Capacity Planner Data Collector: User Guide

Set up IAM role based Data Collector access

Overview

Capacity Planner Cloud Cost Optimization analyses your AWS EC2 and other service estates to identify opportunities to remove costs and optimise the running of your AWS cloud.

To do this, the Data Collector acquires read-only access to various components within AWS in order to understand the configuration of instances, the utilisation of resources, preconfigured reserved instances, savings plans, and tagging.

Note: When extracting data from cloud providers, the Capacity Planner data collectors are run from the ITRS environment using secure read-only credentials provided by the customer. This avoids unnecessary network transfer and the need to upgrade and maintain on-premise data collectors, and ensures that data collection always uses the most up-to-date release.

The preferred way to access data is to set up an IAM role in each AWS account to be analysed, and allow the Data Collector to assume that role in order to collect data.

The steps below should be carried out for each AWS account that is to be analysed:

  1. Create a new permissions policy to allow access to the correct information. See Set up CostExplorerReadAccess policy.

  2. Create the role that the Data Collector will assume when collecting data. See Set up DataCollectorAccess role.

Before starting, ask ITRS to supply you with the account number to be used by the DataCollectorAccess role. You will need this account number to allow access to the Data Collector.

Set up CostExplorerReadAccess policy

The Data Collector requires a new permissions policy to access data. To set up the CostExplorerReadAccess policy, follow the steps:

  1. Open the AWS Console for the account.
  2. Go to IAM > Policies and click Create policy.
  3. Open the JSON tab.
  4. Copy the following policy document into the text box:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ce:GetReservationUtilization",
                    "ce:GetDimensionValues",
                    "ce:GetCostAndUsage",
                    "ce:GetTags"
                ],
                "Resource": "*"
            }
        ]
    }

  5. Name the policy CostExplorerReadAccess, and save.

Set up DataCollectorAccess role

The DataCollectorAccess role allows the Data Collector on the ITRS estate to access the required data on your estate. You can revoke access at any time by removing the ITRS account from the role's trust relationship, or by deleting the role altogether.

To create the DataCollectorAccess role, follow the steps:

  1. Go to IAM > Roles and click Create role.
  2. Select Another AWS Account and, for the Account ID, enter the ITRS account number.
  3. Under Options, select Require external ID, and enter a suitable external ID of your choice. Make a note of the external ID as you will need to provide it to ITRS.
    Do not select Require MFA.
  4. Click Next: Permissions to assign permissions.
  5. In the Permissions window, assign the following permissions to the role by selecting their check boxes:

    • AmazonEC2ReadOnlyAccess

    • AmazonRDSReadOnlyAccess

    • AWSCloudTrailReadOnlyAccess

    • AWSSavingsPlansReadOnlyAccess

    • CloudWatchReadOnlyAccess

    • CostExplorerReadAccess

  6. Click Next and add tags. Tags are optional, but they can help you with ongoing management.

  7. Click Next: Review, check that your setup is correct, and click Create role.

  8. Name the role DataCollectorAccess, and save.

Note: You need to send the account number and external ID for the role to your ITRS representative in a secure way.
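Once the role exists, it is worth confirming that its trust policy has the two properties steps 2 and 3 establish: only the ITRS account may assume it, and the agreed external ID is required. The following check is an added example, not part of the ITRS guide; it models the trust document the console generates rather than fetching it from AWS, and the account ID and external ID used in it are placeholders.

```python
import json


def _as_list(value):
    # IAM accepts a single string or a list for Principal/Action; normalise to a list.
    return value if isinstance(value, list) else [value]


def build_trust_policy(principal_account, external_id=None):
    # Constructed model of the trust policy the console writes for steps 2-3 (placeholder
    # account IDs). "*" as the account models an "anyone" principal so the check can be tested.
    stmt = {
        "Effect": "Allow",
        "Principal": "*" if principal_account == "*"
        else {"AWS": f"arn:aws:iam::{principal_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


def check_trust_policy(document, expected_account, expected_external_id):
    # Findings for every Allow statement granting sts:AssumeRole: it must trust only the
    # expected account and must require the agreed external ID. Empty list means OK.
    findings = []
    for stmt in json.loads(document)["Statement"]:
        if stmt.get("Effect") != "Allow" or \
                "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        trusted = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in trusted:
            if p not in (expected_account, f"arn:aws:iam::{expected_account}:root"):
                findings.append(f"unexpected principal: {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != expected_external_id:
            findings.append("sts:ExternalId condition missing or does not match")
    return findings


def non_read_only_actions(actions):
    # Actions whose API verb is not Get/Describe/List, e.g. to confirm that a custom
    # policy such as CostExplorerReadAccess really only reads data.
    verbs = ("Get", "Describe", "List")
    return [a for a in actions if not a.split(":", 1)[-1].startswith(verbs)]
```

To check a live role, fetch its AssumeRolePolicyDocument (for example with `aws iam get-role`) and pass that JSON to check_trust_policy instead of the constructed document.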