Parameters: VegaExternalIdParameter: Type: String Description: Vega Cloud's ExternalId for your environments (helps to authenticate role assumption). Get this from your Vega Representative. Default: "vega:" Resources: VegaDiscoveryReader: Properties: RoleName: VegaDiscoveryReader AssumeRolePolicyDocument: Statement: - Action: "sts:AssumeRole" Condition: StringEquals: "sts:ExternalId": !Ref VegaExternalIdParameter Effect: Allow Principal: # 955075715928 This one of the Vega Data Collection Accounts # 549829454055 This one of the Vega Data Collection Accounts # 933023916684 This is the Vega Saas Platform Account AWS: ["arn:aws:iam::955075715928:root", "arn:aws:iam::549829454055:root", "arn:aws:iam::933023916684:root"] - Action: "sts:AssumeRole" Effect: Allow Principal: Service: ["cloudformation.amazonaws.com"] Version: 2012-10-17 Type: "AWS::IAM::Role" DiscoveryPolicy: DependsOn: VegaDiscoveryReader Type: "AWS::IAM::Policy" Properties: PolicyName: VegaDiscoveryReaderPolicy Roles: - VegaDiscoveryReader PolicyDocument: Statement: # AWS Batch Discovery - Sid: VegDiscoveryReaderBatchDiscovery Effect: Allow Resource: "*" Action: - "batch:Describe*" - "batch:List*" # CloudWatch Metrics Discovery - Sid: VegDiscoveryReaderCloudWatchDiscovery Effect: Allow Resource: "*" Action: - "cloudwatch:GetMetricData" - "cloudwatch:GetMetricStatistics" - "cloudwatch:ListMetrics" - "cloudwatch:ListTagsForResource" # EC2 Resource Discovery - Sid: VegDiscoveryReaderEC2Discovery Effect: Allow Resource: "*" Action: - "ec2:Describe*" - "ec2:GetCapacityReservationUsage" - "ec2:GetGroupsForCapacityReservation" - "ec2:GetHostReservationPurchasePreview" # RDS Resource Discovery - Sid: VegDiscoveryReaderRDSDiscovery Effect: Allow Resource: "*" Action: - "rds:DescribeDBClusterSnapshots" - "rds:DescribeDBClusters" - "rds:DescribeRecommendationGroups" - "rds:DescribeRecommendations" - "rds:DescribeReservedDBInstances" - "rds:DescribeReservedDBInstancesOfferings" - "rds:DescribeDBInstances" - "rds:DescribeDBSnapshots" - "rds:ListTagsForResource" # Elastic Container Service (ECS) - Sid: VegDiscoveryReaderECSDiscovery Effect: Allow Resource: "*" Action: - "ecs:Describe*" - "ecs:List*" # Elastic Kubernetes Service (EKS) - Sid: VegDiscoveryReaderEKSDiscovery Effect: Allow Resource: "*" Action: - "eks:Describe*" - "eks:List*" # ElastiCache Resource Discovery - Sid: VegDiscoveryReaderElastiCacheDiscovery Effect: Allow Resource: "*" Action: - "elasticache:Describe*" - "elasticache:List*" # Redshift Resource Discovery - Sid: VegDiscoveryReaderRedshiftDiscovery Effect: Allow Resource: "*" Action: - "redshift:DescribeReservedNodes" - "redshift:DescribeReservedNodeExchangeStatus" - "redshift:DescribeReservedNodeOfferings" - "redshift:DescribeClusters" - "redshift:DescribeClusterSnapshots" - "redshift:DescribeStorage" - "redshift:DescribeTags" - "redshift:GetReservedNodeExchangeOfferings" - "redshift:GetReservedNodeExchangeConfigurationOptions" # DynamoDB Resource Discovery - Sid: VegDiscoveryReaderDynamoDBDiscovery Effect: Allow Resource: "*" Action: - "dynamodb:DescribeReservedCapacity" - "dynamodb:DescribeReservedCapacityOfferings" - "dynamodb:ListTagsOfResource" # Opensearch Resource Discovery - Sid: VegDiscoveryReaderOpensearchDiscovery Effect: Allow Resource: "*" Action: - "es:DescribeReservedElasticsearchInstances" - "es:DescribeReservedElasticsearchInstanceOfferings" - "es:DescribeReservedInstances" - "es:DescribeReservedInstanceOfferings" - "es:ListTags" # Medialive Resource Discovery - Sid: VegDiscoveryReaderMedialiveDiscovery Effect: Allow Resource: "*" Action: - "medialive:DescribeReservation" - "medialive:ListReservations" - "medialive:ListTagsForResource" # Trusted