Required policies for AWS
During Flexsave estimation and activation for Amazon Web Services (AWS), we may ask you to use one or more of our CloudFormation stack templates.
For people who want a more detailed look at the templates we use, this page fully documents the corresponding YAML files, along with a brief explanation of the template stack definition and our required policies.
Estimation
While getting an estimate, you can use the value of the Template URL field in the AWS Console to download the YAML file and view it yourself.
The YAML file looks like this:

```yaml
Description: This template creates a Cross-Account-Role that will grant DoiT Flexsave permissions to get your AWS recommendations
Parameters:
  CustomerId:
    Type: String
    Description: Customer ID for Cross-Account-Role
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: 'Cross-Account Role Configuration. *Do Not Modify*'
        Parameters:
          - CustomerId
Resources:
  CrossAccountRole:
    Properties:
      Description: DoiT International Flexsave
      RoleName: 'doitintl_cmp'
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - 'sts:AssumeRole'
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::068664126052:root
            Sid: 'Estimations'
        Version: '2012-10-17'
      Path: '/'
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - 'ce:GetSavingsPlansPurchaseRecommendation'
                  - 'ce:GetCostAndUsage'
                Effect: Allow
                Resource: '*'
            Version: '2012-10-17'
          PolicyName: FlexsaveGetRecommendationsPolicy
    Type: 'AWS::IAM::Role'
  DoitCmpHook:
    Type: Custom::DoitCmpHook
    Properties:
      ServiceToken: 'arn:aws:sns:us-east-1:068664126052:doitintl-aws-connect'
      RoleArn: !GetAtt CrossAccountRole.Arn
      AccountID: !Ref 'AWS::AccountId'
      ExternalID: !Ref CustomerId
      NotificationUrl: 'https://scheduled-tasks-dot-me-doit-intl-com.uc.r.appspot.com/webhooks/v1/flexsave-standalone-aws/update-recommendations'
      Version: '1.0'
Outputs:
  RoleName:
    Value: !Ref CrossAccountRole
  RoleArn:
    Value: !GetAtt CrossAccountRole.Arn
```
In summary, this stack creates:

- A Cross-Account role named `doitintl_cmp`, assumable by the DoiT account, with read-only permissions to `ce:GetSavingsPlansPurchaseRecommendation` and `ce:GetCostAndUsage`
- A webhook (the `DoitCmpHook` custom resource) that tells us when the stack is created

This configuration allows Flexsave to get the information it needs to determine the optimal way to reduce your monthly cloud spend.
Activation
While activating Flexsave, you can use the value of the Template URL field in the AWS Console to download the YAML file and view it yourself.
The YAML file looks like this:

```yaml
Description: This template creates a policy to allow Flexsave to manage savings plans.
Parameters:
  CustomerId:
    Type: String
    Description: Customer ID for Cross-Account-Role
  S3Bucket:
    Type: String
    Description: CUR S3 Bucket URL
  CurPath:
    Type: String
    Description: CUR S3 Bucket Path
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: 'Cross-Account Role Configuration. *Do Not Modify*'
        Parameters:
          - CustomerId
          - S3Bucket
          - CurPath
Resources:
  OrgBillingPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: doitintl_cmp
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Sid: Management
            Action:
              - organizations:ListAccounts*
              - organizations:ListHandshakes*
              - organizations:DescribeOrganization
              - organizations:DescribeAccount
              - organizations:DescribeHandshake
              - organizations:InviteAccountToOrganization
            Resource: '*'
          - Effect: Allow
            Sid: CostAndUsage
            Action:
              - ec2:DescribeReservedInstances
              - savingsplans:DescribeSavingsPlans
              - ce:Get*
              - cur:DescribeReportDefinitions
            Resource: '*'
          - Effect: Allow
            Sid: Onboarding
            Action:
              - iam:GetRole
              - iam:GetPolicy
            Resource:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/doitintl_cmp'
              - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/doitintl_cmp'
          - Effect: Allow
            Sid: S3Bucket
            Action:
              - s3:ListBucket
            Resource: !Sub
              - 'arn:aws:s3:::${BucketName}'
              - BucketName: !Ref S3Bucket
          - Effect: Allow
            Sid: S3Object
            Action:
              - s3:GetObject
            Resource: !Sub
              - 'arn:aws:s3:::${BucketName}/*'
              - BucketName: !Ref S3Bucket
      Roles:
        - 'doitintl_cmp'
  DoitCmpHook:
    Type: Custom::DoitCmpHook
    Properties:
      ServiceToken: 'arn:aws:sns:us-east-1:068664126052:doitintl-aws-connect'
      RoleArn: 'doitintl_cmp'
      AccountID: !Ref 'AWS::AccountId'
      ExternalID: !Ref CustomerId
      NotificationUrl: 'https://scheduled-tasks-dot-me-doit-intl-com.uc.r.appspot.com/webhooks/v1/flexsave-standalone-aws/update-billing'
      S3Bucket: !Ref S3Bucket
      CurPath: !Ref CurPath
      Version: '1.0'
Outputs:
  RoleName:
    Value: 'doitintl_cmp'
```
In summary, this stack creates:

- Role name: `doitintl_cmp`
- Policy name: `doitintl_cmp` (a managed policy attached to the `doitintl_cmp` role)
- A `Management` statement group for adding, removing, and overseeing our account inventory of Flexsave Plans
- A `CostAndUsage` statement group to track cost and recommendations
- An `Onboarding` statement group to periodically check permissions on our roles and policies
- The `S3Bucket` and `S3Object` statement groups to get CURs

This configuration allows Flexsave to get the information it needs to determine the optimal way to reduce your monthly cloud spend.
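As an added example (not part of DoiT's templates or tooling), the following Python script reviews what a stack like the two above grants before you deploy it: it walks every IAM policy document in a template (the inline role policy of the estimation stack and the managed policy of the activation stack), resolves `Ref` and `Fn::Sub`, and flags statements that use a wildcard resource or an action that is not a `Get`/`List`/`Describe` call. It works on the JSON form of a CloudFormation template (the same intrinsics written as `Ref` and `Fn::Sub` objects); the embedded template is a constructed, abbreviated copy of the activation policy, and the account ID and bucket name passed to it are sample values.

```python
import json
import re

# Constructed, abbreviated JSON form of the activation template's managed policy above
# (CloudFormation accepts the YAML intrinsics !Ref and !Sub as JSON objects).
TEMPLATE = json.loads(r"""{"Resources": {"OrgBillingPolicy": {
  "Type": "AWS::IAM::ManagedPolicy",
  "Properties": {"ManagedPolicyName": "doitintl_cmp", "PolicyDocument": {
    "Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Sid": "Management", "Resource": "*",
       "Action": ["organizations:ListAccounts*", "organizations:InviteAccountToOrganization"]},
      {"Effect": "Allow", "Sid": "CostAndUsage", "Resource": "*",
       "Action": ["ec2:DescribeReservedInstances", "ce:Get*"]},
      {"Effect": "Allow", "Sid": "Onboarding", "Action": ["iam:GetRole"],
       "Resource": [{"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/doitintl_cmp"}]},
      {"Effect": "Allow", "Sid": "S3Object", "Action": "s3:GetObject",
       "Resource": {"Fn::Sub": ["arn:aws:s3:::${BucketName}/*",
                                {"BucketName": {"Ref": "S3Bucket"}}]}}]}}}}}""")

READ_ONLY = ("Get", "List", "Describe")  # operation-name prefixes treated as read-only

def resolve(node, params, account_id):
    """Resolve Ref and Fn::Sub (string or [template, variables] form) to a plain string."""
    if isinstance(node, dict) and "Ref" in node:
        return params.get(node["Ref"], node["Ref"])
    if isinstance(node, dict) and "Fn::Sub" in node:
        sub = node["Fn::Sub"]
        text, local = (sub, {}) if isinstance(sub, str) else (sub[0], sub[1])
        scope = {"AWS::AccountId": account_id, **params,
                 **{k: resolve(v, params, account_id) for k, v in local.items()}}
        return re.sub(r"\$\{([^}]+)\}", lambda m: scope.get(m.group(1), m.group(0)), text)
    return node

def summarize(template, params, account_id):
    """One record per statement in every IAM policy document in the template, keyed by Sid."""
    out = {}
    for res in template["Resources"].values():
        props = res.get("Properties", {})
        docs = [props["PolicyDocument"]] if "PolicyDocument" in props else [
            p["PolicyDocument"] for p in props.get("Policies", [])]  # inline role policies
        for st in (s for d in docs for s in d["Statement"]):
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            raw = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
            resources = [resolve(r, params, account_id) for r in raw]
            out[st.get("Sid")] = {
                "effect": st["Effect"], "actions": actions, "resources": resources,
                "wildcard_resource": "*" in resources,
                "read_only": all(a.split(":", 1)[1].startswith(READ_ONLY) for a in actions)}
    return out
```

Run `summarize(TEMPLATE, {"S3Bucket": "<your CUR bucket>"}, "<your account id>")` against the real template's JSON form to see, per Sid, which statements are scoped to your account's ARNs and which (here `Management` and `CostAndUsage`) apply to every resource.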