AWS Permissions
To integrate your Amazon Web Services (AWS) account with OpsLyft, it's important to understand the permissions requested. They fall into two groups: general permissions, and permissions specific to Cost and Usage Report (CUR) bucket access and editing. This section lists both groups and explains the role each plays in the integration.
General Permissions
| Service | Permissions requested |
|---|---|
| cloudwatch | `cloudwatch:DescribeAlarmHistory`, `cloudwatch:DescribeAlarms`, `cloudwatch:DescribeAlarmsForMetric`, `cloudwatch:GetMetricData`, `cloudwatch:GetMetricStatistics`, `cloudwatch:ListMetrics`, `cloudwatch:PutMetricData`, `cloudwatch:PutMetricAlarm` |
| athena | `dynamodb:DescribeTable`, `dynamodb:ListTables` |
| S3 | `s3:ListAllMyBuckets`, `s3:ListBucket` |
| EC2 | `ec2:Describe*`, `ec2:List*` |
| lambda | `lambda:ListFunctions` |
| RDS | `rds:Describe*` |
| Cloudfront | `cloudfront:Get*`, `cloudfront:List*` |
| Redshift | `redshift:Describe*`, `redshift:GetReservedNodeExchangeOfferings`, `redshift:View*` |
| Elasticache | `elasticache:List*`, `elasticache:Describe*` |
| Elastic Kubernetes Service (EKS) | `eks:List*`, `eks:Describe*` |
| Elastic Container Service (ECS) | `ecs:List*`, `ecs:Describe*` |
| Elasticsearch | `es:Describe*`, `es:List*` |
| Elasticloadbalancing | `elasticloadbalancing:Describe*` |
| elasticmapreduce | `elasticmapreduce:List*`, `elasticmapreduce:Describe*` |
| Sagemaker | `sagemaker:List*`, `sagemaker:Describe*` |
| ElasticBeanstalk | `elasticbeanstalk:List*`, `elasticbeanstalk:Describe*` |
| lightsail | `lightsail:GetRelationalDatabaseEvents`, `lightsail:GetRelationalDatabaseLogEvents`, `lightsail:GetRelationalDatabaseLogStreams`, `lightsail:GetLoadBalancerMetricData`, `lightsail:GetInstanceMetricData` |
| route53 | `route53:List*`, `route53domains:Check*`, `route53domains:List*`, `route53domains:View*`, `route53resolver:List*` |
| autoscaling | `autoscaling:Describe*` |
| Others | `backup:Describe*`, `backup:List*`, `batch:List*`, `batch:Describe*`, `sts:GetCallerIdentity`, `cloudtrail:LookupEvents`, `ram:Get*`, `ram:List*`, `servicequotas:Get*`, `servicequotas:List*`, `service-quotas:List*`, `service-quotas:Get*`, `servicecatalog:Describe*`, `servicecatalog:List*`, `organizations:List*`, `organizations:Describe*`, `apigateway:Get*`, `sqs:List*`, `mq:List*`, `logs:Describe*`, `logs:FilterLogEvents`, `logs:ListTagsLogGroup`, `logs:StartQuery`, `logs:TestMetricFilter`, `machinelearning:Describe*`, `acm:List*`, `glue:Get*`, `kinesis:List*`, `swf:List*`, `kms:List*`, `savingsplans:Describe*`, `savingsplans:List*`, `aws-portal:ViewPaymentMethods`, `aws-portal:ViewAccount`, `aws-portal:ViewBilling`, `aws-portal:ViewUsage`, `cur:PutReportDefinition`, `cur:DescribeReportDefinitions` |
Specific Permissions
OpsLyft offers two ways to import your CUR: importing an existing report in CSV format, or creating a new CUR. Either way, OpsLyft requests specific permissions on the S3 bucket that holds your CUR data.
CUR Bucket Access
OpsLyft requests access to the bucket where your CUR resides. If the CUR bucket does not exist yet, OpsLyft requests permission to create it. The statement associated with CUR Bucket Access is:
```json
{
  "Sid": "CURBucketAccess",
  "Effect": "Allow",
  "Action": "*",
  "Resource": [
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::opslyft-",
          { "Ref": "AWS::AccountId" },
          "-cur-bucket"
        ]
      ]
    },
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::opslyft-",
          { "Ref": "AWS::AccountId" },
          "-cur-bucket/*"
        ]
      ]
    }
  ]
}
```
Note that OpsLyft requests access not only to the bucket but also to the CUR report definition itself:
```json
{
  "Sid": "CURAccess",
  "Effect": "Allow",
  "Action": "*",
  "Resource": [
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:cur:*:",
          { "Ref": "AWS::AccountId" },
          ":/definition/opslyft-cur-report"
        ]
      ]
    }
  ]
}
```
Role Creation for Data Transfer
OpsLyft creates a new policy and attaches it to the “OpsLyftFetchUsageMetrics” role. This policy allows data to be copied from your CUR bucket (opslyft-<account-id>-cur-bucket) to OpsLyft's designated bucket (<account-id>-cur-bucket). The statement associated with this role is:
```json
{
  "Sid": "CURCopyAccess",
  "Effect": "Allow",
  "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
  "Resource": [
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::",
          { "Ref": "AWS::AccountId" },
          "-cur-bucket"
        ]
      ]
    },
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::",
          { "Ref": "AWS::AccountId" },
          "-cur-bucket/*"
        ]
      ]
    }
  ]
}
```
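The statements in the CUR Bucket Access and Role Creation sections are CloudFormation fragments whose ARNs are only assembled at deploy time. The following added example (not OpsLyft's code) resolves `Ref` and `Fn::Join` for a chosen account id and reports what each statement actually grants, so the `"Action": "*"` scope on the CUR bucket and the write actions on the copy target can be reviewed before the stack is created; the account id and the read-only verb list are assumptions made for the example.

```python
# Added example (not OpsLyft's code): resolve the statement fragments shown on
# this page into concrete ARNs and flag grants worth a reviewer's attention.
READ_ONLY_VERBS = ("Describe", "List", "Get", "View", "Lookup", "Check")  # assumed

# Constructed from the CURBucketAccess and CURCopyAccess fragments above.
STATEMENTS = [
    {"Sid": "CURBucketAccess", "Effect": "Allow", "Action": "*",
     "Resource": [
         {"Fn::Join": ["", ["arn:aws:s3:::opslyft-", {"Ref": "AWS::AccountId"}, "-cur-bucket"]]},
         {"Fn::Join": ["", ["arn:aws:s3:::opslyft-", {"Ref": "AWS::AccountId"}, "-cur-bucket/*"]]},
     ]},
    {"Sid": "CURCopyAccess", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": [
         {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "AWS::AccountId"}, "-cur-bucket"]]},
         {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "AWS::AccountId"}, "-cur-bucket/*"]]},
     ]},
]

def resolve(node, params):
    """Evaluate Ref and Fn::Join, the only intrinsic functions these fragments use."""
    if isinstance(node, dict):
        if "Ref" in node:
            return params[node["Ref"]]
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return sep.join(resolve(p, params) for p in parts)
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(x, params) for x in node]
    return node

def is_read_only(action):
    """True for Describe*/List*/Get*-style actions; '*', 'svc:*' and Put*/Delete* are not."""
    if action == "*" or action.endswith(":*"):
        return False
    return action.split(":", 1)[1].startswith(READ_ONLY_VERBS)

def review(statements, account_id):
    """Return {Sid: {"actions", "resources", "findings"}} with ARNs resolved for account_id."""
    report = {}
    for stmt in resolve(statements, {"AWS::AccountId": account_id}):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        findings = []
        if "*" in actions:
            findings.append("Action '*': every API on the listed resources, not just S3 reads")
        mutating = [a for a in actions if not is_read_only(a)]
        if mutating and "*" not in actions:
            findings.append("mutating actions: " + ", ".join(mutating))
        report[stmt["Sid"]] = {"actions": actions, "resources": stmt["Resource"], "findings": findings}
    return report
```

Running `review(STATEMENTS, "<your-account-id>")` shows the resolved `opslyft-<account-id>-cur-bucket` and `<account-id>-cur-bucket` ARNs side by side with the findings for each Sid.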