AWS Permissions
To ensure a seamless integration of your Amazon Web Services (AWS) account with OpsLyft, it's crucial to understand the permissions required. AWS permissions can be broadly categorized into general permissions and permissions specific to Cost and Usage Reports (CUR) Bucket Access and Editing. This section outlines these permissions, providing clarity on their role in the integration process.
General Permissions
| Service | Permissions taken |
|---|---|
| cloudwatch | cloudwatch:DescribeAlarmHistory, cloudwatch:DescribeAlarms, cloudwatch:DescribeAlarmsForMetric, cloudwatch:GetMetricData, cloudwatch:GetMetricStatistics, cloudwatch:ListMetrics |
| AWS Portal (Billing and Usage) | aws-portal:ViewPaymentMethods, aws-portal:ViewAccount, aws-portal:ViewBilling, aws-portal:ViewUsage, cur:PutReportDefinition |
| Cost Explorer & Billing | ce:*, pricing:*, budgets:Describe* |
| Tagging Services | tag:GetTagKeys, tag:GetTagValues, tag:GetResources |
| S3 (Specific CUR bucket access) | s3:ListBucket, s3:PutObject, s3:PutObjectAcl |
| DynamoDB | dynamodb:DescribeTable, dynamodb:ListTables |
| S3 (General) | s3:ListAllMyBuckets, s3:ListBucket |
| EC2 | ec2:Describe*, ec2:List* |
| lambda | lambda:ListFunctions |
| RDS | rds:Describe* |
| Cloudfront | cloudfront:Get*, cloudfront:List* |
| Redshift | redshift:Describe*, redshift:GetReservedNodeExchangeOfferings, redshift:View* |
| Elasticache | elasticache:List*, elasticache:Describe* |
| Elastic Kubernetes Service (EKS) | eks:List*, eks:Describe* |
| Elastic Container Service (ECS) | ecs:List*, ecs:Describe* |
| Elasticsearch | es:Describe*, es:List* |
| Elasticloadbalancing | elasticloadbalancing:Describe* |
| elasticmapreduce | elasticmapreduce:List*, elasticmapreduce:Describe* |
| Sagemaker | sagemaker:List*, sagemaker:Describe* |
| ElasticBeanstalk | elasticbeanstalk:List*, elasticbeanstalk:Describe* |
| DataPipeline | datapipeline:List*, datapipeline:Describe* |
| lightsail | lightsail:GetRelationalDatabaseEvents, lightsail:GetRelationalDatabaseLogEvents, lightsail:GetRelationalDatabaseLogStreams, lightsail:GetLoadBalancerMetricData, lightsail:GetInstanceMetricData |
| route53 | route53:List*, route53domains:Check*, route53domains:List*, route53domains:View*, route53resolver:List* |
| autoscaling | autoscaling:Describe* |
| SNS | sns:GetTopicAttributes, sns:ListSubscriptionsByTopic |
| EventBridge | events:DescribeRule, events:ListTargetsByRule |
| Others | backup:Describe*, backup:List*, batch:List*, batch:Describe*, sts:GetCallerIdentity, cloudtrail:LookupEvents, ram:Get*, ram:List*, servicequotas:Get*, servicequotas:List*, service-quotas:List*, service-quotas:Get*, servicecatalog:Describe*, servicecatalog:List*, organizations:List*, organizations:Describe*, apigateway:GET, sqs:List*, mq:List*, logs:Describe*, logs:FilterLogEvents, logs:ListTagsLogGroup, logs:StartQuery, logs:TestMetricFilter, machinelearning:Describe*, acm:List*, glue:Get*, kinesis:List*, swf:List*, kms:List*, savingsplans:Describe*, savingsplans:List* |
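Before granting the table above, most teams want to know which of the requested actions can only read state and which can change it. The script below is an added example (not OpsLyft's tooling): it takes the action list transcribed from the table and sorts each action by its verb. Verbs such as Describe, List, Get and View are treated as read-only; a bare `*` verb (ce:*, pricing:*) is reported as a service-wide wildcard; anything else is reported for manual review against the AWS service authorization reference rather than assumed to be a write. The verb list is the example's own heuristic, not an AWS classification.

```python
"""Sort the IAM actions OpsLyft requests into read-only, wildcard and
review buckets.  Added example; the action list is transcribed from the
table on this page and the verb heuristic is this example's own."""

# Transcribed from the "General Permissions" table above (constructed input).
REQUESTED_ACTIONS = """
cloudwatch:DescribeAlarmHistory cloudwatch:DescribeAlarms cloudwatch:DescribeAlarmsForMetric
cloudwatch:GetMetricData cloudwatch:GetMetricStatistics cloudwatch:ListMetrics
aws-portal:ViewPaymentMethods aws-portal:ViewAccount aws-portal:ViewBilling aws-portal:ViewUsage
cur:PutReportDefinition ce:* pricing:* budgets:Describe*
tag:GetTagKeys tag:GetTagValues tag:GetResources
s3:ListBucket s3:PutObject s3:PutObjectAcl dynamodb:DescribeTable dynamodb:ListTables
s3:ListAllMyBuckets s3:ListBucket ec2:Describe* ec2:List* lambda:ListFunctions rds:Describe*
cloudfront:Get* cloudfront:List* redshift:Describe* redshift:GetReservedNodeExchangeOfferings
redshift:View* elasticache:List* elasticache:Describe* eks:List* eks:Describe* ecs:List*
ecs:Describe* es:Describe* es:List* elasticloadbalancing:Describe* elasticmapreduce:List*
elasticmapreduce:Describe* sagemaker:List* sagemaker:Describe* elasticbeanstalk:List*
elasticbeanstalk:Describe* datapipeline:List* datapipeline:Describe*
lightsail:GetRelationalDatabaseEvents lightsail:GetRelationalDatabaseLogEvents
lightsail:GetRelationalDatabaseLogStreams lightsail:GetLoadBalancerMetricData
lightsail:GetInstanceMetricData route53:List* route53domains:Check* route53domains:List*
route53domains:View* route53resolver:List* autoscaling:Describe* sns:GetTopicAttributes
sns:ListSubscriptionsByTopic events:DescribeRule events:ListTargetsByRule
backup:Describe* backup:List* batch:List* batch:Describe* sts:GetCallerIdentity
cloudtrail:LookupEvents ram:Get* ram:List* servicequotas:Get* servicequotas:List*
service-quotas:List* service-quotas:Get* servicecatalog:Describe* servicecatalog:List*
organizations:List* organizations:Describe* apigateway:GET sqs:List* mq:List* logs:Describe*
logs:FilterLogEvents logs:ListTagsLogGroup logs:StartQuery logs:TestMetricFilter
machinelearning:Describe* acm:List* glue:Get* kinesis:List* swf:List* kms:List*
savingsplans:Describe* savingsplans:List*
""".split()

# Verb prefixes this example treats as read-only.  "GET" covers apigateway:GET,
# which uses the HTTP method as its verb.  Heuristic, not an AWS classification.
READ_ONLY_VERBS = ("Describe", "List", "Get", "View", "Check", "Lookup", "Filter", "GET")


def classify(action):
    """Return 'read', 'wildcard' (service:*) or 'review' for one IAM action string."""
    service, sep, verb = action.partition(":")
    if not sep or not verb:
        raise ValueError(f"malformed action: {action!r}")
    if verb == "*":
        return "wildcard"
    if verb.startswith(READ_ONLY_VERBS):
        return "read"
    return "review"


def summarize(actions):
    """Group a list of actions by classification; duplicates (s3:ListBucket) collapse."""
    buckets = {"read": set(), "wildcard": set(), "review": set()}
    for action in actions:
        buckets[classify(action)].add(action)
    return {name: sorted(members) for name, members in buckets.items()}


if __name__ == "__main__":
    summary = summarize(REQUESTED_ACTIONS)
    for name in ("wildcard", "review"):
        print(f"{name}: {', '.join(summary[name])}")
    print(f"read-only actions: {len(summary['read'])}")
```

Run it and the `wildcard` and `review` lines are the ones to take to a policy review: the wildcards (ce:*, pricing:*) and the Put actions on the CUR bucket and report definition are the only grants in the table that go beyond reading state by name; StartQuery and TestMetricFilter land in `review` only because their verbs are not on the heuristic list.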
Specific Permissions
OpsLyft offers two methods to import your CUR: importing an existing report in CSV format or creating a new CUR. We request specific permissions to access the S3 bucket containing your CUR data.
CUR Bucket Access
For seamless integration, OpsLyft requests access to the bucket where your CUR resides. If the CUR bucket doesn't exist, OpsLyft seeks permission to create it. Because the statement uses "Action": "*", it grants every S3 API action on the bucket and on every object under it. The permissions associated with CUR Bucket Access include:
```json
{
  "Sid": "CURBucketAccess",
  "Effect": "Allow",
  "Action": "*",
  "Resource": [
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::opslyft-",
          { "Ref": "AWS::AccountId" },
          "-cur-bucket"
        ]
      ]
    },
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::opslyft-",
          { "Ref": "AWS::AccountId" },
          "-cur-bucket/*"
        ]
      ]
    }
  ]
}
```
Note that OpsLyft requests access not only to the bucket but also to the CUR report definition itself, again with "Action": "*":
```json
{
  "Sid": "CURAccess",
  "Effect": "Allow",
  "Action": "*",
  "Resource": [
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:cur:*:",
          { "Ref": "AWS::AccountId" },
          ":/definition/opslyft-cur-report"
        ]
      ]
    }
  ]
}
```
Role Creation for Data Transfer
OpsLyft creates a new policy and attaches it to the "OpsLyftFetchUsageMetrics" role, which copies and transfers data from your CUR bucket (opslyft-<account-id>-cur-bucket) to OpsLyft's designated bucket (<account-id>-cur-bucket). Unlike the two statements above, this one is limited to three named S3 actions. The permissions associated with this role include:
```json
{
  "Sid": "CURCopyAccess",
  "Effect": "Allow",
  "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
  "Resource": [
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::",
          { "Ref": "AWS::AccountId" },
          "-cur-bucket"
        ]
      ]
    },
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::",
          { "Ref": "AWS::AccountId" },
          "-cur-bucket/*"
        ]
      ]
    }
  ]
}
```
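The three statements on this page (CURBucketAccess, CURAccess and CURCopyAccess) are CloudFormation fragments, so the ARNs they grant are only visible once Fn::Join and Ref are resolved. The script below is an added example, not OpsLyft's code: it renders the statements for a given account id and then reports any statement whose Action or Resource is a bare "*", which is the check a reviewer wants before the stack is deployed. The statements are transcribed from this page; the account id 123456789012 and the surrounding policy "Version" wrapper are constructed for the example.

```python
"""Render the CloudFormation policy statements from this page for one
account and flag bare-wildcard grants.  Added example, not OpsLyft's code;
statements transcribed from the page, account id is a made-up value."""
import json

# Transcribed from the CURBucketAccess, CURAccess and CURCopyAccess statements above.
STATEMENTS = [
    {"Sid": "CURBucketAccess", "Effect": "Allow", "Action": "*",
     "Resource": [
         {"Fn::Join": ["", ["arn:aws:s3:::opslyft-", {"Ref": "AWS::AccountId"}, "-cur-bucket"]]},
         {"Fn::Join": ["", ["arn:aws:s3:::opslyft-", {"Ref": "AWS::AccountId"}, "-cur-bucket/*"]]},
     ]},
    {"Sid": "CURAccess", "Effect": "Allow", "Action": "*",
     "Resource": [
         {"Fn::Join": ["", ["arn:aws:cur:*:", {"Ref": "AWS::AccountId"},
                            ":/definition/opslyft-cur-report"]]},
     ]},
    {"Sid": "CURCopyAccess", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": [
         {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "AWS::AccountId"}, "-cur-bucket"]]},
         {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "AWS::AccountId"}, "-cur-bucket/*"]]},
     ]},
]


def render(node, params):
    """Recursively replace {"Ref": name} and {"Fn::Join": [sep, parts]} with strings.

    Only the two intrinsics used on this page are handled; any other
    single-key dict is copied through unchanged."""
    if isinstance(node, dict):
        if len(node) == 1 and "Ref" in node:
            return params[node["Ref"]]          # KeyError if a Ref is unknown: fail loudly
        if len(node) == 1 and "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return sep.join(render(p, params) for p in parts)
        return {k: render(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [render(v, params) for v in node]
    return node


def render_policy(statements, account_id):
    """Produce a plain IAM policy document for the given account id."""
    rendered = render(statements, {"AWS::AccountId": account_id})
    return {"Version": "2012-10-17", "Statement": rendered}


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return (Sid, reason) pairs for statements with a bare '*' Action or Resource."""
    findings = []
    for stmt in policy["Statement"]:
        actions = as_list(stmt["Action"])
        resources = as_list(stmt["Resource"])
        if "*" in actions:
            findings.append((stmt["Sid"], "Action is '*': every API action on " + ", ".join(resources)))
        if "*" in resources:
            findings.append((stmt["Sid"], "Resource is '*': applies to every resource"))
    return findings


if __name__ == "__main__":
    policy = render_policy(STATEMENTS, "123456789012")   # constructed account id
    print(json.dumps(policy, indent=2))
    for sid, reason in audit(policy):
        print(f"[{sid}] {reason}")
```

With the statements as written, the audit reports CURBucketAccess and CURAccess and stays silent on CURCopyAccess, which matches the text: the first two grant every action on their ARNs, the third lists three S3 actions explicitly. Swapping a real account id into `render_policy` gives the exact ARNs to compare against the bucket and report names in your account.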