Cloud Commitment Management AWS Policy
This policy gives Cloud Commitment Management read access to billing data through the Billing, Cost Explorer, and Cost and Usage Report APIs, and read access to the S3 bucket that holds your Cost and Usage Report. The one exception to read-only is the `S3SyncPermissions` statement, which lets the role write objects into buckets named `sc-customer-*` so the report can be synchronized; see the S3 section below.
Contact Support if you have signed a contract and need the full Cloud Commitment Management policy.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Outputs": {
"SpotFinOpsRoleArn": {
"Value": {
"Fn::GetAtt": ["SpotFinOpsRole", "Arn"]
}
}
},
"Parameters": {
"CostAndUsageBucket": {
"Type": "String",
"Description": "The name of the S3 bucket to which the *HOURLY* Cost and Usage Report is delivered (see https://console.aws.amazon.com/billing/home?#/reports)."
},
"RoleName": {
"Type": "String",
"Default": "SpotByNetApp_Finops_ReadOnly"
},
"PolicyName": {
"Type": "String",
"Default": "SpotByNetApp_Finops_ReadOnly_Policy"
}
},
"Resources": {
"SpotFinOpsManagedPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"ManagedPolicyName": { "Ref" : "PolicyName" },
"Description": "Spot by NetApp Finops ReadOnly Policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:Describe*",
"cloudformation:EstimateTemplateCost",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:ValidateTemplate",
"cloudformation:Detect*"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "ReadOnlyCloudFormation"
},
{
"Action": [
"es:ListElasticsearchInstanceTypes",
"es:DescribeReservedElasticsearchInstanceOfferings",
"es:DescribeReservedElasticsearchInstances"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "ReadOnlyElasticSearch"
},
{
"Action": [
"rds:DescribeReservedDBInstances",
"rds:DescribeDBInstances",
"rds:DescribeReservedDBInstancesOfferings",
"rds:ListTagsForResource"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "ReadOnlyRDS"
},
{
"Action": [
"redshift:DescribeReservedNodeOfferings",
"redshift:DescribeReservedNodes",
"redshift:DescribeClusters"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "ReadOnlyRedshift"
},
{
"Action": [
"elasticache:DescribeReservedCacheNodesOfferings",
"elasticache:DescribeReservedCacheNodes",
"elasticache:DescribeCacheClusters",
"elasticache:ListAllowedNodeTypeModifications",
"elasticache:ListTagsForResource"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "ReadOnlyElasticache"
},
{
"Action": [
"dynamodb:DescribeReservedCapacityOfferings",
"dynamodb:DescribeReservedCapacity"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "ReadOnlyDynamoDB"
},
{
"Action": [
"ec2:DescribeHostReservations",
"ec2:DescribeReservedInstances"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "ReadOnlyEC2"
},
{
"Action": [
"savingsplans:DescribeSavingsPlanRates",
"savingsplans:DescribeSavingsPlans",
"savingsplans:DescribeSavingsPlansOfferingRates",
"savingsplans:DescribeSavingsPlansOfferings",
"savingsplans:ListTagsForResource"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "ReadOnlySavingsPlans"
},
{
"Action": [
"account:GetAccountInformation",
"billing:GetBillingData",
"billing:GetBillingDetails",
"billing:GetBillingNotifications",
"billing:GetBillingPreferences",
"billing:GetContractInformation",
"billing:GetCredits",
"billing:GetIAMAccessPreference",
"billing:GetSellerOfRecord",
"billing:ListBillingViews",
"ce:DescribeNotificationSubscription",
"ce:DescribeReport",
"ce:GetAnomalies",
"ce:GetAnomalyMonitors",
"ce:GetAnomalySubscriptions",
"ce:GetCostAndUsage",
"ce:GetCostAndUsageWithResources",
"ce:GetCostCategories",
"ce:GetCostForecast",
"ce:GetDimensionValues",
"ce:GetPreferences",
"ce:GetReservationCoverage",
"ce:GetReservationPurchaseRecommendation",
"ce:GetReservationUtilization",
"ce:GetRightsizingRecommendation",
"ce:GetSavingsPlansCoverage",
"ce:GetSavingsPlansPurchaseRecommendation",
"ce:GetSavingsPlansUtilization",
"ce:GetSavingsPlansUtilizationDetails",
"ce:GetTags",
"ce:GetUsageForecast",
"ce:ListCostAllocationTags",
"ce:ListSavingsPlansPurchaseRecommendationGeneration",
"consolidatedbilling:GetAccountBillingRole",
"consolidatedbilling:ListLinkedAccounts",
"cur:GetClassicReport",
"cur:GetClassicReportPreferences",
"cur:ValidateReportDestination",
"freetier:GetFreeTierAlertPreference",
"freetier:GetFreeTierUsage",
"invoicing:GetInvoiceEmailDeliveryPreferences",
"invoicing:GetInvoicePDF",
"invoicing:ListInvoiceSummaries",
"payments:GetPaymentInstrument",
"payments:GetPaymentStatus",
"payments:ListPaymentPreferences",
"tax:GetTaxInheritance",
"tax:GetTaxRegistrationDocument",
"tax:ListTaxRegistrations"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "ReadOnlyViewBilling"
},
{
"Action": [
"cur:GetUsageReport",
"cur:DescribeReportDefinitions"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "ReadOnlyViewUsage"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:AbortMultipartUpload",
"s3:ListAccessPoints",
"s3:ListAccessPointsForObjectLambda",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListJobs",
"s3:ListMultiRegionAccessPoints",
"s3:ListMultipartUploadParts",
"s3:ListStorageLensConfigurations",
"s3:ListStorageLensConfigurations",
"s3:ListTagsForResource",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::sc-customer-*",
"Effect": "Allow",
"Sid": "S3SyncPermissions"
},
{
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation"
],
"Resource": [
{ "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "CostAndUsageBucket" }]]}
],
"Effect": "Allow",
"Sid": "S3CURBucket"
},
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:Describe*"
],
"Resource": [
{ "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "CostAndUsageBucket" },"/*"]]}
],
"Effect": "Allow",
"Sid": "S3CURObject"
}
]
}
}
},
"SpotFinOpsRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": ["arn:aws:iam::884866656237:root",
"arn:aws:iam::627743545735:root"]
},
"Effect": "Allow"
}
]
},
"Description" : "Spot by NetApp ReadOnly Finops IAM Role",
"ManagedPolicyArns": [
{
"Ref": "SpotFinOpsManagedPolicy"
}
],
"RoleName" : { "Ref" : "RoleName" }
}
}
}
}
Explanation of permissions in policy
CloudFormation
These read-only CloudFormation permissions (Describe/Get/List, template validation and cost estimation, and drift detection) are used during customer onboarding. Note that `cloudformation:Get*` includes `GetTemplate`, which returns the full body of any stack template in the account; if your templates embed secrets in parameters or resource properties, this role can read them. For additional onboarding information, see Connect Your AWS Account.
"cloudformation:Describe*",
"cloudformation:EstimateTemplateCost",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:ValidateTemplate",
"cloudformation:Detect*"
Elasticsearch
These permissions are required to give the Cloud Commitment Management team information about available Elasticsearch instance types and reserved instance offerings, and to view details of your existing reserved Elasticsearch instances:
"es:ListElasticsearchInstanceTypes",
"es:DescribeReservedElasticsearchInstanceOfferings",
"es:DescribeReservedElasticsearchInstances"
RDS
These permissions are required for providing the Cloud Commitment Management team with information about reserved DB instance details and available offerings:
"rds:DescribeReservedDBInstances",
"rds:DescribeDBInstances",
"rds:DescribeReservedDBInstancesOfferings",
"rds:ListTagsForResource"
Redshift
These permissions are required to provide the Cloud Commitment Management team with information about your Redshift clusters, reserved nodes, and available reserved node offerings:
"redshift:DescribeReservedNodeOfferings",
"redshift:DescribeReservedNodes",
"redshift:DescribeClusters"
ElastiCache
These permissions are required for providing the Cloud Commitment Management team with information about all ElastiCache instance details and available offerings:
"elasticache:DescribeReservedCacheNodesOfferings",
"elasticache:DescribeReservedCacheNodes",
"elasticache:DescribeCacheClusters",
"elasticache:ListAllowedNodeTypeModifications",
