Prerequisites

Table 1-1 Permissions to View Metrics, Events and Billing

Task Cloud Persona Permissions
  • View Metrics
AWS CloudOps
{
    "Version": "2012-10-17",
    "Statement": [
        {

            "Sid": "CloudWatchOperations",
            "Action": [
                "cloudwatch:GetMetricData",
                "cloudwatch:ListMetrics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

For the managed policy granting full access to CloudWatch, see CloudWatchFullAccess.

  • View Billing
AWS FinOps Administrator
For billing and invoices (note that this statement also includes `ce:UpdateCostAllocationTagsStatus`, which is a write action; omit it if the persona is meant to be view-only):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BillingAndInvoices",
            "Action": [
                "ce:GetCostAndUsage",
                "ce:GetCostForecast",
                "billing:GetBillingData",
                "billing:GetBillingDetails",
                "billing:GetBillingNotifications",
                "account:GetAccountInformation",
                "ce:DescribeReport",
                "ce:GetDimensionValues",
                "ce:GetTags",
                "ce:ListCostAllocationTags",
                "ce:UpdateCostAllocationTagsStatus"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

For a read-only billing policy that also covers payments and invoices, see AWSBillingReadOnlyAccess.

  • Events Exporter
AWS

CloudOps

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EventBridgePermissions",
            "Effect": "Allow",
            "Action": [
                "events:ListPartnerEventSources",
                "events:ListEventSources",
                "events:DescribeEventSource",
                "events:CreateEventBus",
                "events:DescribeEventBus",
                "events:ListEventBuses",
                "events:AssociateWithPartnerEventSource",
                "events:ListRules",
                "events:PutRule",
                "events:DeleteRule",
                "events:DescribeRule",
                "events:EnableRule",
                "events:DisableRule",
                "events:ListTargetsByRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "events:TestEventPattern",
                "events:PutPermission",
                "events:TagResource",
                "events:UntagResource",
                "events:ListTagsForResource",
                "events:CreateArchive",
                "events:DescribeArchive",
                "events:ListArchives",
                "events:DeleteArchive",
                "events:StartReplay",
                "events:StopReplay",
                "events:DescribeReplay",
                "events:ListReplays"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LogsPermissions",
            "Effect": "Allow",
            "Action": "logs:*",
            "Resource": "*"
        }
    ]
}
  • For these permissions, AWS CloudWatch is used as the target service in the event bus configuration. Note that the LogsPermissions statement grants every CloudWatch Logs action on all resources (`"logs:*"` with `"Resource": "*"`); scope it down to the log groups the exporter actually needs if least privilege is required.
  • To learn about the managed policy granting full access to Amazon EventBridge, see AmazonEventBridgeFullAccess.
For more information on how to grant the required permissions, see the following: