Required and Optional Permissions

Caliper is capable of providing analysis with minimal access to your AWS accounts. However, there are optional permissions that can enable additional functionality.

The permissions Caliper takes advantage of are listed below. To control Caliper’s access to your AWS account, update the AWS Identity and Access Management (IAM) role created for Caliper.

It is not harmful to provide Caliper with additional permissions. Caliper does not currently use any permissions not listed below, but additional functionality may be added in the future. This page will be updated.

Caliper does not modify any of your AWS account data at any time.

Required Permissions

Amazon S3

| Action | Resource | Details |
| --- | --- | --- |
| s3:ListBucket | arn:aws:s3:::<CUR_BUCKET> | Required for Caliper to find AWS CUR files. This permission must be provided at the whole bucket level as AWS does not support finer levels. Replace <CUR_BUCKET> with the S3 bucket where your CUR is located. |
| s3:GetObject | arn:aws:s3:::<CUR_BUCKET>/* | Required for Caliper to read AWS CUR files. Caliper does not recommend placing your CUR data in the same bucket as non-CUR data. However, you may restrict this permission to paths under the report path prefix provided to AWS if you are using the same bucket for other objects. Replace <CUR_BUCKET> with the S3 bucket where your CUR is located. |

Optional Permissions

AWS Organizations

| Action | Resource | Details |
| --- | --- | --- |
| organizations:DescribeOrganizationalUnit, organizations:ListAccounts, organizations:ListAccountsForParent, organizations:ListOrganizationalUnitsForParent, organizations:ListParents, organizations:ListRoots | * | Used to retrieve account names and organizational units (OUs). Also requires the IAM role to be attached to an AWS Organizations management account. |
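
The permissions listed above, written out as an IAM policy document and paired with a check for actions that go beyond this page's list. This is an added example, not Caliper's own code; the function names, the `report_prefix` parameter, the `Sid` values and the sample bucket name are assumptions.

```python
import json

# Actions copied from the Required and Optional Permissions tables on this page.
REQUIRED_S3 = {"s3:ListBucket", "s3:GetObject"}
OPTIONAL_ORGS = {
    "organizations:DescribeOrganizationalUnit",
    "organizations:ListAccounts",
    "organizations:ListAccountsForParent",
    "organizations:ListOrganizationalUnitsForParent",
    "organizations:ListParents",
    "organizations:ListRoots",
}


def build_policy(cur_bucket, report_prefix=None, with_organizations=False):
    """Build the policy; report_prefix (assumed name) narrows s3:GetObject."""
    bucket_arn = f"arn:aws:s3:::{cur_bucket}"
    prefix = report_prefix.strip("/") if report_prefix else ""
    prefix = prefix + "/" if prefix else ""
    statements = [
        {"Sid": "FindCurFiles", "Effect": "Allow",  # whole bucket, per the table
         "Action": "s3:ListBucket", "Resource": bucket_arn},
        {"Sid": "ReadCurFiles", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": f"{bucket_arn}/{prefix}*"},
    ]
    if with_organizations:
        statements.append({"Sid": "ReadOrganization", "Effect": "Allow",
                           "Action": sorted(OPTIONAL_ORGS), "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def unlisted_actions(policy):
    """Return Allow actions in a policy that this page does not list."""
    known = {a.lower() for a in REQUIRED_S3 | OPTIONAL_ORGS}
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    found = set()
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        found.update([actions] if isinstance(actions, str) else actions)
    return sorted(a for a in found if a.lower() not in known)


if __name__ == "__main__":
    # Constructed sample values: the bucket and prefix are placeholders.
    print(json.dumps(build_policy("example-cur-bucket", "reports/cur", True), indent=2))
```

Wildcard actions such as `s3:*` are reported by `unlisted_actions` because they are not an exact match for any listed action.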