Reserved Instance Only IAM Policy

Purchasing Reserved Instances within AWS is a great way to keep your usage costs low.  Hourly costs for Reserved Instances are substantially lower than their On-Demand counterparts.

However, managing your Reserved Instances within AWS can be a challenge.  It’s very difficult to verify that your Reserved Instance purchases are all aligned with running instances.  It’s equally difficult to know the exact criteria needed to purchase new Reserved Instances to align with your already-running On-Demand instances.

CloudCheckr covers both of these scenarios, and more, to ensure proper use of Reserved Instances within your AWS account. The IAM permissions needed to only perform Reserved Instance Management are below.

If you have any questions about this, or need assistance adding these permissions to AWS please contact support@cloudcheckr.com.

You can download the full Reserved Instance policy here, or copy below.

IMPORTANT: Please note that using this policy will limit many of the modules that CloudCheckr has to offer.

Updated on 2017-08-18

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReservedInstancePolicy",
            "Action": [
                "dynamodb:DescribeReservedCapacity",
                "dynamodb:DescribeReservedCapacityOfferings",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeHostReservationOfferings",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeHostReservations",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeRegions",
                "ec2:DescribeKeyPairs",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeAddresses",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeImages",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:DescribeTags",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeVolumeStatus",
                "elasticache:DescribeReservedCacheNodes",
                "elasticache:DescribeReservedCacheNodesOfferings",
                "iam:GetAccountAuthorizationDetails",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies",
                "redshift:DescribeReservedNodes",
                "redshift:DescribeReservedNodeOfferings",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings",
                "rds:DescribeDBInstances"]
            ,
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}