AWSTemplateFormatVersion: '2010-09-09' Description: Kubecost Management Account Template Parameters: S3CURBucket: Description: The bucket created to receive CUR data upon CUR creation. Type: String SpotDataFeedBucketName: Description: Optional. The bucket created to receive spot data feed. Type: String Conditions: HasSpotFeedBucketName: !Not [ !Equals [ !Ref SpotDataFeedBucketName, "" ] ] Resources: KubecostUser: Type: 'AWS::IAM::User' Properties: UserName: 'KubecostUser' KubecostRole: Type: 'AWS::IAM::Role' Properties: RoleName: 'KubecostRole' AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - 'ec2.amazonaws.com' Action: - 'sts:AssumeRole' SpotFeedPolicy: Type: 'AWS::IAM::Policy' Condition: HasSpotFeedBucketName Properties: Users: - !Ref KubecostUser Roles: - !Ref KubecostRole PolicyName: 'kubecost-spot-data-feed-access' PolicyDocument: Version: '2012-10-17' Statement: - Sid: SpotDataAccess Effect: Allow Action: - s3:ListAllMyBuckets - s3:ListBucket - s3:HeadBucket - s3:HeadObject - s3:List* - s3:Get* Resource: "*" AthenaPolicy: Type: 'AWS::IAM::Policy' Properties: Users: - !Ref KubecostUser Roles: - !Ref KubecostRole PolicyName: 'kubecost-athena-access' PolicyDocument: Version: '2012-10-17' Statement: - Sid: AthenaAccess Effect: Allow Action: - athena:* Resource: - "*" - Sid: ReadAccessToAthenaCurDataViaGlue Effect: Allow Action: - glue:GetDatabase* - glue:GetTable* - glue:GetPartition* - glue:GetUserDefinedFunction - glue:BatchGetPartition Resource: - arn:aws:glue:*:*:catalog - arn:aws:glue:*:*:database/athenacurcfn* - arn:aws:glue:*:*:table/athenacurcfn*/* - Sid: AthenaQueryResultsOutput Effect: Allow Action: - s3:GetBucketLocation - s3:GetObject - s3:ListBucket - s3:ListBucketMultipartUploads - s3:ListMultipartUploadParts - s3:AbortMultipartUpload - s3:CreateBucket - s3:PutObject Resource: - arn:aws:s3:::aws-athena-query-results-* - Sid: S3ReadAccessToAwsBillingData Effect: Allow Action: - s3:Get* - s3:List* Resource: - !Sub 'arn:aws:s3:::${S3CURBucket}*' - Sid: ReadAccessToAccountTags Effect: Allow Action: - organizations:ListAccounts - organizations:ListTagsForResource Resource: - "*"