This topic lists the AWS IAM permissions required for Zesty products.
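Click a selection to see its permissions. In the S3 bucket ARNs, `${BucketName}` and `<cur-bucket-name>` both stand for the name of your CUR (Cost and Usage Report) bucket.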
Baseline permissions
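These permissions are required when no products are selected. Every action in them is a read (`List*`, `Describe*`, `Get*`) except `savingsplans:CreateSavingsPlan`, which creates (purchases) a Savings Plan.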
Linked account permissions - no product
{
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:List*",
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EC2Access"
},
{
"Action": [
"organizations:List*",
"organizations:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "OrganizationsAccess"
},
{
"Action": [
"servicequotas:ListServiceQuotas",
"servicequotas:GetServiceQuota",
"servicequotas:GetRequestedServiceQuotaChange"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "ServiceQuotasAccess"
},
{
"Action": [
"cloudwatch:List*",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "MetricsAccess"
},
{
"Action": [
"savingsplans:List*",
"savingsplans:Describe*",
"savingsplans:CreateSavingsPlan"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "SavingsPlansAccess"
},
{
"Action": [
"ce:List*",
"ce:Describe*",
"ce:Get*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "CostExplorerAccess"
},
{
"Action": [
"eks:List*",
"eks:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EKSAccess"
}
]
},
"PolicyName": {
"Fn::Sub": "Zesty-Policy_${AWS::AccountId}"
}
}
]
}
Management account permissions - no product
{
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:List*",
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EC2Access"
},
{
"Action": [
"organizations:List*",
"organizations:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "OrganizationsAccess"
},
{
"Action": [
"servicequotas:ListServiceQuotas",
"servicequotas:GetServiceQuota",
"servicequotas:GetRequestedServiceQuotaChange"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "ServiceQuotasAccess"
},
{
"Action": [
"cloudwatch:List*",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "MetricsAccess"
},
{
"Action": [
"savingsplans:List*",
"savingsplans:Describe*",
"savingsplans:CreateSavingsPlan"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "SavingsPlansAccess"
},
{
"Action": [
"ce:List*",
"ce:Describe*",
"ce:Get*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "CostExplorerAccess"
},
{
"Action": [
"eks:List*",
"eks:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EKSAccess"
},
{
"Action": [
"cur:DescribeReportDefinitions"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "CostandUsageReportsAccess"
},
{
"Action": [
"bcm-data-exports:ListExports",
"bcm-data-exports:GetExport"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "BCMDataExportsAccess"
},
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:s3:::${BucketName}"
},
"Sid": "CURBucketAccess"
},
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:s3:::${BucketName}/*"
},
"Sid": "CURBucketObjectsAccess"
}
]
},
"PolicyName": {
"Fn::Sub": "Zesty-Policy_${AWS::AccountId}"
}
}
]
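}
Zesty Disk permissions
In addition to the baseline statements, these policies add the `EC2AccessZD` statement, which allows KMS key use (including `kms:CreateGrant`) and EBS volume, snapshot, tag and instance-attribute changes on all resources (`"Resource": "*"`).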
Zesty Disk Linked account permissions
{
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:List*",
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EC2Access"
},
{
"Action": [
"organizations:List*",
"organizations:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "OrganizationsAccess"
},
{
"Action": [
"servicequotas:ListServiceQuotas",
"servicequotas:GetServiceQuota",
"servicequotas:GetRequestedServiceQuotaChange"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "ServiceQuotasAccess"
},
{
"Action": [
"cloudwatch:List*",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "MetricsAccess"
},
{
"Action": [
"savingsplans:List*",
"savingsplans:Describe*",
"savingsplans:CreateSavingsPlan"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "SavingsPlansAccess"
},
{
"Action": [
"ce:List*",
"ce:Describe*",
"ce:Get*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "CostExplorerAccess"
},
{
"Action": [
"eks:List*",
"eks:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EKSAccess"
},
{
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:DescribeKey",
"kms:CreateGrant",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:GenerateDataKeyPairWithoutPlaintext",
"ec2:EnableVolumeIO",
"ec2:ModifyVolumeAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume",
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots",
"ec2:DeleteSnapshot",
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EC2AccessZD"
}
]
},
"PolicyName": {
"Fn::Sub": "Zesty-Policy_${AWS::AccountId}"
}
}
]
}
Zesty Disk Management account permissions
{
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:List*",
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EC2Access"
},
{
"Action": [
"organizations:List*",
"organizations:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "OrganizationsAccess"
},
{
"Action": [
"servicequotas:ListServiceQuotas",
"servicequotas:GetServiceQuota",
"servicequotas:GetRequestedServiceQuotaChange"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "ServiceQuotasAccess"
},
{
"Action": [
"cloudwatch:List*",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "MetricsAccess"
},
{
"Action": [
"savingsplans:List*",
"savingsplans:Describe*",
"savingsplans:CreateSavingsPlan"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "SavingsPlansAccess"
},
{
"Action": [
"ce:List*",
"ce:Describe*",
"ce:Get*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "CostExplorerAccess"
},
{
"Action": [
"eks:List*",
"eks:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EKSAccess"
},
{
"Action": [
"cur:DescribeReportDefinitions"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "CostandUsageReportsAccess"
},
{
"Action": [
"bcm-data-exports:ListExports",
"bcm-data-exports:GetExport"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "BCMDataExportsAccess"
},
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:s3:::<cur-bucket-name>"
},
"Sid": "CURBucketAccess"
},
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:s3:::<cur-bucket-name>/*"
},
"Sid": "CURBucketObjectsAccess"
},
{
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:DescribeKey",
"kms:CreateGrant",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:GenerateDataKeyPairWithoutPlaintext",
"ec2:EnableVolumeIO",
"ec2:ModifyVolumeAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume",
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots",
"ec2:DeleteSnapshot",
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EC2AccessZD"
}
]
},
"PolicyName": {
"Fn::Sub": "Zesty-Policy_${AWS::AccountId}"
}
}
]
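}
Commitment Manager permissions
In addition to the management-account baseline statements, this policy allows actions that purchase, exchange, modify and list Reserved Instances and purchase host reservations (`EC2AccessCM`), requesting service quota increases (`ServiceQuotasAccessCM`), and every Savings Plans action (`savingsplans:*`), all on `"Resource": "*"`.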
Commitment Manager Management account permissions
{
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:List*",
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EC2Access"
},
{
"Action": [
"organizations:List*",
"organizations:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "OrganizationsAccess"
},
{
"Action": [
"servicequotas:ListServiceQuotas",
"servicequotas:GetServiceQuota",
"servicequotas:GetRequestedServiceQuotaChange"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "ServiceQuotasAccess"
},
{
"Action": [
"cloudwatch:List*",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "MetricsAccess"
},
{
"Action": [
"savingsplans:List*",
"savingsplans:Describe*",
"savingsplans:CreateSavingsPlan"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "SavingsPlansAccess"
},
{
"Action": [
"ce:List*",
"ce:Describe*",
"ce:Get*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "CostExplorerAccess"
},
{
"Action": [
"eks:List*",
"eks:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EKSAccess"
},
{
"Action": [
"cur:DescribeReportDefinitions"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "CostandUsageReportsAccess"
},
{
"Action": [
"bcm-data-exports:ListExports",
"bcm-data-exports:GetExport"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "BCMDataExportsAccess"
},
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:s3:::<cur-bucket-name>"
},
"Sid": "CURBucketAccess"
},
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:s3:::<cur-bucket-name>/*"
},
"Sid": "CURBucketObjectsAccess"
},
{
"Action": [
"ec2:CreateReservedInstancesListing",
"ec2:PurchaseReservedInstancesOffering",
"ec2:PurchaseHostReservation",
"ec2:GetReservedInstancesExchangeQuote",
"ec2:AcceptReservedInstancesExchangeQuote",
"ec2:CancelReservedInstancesListing",
"ec2:ModifyReservedInstances"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EC2AccessCM"
},
{
"Action": [
"servicequotas:RequestServiceQuotaIncrease"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "ServiceQuotasAccessCM"
},
{
"Action": [
"savingsplans:*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "SavingsPlansAccessCM"
}
]
},
"PolicyName": {
"Fn::Sub": "Zesty-Policy_${AWS::AccountId}"
}
}
]
}
Kompass permissions
Kompass Linked account permissions
{
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:List*",
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EC2Access"
},
{
"Action": [
"organizations:List*",
"organizations:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "OrganizationsAccess"
},
{
"Action": [
"servicequotas:ListServiceQuotas",
"servicequotas:GetServiceQuota",
"servicequotas:GetRequestedServiceQuotaChange"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "ServiceQuotasAccess"
},
{
"Action": [
"cloudwatch:List*",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "MetricsAccess"
},
{
"Action": [
"savingsplans:List*",
"savingsplans:Describe*",
"savingsplans:CreateSavingsPlan"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "SavingsPlansAccess"
},
{
"Action": [
"ce:List*",
"ce:Describe*",
"ce:Get*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "CostExplorerAccess"
},
{
"Action": [
"eks:List*",
"eks:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EKSAccess"
}
]
},
"PolicyName": {
"Fn::Sub": "Zesty-Policy_${AWS::AccountId}"
}
}
]
}
Kompass Management account permissions
{
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:List*",
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EC2Access"
},
{
"Action": [
"organizations:List*",
"organizations:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "OrganizationsAccess"
},
{
"Action": [
"servicequotas:ListServiceQuotas",
"servicequotas:GetServiceQuota",
"servicequotas:GetRequestedServiceQuotaChange"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "ServiceQuotasAccess"
},
{
"Action": [
"cloudwatch:List*",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "MetricsAccess"
},
{
"Action": [
"savingsplans:List*",
"savingsplans:Describe*",
"savingsplans:CreateSavingsPlan"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "SavingsPlansAccess"
},
{
"Action": [
"ce:List*",
"ce:Describe*",
"ce:Get*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "CostExplorerAccess"
},
{
"Action": [
"eks:List*",
"eks:Describe*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "EKSAccess"
},
{
"Action": [
"athena:StartQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AthenaAccess"
},
{
"Action": [
"glue:GetDatabase*",
"glue:GetTable*",
"glue:GetPartition*",
"glue:GetUserDefinedFunction",
"glue:BatchGetPartition"
],
"Effect": "Allow",
"Resource": [
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/*",
"arn:aws:glue:*:*:table/*/*"
],
"Sid": "ReadAccessToAthenaCurDataViaGlue"
},
{
"Action": [
"pricing:ListPriceLists"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowPricingListPriceLists"
}
]
},
"PolicyName": {
"Fn::Sub": "Zesty-Policy_${AWS::AccountId}"
}
}
]
}