Advisor Resource Discovery - Sid: VegDiscoveryReaderTrustedAdvisorDiscovery Effect: Allow Resource: "*" Action: - "support:DescribeTrustedAdvisorCheckRefreshStatuses" - "support:DescribeTrustedAdvisorCheckResult" - "support:DescribeTrustedAdvisorChecks" - "support:DescribeTrustedAdvisorCheckSummaries" - "support:RefreshTrustedAdvisorCheck" - "trustedadvisor:Describe*" # Savings Plan Resource Discovery - Sid: VegDiscoveryReaderSavingsPlanDiscovery Effect: Allow Resource: "*" Action: - "savingsplans:*" # Compute Optimizer Resource Discovery - Sid: VegDiscoveryReaderComputeOptimizerDiscovery Effect: Allow Resource: "*" Action: - "compute-optimizer:GetAutoScalingGroupRecommendations" - "compute-optimizer:GetEBSVolumeRecommendations" - "compute-optimizer:GetEC2InstanceRecommendations" - "compute-optimizer:GetEC2RecommendationProjectedMetrics" - "compute-optimizer:GetEffectiveRecommendationPreferences" - "compute-optimizer:GetEnrollmentStatus" - "compute-optimizer:GetEnrollmentStatusesForOrganization" - "compute-optimizer:GetLambdaFunctionRecommendations" - "compute-optimizer:GetRecommendationPreferences" - "compute-optimizer:GetRecommendationSummaries" # S3 Resource Discovery - Sid: VegDiscoveryReaderS3Discovery Effect: Allow Resource: "*" Action: # Note: Get* is filtered with an explicit deny on GetObject below. - "s3:Get*" - "s3:List*" - Action: - "s3:GetObject" Effect: Deny Resource: "*" VegaOptimizer: # This role and policy are used by the Vega Platform discover, tag resources, and optimize yoour account(s) # Optimize includes actions such as starting/stopping instances, modifying instance types, deleting snapshots # and purchasing Reserved Instance offerings. Properties: RoleName: VegaOptimizer AssumeRolePolicyDocument: Statement: - Action: "sts:AssumeRole" Condition: StringEquals: "sts:ExternalId": !Ref VegaExternalIdParameter Effect: Allow Principal: # 955075715928 This one of the Vega Data Collection Accounts # 549829454055 This one of the Vega Data Collection Accounts # 933023916684 This is the Vega Saas Platform Account AWS: ["arn:aws:iam::955075715928:root", "arn:aws:iam::549829454055:root", "arn:aws:iam::933023916684:root"] - Action: "sts:AssumeRole" Effect: Allow Principal: Service: ["cloudformation.amazonaws.com"] Version: 2012-10-17 Type: "AWS::IAM::Role" OptimizerPolicy: DependsOn: VegaOptimizer Type: "AWS::IAM::Policy" Properties: PolicyDocument: Statement: # CloudWatch Metrics Discovery - Sid: VegaOptimizerCloudWatchDiscovery Effect: Allow Resource: "*" Action: - "cloudwatch:GetMetricData" - "cloudwatch:GetMetricStatistics" - "cloudwatch:ListMetrics" - "cloudwatch:ListTagsForResource" # EC2 Resource Discovery - Sid: VegaOptimizerEC2Discovery Effect: Allow Resource: "*" Action: - "ec2:Describe*" - "ec2:GetCapacityReservationUsage" - "ec2:GetGroupsForCapacityReservation" - "ec2:GetHostReservationPurchasePreview" - "ec2:List*" # EC2 Operate - Sid: VegaOptimizerEC2Optimize Effect: Allow Resource: "*" Action: - "ec2:ModifyInstanceAttribute" - "ec2:ModifyInstanceCreditSpecification" - "ec2:ModifyInstancePlacement" - "ec2:ModifyReservedInstances" - "ec2:ModifySnapshotAttribute" - "ec2:ModifyVolumeAttribute" - "ec2:PurchaseHostReservation" - "ec2:PurchaseReservedInstancesOffering" - "ec2:PurchaseScheduledInstances" - "ec2:RequestSpotInstances" - "ec2:RunInstances" - "ec2:StartInstances" - "ec2:StopInstances" - "kms:CreateGrant" - "ec2:DeregisterImage" - "ec2:ModifyImageAttribute" - "ec2:EnableImageDeprecation" - "ec2:DeleteSnapshot" # RDS Resource Discovery - Sid: VegaOptimizerRDSDiscovery Effect: Allow Resource: "*" Action: - "rds:DescribeDBClusterSnapshots" - "rds:DescribeDBClusters" - "rds:DescribeRecommendationGroups" - "rds:DescribeRecommendations" - "rds:DescribeReservedDBInstances" - "rds:DescribeReservedDBInstancesOfferings" - "rds:DescribeDBInstances" - "rds:DescribeDBSnapshots" - "rds:ListTagsForResource" - "rds:List*" # RDS FinOps Optimize - Sid: VegaOptimizerRDSOptimize Effect: Allow Resource: "*" Action: - "rds:DeleteDBClusterSnapshot" - "rds:DeleteDBSnapshot" - "rds:DeleteDBInstanceAutomatedBackup" - "rds:ModifyDBCluster" - "rds:ModifyDBClusterSnapshotAttribute" - "rds:ModifyDBClusterSnapshot" - "rds:ModifyDBInstance" - "rds:ModifyDBSnapshot" - "rds:ModifyDBSnapshotAttribute" - "rds:PurchaseReservedDBInstancesOffering" - "rds:RebootDBInstance" - "rds:StartDBCluster" - "rds:StartDBInstance" - "rds:StopDBCluster" - "rds:StopDBInstance" - "rds:upgradeDBInstance" - "rds:ModifyCurrentDBClusterCapacity" - "rds:DeleteBlueGreenDeployment" # Elastic Container Service (ECS) - Sid: VegaOptimizerECSDiscovery Effect: Allow Resource: "*" Action: - "ecs:Describe*" - "ecs:List*" # Elastic Container Service (ECS) Optimize - Sid: VegaOptimizerECSOptimize Effect: Allow Resource: "*" Action: - "ecs:UpdateService" - "ecs:RunTask" - "ecs:StartTask" - "ecs:StopTask" - "ecs:DeleteService" - "ecs:CreateService" - "ecs:DeleteCluster" - "ecs:DeleteTaskSet" - "ecs:UpdateTaskSet" - "ecs:UpdateClusterSettings" - "ecs:UpdateContainerAgent" - "ecs:UpdateContainerInstancesState" - "ecs:UpdateServicePrimaryTaskSet" # Elastic Kubernetes Service (EKS) - Sid: VegaOptimizerEKSDiscovery Effect: Allow Resource: "*" Action: - "eks:Describe*" - "eks:List*" # Elastic Kubernetes Service (EKS) Optimize - Sid: VegaOptimizerEKSOptimize Effect: Allow Resource: "*" Action: - "eks:CreateNodegroup" - "eks:DeleteNodegroup" - "eks:UpdateNodegroupConfig" - "eks:UpdateNodegroupVersion" - "eks:UpdateClusterConfig" - "eks:UpdateClusterVersion" - "eks:CreateFargateProfile" - "eks:DeleteFargateProfile" - "eks:UpdateFargateProfile" - "eks:CreateAddon" - "eks:DeleteAddon" - "eks:UpdateAddon" - "eks:CreateCluster" - "eks:DeleteCluster" - "eks:TagResource" - "eks:UntagResource" - "eks:AssociateEncryptionConfig" - "eks:DisassociateEncryptionConfig" - "eks:CreateClusterConfig" - "eks:DeleteClusterConfig" - "eks:CreateClusterVersion" - "eks:DeleteClusterVersion" - "eks:CreateNodegroupConfig" - "eks:DeleteNodegroupConfig" - "eks:CreateNodegroupVersion" - "eks:DeleteNodegroupVersion" - "eks:CreateAddonConfig" - "eks:DeleteAddonConfig" - "eks:CreateAddonVersion" - "eks:DeleteAddonVersion" - "eks:CreateFargateProfileConfig" - "eks:DeleteFargateProfileConfig" - "eks:CreateFargateProfileVersion" - "eks:DeleteFargateProfileVersion" # ElastiCache Resource Discovery - Sid: VegaOptimizerElastiCacheDiscovery Effect: Allow Resource: "*" Action: - "elasticache:Describe*" - "elasticache:List*" # ElastiCache Operate - Sid: VegaOptimizerElastiCacheOptimize Effect: Allow Resource: "*" Action: - "elasticache:DecreaseReplicaCount" - "elasticache:DeleteCacheCluster" - "elasticache:DeleteSnapshot" - "elasticache:ModifyCacheCluster" - "elasticache:ModifyCacheParameterGroup" - "elasticache:ModifyCacheSubnetGroup" - "elasticache:ModifyReplicationGroup" - "elasticache:PurchaseReservedCacheNodesOffering" - "elasticache:RebootCacheCluster" - "elasticache:RebalanceSlotsInGlobalReplicationGroup" - "elasticache:StartMigration" # Redshift Resource Discovery - Sid: VegaOptimizerRedshiftDiscovery Effect: Allow Resource: "*" Action: - "redshift:DescribeReservedNodes" - "redshift:DescribeReservedNodeExchangeStatus" - "redshift:DescribeReservedNodeOfferings" - "redshift:DescribeClusters" - "redshift:DescribeClusterSnapshots" - "redshift:DescribeStorage" - "redshift:DescribeTags" - "redshift:GetReservedNodeExchangeOfferings" - "redshift:GetReservedNodeExchangeConfigurationOptions" - "redshift:List*" # Redshift