
Create an AWS user for Data Collection

Overview

Capacity Planner Cloud Cost Optimization analyses your AWS EC2 and other service estates to identify opportunities to remove costs and optimise the running of your AWS cloud.

To do this, it needs read-only access to several AWS services in order to understand the configuration of instances, the utilisation of their resources, pre-configured reserved instances and savings plans, and tagging.

Note: When extracting data from cloud providers, the Capacity Planner data collectors are run from the ITRS environment using secure read-only credentials provided by the customer. This avoids unnecessary network transfer and the need to upgrade and maintain on-premises data collectors, and ensures that data collection always runs on the most up-to-date release.

The preferred way to access data is to set up an IAM role in each AWS account to be analysed, and allow the Data Collector to assume that role in order to collect data.

Carry out the steps below for each AWS account that is to be analysed:

  1. Create a new permissions policy to allow access to the correct information. See Set up CostExplorerReadAccess policy.

  2. Create the role that the Data Collector will assume when collecting data. See Set up DataCollectorAccess role.

Set up CostExplorerReadAccess policy

The Data Collector requires a new permissions policy to access data. To set up the CostExplorerReadAccess policy, follow these steps:

  1. Open the AWS Console for the account.
  2. Go to IAM > Policies and click Create policy.
  3. Open the JSON tab.
  4. Copy the following JSON into the text box:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ce:GetReservationUtilization",
                    "ce:GetDimensionValues",
                    "ce:GetCostAndUsage",
                    "ce:GetTags"
                ],
                "Resource": "*"
            }
        ]
    }
  5. Name the policy CostExplorerReadAccess, and save.

Set up DataCollectorAccess role

You need to create a new AWS IAM user with read-only access to the following:

  • AWS CloudWatch, to collect CPU utilisation and other metrics that describe the resource utilisation of instances.
  • EC2, to collect instance configuration, tags, properties, reserved instances, and savings plans.
  • Cost Explorer, to collect cost metrics such as hourly rates, instance types, or available regions. This requires the creation of a new policy.

Select one or more AWS accounts that are to be analysed using Capacity Planner. Each account must have active EC2 instances.

  1. In the AWS Services search box, type "IAM" to find "Manage access to AWS resources", and open this service.
  2. Click Users and then click the Add User button.
  3. Type the new user name.
  4. Under Access type, tick Programmatic access.
  5. Click Next: Permissions to assign permissions.
  6. In the Permissions window, click Create policy.
  7. Open the JSON tab.
  8. Copy the following JSON into the text box:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ce:GetReservationUtilization",
                    "ce:GetDimensionValues",
                    "ce:GetCostAndUsage",
                    "ce:GetTags"
                ],
                "Resource": "*"
            }
        ]
    }
  9. Name the policy CostExplorerReadAccess, and save.

Next, you need to attach the remaining AWS managed policies:

  1. Search for each of the following policies and select its check box to attach it:

    • AmazonEC2ReadOnlyAccess

    • AmazonRDSReadOnlyAccess

    • AWSCloudTrailReadOnlyAccess

    • AWSSavingsPlansReadOnlyAccess

    • CloudWatchReadOnlyAccess

  2. Click Next and add tags. Tags are not mandatory, but they can help you with ongoing management.

  3. Click Next: Review, check that your setup is correct, and click Create user.

Once the user is created, you can download its access credentials as a CSV file. Share that file with ITRS in a manner compliant with your company's information security policy.

If additional permission policies need to be assigned in the future, follow these steps:

  1. Go to IAM in AWS.

  2. Search for the user.

  3. Click Permissions and follow the same steps as above to attach AWS managed policies or to create a new one.

A maximum of 10 individual policies can be attached to a user. Alternatively, you can create a group with the required permissions and add the user to that group.

For more information about IAM policies, see the AWS documentation.