"elasticache:ListTagsForResource"
DynamoDB
These permissions are required for providing the Cloud Commitment Management team with information about the DynamoDB reserved capacity you own and the reserved capacity offerings available for purchase; they do not grant access to table contents or table configuration:
"dynamodb:DescribeReservedCapacityOfferings",
"dynamodb:DescribeReservedCapacity"
EC2
These permissions are required for providing the Cloud Commitment Management team with information about your EC2 Reserved Instances and Dedicated Host reservations. They do not include `ec2:DescribeInstances`, so this policy cannot enumerate running instances:
"ec2:DescribeHostReservations",
"ec2:DescribeReservedInstances"
Savings plans
These permissions are required for providing the Cloud Commitment Management team with information about savings plan details and available offerings:
"savingsplans:DescribeSavingsPlanRates",
"savingsplans:DescribeSavingsPlans",
"savingsplans:DescribeSavingsPlansOfferingRates",
"savingsplans:DescribeSavingsPlansOfferings",
"savingsplans:ListTagsForResource"
Account, billing, cost explorer, cost and usage report, invoicing, payments, and taxes
These permissions are required for providing the Cloud Commitment Management team with access to billing, cost explorer, cost and usage report, invoicing, payments, and tax details that are used to analyze spend and determine savings:
"account:GetAccountInformation",
"billing:GetBillingData",
"billing:GetBillingDetails",
"billing:GetBillingNotifications",
"billing:GetBillingPreferences",
"billing:GetContractInformation",
"billing:GetCredits",
"billing:GetIAMAccessPreference",
"billing:GetSellerOfRecord",
"billing:ListBillingViews",
"ce:DescribeNotificationSubscription",
"ce:DescribeReport",
"ce:GetAnomalies",
"ce:GetAnomalyMonitors",
"ce:GetAnomalySubscriptions",
"ce:GetCostAndUsage",
"ce:GetCostAndUsageWithResources",
"ce:GetCostCategories",
"ce:GetCostForecast",
"ce:GetDimensionValues",
"ce:GetPreferences",
"ce:GetReservationCoverage",
"ce:GetReservationPurchaseRecommendation",
"ce:GetReservationUtilization",
"ce:GetRightsizingRecommendation",
"ce:GetSavingsPlansCoverage",
"ce:GetSavingsPlansPurchaseRecommendation",
"ce:GetSavingsPlansUtilization",
"ce:GetSavingsPlansUtilizationDetails",
"ce:GetTags",
"ce:GetUsageForecast",
"ce:ListCostAllocationTags",
"ce:ListSavingsPlansPurchaseRecommendationGeneration",
"consolidatedbilling:GetAccountBillingRole",
"consolidatedbilling:ListLinkedAccounts",
"cur:GetClassicReport",
"cur:GetClassicReportPreferences",
"cur:ValidateReportDestination",
"cur:GetUsageReport",
"cur:DescribeReportDefinitions",
"freetier:GetFreeTierAlertPreference",
"freetier:GetFreeTierUsage",
"invoicing:GetInvoiceEmailDeliveryPreferences",
"invoicing:GetInvoicePDF",
"invoicing:ListInvoiceSummaries",
"payments:GetPaymentInstrument",
"payments:GetPaymentStatus",
"payments:ListPaymentPreferences",
"tax:GetTaxInheritance",
"tax:GetTaxRegistrationDocument",
"tax:ListTaxRegistrations"
S3
These permissions are required to write your AWS cost and usage report into the Cloud Commitment Management account's S3 buckets (those named `sc-customer-*`). This is the only statement in the policy that grants write (`Put`) actions, and it is scoped by bucket-name pattern rather than by a specific bucket ARN; because S3 bucket ARNs carry no account ID, the same statement would also match a bucket with that name prefix in your own account. These permissions are used to synchronize the cost and usage report and are required for the system to work. Do not remove these lines from the policy:
"s3:GetBucketLocation",
"s3:AbortMultipartUpload",
"s3:ListAccessPoints",
"s3:ListAccessPointsForObjectLambda",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListJobs",
"s3:ListMultiRegionAccessPoints",
"s3:ListMultipartUploadParts",
"s3:ListStorageLensConfigurations",
"s3:ListStorageLensConfigurations",
"s3:ListTagsForResource",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:PutObjectAcl"
IAM role
