Reference: AWS permissions

Edit online

The IAM identities that you set up in AWS must specify the permissions that Turbonomic needs to discover, monitor, and optimize your AWS workloads.

Minimum permissions - workload monitoring

The following minimum permissions are required to monitor AWS workloads.

Turbonomic functionality	Required permissions
Discovery of AWS organization	`organizations:DescribeOrganization` Discovers information (Organization ID, management account ID) about the organization that the current account is in. This permission is required for targets that need to access management and member accounts. `organizations:ListAccounts` Discovers all the accounts that belong to the current organization. Details such as account ID, name, status are read. This permission is only required for targets that need to access a management account. `organizations:ListTagsForResource` Discovers tag key-value pairs associated with all the accounts in the organization. This permission is only required for targets that need to access a management account.
Discovery of IAM identities (IAM user and/or IAM role)	`iam:GetUser` Queries details about the IAM user ARN. This permission reads the account ID to detect whether the current account is a management or a member account. `sts:AssumeRole` Allows a user to assume an IAM role and get temporary access credentials, which are then used to make AWS API calls. This permission is only required for targets that need to access a management account.
Discovery of regions and availability zones	`ec2:DescribeAvailabilityZones` Retrieves information (logical zone name `us-west-2a` and physical zone ID `usw2-az1`) about availability zones for all accessible regions `ec2:DescribeRegions` Discovers the names of accessible EC2 regions
Discovery of metrics for various entities	`cloudwatch:GetMetricData` Collects metrics for certain entity types, such as RDS database servers and Redshift data warehouses `cloudwatch:GetMetricStatistics` Collects metrics (CPU utilization) for VMs and volumes based on specific namespace and dimensions `cloudwatch:ListMetrics` Queries metadata (names, namespaces, dimensions) about metrics that need to be collected for entities `cloudwatch:ListTagsForResource` Retrieves tag key/value pairs associated with certain CloudWatch resources `pi:GetResourceMetrics` If Performance Insights (PI) is enabled for RDS database servers, collects PI-related metrics, such as DB cache hit rate `pi:ListAvailableResourceMetrics` Queries metadata about RDS metrics that are available for query
Discovery of EC2 VMs and instances	`ec2:DescribeAddresses` Discovers available Elastic IP addresses and their association to VM instances, including information about public and private IP addresses and network interfaces `ec2:DescribeImages` Discovers information about images used when creating VMs. This information is then used to detect the guest OS running on the VMs. `ec2:DescribeInstanceTypeOfferings` Detects VM instance types that are available in each zone. This information is later used to create policies that prevent VMs from incorrectly scaling to instance types that their zones do not support. `ec2:DescribeInstances` Discovers EC2 instance information, such as power state, instance ID, zone, and platform `ec2:DescribeInstanceTypes` Discovers information about VM instances that are running accelerator (GPU) cards, including information about accelerator cards, such as card name, card count, card memory, and manufacturer. This information is later used to generate correct scaling recommendations for VMs running accelerator cards. `ec2:DescribeInstanceAttribute` Discovers VM instances that enable the 'stop protection' feature. For these VM instances, action execution is blocked in Turbonomic and can be unblocked by disabling the 'stop protection' feature in the AWS console or CLI. `ec2:DescribeSpotInstanceRequests` Discovers product description about EC2 Spot VM instances `ec2:DescribeSpotPriceHistory` Retrieves current Spot prices for EC2 Spot VM instances
Discovery of EC2 Auto Scaling groups	`autoscaling:DescribeAutoScalingGroups` Queries information about available Auto Scaling groups Note: This permission is also required when parking EKS clusters. The permission is used to verify that the updated capacities for an EKS cluster were applied. `autoscaling:DescribeTags` Gets information about tags associated with Auto Scaling groups `autoscaling:DescribeLaunchConfigurations` Gets information about available EC2 Auto Scaling group launch configurations, such as name and instance type. AWS recommends using launch templates instead of launch configurations. `ec2:DescribeLaunchTemplateVersions` Discovers the latest and default launch template version details (ID, instance type) for Auto Scaling groups
