IAM Permission & Deployment

As of December 5, 2024 we are combining the default and premier permissions into our onboarding, making the premier features available for all customers.

North requires an IAM permission for our app to read spending data that powers our ML engine to automate your FinOps.

North CAN NOT:

  • Read sensitive data

  • View or edit network rules

  • Create, change, alter, stop or pause instances or machines

  • Change or copy any development, test or production data

North's read-only baseline IAM permission and details are listed below. Baseline permissions allow basic functionality of our app and management system in order to fully benefit from the best savings posture. However, additional permissions may be required for some products. See product pages for more details.

Note to the community: It has come to our attention that various third-party services frequently request excessive permissions for themselves. We urge you to exercise caution and thoroughly review these permissions before granting them. For instance, a broad permission like "ec2:Describe*" also lets a third-party service read your security groups. Such access is not required for cloud cost optimization and increases the security risk to your servers. Please ensure that permissions are limited to what the integration actually needs, so that security and functionality are both maintained.
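The review the note above asks for can be made mechanical. The following script is an added illustration for this page (not North's own tooling): it parses a policy document, expands each Action wildcard against a small constructed catalogue of AWS action names, and reports every concrete action that falls outside a cost-and-usage read allow-list or that reaches network rules or workload control. The catalogue, the allow-list and the two sample policies are constructed for the example; a real review would use the complete action list for each service.

```python
"""Wildcard review for a third-party IAM policy document.

Added illustration for this page, not North's own tooling. It expands each
Action pattern against a small constructed catalogue of API action names and
reports any concrete action that reaches beyond cost-and-usage reads, which
is how an "ec2:Describe*" grant surfaces in a review.
"""
import fnmatch
import json

# Constructed catalogue: a deliberately small subset of real AWS action names.
# A real review would use the complete action list for each service.
ACTION_CATALOGUE = [
    "ce:GetCostAndUsage",
    "ce:GetReservationUtilization",
    "ec2:DescribeReservedInstances",
    "ec2:DescribeReservedInstancesOfferings",
    "ec2:DescribeSpotPriceHistory",
    "ec2:DescribeCapacityReservations",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeVpcs",
    "ec2:DescribeInstances",
    "ec2:StopInstances",
    "ec2:TerminateInstances",
]

# Constructed allow-list modelled on the baseline policy on this page:
# patterns a cost-optimisation integration legitimately needs.
ALLOWED_PATTERNS = [
    "ce:Get*", "ce:Describe*", "ce:List*",
    "ec2:DescribeReservedInstances*", "ec2:DescribeSpot*", "ec2:DescribeCapacity*",
]

# Patterns that expose network posture or control workloads; a cost tool
# needs none of these.
DENY_PATTERNS = ["ec2:*SecurityGroup*", "ec2:*Vpc*", "ec2:Stop*", "ec2:Terminate*", "ec2:Run*"]


def matches(action, pattern):
    """IAM action matching is case-insensitive; '*' is the only wildcard used here."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def expand(pattern):
    """Concrete catalogue actions granted by one Action pattern."""
    return [a for a in ACTION_CATALOGUE if matches(a, pattern)]


def load_statements(policy_text):
    """Parse the document; a JSON error (e.g. a missing comma) is itself a review finding."""
    doc = json.loads(policy_text)
    statements = doc["Statement"]
    return [statements] if isinstance(statements, dict) else statements


def review_policy(policy_text):
    """Return (pattern, concrete_action, reason) for every over-broad grant."""
    findings = []
    for stmt in load_statements(policy_text):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for pattern in actions:
            for concrete in expand(pattern):
                if any(matches(concrete, d) for d in DENY_PATTERNS):
                    findings.append((pattern, concrete, "reaches network rules or workload control"))
                elif not any(matches(concrete, a) for a in ALLOWED_PATTERNS):
                    findings.append((pattern, concrete, "outside cost/usage read allow-list"))
    return findings


# Constructed sample policies: one with the broad wildcard the note warns about,
# one scoped the way the baseline policy on this page is.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ce:Get*", "ec2:Describe*"], "Resource": "*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ce:Get*", "ec2:DescribeReservedInstances*", "ec2:DescribeSpot*", "ec2:DescribeCapacity*"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    for name, policy in [("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)]:
        findings = review_policy(policy)
        print(f"{name}: {len(findings)} finding(s)")
        for pattern, concrete, reason in findings:
            print(f"  {pattern:<24} -> {concrete:<36} {reason}")
```

Running it shows the scoped policy producing no findings, while "ec2:Describe*" in the over-broad policy is flagged three times: once each for DescribeSecurityGroups and DescribeVpcs (network posture) and once for DescribeInstances (outside the cost-read allow-list). Because the document is parsed with json.loads before anything else, a policy pasted with missing commas or inline comments fails the review immediately, which is the right outcome for a document that a real IAM call would reject as well.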

Baseline - Default read-only cost and usage data

In the list below, ecs:DescribeCapacityProviders is needed for Fargate and es:DescribeReserved* for OpenSearch/Elasticsearch reserved instances. The policy is plain JSON, so the actions are comma-separated and carry no inline comments.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ce:Get*",
                "ce:Describe*",
                "ce:List*",
                "ce:Start*",
                "account:GetAccountInformation",
                "billing:Get*",
                "payments:List*",
                "payments:Get*",
                "tax:List*",
                "tax:Get*",
                "consolidatedbilling:Get*",
                "consolidatedbilling:List*",
                "invoicing:List*",
                "invoicing:Get*",
                "cur:Get*",
                "cur:Validate*",
                "freetier:Get*",
                "ec2:DescribeCapacity*",
                "ec2:DescribeReservedInstances*",
                "ec2:DescribeSpot*",
                "rds:DescribeReserved*",
                "rds:DescribeDBRecommendations",
                "rds:DescribeAccountAttributes",
                "ecs:DescribeCapacityProviders",
                "es:DescribeReserved*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "NorthCostAndUsageReadOnlyPolicyID"
        }
    ]
}

Premier Baseline - Read-only Compute Optimizer and CloudWatch metric data.

Besides the Describe/List/Get calls, this policy also lets the app create the Compute Optimizer service-linked role and attach a policy to it (NorthPremiumPolicy1 and NorthPremiumPolicy2, both scoped to that role's ARN), call every Compute Optimizer action (compute-optimizer:*), and enable Compute Optimizer as a trusted service in AWS Organizations (NorthPremiumPolicy4, conditioned on that service principal only).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "NorthPremiumPolicy1",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "compute-optimizer.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Sid": "NorthPremiumPolicy2",
      "Action": "iam:PutRolePolicy",
      "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
    },
    {
      "Effect": "Allow",
      "Sid": "NorthPremiumPolicy3",
      "Action": [
        "compute-optimizer:*",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ecs:List*",
        "autoscaling:DescribeAutoScalingGroups",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "organizations:ListAccounts",
        "cloudwatch:GetMetricStatistics",
        "rds:DescribeDBRecommendations",
        "rds:DescribeReservedDBInstances*",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Sid": "NorthPremiumPolicy4",
      "Action": "organizations:EnableAWSServiceAccess",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": "compute-optimizer.amazonaws.com"
        }
      }
    }
  ]
}

Advanced Permissions - Cross-account, cross-region CloudWatch metric retrieval and creation of a read-only CUR (Cost and Usage Report) file.

The statements below are listed together rather than as a single IAM policy document: those with a Resource key are permissions granted to the role, while those with a Principal key are trust-policy statements defining who may assume it. ${AWS::AccountId} and ${CURBucket} are CloudFormation-style substitution variables that are filled in at deployment time.

{
  "Permissions": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::${AWS::AccountId}:root",
        "arn:aws:iam::${AWS::AccountId}:role/NorthCloudWatchCrossAccountAccessRole"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Principal": {
        "Service": "cloudwatch-crossaccount.amazonaws.com"
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::480850768557:role/NorthCURReadOnly"
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::*:role/NorthCloudWatchCrossAccountSharingRole"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::${CURBucket}",
        "arn:aws:s3:::${CURBucket}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::${CURBucket}/*",
        "arn:aws:s3:::${CURBucket}"
      ]
    }
  ]
}
