AWS Continuous Efficiency IAM Role and policies:
What is Continuous Efficiency?
CE provides insight and visibility into your cloud infrastructure costs. CE provides the following benefits:
- Cost Visibility: Insights into the costs of your Harness Applications and clusters. Provides granular cost details of your cluster namespaces, workloads, nodes, pods, and labels.
- Cost Optimization: Details of total cost vs. utilized, idle, and unallocated cost. Forecasts future spend based on historical data.
- Cost Governance: Enables you to set a budget and configure notifications based on thresholds.
CE on AWS:
Continuous Efficiency (CE) obtains cloud cost reports in AWS via the Cost and Usage Reports (CUR). Once you start a trial or paid version of CE, a CloudFormation stack is created and run in your AWS master account, which in turn creates an IAM role called harnessContinuousEfficiencyRole (by default). The same role is then extended to every account linked to that master account under an AWS Organization.
By default, the harnessContinuousEfficiencyRole has the following custom policies attached. Harness requires them to monitor cost utilization across your cloud resources, including Kubernetes clusters deployed on EKS or ECS. All of the monitoring permissions are read-only (Describe, List, Get); the only write permissions are the S3 PutObject actions scoped to the Harness billing-data bucket.
Associated IAM policies required by Harness:
- harnessCustomResourceMonitoring on master account
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cur:DescribeReportDefinitions",
        "eks:Describe*",
        "eks:List*",
        "organizations:Describe*",
        "organizations:List*",
        "ecs:ListClusters",
        "ecs:ListServices",
        "ec2:DescribeInstances",
        "cloudwatch:GetMetricData",
        "ecs:ListTasks",
        "ecs:ListContainerInstances",
        "ecs:DescribeTasks"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "HarnessResourceMonitoring20200505"
    }
  ]
}
- harnessCustomResourceMonitoring on linked accounts
On the linked AWS accounts (those in the same AWS Organization as the master account) the IAM policies do not require the CUR and Organizations permissions, and the harnessCustomS3Policy is not needed either. On these accounts the harnessCustomResourceMonitoring IAM policy therefore requires only the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "eks:Describe*",
        "eks:List*",
        "ecs:ListClusters",
        "ecs:ListServices",
        "ec2:DescribeInstances",
        "cloudwatch:GetMetricData",
        "ecs:ListTasks",
        "ecs:ListContainerInstances",
        "ecs:DescribeTasks"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "HarnessCustomResourceMonitoringSid"
    }
  ]
}
- harnessCustomS3Policy (only on the master account)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::harness-cs-root",
        "arn:aws:s3:::harness-cs-root/*"
      ],
      "Effect": "Allow",
      "Sid": "harnessCustomerS3Policyxxxxxxx"
    },
    {
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::ce-customer-billing-data-prod",
        "arn:aws:s3:::ce-customer-billing-data-prod/*"
      ],
      "Effect": "Allow",
      "Sid": "harnessS3Policyxxxxxxx"
    }
  ]
}
The combination of the role and the policies above gives Harness CE the permissions it needs to let customers keep track of their overall cloud infrastructure cost and deployed cluster costs.
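As an added example (not part of the Harness documentation or the CloudFormation stack), the following Python script audits a policy document against the action sets listed above: it flags any action outside the expected read-only set and any non-read action granted on Resource "*", which is how you would catch privilege creep on harnessContinuousEfficiencyRole during a periodic IAM review. The linked-account policy is embedded exactly as documented; the drifted copy is constructed here to show what a finding looks like.

```python
import fnmatch
import json

# Action patterns the page lists for harnessCustomResourceMonitoring on linked accounts.
LINKED_ALLOWED = {
    "eks:Describe*", "eks:List*", "ecs:ListClusters", "ecs:ListServices",
    "ec2:DescribeInstances", "cloudwatch:GetMetricData", "ecs:ListTasks",
    "ecs:ListContainerInstances", "ecs:DescribeTasks",
}
# The master-account policy additionally carries CUR and Organizations read access.
MASTER_ALLOWED = LINKED_ALLOWED | {
    "cur:DescribeReportDefinitions", "organizations:Describe*", "organizations:List*",
}
READ_ONLY_VERBS = ("Describe", "List", "Get")

def _as_list(value):
    # IAM accepts either a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def audit_policy(policy, allowed):
    """Return one finding string per drift; an empty list means the policy matches."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            # Check 1: every action must match one of the expected patterns.
            if not any(fnmatch.fnmatchcase(action, pat) for pat in allowed):
                findings.append(f"{sid}: unexpected action {action}")
            # Check 2: non-read actions (or a bare "*") must not be granted on Resource "*".
            verb = action.partition(":")[2]
            if not verb.startswith(READ_ONLY_VERBS) and "*" in resources:
                findings.append(f"{sid}: write action {action} on Resource *")
    return findings

# Linked-account policy exactly as documented above.
LINKED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Action": [
  "eks:Describe*", "eks:List*", "ecs:ListClusters", "ecs:ListServices",
  "ec2:DescribeInstances", "cloudwatch:GetMetricData", "ecs:ListTasks",
  "ecs:ListContainerInstances", "ecs:DescribeTasks"],
  "Resource": "*", "Effect": "Allow", "Sid": "HarnessCustomResourceMonitoringSid"}]}""")

# Constructed drifted copy: a write action was later appended to the same statement.
DRIFTED_POLICY = json.loads(json.dumps(LINKED_POLICY))
DRIFTED_POLICY["Statement"][0]["Action"].append("ec2:TerminateInstances")
```

Run the same check against the master-account policy with MASTER_ALLOWED; the harnessCustomS3Policy passes check 2 because its PutObject actions are scoped to named bucket ARNs rather than "*".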