Documentation - HPE Usage and Analytics

AWS permissions needed by the HPE Consumption Analytics platform

This article details the credentials and permissions that you set up in your Amazon Web Services (AWS) accounts to give the HPE Consumption Analytics portal the ability to collect data and, in limited cases, make changes for you.

For each AWS user to whom you grant permissions, you must provide AWS credentials.

Usage and cost data

The permissions in this section are needed for the HPE Consumption Analytics portal to collect detailed billing reports, which are the primary source of the data you see in HPE Consumption Analytics platform reports and analytics.

The following permissions are required on the billing (payer) account for each AWS collection that you create. You cannot create a collection without them.

Because you enter the credentials for usage and billing data into the HPE Consumption Analytics portal separately from credentials for other access, you can use separate AWS user accounts for these two purposes.

Specific user permissions needed

  • Access to billing information on the account from which the HPE Consumption Analytics portal will collect usage and billing information. If you use consolidated billing, this is the billing account.
  • You also need to add permission for AWS Organizations (list accounts), to enable the HPE Consumption Analytics platform to locate the linked accounts associated with the collection.
  • The Amazon S3 Read Only policy. If you do not want this policy to provide access to all S3 buckets, you can restrict it to the bucket where this account's detailed billing reports are placed. For the JSON version of the Amazon S3 Read Only policy, see Amazon S3 Read Only in the AWS documentation. 

Utilization and other metrics

The permissions in this section are needed for the HPE Consumption Analytics portal to collect resource utilization, application performance, and operational health data available through the Amazon CloudWatch service. This not only provides richer reporting, but also enables Insights to alert users to take action based on these metrics, such as when a resource is underutilized. 

Specific user permissions needed

For each applicable account, the CloudWatchReadOnlyAccess policy is required. If this policy does not exist in your cloud, you must create a role with the CloudWatch Read Only policy.  

The resources that the HPE Consumption Analytics platform attempts to read are the ARNs that appear in the billing reports and that support CloudWatch metrics. The tool only needs access to metrics, not logs. The account owner can also limit the resources that the platform is allowed to access, if desired.

A sample policy is shown in the next section.

For the JSON version of the CloudWatch Read Only policy, see CloudWatch Read Only in the AWS documentation.

For general information about IAM roles, see Managing IAM Roles in the AWS documentation.

Sample policies

Following is a sample policy for the billing account: 
[Image: sample policy for the billing account]

Following is a sample policy with the minimum actions required to gather the CloudWatch data on the linked accounts:

[Image: sample policy with the minimum actions required to gather CloudWatch data on the linked accounts]
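
The following check is an added example, not HPE's or AWS's own code. It audits an IAM policy document before you attach it to the collection user, flagging anything broader than the requirements above: S3 access outside the billing report bucket, non-read actions, and log access. The bucket name `example-billing-reports`, both sample policies, and the mapping of the page's requirements to the `READ_ONLY` action patterns are assumptions made for illustration.

```python
import fnmatch

# Assumed mapping of the page's requirements to read-only IAM action patterns.
READ_ONLY = ["s3:get*", "s3:list*", "organizations:listaccounts",
             "cloudwatch:get*", "cloudwatch:list*", "cloudwatch:describe*"]

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit(policy, billing_bucket):
    """Return findings for Allow statements broader than the page requires."""
    bucket_arns = {f"arn:aws:s3:::{billing_bucket}",
                   f"arn:aws:s3:::{billing_bucket}/*"}
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # A statement with no Action (for example NotAction) is treated as "*".
        actions = [a.lower() for a in as_list(stmt.get("Action", "*"))]
        for action in actions:
            if not any(fnmatch.fnmatchcase(action, p) for p in READ_ONLY):
                findings.append(f"outside read-only billing/metrics set: {action}")
        if any(a.startswith("s3:") or a == "*" for a in actions):
            for res in as_list(stmt.get("Resource", "*")):
                if res not in bucket_arns:
                    findings.append(f"S3 access beyond billing bucket: {res}")
    return findings

# Constructed samples: an overly broad grant and a scoped one.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudwatch:*", "logs:Get*"], "Resource": "*"}]}

SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-billing-reports",
                  "arn:aws:s3:::example-billing-reports/*"]},
    {"Effect": "Allow", "Action": "organizations:ListAccounts", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"],
     "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, audit(policy, "example-billing-reports") or "ok")
```

The check is deliberately conservative: a wildcard that could expand to a write action, such as `cloudwatch:*`, is reported even though it also covers the read actions.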