Cloud Commitment Management AWS Policy
Deploy this read-only policy when evaluating Cloud Commitment Management (before signing a contract with Cloud Commitment Management). Use the Cloud Commitment Management template for new deployments. If you already deployed a Spot or Eco role (such as SpotByNetApp_Finops_ReadOnly), no change is needed.
After signing a contract, contact Support to get the full production policy.
What the policy does:
- Provides read-only access to Cost Explorer and Cost & Usage Reports (CUR) metadata. This is required for analysis purposes and cannot be removed.
- Reads your CUR from your S3 bucket and synchronizes data to Flexera's sc-customer-* S3 bucket. This is required for data analysis and processing, and cannot be removed.
- Reads inventory and reservation details for EC2, RDS, Redshift, DynamoDB and ElastiCache. These statements can optionally be removed, depending on which services are in scope for commitment management.
- Accesses the AWS Organizations account structure and AWS Support/Trusted Advisor insights through AWS managed policies attached to the role. These are optional but useful for understanding the AWS account hierarchy.
- Accepts an External ID and, when one is supplied, adds an sts:ExternalId condition to the cross-account trust. The parameter is optional in the template, but the External ID is the control against the confused deputy problem (a third party who learns your role ARN cannot have Flexera's accounts assume it on their behalf without the ID). Obtain one from Flexera before deploying rather than skipping it.
You can create a policy with the template below, which has the following parameters, outputs and resources:
Parameters
- CostAndUsageBucket (string, required) is the name of the S3 bucket where your hourly CUR is delivered. See Connect your AWS account for where to find the bucket name.
- EcoExternalId (string, optional) is the value that the role's trust policy requires as sts:ExternalId when the parameter is set. This is a security best practice that prevents confused deputy issues. See Connect your AWS account for where to find your External ID. If you do not have an External ID from Flexera, contact Support to get one for your tenant or integration; if you leave this parameter blank, the trust policy is created without the sts:ExternalId condition.
Outputs
CCMFinOpsRoleArn is the ARN of the IAM role to be used by Flexera CCM. This Amazon resource name is used in the onboarding flow.
IAM role
- Trust: allows the CCM AWS accounts arn:aws:iam::884866656237:root and arn:aws:iam::627743545735:root to assume the role. If EcoExternalId is provided, the trust policy requires sts:ExternalId = <value>.
- Attached AWS managed policies:
- arn:aws:iam::aws:policy/job-function/Billing for cost and usage analysis.
- arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess for troubleshooting any access issues Cloud Commitment Management may have; allows inspection of the permissions given to the deployed role for Cloud Commitment Management's use.
- arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess for cost and usage analysis.
- arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess for understanding quotas such as regional Reserved Instance limits and Reserved Instance Marketplace limits.
- arn:aws:iam::aws:policy/AWSSavingsPlansReadOnlyAccess for cost and usage analysis.
- arn:aws:iam::aws:policy/AWSSupportAccess to access Trusted Advisor cost optimization checks, which include recommendations for commitment purchases.
- arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess to better understand the AWS account hierarchy.
- Custom managed policy: CCMFinOpsManagedPolicy is scoped least-privilege. Its statements are listed below.
Cost Explorer permissions
Used to analyze spend, utilization, coverage, and recommendations.
ce:GetCostAndUsage
ce:GetDimensionValues
ce:GetReservationCoverage
ce:GetReservationPurchaseRecommendation
ce:GetReservationUtilization
ce:GetRightsizingRecommendation
ce:GetSavingsPlansCoverage
ce:GetSavingsPlansPurchaseRecommendation
ce:GetSavingsPlansUtilization
ce:GetSavingsPlansUtilizationDetails
Cost & Usage Reports (CUR) permissions
Reads CUR definitions so Cloud Commitment Management can locate and interpret your report.
cur:DescribeReportDefinitions
S3 permissions
Flexera sync bucket arn:aws:s3:::sc-customer-* allows read/write necessary to synchronize Cloud Commitment Management data (get/put object, multipart, and minimal bucket listing).
Your CUR bucket CostAndUsageBucket has read-only access to list the bucket, get bucket location, and read objects (including object ACLs when needed).
S3 (Flexera sync bucket)
Synchronizes report data to Flexera’s controlled and encrypted bucket.
Resource: arn:aws:s3:::sc-customer-*
Actions: s3:AbortMultipartUpload, s3:GetBucketLocation, s3:GetObject,
s3:ListBucket, s3:ListBucketMultipartUploads,
s3:ListMultipartUploadParts, s3:PutObject, s3:PutObjectAcl
S3 (your CUR bucket)
Reads your CUR objects and bucket metadata.
Resource: arn:aws:s3:::<CostAndUsageBucket> and arn:aws:s3:::<CostAndUsageBucket>/*
Actions: s3:GetBucketLocation, s3:GetObject, s3:GetObjectAcl, s3:ListBucket
EC2 reservation and instance permissions
Gathers instance and reservation inventory and pricing/exchange options. Note that ec2:AcceptReservedInstancesExchangeQuote is not a read action: it executes the Convertible Reserved Instance exchange described by a quote from ec2:GetReservedInstancesExchangeQuote. Remove it from the ReadOnlyPolicy statement if the evaluation role must be strictly read-only. The same statement also grants trustedadvisor:DescribeAccount and trustedadvisor:ListRoots.
ec2:AcceptReservedInstancesExchangeQuote
ec2:GetReservedInstancesExchangeQuote
ec2:DescribeInstances
ec2:DescribeRegions
ec2:DescribeReservedInstances
ec2:DescribeReservedInstancesListings
ec2:DescribeReservedInstancesModifications
ec2:DescribeReservedInstancesOfferings
RDS, Redshift, DynamoDB, and ElastiCache permissions
Used to understand engine footprints and reservation opportunities. The policy grants no Elasticsearch or OpenSearch (es:*) actions.
RDS
rds:DescribeDBInstances
rds:DescribeReservedDBInstances
rds:DescribeReservedDBInstancesOfferings
Redshift
redshift:DescribeClusters
redshift:DescribeReservedNodes
redshift:DescribeReservedNodeOfferings
DynamoDB
dynamodb:ListTables
dynamodb:DescribeTable
dynamodb:DescribeReservedCapacity
dynamodb:DescribeReservedCapacityOfferings
ElastiCache
elasticache:DescribeCacheClusters
CloudFormation, savings plans, service quotas, support, organizations, billing permissions
These are granted using AWS managed policies attached to the role:
- CloudFormation read-only
- Savings Plans read-only
- Service Quotas read-only
- AWS Support (AWSSupportAccess grants support:*, which covers creating and updating support cases as well as the Trusted Advisor APIs; a Business or Enterprise support plan is required for the Trusted Advisor checks)
- AWS Organizations read-only
- Billing job-function (console billing visibility; this policy is broader than read-only and includes modify permissions on billing settings, budgets and purchase orders, so review its current statement if your evaluation requires a strictly read-only role)
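The two security-relevant properties of this template are the sts:ExternalId condition on the trust policy and the claim that the custom managed policy is read-only. The following Python script is an added example (not Flexera's code and not part of the original page) that checks both offline: it resolves the intrinsic functions the template uses (Ref, Fn::Equals, Fn::Not, Fn::If, Fn::Join, AWS::NoValue), renders the trust policy for a given EcoExternalId, models the STS AssumeRole decision for a Flexera caller with and without the External ID and for a third-party account, and lists the managed-policy actions that are not read-only. It embeds a constructed excerpt of the template (the trust policy verbatim plus three of the managed-policy statements); the bucket name, External ID and caller role names are made up.

```python
"""Offline audit of the CCM CloudFormation template on this page: resolves the
intrinsic functions it uses, renders the trust policy for a given EcoExternalId,
models the STS AssumeRole decision, and lists actions that are not read-only."""

# Constructed excerpt of the page's template: the trust policy verbatim plus
# three of the managed-policy statements (the others are Describe/Get/List only).
TEMPLATE = {
    "Conditions": {"HasEcoExternalId": {"Fn::Not": [{"Fn::Equals": ["", {"Ref": "EcoExternalId"}]}]}},
    "Resources": {
        "CCMFinOpsManagedPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Sid": "ReadOnlyPolicy", "Effect": "Allow", "Resource": ["*"],
                 "Action": ["ec2:AcceptReservedInstancesExchangeQuote", "ec2:DescribeInstances",
                            "ec2:DescribeReservedInstances", "ec2:GetReservedInstancesExchangeQuote"]},
                {"Sid": "S3SyncPermissions", "Effect": "Allow", "Resource": "arn:aws:s3:::sc-customer-*",
                 "Action": ["s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject",
                            "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"]},
                {"Sid": "S3BillingDBR", "Effect": "Allow",
                 "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket"],
                 "Resource": [{"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "CostAndUsageBucket"}, ""]]},
                              {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "CostAndUsageBucket"}, "/*"]]}]}]}}},
        "CCMFinOpsRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"AWS": ["arn:aws:iam::884866656237:root",
                                                 "arn:aws:iam::627743545735:root"]},
                           "Condition": {"Fn::If": ["HasEcoExternalId",
                                                    {"StringEquals": {"sts:ExternalId": {"Ref": "EcoExternalId"}}},
                                                    {"Ref": "AWS::NoValue"}]}}]}}}}}

NO_VALUE = object()  # stands in for {"Ref": "AWS::NoValue"}, which removes the enclosing key


def resolve(node, params, conds):
    """Evaluate CloudFormation intrinsics bottom-up; entries resolving to NO_VALUE are dropped."""
    if isinstance(node, list):
        items = [resolve(n, params, conds) for n in node]
        return [i for i in items if i is not NO_VALUE]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (key, arg), = node.items()
        if key == "Ref":
            return NO_VALUE if arg == "AWS::NoValue" else params[arg]
        if key == "Fn::Equals":
            left, right = resolve(arg, params, conds)
            return left == right
        if key == "Fn::Not":
            return not resolve(arg[0], params, conds)
        if key == "Fn::If":
            name, if_true, if_false = arg
            return resolve(if_true if conds[name] else if_false, params, conds)
        if key == "Fn::Join":
            delimiter, parts = arg
            return delimiter.join(resolve(parts, params, conds))
    resolved = {k: resolve(v, params, conds) for k, v in node.items()}
    return {k: v for k, v in resolved.items() if v is not NO_VALUE}


def render(template, params):
    """Return (trust_policy, policy_document) with parameters and conditions applied."""
    conds = {name: resolve(expr, params, {}) for name, expr in template["Conditions"].items()}
    trust = template["Resources"]["CCMFinOpsRole"]["Properties"]["AssumeRolePolicyDocument"]
    policy = template["Resources"]["CCMFinOpsManagedPolicy"]["Properties"]["PolicyDocument"]
    return resolve(trust, params, conds), resolve(policy, params, conds)


def assume_role_allowed(trust_policy, caller_arn, external_id=None):
    """Minimal model of the STS decision: a ':root' principal admits any IAM principal of
    that account (subject to the account's own policies); when the statement carries an
    sts:ExternalId condition the caller must pass exactly that value."""
    caller_account = caller_arn.split(":")[4]
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"]
        principals = principals if isinstance(principals, list) else [principals]
        if caller_account not in {p.split(":")[4] for p in principals}:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False


# Verb prefixes that mutate state; every other action in the template is Describe/Get/List.
WRITE_PREFIXES = ("Accept", "Abort", "Put", "Create", "Delete", "Modify", "Update", "Purchase")


def write_actions(policy_document):
    """Return (Sid, action) pairs that are not read-only, including service wildcards."""
    found = []
    for stmt in policy_document["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            verb = action.split(":", 1)[1]
            if verb.endswith("*") or verb.startswith(WRITE_PREFIXES):
                found.append((stmt.get("Sid"), action))
    return found


def cur_bucket_resources(policy_document):
    """The S3 ARNs the CUR-read statement is scoped to after Fn::Join resolution."""
    return next(s["Resource"] for s in policy_document["Statement"] if s.get("Sid") == "S3BillingDBR")


if __name__ == "__main__":
    params = {"CostAndUsageBucket": "example-cur-bucket", "EcoExternalId": "example-external-id"}
    trust, policy = render(TEMPLATE, params)
    flexera, other = "arn:aws:iam::884866656237:role/worker", "arn:aws:iam::111111111111:role/x"  # made up
    print("Flexera with ID:", assume_role_allowed(trust, flexera, "example-external-id"))
    print("Flexera without ID:", assume_role_allowed(trust, flexera), "| other account:", assume_role_allowed(trust, other, "example-external-id"))
    print("not read-only:", write_actions(policy), "| CUR scope:", cur_bucket_resources(policy))
```

Run against a blank EcoExternalId, render() drops the Condition key entirely (the AWS::NoValue branch), and assume_role_allowed() then admits any principal in either Flexera account with no ID at all; that is the posture you accept by leaving the parameter empty. write_actions() flags ec2:AcceptReservedInstancesExchangeQuote plus the three S3 write actions on the sc-customer-* sync bucket, which is the full list of non-read actions in the custom policy; the attached AWS managed policies are not covered by this check.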
Create policy as part of account onboarding
Use this policy if you are creating a Cloud Commitment Management policy as part of connecting your AWS account.
Read policy for analysis
{
"AWSTemplateFormatVersion": "2010-09-09",
"Outputs": {
"CCMFinOpsRoleArn": {
"Value": {
"Fn::GetAtt": [
"CCMFinOpsRole",
"Arn"
]
}
}
},
"Parameters": {
"CostAndUsageBucket": {
"Type": "String",
"Description": "The bucket name of where the *HOURLY* Cost and Usage Report is located. https://console.aws.amazon.com/billing/home?#/reports"
},
"EcoExternalId": {
"Type": "String",
"Description": "The External ID to be configured in the role's trust policy condition element",
"Default": ""
}
},
"Conditions": {
"HasEcoExternalId": {
"Fn::Not": [
{
"Fn::Equals": [
"",
{
"Ref": "EcoExternalId"
}
]
}
]
}
},
"Resources": {
"CCMFinOpsManagedPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "SC Account Policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CostExplorerAccess",
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetDimensionValues",
"ce:GetReservationCoverage",
"ce:GetReservationPurchaseRecommendation",
"ce:GetReservationUtilization",
"ce:GetRightsizingRecommendation",
"ce:GetSavingsPlansCoverage",
"ce:GetSavingsPlansPurchaseRecommendation",
"ce:GetSavingsPlansUtilization",
"ce:GetSavingsPlansUtilizationDetails"
],
"Resource": "*"
},
{
"Sid": "CURAccess",
"Effect": "Allow",
"Action": [
"cur:DescribeReportDefinitions"
],
"Resource": "*"
},
{
"Sid": "DynamoDBReservedCapacity",
"Effect": "Allow",
"Action": [
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeReservedCapacityOfferings"
],
"Resource": "*"
},
{
"Sid": "RDSReservedInstances",
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeReservedDBInstances",
"rds:DescribeReservedDBInstancesOfferings"
],
"Resource": "*"
},
{
"Sid": "RedshiftReservedNodes",
"Effect": "Allow",
"Action": [
"redshift:DescribeClusters",
"redshift:DescribeReservedNodes",
"redshift:DescribeReservedNodeOfferings"
],
"Resource": "*"
},
{
"Sid": "ElastiCacheReservedInstances",
"Effect": "Allow",
"Action": [
"elasticache:DescribeCacheClusters"
],
"Resource": "*"
},
{
"Sid": "ReadOnlyPolicy",
"Effect": "Allow",
"Action": [
"ec2:AcceptReservedInstancesExchangeQuote",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeReservedInstancesListings",
"ec2:DescribeReservedInstancesModifications",
"ec2:DescribeReservedInstancesOfferings",
"ec2:GetReservedInstancesExchangeQuote",
"trustedadvisor:DescribeAccount",
"trustedadvisor:ListRoots"
],
"Resource": [
"*"
]
},
{
"Sid": "S3SyncPermissions",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::sc-customer-*"
},
{
"Sid": "S3BillingDBR",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket"
],
"Resource": [
{ "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "CostAndUsageBucket" },""]]},
{ "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "CostAndUsageBucket" },"/*"]]}
]
}
]
}
}
},
"CCMFinOpsRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"Description" :"This role supports functionality of Flexera Cloud Commitment Management (CCM), formerly known as Spot Eco. If you have any questions, please contact us at: support@flexera.com.",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::884866656237:root",
"arn:aws:iam::627743545735:root"]
},
"Action": "sts:AssumeRole",
"Condition": {
"Fn::If": [
"HasEcoExternalId",
{
"StringEquals": {
"sts:ExternalId": {
"Ref": "EcoExternalId"
}
}
},
{
"Ref": "AWS::NoValue"
}
]
}
}
]
},
"ManagedPolicyArns": [
{
"Ref": "CCMFinOpsManagedPolicy"
},
"arn:aws:iam::aws:policy/job-function/Billing",
"arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess",
"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
"arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess",
"arn:aws:iam::aws:policy/AWSSavingsPlansReadOnlyAccess",
"arn:aws:iam::aws:policy/AWSSupportAccess",
"arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess"
]
}
}
}
}
Create policy using CloudFormation
Use this policy if you are creating a Cloud Commitment Management policy using CloudFormation.
CloudFormation read policy for analysis: the template is identical to the Read policy for analysis shown above. Deploy it as a CloudFormation stack, supplying the CostAndUsageBucket and EcoExternalId parameters, and use the CCMFinOpsRoleArn output in the onboarding flow.