AWS Permissions

To integrate your Amazon Web Services (AWS) account with OpsLyft, you need to understand the permissions the integration requests. They fall into two groups: general (mostly read-only) permissions used to inventory resources and usage, and specific permissions for accessing and editing the Cost and Usage Report (CUR) bucket and report definition. This section lists both groups and explains what each is used for.

General Permissions

Service                            Permissions taken
CloudWatch                         cloudwatch:DescribeAlarmHistory
                                   cloudwatch:DescribeAlarms
                                   cloudwatch:DescribeAlarmsForMetric
                                   cloudwatch:GetMetricData
                                   cloudwatch:GetMetricStatistics
                                   cloudwatch:ListMetrics
                                   cloudwatch:PutMetricData
                                   cloudwatch:PutMetricAlarm
DynamoDB                           dynamodb:DescribeTable
                                   dynamodb:ListTables
S3                                 s3:ListAllMyBuckets
                                   s3:ListBucket
EC2                                ec2:Describe*
                                   ec2:List*
Lambda                             lambda:ListFunctions
RDS                                rds:Describe*
CloudFront                         cloudfront:Get*
                                   cloudfront:List*
Redshift                           redshift:Describe*
                                   redshift:GetReservedNodeExchangeOfferings
                                   redshift:View*
ElastiCache                        elasticache:List*
                                   elasticache:Describe*
Elastic Kubernetes Service (EKS)   eks:List*
                                   eks:Describe*
Elastic Container Service (ECS)    ecs:List*
                                   ecs:Describe*
Elasticsearch                      es:Describe*
                                   es:List*
Elastic Load Balancing             elasticloadbalancing:Describe*
EMR                                elasticmapreduce:List*
                                   elasticmapreduce:Describe*
SageMaker                          sagemaker:List*
                                   sagemaker:Describe*
Elastic Beanstalk                  elasticbeanstalk:List*
                                   elasticbeanstalk:Describe*
Lightsail                          lightsail:GetRelationalDatabaseEvents
                                   lightsail:GetRelationalDatabaseLogEvents
                                   lightsail:GetRelationalDatabaseLogStreams
                                   lightsail:GetLoadBalancerMetricData
                                   lightsail:GetInstanceMetricData
Route 53                           route53:List*
                                   route53domains:Check*
                                   route53domains:List*
                                   route53domains:View*
                                   route53resolver:List*
Auto Scaling                       autoscaling:Describe*
Others                             backup:Describe*
                                   backup:List*
                                   batch:List*
                                   batch:Describe*
                                   sts:GetCallerIdentity
                                   cloudtrail:LookupEvents
                                   ram:Get*
                                   ram:List*
                                   servicequotas:Get*
                                   servicequotas:List*
                                   service-quotas:List*
                                   service-quotas:Get*
                                   servicecatalog:Describe*
                                   servicecatalog:List*
                                   organizations:List*
                                   organizations:Describe*
                                   apigateway:Get*
                                   sqs:List*
                                   mq:List*
                                   logs:Describe*
                                   logs:FilterLogEvents
                                   logs:ListTagsLogGroup
                                   logs:StartQuery
                                   logs:TestMetricFilter
                                   machinelearning:Describe*
                                   acm:List*
                                   glue:Get*
                                   kinesis:List*
                                   swf:List*
                                   kms:List*
                                   savingsplans:Describe*
                                   savingsplans:List*
                                   aws-portal:ViewPaymentMethods
                                   aws-portal:ViewAccount
                                   aws-portal:ViewBilling
                                   aws-portal:ViewUsage
                                   cur:PutReportDefinition
                                   cur:DescribeReportDefinitions

The trailing asterisk in entries such as ec2:Describe* is an IAM action wildcard: it matches every action of that service whose name starts with the given prefix. Almost all of the actions above are Describe/List/Get/View prefixes, i.e. read-only. The exceptions worth reviewing before you deploy the policy are cloudwatch:PutMetricData and cloudwatch:PutMetricAlarm (write metrics and create or modify alarms) and cur:PutReportDefinition (create or modify a Cost and Usage Report definition). Note also that the IAM service prefix for Service Quotas is servicequotas; the two service-quotas entries duplicate it under a prefix IAM does not use.

Specific Permissions

OpsLyft offers two methods to import your CUR: importing an existing report in CSV format or creating a new CUR. We request specific permissions to access the S3 bucket containing your CUR data.

CUR Bucket Access

OpsLyft requests access to the bucket where your CUR resides. If the CUR bucket does not exist, OpsLyft requests permission to create it. The statement granting CUR Bucket Access is shown below. Because it uses "Action": "*" scoped to the bucket ARNs, it is equivalent to s3:* on that bucket and its objects, which includes deleting objects and changing the bucket policy, not only reading the report; review it against your least-privilege requirements before deploying.

{
  "Sid": "CURBucketAccess",
  "Effect": "Allow",
  "Action": "*",
  "Resource": [
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::opslyft-",
          { "Ref": "AWS::AccountId" },
          "-cur-bucket"
        ]
      ]
    },
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::opslyft-",
          { "Ref": "AWS::AccountId" },
          "-cur-bucket/*"
        ]
      ]
    }
  ]
}
Note: OpsLyft requests access not only to the bucket but also to the CUR report definition itself. The "Action": "*" here is scoped to the report-definition ARN, so it covers every cur: action on the report named opslyft-cur-report (describe, modify and delete), and no other reports:

{
  "Sid": "CURAccess",
  "Effect": "Allow",
  "Action": "*",
  "Resource": [
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:cur:*:",
          { "Ref": "AWS::AccountId" },
          ":/definition/opslyft-cur-report"
        ]
      ]
    }
  ]
}

Role Creation for Data Transfer

OpsLyft creates a new policy and attaches it to the “OpsLyftFetchUsageMetrics” role, which copies data from your CUR bucket (opslyft-<account-id>-cur-bucket) to OpsLyft's designated bucket (<account-id>-cur-bucket). Reading from the source bucket is already covered by the CURBucketAccess statement above; the statement below only allows listing the destination bucket and writing objects into it (s3:PutObjectAcl is typically needed so that objects written cross-account can be handed to the bucket owner). It grants no read or delete access on the destination. The permissions associated with this role are:

{
  "Sid": "CURCopyAccess",
  "Effect": "Allow",
  "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
  "Resource": [
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::",
          { "Ref": "AWS::AccountId" },
          "-cur-bucket"
        ]
      ]
    },
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::",
          { "Ref": "AWS::AccountId" },
          "-cur-bucket/*"
        ]
      ]
    }
  ]
}
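The statements above are CloudFormation fragments, so the bucket and report ARNs only become concrete once AWS::AccountId is substituted. As an added example (not part of the OpsLyft documentation or its template), the following Python script resolves the Fn::Join and Ref intrinsics for an assumed account ID (123456789012) and then classifies every action in a statement, or in the General Permissions table, as read-only or mutating, so that "Action": "*" and the Put-style actions stand out during a least-privilege review. The sample statements and the slice of the general permission list embedded in the script are copied from this page; the helper names (resolve, audit_statement, mutating_actions) and the read-only verb list are this example's own assumptions.

```python
"""Least-privilege audit for the IAM statements on this page (added example).

Resolves the CloudFormation intrinsics used above (Fn::Join and Ref of
AWS::AccountId) into concrete ARNs, then classifies each action as read-only
or mutating so that "Action": "*" and Put/Create-style actions stand out.
The account ID and the sample inputs below are constructed for illustration.
"""
from typing import Any

# Verbs that only read state (assumed classification). Anything else
# (Put, Create, Delete, ...) or a bare "*" is reported as mutating.
READ_ONLY_VERBS = ("Describe", "List", "Get", "View", "Check", "Lookup",
                   "Filter", "Test", "StartQuery")


def resolve(node: Any, account_id: str) -> Any:
    """Evaluate Fn::Join and Ref AWS::AccountId recursively in a policy fragment."""
    if isinstance(node, dict):
        if "Fn::Join" in node:
            delimiter, parts = node["Fn::Join"]
            return delimiter.join(str(resolve(p, account_id)) for p in parts)
        if node.get("Ref") == "AWS::AccountId":
            return account_id
        return {k: resolve(v, account_id) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(x, account_id) for x in node]
    return node


def is_read_only(action: str) -> bool:
    """True for read-style actions such as ec2:Describe* or s3:ListBucket."""
    if ":" not in action:          # "*" or a malformed entry
        return False
    _service, verb = action.split(":", 1)
    return verb != "*" and verb.startswith(READ_ONLY_VERBS)


def mutating_actions(actions: list[str]) -> list[str]:
    """Subset of actions that are not read-only, in input order."""
    return [a for a in actions if not is_read_only(a)]


def audit_statement(stmt: dict, account_id: str) -> dict:
    """Resolve one statement's ARNs and flag wildcard or mutating actions."""
    resolved = resolve(stmt, account_id)
    actions = resolved["Action"]
    actions = [actions] if isinstance(actions, str) else list(actions)
    resources = resolved["Resource"]
    resources = [resources] if isinstance(resources, str) else list(resources)
    return {
        "sid": resolved.get("Sid"),
        "resources": resources,
        "wildcard_action": any(a == "*" or a.endswith(":*") for a in actions),
        "mutating": mutating_actions(actions),
    }


# Constructed sample: a slice of the General Permissions table above.
GENERAL_SAMPLE = [
    "cloudwatch:GetMetricData", "cloudwatch:PutMetricData",
    "cloudwatch:PutMetricAlarm", "ec2:Describe*", "s3:ListBucket",
    "sts:GetCallerIdentity", "cur:DescribeReportDefinitions",
    "cur:PutReportDefinition",
]


def _join(*parts: Any) -> dict:
    """Build a CloudFormation Fn::Join with an empty delimiter."""
    return {"Fn::Join": ["", list(parts)]}


ACCOUNT = {"Ref": "AWS::AccountId"}

# Constructed samples: the CURBucketAccess and CURCopyAccess statements as shown on this page.
CUR_BUCKET_ACCESS = {
    "Sid": "CURBucketAccess", "Effect": "Allow", "Action": "*",
    "Resource": [_join("arn:aws:s3:::opslyft-", ACCOUNT, "-cur-bucket"),
                 _join("arn:aws:s3:::opslyft-", ACCOUNT, "-cur-bucket/*")],
}
CUR_COPY_ACCESS = {
    "Sid": "CURCopyAccess", "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
    "Resource": [_join("arn:aws:s3:::", ACCOUNT, "-cur-bucket"),
                 _join("arn:aws:s3:::", ACCOUNT, "-cur-bucket/*")],
}

if __name__ == "__main__":
    print("write actions in general set:", mutating_actions(GENERAL_SAMPLE))
    for stmt in (CUR_BUCKET_ACCESS, CUR_COPY_ACCESS):
        print(audit_statement(stmt, "123456789012"))  # assumed account ID
```

Run against the two statements, the script reports CURBucketAccess as a wildcard-action statement on the two resolved bucket ARNs and CURCopyAccess as a non-wildcard statement whose only mutating actions are s3:PutObject and s3:PutObjectAcl; on the general set it surfaces exactly the three Put actions called out earlier. Feed it the full template (for example after json.load on the CloudFormation file) to get the same report for every statement before you deploy the stack.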