Create an AWS user for Data Collection

Overview

Capacity Planner Cloud Cost Optimization analyses your AWS EC2 and other service estates to identify opportunities to remove costs and optimise the running of your AWS cloud.

To do this, read-only access is acquired to various components within AWS in order to understand the configuration of instances, the utilisation of the resources, pre-configured reserved instances, and savings plans, and tagging.

To enable this, you need to create a new IAM AWS user with read-only access to the following:

  • AWS Cloud Watch to collect CPU utilisation metrics and other metrics that inform resource utilisation of instances.
  • EC2 to collect instance configuration, tags, properties, reserved instances, and savings plans.
  • Cost Explorer to collect cost metrics such as hourly rates, instance types, or available regions. This requires the creation of a new policy.

The following is a step by step guide to configuring a user in your AWS environment with the appropriate credentials to allow Capacity Planner to extract data. These credentials should be provided to your ITRS representative to schedule regular collection.

Select one or more AWS accounts that are to be analysed using Capacity Planner. Each account must have active EC2 instances.

Create IAM user and assign permissions

Select one or more AWS accounts that are to be analysed using Capacity Planner. Each account must have active EC2 instances.

  1. In AWS Services, type "IAM" to get access to Manage access to AWS resources. Open this service.
  2. Click Users and then click the Add User button.
  3. Type the new user name.
  4. Under Access type, tick Programmatic access.
  5. Click Next: Permissions to assign permissions.

There are some policy permissions that you need to assign to the user. Some of these policies already exist and some must be created.

For Cloud Cost Optimisation, a new policy that must be created is CostExplorerReadAccess. To do this:

  1. In the Permissions window, click Create policy.
  2. Open the JSON tab.
  3. Copy the code into the text box:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "ce:GetReservationUtilization",
            "ce:GetDimensionValues",
            "ce:GetCostAndUsage",
            "ce:GetTags"
          ],
          "Resource": "*"
        }
      ]
    }		

  4. Name the policy CostExplorerReadAccess, and save. The new policy is automatically assigned to the newly created user.

Next, you need to assign the remaining existing AWS policies:

  1. Search for the policies and assign them by selecting the check box:
    • AmazonEC2ReadOnlyAccess
    • AWSCloudTrailReadOnlyAccess
    • CloudWatchReadOnlyAccess
    • AWSSavingsPlansReadOnlyAccess
  2. Click Next and add tags. This is not mandatory but this can help you with ongoing management.
  3. Click Next-Review, check that your setup is correct, and click Create user.

Once the user is created, you can download its details as a CSV file and share that file with ITRS in a manner compliant with your company’s information security policy.

If there is a requirement to assign additional permission policies in the future, go to IAM in AWS, search for the user, click Permissions and follow the same steps as above to attach AWS managed policies or to create a new one. A maximum of 10 individual policies can be attached to a user, but you can also create groups with permissions, and add the user to that group.

For more information about IAM policies, see AWS documentation.