
Required policies for AWS

During Flexsave estimation and activation for Amazon Web Services (AWS), we may ask you to use one or more of our CloudFormation stack templates.

For people who want a more detailed look at the templates we use, this page fully documents the corresponding YAML files, along with a brief explanation of the template stack definition and our required policies.

Estimation

While getting an estimate, you can use the value of the Template URL field in the AWS Console to download the YAML file and view it yourself.

The YAML file looks like this:

Description: This template creates a Cross-Account-Role that will grant DoiT Flexsave permissions to get your AWS recommendations
Parameters:
  CustomerId:
    Type: String
    Description: Customer ID for Cross-Account-Role
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: 'Cross-Account Role Configuration. *Do Not Modify*'
        Parameters:
          - CustomerId
Resources:
  CrossAccountRole:
    Properties:
      Description: DoiT International Flexsave
      RoleName: 'doitintl_cmp'
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - 'sts:AssumeRole'
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::068664126052:root
            Sid: 'Estimations'
        Version: '2012-10-17'
      Path: '/'
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - 'ce:GetSavingsPlansPurchaseRecommendation'
                  - 'ce:GetCostAndUsage'
                Effect: Allow
                Resource: '*'
            Version: '2012-10-17'
          PolicyName: FlexsaveGetRecommendationsPolicy
    Type: 'AWS::IAM::Role'
  DoitCmpHook:
    Type: Custom::DoitCmpHook
    Properties:
      ServiceToken: 'arn:aws:sns:us-east-1:068664126052:doitintl-aws-connect'
      RoleArn: !GetAtt CrossAccountRole.Arn
      AccountID: !Ref 'AWS::AccountId'
      ExternalID: !Ref CustomerId
      NotificationUrl: 'https://scheduled-tasks-dot-me-doit-intl-com.uc.r.appspot.com/webhooks/v1/flexsave-standalone-aws/update-recommendations'
      Version: '1.0'
Outputs:
  RoleName:
    Value: !Ref CrossAccountRole
  RoleArn:
    Value: !GetAtt CrossAccountRole.Arn

In summary, this stack creates:

  • An IAM role named doitintl_cmp whose trust policy allows principals in AWS account 068664126052 (DoiT) to call sts:AssumeRole. As shown in the template, the trust policy has no Condition element: the CustomerId parameter is passed to the custom resource as ExternalID, not enforced as an sts:ExternalId condition on the role.
  • An inline policy, FlexsaveGetRecommendationsPolicy, that allows only two read-only Cost Explorer actions, ce:GetSavingsPlansPurchaseRecommendation and ce:GetCostAndUsage. Cost Explorer actions do not support resource-level permissions, so Resource '*' is required here.
  • A custom resource, DoitCmpHook, that notifies DoiT's SNS topic (doitintl-aws-connect in us-east-1) of the role ARN, your account ID and the customer ID so that the estimation can start.

This configuration grants read-only access to Cost Explorer, which is the information Flexsave needs to determine the optimal way to reduce your monthly cloud spend.


Activation

While activating Flexsave, you can use the value of the Template URL field in the AWS Console to download the YAML file and view it yourself.

The YAML file looks like this:

Description: This template creates a policy to allow Flexsave to manage savings plans.
Parameters:
  CustomerId:
    Type: String
    Description: Customer ID for Cross-Account-Role
  S3Bucket:
    Type: String
    Description: CUR S3 Bucket URL
  CurPath:
    Type: String
    Description: CUR S3 Bucket Path
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: 'Cross-Account Role Configuration. *Do Not Modify*'
        Parameters:
          - CustomerId
          - S3Bucket
          - CurPath
Resources:
  OrgBillingPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: doitintl_cmp
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Sid: Management
            Action:
              - organizations:ListAccounts*
              - organizations:ListHandshakes*
              - organizations:DescribeOrganization
              - organizations:DescribeAccount
              - organizations:DescribeHandshake
              - organizations:InviteAccountToOrganization
            Resource: '*'
          - Effect: Allow
            Sid: CostAndUsage
            Action:
              - ec2:DescribeReservedInstances
              - savingsplans:DescribeSavingsPlans
              - ce:Get*
              - cur:DescribeReportDefinitions
            Resource: '*'
          - Effect: Allow
            Sid: Onboarding
            Action:
              - iam:GetRole
              - iam:GetPolicy
            Resource:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/doitintl_cmp'
              - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/doitintl_cmp'
          - Effect: Allow
            Sid: S3Bucket
            Action:
              - s3:ListBucket
            Resource: !Sub
              - 'arn:aws:s3:::${BucketName}'
              - BucketName: !Ref S3Bucket
          - Effect: Allow
            Sid: S3Object
            Action:
              - s3:GetObject
            Resource: !Sub
              - 'arn:aws:s3:::${BucketName}/*'
              - BucketName: !Ref S3Bucket
      Roles:
        - 'doitintl_cmp'
  DoitCmpHook:
    Type: Custom::DoitCmpHook
    Properties:
      ServiceToken: 'arn:aws:sns:us-east-1:068664126052:doitintl-aws-connect'
      RoleArn: 'doitintl_cmp'
      AccountID: !Ref 'AWS::AccountId'
      ExternalID: !Ref CustomerId
      NotificationUrl: 'https://scheduled-tasks-dot-me-doit-intl-com.uc.r.appspot.com/webhooks/v1/flexsave-standalone-aws/update-billing'
      S3Bucket: !Ref S3Bucket
      CurPath: !Ref CurPath
      Version: '1.0'
Outputs:
  RoleName:
    Value: 'doitintl_cmp'

In summary, this stack creates:

  • A customer managed policy named doitintl_cmp, attached to the existing doitintl_cmp role that the estimation stack created (this template does not create a role of its own).
  • A Management statement: AWS Organizations permissions to list and describe accounts, handshakes and the organization itself, plus organizations:InviteAccountToOrganization so that Flexsave accounts can be invited into your organization. This is the only action in the policy that changes state; the template grants no permission to remove accounts.
  • A CostAndUsage statement: read-only access to Reserved Instances (ec2:DescribeReservedInstances), Savings Plans (savingsplans:DescribeSavingsPlans), Cost Explorer (ce:Get*) and Cost and Usage Report definitions (cur:DescribeReportDefinitions) to track cost and recommendations.
  • An Onboarding statement: iam:GetRole and iam:GetPolicy, scoped to the doitintl_cmp role and policy ARNs in your account, used to periodically check that the permissions are still in place.
  • S3Bucket and S3Object statements: s3:ListBucket on the CUR bucket you name in the S3Bucket parameter and s3:GetObject on the objects in it, so that Flexsave can read your Cost and Usage Reports.
  • A custom resource, DoitCmpHook, that notifies DoiT's SNS topic of your account ID, the customer ID and the CUR bucket and path.

This configuration allows Flexsave to read the billing data it needs to determine the optimal way to reduce your monthly cloud spend, and to invite accounts into your organization.
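Before creating either stack, it is worth checking the grants yourself rather than relying on the summaries above. The following script is an added example, not DoiT's code, that audits the IAM grants in a CloudFormation template: it walks every AWS::IAM::Role and AWS::IAM::ManagedPolicy resource, flags actions that are not Get/List/Describe and statements with Resource '*', and, for each role, reports which AWS account may assume it and whether the trust policy carries an sts:ExternalId condition. It operates on the JSON form of a template, which is what `aws cloudformation get-template` returns for a deployed stack (YAML short tags such as !Sub become {"Fn::Sub": ...}). The two dicts at the top are the estimation template and the Management and Onboarding statements of the activation template, transcribed by hand as constructed sample input; the script itself uses only the Python standard library.

```python
"""Audit the IAM grants in a CloudFormation template (standard library only).

Operates on the JSON form that `aws cloudformation get-template` returns, in
which the YAML short tags become {"Fn::Sub": ...}, {"Ref": ...}, {"Fn::GetAtt": ...}.
"""
import json
import re

# Constructed sample: the estimation template from this page, transcribed to JSON form.
ESTIMATION_TEMPLATE = {"Resources": {"CrossAccountRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "RoleName": "doitintl_cmp",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Sid": "Estimations", "Effect": "Allow", "Action": ["sts:AssumeRole"],
            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::068664126052:root"}}}]},
        "Policies": [{"PolicyName": "FlexsaveGetRecommendationsPolicy",
                      "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                          "Effect": "Allow", "Resource": "*",
                          "Action": ["ce:GetSavingsPlansPurchaseRecommendation",
                                     "ce:GetCostAndUsage"]}]}}]}}}}

# Constructed sample: the Management and Onboarding statements of the activation template.
ACTIVATION_TEMPLATE = {"Resources": {"OrgBillingPolicy": {
    "Type": "AWS::IAM::ManagedPolicy",
    "Properties": {
        "ManagedPolicyName": "doitintl_cmp", "Roles": ["doitintl_cmp"],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Sid": "Management", "Effect": "Allow", "Resource": "*",
             "Action": ["organizations:ListAccounts*", "organizations:DescribeOrganization",
                        "organizations:InviteAccountToOrganization"]},
            {"Sid": "Onboarding", "Effect": "Allow", "Action": ["iam:GetRole", "iam:GetPolicy"],
             "Resource": [{"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/doitintl_cmp"}]}]}}}}}

READ_ONLY_VERBS = ("Get", "List", "Describe")


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal fields."""
    return value if isinstance(value, list) else [value]


def iam_statements(template):
    """Yield (resource_name, policy_name, statement) for every permission statement."""
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            for pol in props.get("Policies", []):
                for st in pol["PolicyDocument"]["Statement"]:
                    yield name, pol["PolicyName"], st
        elif res.get("Type") == "AWS::IAM::ManagedPolicy":
            for st in props["PolicyDocument"]["Statement"]:
                yield name, props.get("ManagedPolicyName", name), st


def audit_permissions(template):
    """Flag Allow statements that grant non-read-only actions or use Resource '*'."""
    findings = []
    for res, pol, st in iam_statements(template):
        if st.get("Effect") != "Allow":
            continue
        where = f"{res}/{pol}/{st.get('Sid', '<no Sid>')}"
        for action in _as_list(st.get("Action", [])):
            verb = action.partition(":")[2]  # "ce:GetCostAndUsage" -> "GetCostAndUsage"
            if verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{where}: non-read-only action {action}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"{where}: Resource is '*'")
    return findings


def audit_trust_policy(template):
    """Report who may assume each role and whether an sts:ExternalId condition is required."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for st in res["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
            if st.get("Effect") != "Allow":
                continue
            where = f"{name}/{st.get('Sid', '<no Sid>')}"
            # json.dumps flattens {"Fn::Sub": "..."} so the ARN text is searchable either way.
            for principal in _as_list(st.get("Principal", {}).get("AWS", [])):
                match = re.search(r"arn:aws:iam::(\d{12}):root", json.dumps(principal))
                if match:
                    findings.append(f"{where}: trusts every principal in account {match.group(1)}")
            if "sts:ExternalId" not in json.dumps(st.get("Condition", {})):
                findings.append(f"{where}: cross-account trust has no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    for label, tpl in (("estimation", ESTIMATION_TEMPLATE), ("activation", ACTIVATION_TEMPLATE)):
        print(f"== {label} template")
        for line in audit_trust_policy(tpl) + audit_permissions(tpl):
            print("  " + line)
```

Run against the estimation template, the script reports that the doitintl_cmp role trusts every principal in account 068664126052 and that the trust has no sts:ExternalId condition; against the activation sample it reports the single state-changing action, organizations:InviteAccountToOrganization. Resource '*' is reported everywhere it appears so you can judge each case: for Cost Explorer (ce:*) it is unavoidable because those actions have no resource-level permissions, while for Organizations it is a genuine account-wide grant. To audit the deployed stack rather than the template text, feed the script the output of `aws cloudformation get-template --stack-name <name> --query TemplateBody`.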
