Cloud Cruiser became HPE Consumption Analytics on Nov. 1, 2018. You'll still see the old name in places while we update this site.



Consumption Analytics Documentation

Home > HPE Consumption Analytics Portal Documentation > Configuring the HPE Consumption Analytics Portal > Creating Collections > Collecting data from Amazon Web Services (AWS) > AWS permissions needed by the HPE Consumption Analytics Portal

AWS permissions needed by the HPE Consumption Analytics Portal

This article details the credentials and permissions that you set up in your Amazon Web Services (AWS) accounts to give HPE Consumption Analytics Portal the ability to collect data and, in limited cases, make changes for you.

For each AWS user to whom you grant permissions, you must provide AWS credentials to HPE Consumption Analytics Portal.

Usage and cost data

The permissions in this section are needed for HPE Consumption Analytics Portal to collect detailed billing reports, which are the primary source of the data you see in HPE Consumption Analytics Portal reports and analytics.

The following permissions are required on the billing (payer) account for each AWS collection that you create. You cannot create a collection without them.

Because you enter the credentials for usage and billing data into HPE Consumption Analytics Portal separately from credentials for other access, you can use separate AWS user accounts for these two purposes.

Specific user permissions needed

  • Access to billing information on the account from which HPE Consumption Analytics Portal will collect usage and billing information. If you use consolidated billing, this is the billing account.
  • You also need to add permission for AWS Organizations (list accounts), to enable HPE Consumption Analytics Portal to locate the linked accounts associated with the collection.
  • The Amazon S3 Read Only policy. If you do not want this policy to provide access to all S3 buckets, you can restrict it to the bucket where this account's detailed billing reports are placed. For the JSON version of the Amazon S3 Read Only policy, see Amazon S3 Read Only in the AWS documentation.

Utilization and other metrics

The permissions in this section are needed for HPE Consumption Analytics Portal to collect resource utilization, application performance, and operational health data available through the Amazon CloudWatch service. This not only provides richer reporting, but also enables Insights to alert users to take action based on these metrics, such as when a resource is underutilized.

Specific user permissions needed

For each applicable account, the CloudWatchReadOnlyAccess policy is required. If this policy does not exist in your cloud, you must create a role with the CloudWatch Read Only policy.  

The resources HPE Consumption Analytics Portal attempts to read are the ARNs that appear in the billing reports that support CloudWatch metrics.  The tool only needs access to metrics, not logs. Also, the account owner can limit the resources we are allowed to access if desired. 

A sample policy is shown in the next section.

For the JSON version of the CloudWatch Read Only policy, see CloudWatch Read Only in the AWS documentation.

For general information about IAM roles, see Managing IAM Roles in the AWS documentation

Sample policies

Following is a sample policy for the billing account:



Following is a sample policy with the minimum actions required to gather the CloudWatch data on the linked accounts:




Last modified


This page has no custom tags.


This page has no classifications.

 (c) Copyright 2017-2020 Hewlett Packard Enterprise Development LP