policy statement grants full access to Compute Optimizer for standalone Amazon Web Services accounts. For the policy statements to manage recommendation preferences, see Policies to grant access to manage Compute Optimizer recommendation preferences.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:*", "ec2:DescribeInstances", "ec2:DescribeVolumes", "ecs:ListServices", "ecs:ListClusters", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData" ], "Resource": "*" } ] }
The following policy statement grants read-only access to Compute Optimizer for standalone Amazon Web Services accounts.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:GetEnrollmentStatus", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences", "compute-optimizer:GetRecommendationSummaries", "compute-optimizer:GetEC2InstanceRecommendations", "compute-optimizer:GetEC2RecommendationProjectedMetrics", "compute-optimizer:GetAutoScalingGroupRecommendations", "compute-optimizer:GetEBSVolumeRecommendations", "compute-optimizer:GetLambdaFunctionRecommendations", "compute-optimizer:DescribeRecommendationExportJobs", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences", "compute-optimizer:GetECSServiceRecommendations", "compute-optimizer:GetECSServiceRecommendationProjectedMetrics", "ec2:DescribeInstances", "ec2:DescribeVolumes", "ecs:ListServices", "ecs:ListClusters", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData" ], "Resource": "*" } ] }
Policies to grant access to Compute Optimizer for a management account of an organization
The following policy statement grants full access to Compute Optimizer for a management account of your organization. For the policy statements to manage recommendation preferences, see Policies to grant access to manage Compute Optimizer recommendation preferences.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:*", "ec2:DescribeInstances", "ec2:DescribeVolumes", "ecs:ListServices", "ecs:ListClusters", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData", "organizations:ListAccounts", "organizations:DescribeOrganization", "organizations:DescribeAccount", "organizations:EnableAWSServiceAccess", "organizations:ListDelegatedAdministrators", "organizations:RegisterDelegatedAdministrator", "organizations:DeregisterDelegatedAdministrator" ], "Resource": "*" } ] }
The following policy statement grants read-only access to Compute Optimizer for a management account of an organization.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:GetEnrollmentStatus", "compute-optimizer:GetEnrollmentStatusesForOrganization", "compute-optimizer:GetRecommendationSummaries", "compute-optimizer:GetEC2InstanceRecommendations", "compute-optimizer:GetEC2RecommendationProjectedMetrics", "compute-optimizer:GetAutoScalingGroupRecommendations", "compute-optimizer:GetEBSVolumeRecommendations", "compute-optimizer:GetLambdaFunctionRecommendations", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences", "compute-optimizer:GetECSServiceRecommendations", "compute-optimizer:GetECSServiceRecommendationProjectedMetrics", "ec2:DescribeInstances", "ec2:DescribeVolumes", "ecs:ListServices", "ecs:ListClusters", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData", "organizations:ListAccounts", "organizations:DescribeOrganization", "organizations:DescribeAccount", "organizations:ListDelegatedAdministrators" ], "Resource": "*" } ] }
Policies to grant access to manage Compute Optimizer recommendation preferences
The following policy statements grant access to view and edit recommendation preferences, such as the enhanced infrastructure metrics paid feature. For more information, see Recommendation preferences.
Grant access to manage recommendation preferences for EC2 instances only
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:DeleteRecommendationPreferences", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences", "compute-optimizer:PutRecommendationPreferences" ], "Resource": "*", "Condition" : { "StringEquals" : { "compute-optimizer:ResourceType" : "Ec2Instance" } } } ] }
Grant access to manage recommendation preferences for Auto Scaling groups only
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "compute-optimizer:DeleteRecommendationPreferences", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences", "compute-optimizer:PutRecommendationPreferences" ], "Resource": "*", "Condition" : { "StringEquals" : { "compute-optimizer:ResourceType" : "AutoScalingGroup" } } } ] }
Policies to enable commercial software license recommendations
For Compute Optimizer to generate license recommendations, attach the following Amazon EC2 instance roles and policies.
-
The
AmazonSSMManagedInstanceCorerole to enable Systems Manager. For more information, see Amazon Systems Manager identity-based policy examples in the Amazon Systems Manager User Guide. -
The
CloudWatchAgentServerPolicypolicy to enable the release of instance metrics and logs to CloudWatch. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide. -
The following IAM inline policy statement to read the secret Microsoft SQL Server connection string stored in Amazon Systems Manager. For more information about inline policies, see Managed policies and inline policies in the Amazon Identity and Access Management User Guide.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue*" ], "Resource": "arn:aws:secretsmanager:*:*:secret:ApplicationInsights-*" } ] }
Additionally, to enable and receive license recommendations, attach the following IAM policy to your user, group or role. For more information, IAM policy in the Amazon CloudWatch User Guide.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "applicationinsights:*", "iam:CreateServiceLinkedRole", "iam:ListRoles", "resource-groups:ListGroups" ], "Effect": "Allow", "Resource": "*" } ] }
Policy to deny access to Compute Optimizer
The following policy statement denies access to Compute Optimizer.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "compute-optimizer:*", "Resource": "*" } ] }