This role and its permissions are assumed by the Cloud Commitment Management production accounts (884866656237 and 627743545735), whose root principals are trusted. The trust policy contains no `sts:ExternalId` condition, so any principal in those vendor accounts that is permitted to call `sts:AssumeRole` on this role can assume it; if your organization requires an external ID to mitigate the cross-account confused-deputy risk, check with Support whether one is supported before deploying:
"SpotFinOpsRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": ["arn:aws:iam::884866656237:root",
"arn:aws:iam::627743545735:root"]
},
"Effect": "Allow"
}
]
},
"Description" : "Spot by NetApp ReadOnly Finops IAM Role",
"ManagedPolicyArns": [
{
"Ref": "SpotFinOpsManagedPolicy"
}
],
"RoleName" : { "Ref" : "RoleName" }
}
}
}
Create policy using CloudFormation
Use this template if you are creating the Cloud Commitment Management policy with CloudFormation. Note that it is considerably broader than the policy above and is not read-only: the `FullPolicy` statement grants every action in Cost Explorer, Cost and Usage Reports, Trusted Advisor, and Support (`ce:*`, `cur:*`, `trustedadvisor:*`, `support:*`), the `ServiceQuotas` statement grants `servicequotas:*`, and the role also attaches the AWS-managed `Billing` and `ServiceQuotasFullAccess` policies — which together include mutating actions such as creating or deleting CUR report definitions, requesting quota increases, and opening support cases. Also, the `S3BillingDBR` resource `arn:aws:s3:::<CostAndUsageBucket>*` has no `/` before the wildcard, so it matches any bucket whose name begins with the CUR bucket name, not only that bucket. Review these grants against your least-privilege requirements before deploying.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Outputs": {
"SpotFinOpsRoleArn": {
"Value": {
"Fn::GetAtt": ["SpotFinOpsRole", "Arn"]
}
}
},
"Parameters": {
"CostAndUsageBucket": {
"Type": "String",
"Description": "The name of the S3 bucket to which the *HOURLY* Cost and Usage Report is delivered (see https://console.aws.amazon.com/billing/home?#/reports)."
}
},
"Resources": {
"SpotFinOpsManagedPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "SC Account Policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FullPolicy",
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",
"dynamodb:List*",
"dynamodb:Describe*",
"savingsplans:List*",
"savingsplans:Describe*",
"ec2:Describe*",
"ec2:List*",
"ec2:GetHostReservationPurchasePreview",
"ec2:GetReservedInstancesExchangeQuote",
"elasticache:List*",
"elasticache:Describe*",
"es:List*",
"es:Describe*",
"cur:*",
"ce:*",
"rds:Describe*",
"rds:ListTagsForResource",
"redshift:Describe*",
"trustedadvisor:*",
"support:*",
"organizations:List*",
"organizations:Describe*"
],
"Resource": ["*"]
},
{
"Sid": "S3SyncPermissions",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:List*",
"s3:ListBucket",
"s3:PutObjectTagging",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::sc-customer-*"
},
{
"Sid": "S3BillingDBR",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:List*",
"s3:get*"
],
"Resource": [
{
"Fn::Join": [
"",
["arn:aws:s3:::", { "Ref": "CostAndUsageBucket" }, "*"]
]
},
{
"Fn::Join": [
"",
["arn:aws:s3:::", { "Ref": "CostAndUsageBucket" }, "/*"]
]
}
]
},
{
"Sid": "ServiceQuotas",
"Effect": "Allow",
"Action": "servicequotas:*",
"Resource": "*"
}
]
}
}
},
"SpotFinOpsRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"Description" :"This role is for Spot by Netapp for use with the Cloud Analyzer, Eco and other FinOps products. If you have any questions, please contact us at: eco@netapp.com",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::884866656237:root",
"arn:aws:iam::627743545735:root"
]
},
"Action": "sts:AssumeRole"
}
]
},
"ManagedPolicyArns": [
{
"Ref": "SpotFinOpsManagedPolicy"
},
"arn:aws:iam::aws:policy/job-function/Billing",
"arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess",
"arn:aws:iam::aws:policy/ServiceQuotasFullAccess"
]
}
}
}
}