IAM Permission & Deployment

North requires an IAM permission for our app to read spending data that powers our ML engine to automate your FinOps.

North CAN NOT:

  • Read sensitive data

  • View or edit network rules

  • Create, change, alter, stop or pause instances or machines

  • Change or copy any development, test or production data

North's read-only baseline IAM permission and details are listed below. Baseline permissions allow basic functionality of our app and management system in order to fully benefit from the best savings posture. However, additional permissions may be required for some products. See product pages for more details.

Note to the community: It has come to our attention that various third-party services frequently grant themselves excessive permissions. We urge you to exercise caution and thoroughly review these permissions before implementation. For instance, a broad permission like "ec2:Describe*" permits third-party services to access your security groups. Such access is not required for cloud cost optimization and poses an increased security risk to your servers. Please ensure that permissions are appropriately limited to maintain optimal security and functionality.

North Baseline IAM Permission (Free + Startup Version)


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
               "ce:Get*" 
               "ce:Describe*" 
               "ce:List*" 
               "ce:Start*"
               "account:GetAccountInformation" 
               "billing:Get*"
               "payments:List*"
               "payments:Get*"
               "tax:List*"
               "tax:Get*"
               "consolidatedbilling:Get*"
               "consolidatedbilling:List*"
               "invoicing:List*"
               "invoicing:Get*"
               "cur:Get*" 
               "cur:Validate*"
               "freetier:Get*"
               "ec2:DescribeCapacity*"
               "ec2:DescribeReservedInstances*" 
               "ec2:DescribeSpot*"
               "rds:DescribeReserved*" 
               "rds:DescribeDBRecommendations"
               "rds:DescribeAccountAttributes"
               "ecs:DescribeCapacityProviders" #fargate
               "es:DescribeReserved*" #opensearch/elastic search
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "NorthCostAndUsageReadOnlyPolicyID"
        }
    ]
}

Only needed for customers taking advantage of our premier version. Separate sign up for premier is required in the app.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Sid": "NorthPremiumPolicy3",
            "Action": [
                "compute-optimizer:*",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ecs:List*",
                "autoscaling:DescribeAutoScalingGroups",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "organizations:ListAccounts",
                "cloudwatch:GetMetricStatistics",
                "rds:DescribeDBRecommendations",
                "rds:DescribeReservedDBInstances*"
            ],
            "Resource": "*"
        }
    ]
}

Deploying North IAM Permissions (Base IAM Permission)

It is suggested that all customer manage permission deployment from the app console. If you would like to deploy the permission(s) independently from the console, please see below.

CloudFormation

  1. Click on this link ot direct link below:

https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https%3A%2F%2Fnorth-cloudformation-template-public.s3.amazonaws.com%2Fbilling-and-usage-read-only-cf-stack%2Fnorth-read-only-access.yaml&stackName=NorthCostAndUsageReadOnlyCloudFormationStack
  1. Acknowledge and click “Create stack”

Terraform

  1. Deploy the following file:

provider "aws" {
	region = "us-east-1" # Adjust the region as needed
}
	
resource "aws_iam_role" "MyIAMRole" {
	name = "NorthCostAndUsageRole"
	
	assume_role_policy = jsonencode ({
		Version = "2012-10-17"
		Statement = 	[
		{
			Effect = "Allow"
			Principal = {
			AWS = "arn:aws:iam::480850768557:root" # Specify the AWS account ID where the trusted account resides
			}
			Action = "sts:AssumeRole"
			}
			]
		}) 
	}
	
	resource "aws_iam_policy" "MyIAMPolicy" {
	name        = "NorthCostAndUsageReadOnlyPolicy"
	description = "Read-only policy for North Inc. cost and usage"
	
	policy = jsonencode ({
		Version = "2012-10-17"
		Statement = 	[
		{
			Sid    = "NorthCostAndUsageReadOnlyPolicyID"
			Effect = "Allow"
			Action = 	[
			"ce:Get*",
			"ce:Describe*",
			"ce:List*",
			"ce:Start*",
			"account:GetAccountInformation",
			"billing:Get*",
			"payments:List*",
			"payments:Get*",
			"tax:List*",
			"tax:Get*",
			"consolidatedbilling:Get*",
			"consolidatedbilling:List*",
			"invoicing:List*",
			"invoicing:Get*",
			"cur:Get*",
			"cur:Validate*",
			"freetier:Get*",
			"ec2:DescribeCapacity*",
			"ec2:DescribeReservedInstances*",
			"ec2:DescribeSpot*",
			"rds:DescribeReserved*",
			"rds:DescribeDBRecommendations",
			"rds:DescribeAccountAttributes",
			"ecs:DescribeCapacityProviders",
			"es:DescribeReserved*"
			]
			Resource = "*"
			}
		]
	})
	
	roles = 	[aws_iam_role.MyIAMRole.name]
}
	
output "RoleARNOutput" {
	value = aws_iam_role.MyIAMRole.arn
}
  1. Run the following command in your terminal of choice:

aws cloudformation create-stack \
--stack-name NorthCostAndUsageReadOnlyCloudFormationStack \
--template-url https://north-cloudformation-template-public.s3.amazonaws.com/billing-and-usage-read-only-cf-stack/north-read-only-access.yaml \
--region us-east-1
  1. In the AWS Management Console, select CloudFormation and “Create Stack”

  2. Select the "Specify an Amazon S3 template URL" and copy:

https://north-cloudformation-template-public.s3.amazonaws.com/billing-and-usage-read-only-cf-stack/north-read-only-access.yaml// Some code
  1. On the "Specify stack details" page, enter the following information: - Stack name: Enter "NorthCostAndUsageReadOnlyCloudFormationStack" (or your desired stack name)

  2. Click the "Next" until you are able to “Create stack”

Last updated