To use Cloud Optimizer, you must have at least one cloud added to your account. You can add a cloud from the Clouds screen by clicking the “Add Cloud” button.
Cloud Optimizer currently supports AWS clouds.
To query your AWS account for data, Cloud Optimizer needs an IAM role in that account with read permissions to various AWS services. We provide an AWS CloudFormation template that creates the role and everything else required.
To add a cloud:
1. Launch the CloudFormation template.
2. Wait for the stack to complete.
We tried to make the role's permissions entirely read-only, but we had to add write permissions for creating a Cost and Usage Report, because CloudFormation did not offer a way to create one at the time (it has since added the AWS::CUR::ReportDefinition resource type, so check whether the template you are deploying still needs these actions).
All write permissions are limited to a single resource: a Cost and Usage Report with a specific name.
If “Access” is set to “Read-write” (the default), the stack creates a second role that lets Cloud Optimizer apply its recommendations for you.
You can set this to “Read-only” to avoid granting that access; Cloud Optimizer will then only report recommendations and cannot apply any of them.
You can change the External ID value.
Cloud Optimizer presents an External ID when it assumes the IAM role to connect to your cloud, as outlined in this document. This is the standard AWS control against the confused-deputy problem: someone who learns your role's ARN cannot get Cloud Optimizer to assume it on their behalf, because the ID Cloud Optimizer presents is tied to your account in Cloud Optimizer, not theirs.
When you add a new cloud, Cloud Optimizer generates a random External ID.
You can change this ID, but you must change it in both places: in Cloud Optimizer and in the CloudFormation stack (on the same screen where you name the new stack). If the two values differ, AWS STS denies the AssumeRole call and Cloud Optimizer cannot connect.
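As an added illustration (this is not Cloud Optimizer's code and not taken from its template), the Python below shows the shape of the trust policy such a role carries, a check that the External ID condition is actually present on every statement that can grant sts:AssumeRole, and a rotation helper. The vendor account ID and the External ID value are made up for the example; the real ones come from the Add Cloud dialog.

```python
import copy
import json
import secrets
from fnmatch import fnmatchcase

# Constructed values: the real account ID and External ID come from the
# Cloud Optimizer "Add Cloud" dialog, not from this script.
VENDOR_ACCOUNT_ID = "444455556666"        # assumption: the account that assumes your role
EXAMPLE_EXTERNAL_ID = "8c9fT1x_zQ2b-eA5"  # assumption: the ID generated for the new cloud


def new_external_id(nbytes=24):
    """Random External ID. token_urlsafe emits only [A-Za-z0-9_-], which lies
    inside the character set STS accepts for sts:ExternalId."""
    return secrets.token_urlsafe(nbytes)


def build_trust_policy(vendor_account_id, external_id):
    """Trust policy for the role the vendor assumes. The sts:ExternalId
    condition is the confused-deputy control: a third party who learns your
    role ARN cannot have the vendor assume it for them, because the vendor
    presents the ID tied to *their* tenant, which will not match."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _grants_assume_role(stmt):
    # "sts:AssumeRole", "sts:*" and "*" all grant the action.
    return any(fnmatchcase("sts:assumerole", a.lower())
               for a in _as_list(stmt.get("Action", [])))


def trust_policy_requires_external_id(policy, expected_external_id):
    """True only if every Allow statement that can grant sts:AssumeRole pins
    sts:ExternalId to expected_external_id with StringEquals."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:      # inverted grant: cannot prove it is safe
            return False
        if not _grants_assume_role(stmt):
            continue
        ids = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", [])
        if _as_list(ids) != [expected_external_id]:
            return False
    return True


def rotate_external_id(policy, new_id):
    """Copy of the trust policy with the External ID replaced. Enter the same
    value in Cloud Optimizer: the two must match or AssumeRole is denied."""
    updated = copy.deepcopy(policy)
    for stmt in _as_list(updated.get("Statement", [])):
        if _grants_assume_role(stmt):
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["sts:ExternalId"] = new_id
    return updated


if __name__ == "__main__":
    policy = build_trust_policy(VENDOR_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("External ID enforced:",
          trust_policy_requires_external_id(policy, EXAMPLE_EXTERNAL_ID))
```

Run the check against the trust policy of the role the stack actually created (for example from the IAM console's Trust relationships tab) after changing the ID; a policy whose condition was dropped or whose ID no longer matches the Cloud Optimizer side fails it.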
Once the new cloud has been added, its status will be set to pending.
The cloud is automatically scheduled for mining and analysis; this can take some time, depending on how many resources your cloud has.
Once analysis has completed, Cloud Optimizer provides a series of recommendations to reduce cost and improve performance.
To analyze your cloud and its costs, Cloud Optimizer needs specific permissions on your cloud. These permissions fall into two categories: read-only and read-write.
During the CloudFormation setup, a dropdown lets you choose between these two options. If you choose read-only permissions, Cloud Optimizer will only be able to read your utilization and cost data.
Read-only permissions are required to determine what/where your cloud costs are.
Note that we create an S3 bucket to store the Cost and Usage Reports that Amazon generates, and we grant permissions to access only that bucket. Outside that bucket we cannot list object names or read object contents in S3 (s3:ListAllMyBuckets, listed below, only returns bucket names).
The CloudWatch permissions below apply only to collecting utilization metrics. They do not grant access to CloudWatch Logs, which uses the separate logs: action namespace.
Cloud Optimizer only collects metadata about your infrastructure and never reads sensitive data from the underlying services. Our CloudFormation template is public and you can audit its list of permissions here.
Here is a detailed list of the permissions granted in read-only mode (the three cur: write actions are the exception described above):
Action | Feature |
---|---|
ce:Get* | Cost Explorer queries for determining costs |
cloudformation:Describe* | Keeping our CloudFormation stack up to date |
cloudformation:List* | Keeping our CloudFormation stack up to date |
cloudtrail:LookupEvents | Analysis of changes to EC2 Instance running state |
cloudwatch:Get* | Collection of utilization metrics (not CloudWatch Logs) |
cloudwatch:List* | Collection of utilization metrics (not CloudWatch Logs) |
cur:Describe* | Cost and Usage Reports for determining costs |
cur:DeleteReportDefinition | Managing the Cost and Usage Report definition (write; limited to the single named report) |
cur:ModifyReportDefinition | Managing the Cost and Usage Report definition (write; limited to the single named report) |
cur:PutReportDefinition | Managing the Cost and Usage Report definition (write; limited to the single named report) |
ebs:List* | Analysis of EBS Volume and Snapshot costs |
ec2:Describe* | Analysis of EC2 costs |
elasticloadbalancing:Describe* | Analysis of Load Balancer costs |
organizations:Describe* | Determination of sub-accounts |
organizations:List* | Determination of sub-accounts |
rds:Describe* | Analysis of RDS costs |
rds:List* | Analysis of RDS costs |
s3:ListAllMyBuckets | Analysis of S3 costs |
s3:Get* (only for cost and usage bucket) | Accessing generated Cost and Usage Reports |
s3:List* (only for cost and usage bucket) | Accessing generated Cost and Usage Reports |
savingsplans:Describe* | Analysis of Savings Plan coverage |
sts:GetCallerIdentity | Confirming the assumed identity (MonitorRole) before analyzing the cloud |
workspaces:Describe* | Analysis of Workspaces utilization |
workspaces:List* | Analysis of Workspaces utilization |
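To make the audit concrete, here is an added Python example (not Cloud Optimizer's code and not extracted from its template) that models the table above as an IAM policy document and checks the two properties the text promises: every action that is not a control-plane read is limited to the single report definition, and the s3:Get*/s3:List* grants are limited to the report bucket. The bucket and report-definition ARNs are assumptions. The same checker can be pointed at the statements of the real template once you have them.

```python
import fnmatch

# Constructed example modelled on the permission table; the real statements
# are in the published CloudFormation template. Both ARNs are assumptions.
CUR_BUCKET_ARN = "arn:aws:s3:::example-cost-and-usage-reports"
CUR_REPORT_ARN = "arn:aws:cur:us-east-1:111122223333:definition/CloudOptimizerReport"

READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # control-plane reads return metadata only, so "*" is acceptable
            "Effect": "Allow",
            "Action": [
                "ce:Get*", "cloudformation:Describe*", "cloudformation:List*",
                "cloudtrail:LookupEvents", "cloudwatch:Get*", "cloudwatch:List*",
                "cur:Describe*", "ebs:List*", "ec2:Describe*",
                "elasticloadbalancing:Describe*", "organizations:Describe*",
                "organizations:List*", "rds:Describe*", "rds:List*",
                "s3:ListAllMyBuckets", "savingsplans:Describe*",
                "sts:GetCallerIdentity", "workspaces:Describe*", "workspaces:List*",
            ],
            "Resource": "*",
        },
        {   # the only write actions, pinned to one report definition
            "Effect": "Allow",
            "Action": ["cur:PutReportDefinition", "cur:ModifyReportDefinition",
                       "cur:DeleteReportDefinition"],
            "Resource": CUR_REPORT_ARN,
        },
        {   # data-plane reads, pinned to the report bucket and its objects
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": [CUR_BUCKET_ARN, CUR_BUCKET_ARN + "/*"],
        },
    ],
}

# Actions that may only ever be granted on these exact resources.
EXPECTED_SCOPE = {
    "cur:PutReportDefinition": {CUR_REPORT_ARN},
    "cur:ModifyReportDefinition": {CUR_REPORT_ARN},
    "cur:DeleteReportDefinition": {CUR_REPORT_ARN},
    "s3:Get*": {CUR_BUCKET_ARN, CUR_BUCKET_ARN + "/*"},
    "s3:List*": {CUR_BUCKET_ARN, CUR_BUCKET_ARN + "/*"},
}
# Account-level reads with no resource-level restriction: "*" is the only
# valid Resource for them, so they are exempt from the scope check.
UNSCOPED_READS = {"s3:ListAllMyBuckets"}
READ_PREFIXES = ("Describe", "Get", "List", "Lookup")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(action, pattern):
    a, p = action.lower(), pattern.lower()
    return fnmatch.fnmatchcase(a, p) or fnmatch.fnmatchcase(p, a)


def is_read_action(action):
    """Control-plane read by naming convention (ec2:Describe*, ce:Get*, ...).
    CloudWatch Logs lives under the separate 'logs:' prefix, so
    'cloudwatch:Get*' cannot read log data."""
    _, _, name = action.partition(":")
    return name.startswith(READ_PREFIXES)


def audit_policy(policy, expected_scope=EXPECTED_SCOPE):
    """Return a list of findings; an empty list means the policy matches."""
    findings = []
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {n}: NotAction/NotResource inverts the grant; review by hand")
        resources = set(_as_list(stmt.get("Resource", [])))
        for action in _as_list(stmt.get("Action", [])):
            if action in UNSCOPED_READS:
                continue
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {n}: wildcard action {action}")
                continue
            scoped = [k for k in expected_scope if _matches(action, k)]
            if scoped:
                allowed = set().union(*(expected_scope[k] for k in scoped))
                if not resources or not resources <= allowed:
                    findings.append(f"statement {n}: {action} on {sorted(resources)}, "
                                    f"expected only {sorted(allowed)}")
            elif not is_read_action(action):
                findings.append(f"statement {n}: {action} is a write action outside the expected list")
    return findings


def with_statement(policy, stmt):
    """Copy of policy with one extra statement (handy for testing a tampered template)."""
    return {**policy, "Statement": list(_as_list(policy.get("Statement", []))) + [stmt]}


if __name__ == "__main__":
    for line in audit_policy(READ_ONLY_POLICY) or ["no findings"]:
        print(line)
```

The checker deliberately treats NotAction/NotResource as findings rather than trying to evaluate them: an Allow with NotAction grants everything except the listed actions, which is the opposite of least privilege and should never appear in a third-party read-only role.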
Read-write permissions are required to automatically apply the recommendations we make to reduce your costs.
The specific API actions are listed in our CloudFormation template, which is public; you can audit that list of permissions here.