Discovery of EKS clusters	`eks:ListClusters` Discovers information about EKS clusters for an account `eks:DescribeCluster` Discovers detailed configuration and status information for a specific EKS cluster `eks:ListNodegroups` Discovers information about node groups associated with an EKS cluster `eks:DescribeNodegroup` Discovers detailed configuration and status information for a specific EKS node group
Discovery of EBS volumes	`ec2:DescribeVolumes` Discovers information (ID, type, tags, size) about EBS volumes `ec2:DescribeVolumeStatus` Checks the status of a volume when executing volume scale actions `ec2:DescribeVolumesModifications` Discovers the volume's last modification time and current state
Lookup of EBS volume attachment history	`cloudtrail:LookupEvents` Retrieves volume-related historical events from CloudTrail (such as attach, detach, and modify) during initial target registration. This information is used to correctly generate delete actions for unattached volumes.
Discovery of RDS database servers	`rds:DescribeDBClusters` Discovers information about supported RDS DB clusters `rds:DescribeDBInstances` Discovers information about supported RDS DB instances `rds:DescribeDBParameters` Discovers information about parameters for an RDS DB parameter group `rds:DescribeOrderableDBInstanceOptions` Discovers information about orderable DB instance options for a DB engine type `rds:DescribeReservedDBInstances` Discovers information (ID, class, duration, offering type) about Reserved Instances for RDS DB instances purchased under an account `rds:ListTagsForResource` Discovers information about tag key-value pairs associated with RDS resources
Discovery of Aurora DB clusters	`rds:DescribeGlobalClusters` Discovers information about Aurora global database clusters `rds:DescribeBlueGreenDeployments` Discovers information about Aurora blue/green deployments and their configuration states
Discovery of Redshift data warehouses	`redshift:DescribeClusters` Discovers information (ID, node type, status) about Redshift provisioned clusters `redshift:DescribeTags` Discovers tag key-value pairs associated with Redshift resources
Discovery of Reserved Instances	`ec2:DescribeReservedInstances` Discovers information (ID, instance type, tenancy, scope) about EC2 and RDS Reserved Instances that were purchased for the AWS account `ec2:DescribeReservedInstancesModifications` Discovers some information about modifications made to the purchased Reserved Instances
Discovery of Savings Plans	`savingsplans:DescribeSavingsPlans` Discovers information (commitment, EC2 instance family, offering ID) about available Savings Plans `savingsplans:DescribeSavingsPlansOfferingRates` Discovers information about offering rates for specified Savings Plans `ce:GetReservationUtilization` Discovers information (utilization percentage, purchased hours, actual hours) about reserved instance utilization using Cost Explorer API. This permission is only required for management and billing account targets. `ce:GetSavingsPlansUtilizationDetails` Discovers attributes and aggregates utilization and savings data for available Savings Plans during the billing time period. This permission is only required for management and billing account targets.
Discovery of pricing information	`pricing:DescribeServices` Discovers the list of services from AWS Pricing API endpoint. This permission is only required for targets that need to access a management account. `pricing:GetAttributeValues` Discovers values of service name attribute for each service previously discovered by AWS Pricing API. This permission is only required for targets that need to access a management account.
Discovery of spot pricing history	`ec2:DescribeAccountAttributes` Detects if current account is of EC2 Classic type. This permission is required for some filtering operations that are needed to query Spot pricing history.
Access to S3 bucket	`s3:GetBucketAcl` Retrieves Access Control List (ACL) for an S3 bucket. ACL contains the list of permissions granted to AWS accounts for that bucket. This permission checks whether the S3 bucket associated with the AWS Cloud Billing account is accessible. This permission is only required for targets that need to access a management account. `s3:GetObject` Downloads files from S3 bucket. For example the cost export JSON file. This permission is only required for targets that need to access a management account.

