AWS IAM Permissions for CloudYali Integration

This document provides an overview of the AWS IAM permissions required by CloudYali to securely access your cloud environment. These permissions are used to collect data for cost management, monitoring, and optimization—ensuring that CloudYali can perform necessary operations without compromising the security of your AWS infrastructure.

The following permissions are included in the Cross Account IAM Role created via the CloudFormation script, ensuring read-only access to your AWS resources.


AWS IAM Role Overview

The Cross Account IAM Role used by CloudYali is designed to provide read-only access, following the principle of least privilege. The role is created using a CloudFormation script and includes various managed and custom policies that grant access to AWS services needed for cost analysis and resource monitoring.

Trust Policy

The trust policy associated with the IAM Role allows CloudYali's AWS Account to assume the role, ensuring secure cross-account access without sharing credentials.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::310957700191:user/cloudyalisync"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalID": "<ExternalID>"
        }
      }
    }
  ]
}

Replace <ExternalID> with the external ID provided during the onboarding process.
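A way to check a deployed copy of this trust policy before relying on it, as an added example that is not part of CloudYali's CloudFormation script: it verifies that the only trusted principal is the ARN shown above and that a real external ID replaced the placeholder. The function names and the sample external ID values are assumptions made for this example.

```python
import json

# Principal ARN and policy shape are taken from this page; the external ID
# value is filled in per test case (constructed sample values).
CLOUDYALI_PRINCIPAL = "arn:aws:iam::310957700191:user/cloudyalisync"
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "%s"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalID": "%s"}}
  }]
}"""

def as_list(value):
    return value if isinstance(value, list) else [value]

def external_ids(statement):
    """Collect values of the sts:ExternalId key under StringEquals."""
    found = []
    for key, value in statement.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "sts:externalid":  # condition key names are case-insensitive
            found += as_list(value)
    return found

def audit_trust_policy(policy, expected_principal=CLOUDYALI_PRINCIPAL):
    """Return findings for a role trust policy; an empty list means it passed."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        who = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if who != [expected_principal]:
            findings.append(f"statement {i}: unexpected principal {who}")
        ids = external_ids(stmt)
        if not ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif any(not v or v.startswith("<") for v in ids):
            findings.append(f"statement {i}: external ID placeholder not replaced")
    return findings

def load(external_id, principal=CLOUDYALI_PRINCIPAL):
    """Build a policy document from the template with the given values."""
    return json.loads(TEMPLATE % (principal, external_id))

if __name__ == "__main__":
    print(audit_trust_policy(load("<ExternalID>")))
```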


Policies Included in the IAM Role

The CloudFormation script creates several policies that define the permissions granted to the IAM Role. These policies ensure that CloudYali can collect necessary data while maintaining security.

1. CloudYaliReadOnlyAccess Policy

The CloudYaliReadOnlyAccess policy is designed to provide read-only access to a wide range of AWS services, enabling CloudYali to gather necessary information for cost analysis, monitoring, and cloud optimization. This policy includes the following permissions:

  • General Access: Grants Get*, List*, and Describe* permissions for numerous AWS services. This allows CloudYali to view details about resources across your AWS environment without making any modifications. Some key services include:
    • EC2: To describe instances and gather cost data (ec2:Describe*, ec2:Get*).
    • S3: To list buckets and access cost and usage reports (s3:List*, s3:Get*).
    • RDS: To describe database instances (rds:Describe*, rds:Get*).
    • CloudFormation: To describe stacks and gather information on the infrastructure (cloudformation:Describe*, cloudformation:Get*).
    • CloudWatch: To read metrics for monitoring purposes (cloudwatch:Get*, cloudwatch:List*).
    • IAM: To list roles and gather metadata (iam:Get*, iam:List*).
    • Cost Explorer: To collect cost and usage data (ce:Get*, ce:List*).
    • Trusted Advisor: To access service checks and recommendations (support:Describe*, trustedadvisor:Describe*).

These permissions ensure that CloudYali can effectively analyze cloud costs and resource usage without having the ability to modify, delete, or create resources, maintaining the security and integrity of your AWS environment.

2. CloudYaliCostOptimizationHubReadOnlyAccess

This policy is used to access cost optimization recommendations and related data. It includes permissions such as:

  • cost-optimization-hub:GetRecommendation: Allows CloudYali to access AWS cost optimization recommendations.
  • cost-optimization-hub:ListRecommendations: Provides CloudYali with the ability to list cost optimization recommendations and summaries.

3. CloudYaliComputeOptimizerReadOnlyAccess

This policy grants read-only access to AWS Compute Optimizer, allowing CloudYali to assess the efficiency of your cloud resources. Permissions include:

  • compute-optimizer:Describe*
  • compute-optimizer:Get*

These permissions allow CloudYali to provide recommendations to help reduce compute costs.

4. CloudYaliCostAndUsageReport Policy

This policy is used to gather cost and usage data from AWS. It includes the following permissions:

  • cur:List* and cur:Describe*: To access AWS Cost and Usage Reports.
  • s3:Get* and s3:List*: To access the S3 bucket containing the cost and usage data.

5. Trusted Advisor Support Policy

This policy provides access to AWS Trusted Advisor checks and allows CloudYali to retrieve information that helps optimize your cloud environment.

  • support:Describe* and support:RefreshTrustedAdvisorCheck: Grants permissions to access Trusted Advisor checks and refresh their status.
  • trustedadvisor:Describe*: Allows CloudYali to retrieve detailed information from Trusted Advisor.

Security Considerations

  • Read-Only Access: All policies are designed to provide read-only access to ensure that CloudYali cannot make changes to your AWS environment.
  • Least Privilege Principle: The permissions requested are limited to those strictly necessary for cost monitoring and resource optimization.
  • No Write Permissions: CloudYali will never request write permissions, ensuring that your resources remain secure from unauthorized modifications.
  • Cross Account IAM Role: The use of a cross-account role allows secure access without the need for direct access credentials.
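One way to check the read-only claim against the action patterns listed on this page, as an added example that is not CloudYali's own tooling: it flags any pattern whose verb is not Get, List or Describe, and any wildcard that also covers a read of stored content. The dictionary keys are shortened labels, and the `CONTENT_READS` list is a short, non-exhaustive assumption of this example.

```python
from fnmatch import fnmatchcase

# Action patterns as listed per policy on this page (dictionary keys are
# shortened labels for this example).
POLICIES = {
    "CloudYaliReadOnlyAccess": [
        "ec2:Describe*", "ec2:Get*", "s3:List*", "s3:Get*", "rds:Describe*",
        "rds:Get*", "cloudformation:Describe*", "cloudformation:Get*",
        "cloudwatch:Get*", "cloudwatch:List*", "iam:Get*", "iam:List*",
        "ce:Get*", "ce:List*", "support:Describe*", "trustedadvisor:Describe*"],
    "CloudYaliCostOptimizationHubReadOnlyAccess": [
        "cost-optimization-hub:GetRecommendation",
        "cost-optimization-hub:ListRecommendations"],
    "CloudYaliComputeOptimizerReadOnlyAccess": [
        "compute-optimizer:Describe*", "compute-optimizer:Get*"],
    "CloudYaliCostAndUsageReport": [
        "cur:List*", "cur:Describe*", "s3:Get*", "s3:List*"],
    "TrustedAdvisorSupport": [
        "support:Describe*", "support:RefreshTrustedAdvisorCheck",
        "trustedadvisor:Describe*"],
}
READ_VERBS = ("get", "list", "describe")
# Assumption of this example: a short, non-exhaustive list of read actions that
# return stored content or instance output rather than resource metadata.
CONTENT_READS = ("s3:GetObject", "ec2:GetConsoleOutput")

def review(policies):
    """Return (patterns that are not Get/List/Describe, content reads matched)."""
    non_read, content = [], []
    for name, patterns in policies.items():
        for pattern in patterns:
            verb = pattern.partition(":")[2].lower()
            if not verb.startswith(READ_VERBS):
                non_read.append((name, pattern))
            # IAM action matching is case-insensitive and supports * wildcards.
            for action in CONTENT_READS:
                if fnmatchcase(action.lower(), pattern.lower()):
                    content.append((name, pattern, action))
    return sorted(non_read), sorted(content)

if __name__ == "__main__":
    for finding in sum(review(POLICIES), []):
        print(finding)
```

Whether `s3:Get*` reaches objects outside the cost and usage bucket depends on each statement's Resource element, which this page does not show, so confirm it in the deployed policy.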

Summary

The IAM Role created for CloudYali includes a combination of managed and custom policies that enable secure, read-only access to the data required for cost analysis, cloud monitoring, and optimization. By following best practices for permissions management, CloudYali ensures that your AWS environment remains protected.

For additional questions or assistance, please visit our Support Page.

© 2024 CloudYali. All rights reserved.