Operate - Sid: VegaOptimizerRedshiftOptimize Effect: Allow Resource: "*" Action: - "redshift:PauseCluster" - "redshift:ResizeCluster" - "redshift:ResumeCluster" - "redshift:DeleteClusterSnapshot" - "redshift:DeleteSnapshotCopyGrant" - "redshift:DeleteSnapshotSchedule" - "redshift:DisableSnapshotCopy" - "redshift:ModifyClusterSnapshot" - "redshift:ModifyClusterSnapshotSchedule" - "redshift:ModifySnapshotCopyRetentionPeriod" - "redshift:ModifySnapshotSchedule" - "redshift:AcceptReservedNodeExchange" - "redshift:PurchaseReservedNodeOffering" # DynamoDB Resource Discovery - Sid: VegaOptimizerDynamoDBDiscovery Effect: Allow Resource: "*" Action: - "dynamodb:DescribeReservedCapacity" - "dynamodb:DescribeReservedCapacityOfferings" - "dynamodb:ListTagsOfResource" - "dynamodb:Describe*" - "dynamodb:List*" # DynamoDB Operate - Sid: VegaOptimizerDynamoDBOptimize Effect: Allow Resource: "*" Action: - "dynamodb:PurchaseReservedCapacityOfferings" - "dynamodb:DeleteBackup" - "dynamodb:UpdateContinuousBackups" # Opensearch Resource Discovery - Sid: VegaOptimizerOpensearchDiscovery Effect: Allow Resource: "*" Action: - "es:DescribeReservedElasticsearchInstances" - "es:DescribeReservedElasticsearchInstanceOfferings" - "es:DescribeReservedInstances" - "es:DescribeReservedInstanceOfferings" - "es:ListTags" # Opensearch Operate - Sid: VegaOptimizerOpensearchOptimize Effect: Allow Resource: "*" Action: - "es:PurchaseReservedElasticsearchInstanceOffering" - "es:PurchaseReservedInstanceOffering" # Medialive Resource Discovery - Sid: VegaOptimizerMedialiveDiscovery Effect: Allow Resource: "*" Action: - "medialive:DescribeReservation" - "medialive:ListReservations" - "medialive:ListTagsForResource" # Medialive Operate - Sid: VegaOptimizerMedialiveOptimize Effect: Allow Resource: "*" Action: - "medialive:PurchaseOffering" - "medialive:UpdateReservation" # Trusted Advisor Resource Discovery - Sid: VegaOptimizerTrustedAdvisorDiscovery Effect: Allow Resource: "*" Action: - "support:DescribeTrustedAdvisorCheckRefreshStatuses" - "support:DescribeTrustedAdvisorCheckResult" - "support:DescribeTrustedAdvisorChecks" - "support:DescribeTrustedAdvisorCheckSummaries" - "support:RefreshTrustedAdvisorCheck" - "trustedadvisor:Describe*" # Savings Plan Operate - Sid: VegaOptimizerSavingsPlanOptimize Effect: Allow Resource: "*" Action: - "savingsplans:*" # Compute Optimizer Resource Discovery - Sid: VegaOptimizerComputeOptimizerDiscovery Effect: Allow Resource: "*" Action: - "compute-optimizer:GetAutoScalingGroupRecommendations" - "compute-optimizer:GetEBSVolumeRecommendations" - "compute-optimizer:GetEC2InstanceRecommendations" - "compute-optimizer:GetEC2RecommendationProjectedMetrics" - "compute-optimizer:GetEffectiveRecommendationPreferences" - "compute-optimizer:GetEnrollmentStatus" - "compute-optimizer:GetEnrollmentStatusesForOrganization" - "compute-optimizer:GetLambdaFunctionRecommendations" - "compute-optimizer:GetRecommendationPreferences" - "compute-optimizer:GetRecommendationSummaries" # S3 Resource Discovery - Sid: VegaOptimizerS3Discovery Effect: Allow Resource: "*" Action: # Note: Get* is filtered with an explicit deny on GetObject below. - "s3:Get*" - "s3:List*" - Action: - "s3:GetObject" Effect: Deny Resource: "*" # s3 FinOps Operate - Sid: VegaOptimizerS3Optimize Effect: Allow Resource: "*" Action: - "s3:PutLifecycleConfiguration" - "s3:DeleteLifecycleConfiguration" - "s3:PutBucketVersioning" - "s3:PutBucketLifecycleConfiguration" - "s3:PutBucketReplication" - "s3:PutBucketLogging" - "s3:PutBucketRequestPayment" - "s3:PutBucketTagging" PolicyName: VegaOptimizerPolicy Roles: - VegaOptimizer