Minimum permissions - action execution

The following permissions are required to execute actions for AWS workloads.

Turbonomic functionality	Required permissions
Execution of actions for EC2 VMs	`ec2:ModifyInstanceAttribute` Changes the VM instance type attribute as part of the VM scale action execution `ec2:StopInstances` Stops VM instances before scale action execution if they are currently running `ec2:StartInstances` Starts VM instances after scale action execution if they were previously running
Execution of actions for EC2 Auto Scaling groups and individual VMs in a group	`autoscaling:CreateLaunchConfiguration` Creates a new launch configuration with the new VM instance type as part of executing scale actions for VMs in Auto Scaling groups. Note that AWS encourages using launch templates instead of launch configuration for Auto Scaling groups. `autoscaling:DeleteLaunchConfiguration` Deletes the old launch configuration once a new one has been successfully created with the new VM instance type as part of executing scale actions for VMs in Auto Scaling groups `autoscaling:SuspendProcesses` Disables the `HealthCheck` process before scaling VMs in Auto Scaling groups. This process resumes after the scaling action completes successfully. `autoscaling:ResumeProcesses` Enables the `HealthCheck` process after scaling VMs in Auto Scaling groups `ec2:DescribeInstanceStatus` Confirms that the `HealthCheck` process has been started once the instance type has been changed as part of executing scale actions for VMs in Auto Scaling groups `autoscaling:SetDesiredCapacity` Adjusts the target number of VM instances that Auto Scaling groups will try to maintain as part of executing parking actions (start and stop) `autoscaling:TerminateInstanceInAutoScalingGroup` Terminates the VM instance in the Auto Scaling group as part of executing suspend actions for VMs `autoscaling:UpdateAutoScalingGroup` Updates the minimum size, maximum size, and desired capacity for Auto Scaling group as part of executing parking and suspend actions `ec2:CreateLaunchTemplateVersion` Creates a new launch template version with the new VM instance type as part of executing scale actions for VMs in Auto Scaling groups `ec2:ModifyLaunchTemplate` Modifies the launch template version as part of executing scale actions for VMs in Auto Scaling groups `iam:PassRole` Executes scale actions for VMs in Auto Scaling groups. This permission is required only if an IAM instance profile was specified for the Auto Scaling group. IAM instance profile contains an IAM role that is used by any new apps that are running on the new EC2 instances launched by the Auto Scaling group. This permission is not required if the Auto Scaling group being scaled does not have an IAM instance profile. `ec2:RunInstances` Launches new templates as part of Auto Scaling group VM scale action execution `ec2:CreateTags` Launches new templates as part of Auto Scaling group VM scale action execution. This permission is only required if the launch template that is used has tags. Optionally, you can restrict the permission scope to only the Auto Scaling group VM resources, instead of using the `*` symbol.
Execution of actions for EKS clusters	`eks:UpdateNodegroupConfig` Updates the minimum size, maximum size, and desired capacities for an EKS node group as part of executing parking actions `autoscaling:DescribeAutoScalingGroups` Verifies that the updated capacities were applied Note: This permission is also required to discover EC2 Auto Scaling groups.
Execution of actions for EBS volumes	`ec2:ModifyVolume` Modifies volume attributes (such as volume type, size, IOPS, and throughput) as part of executing scale actions for volumes `ec2:DeleteVolume` Deletes volumes that are currently unattached
Execution of actions for RDS database servers	`rds:ModifyDBInstance` Updates the allocated storage and IOPS values as part of executing scale actions for RDS database servers `rds:StartDBInstance` Starts the RDS instance that was previously stopped as part of executing parking actions `rds:StopDBInstance` Stops the running RDS DB instance temporarily as part of executing parking actions
Execution of actions for Aurora DB clusters	`rds:StartDBCluster` Starts an Aurora DB cluster that was previously stopped as part of executing parking actions `rds:StopDBCluster` Stops an Aurora DB cluster temporarily as part of executing parking actions
Execution of actions for Redshift data warehouses	`redshift:PauseCluster` Suspends a Redshift cluster temporarily
Key management	`KMS:CreateGrant` Allows a principal to create a grant (mechanism to delegate permissions to use the key for other principals) on a Key Management Service (KMS) key

Permission resources

Before setting up IAM identities in AWS, download the appropriate JSON or YAML resource that specifies the permissions outlined in the previous sections. Refer to the following table for guidance on the resource that you need to download based on your IAM policy.

Turbonomic target	IAM policy
AWS Billing	Choose one: [JSON] Workload monitoring (includes billing data monitoring) and action execution [JSON] Workload monitoring (includes billing data monitoring)
AWS	For a multi-account target (the target has access to multiple AWS accounts) For the management account, choose one: [JSON] Workload monitoring and action execution [JSON] Workload monitoring For member accounts, choose one: [YAML] Workload monitoring and action execution [YAML] Workload monitoring For a single-account target (the target has access to one AWS account), choose one: [JSON] Workload monitoring and action execution [JSON] Workload monitoring

Turbonomic target

IAM policy

AWS Billing

Choose one:

AWS

For a multi-account target (the target has access to multiple AWS accounts)
- For the management account, choose one:
  - [JSON] Workload monitoring and action execution
  - [JSON] Workload monitoring
- For member accounts, choose one:
  - [YAML] Workload monitoring and action execution
  - [YAML] Workload monitoring
For a single-account target (the target has access to one AWS account), choose one:
- [JSON] Workload monitoring and action execution
- [JSON] Workload monitoring