Prerequisites

Table 1-1 Permissions to view Metrics, Events and Billing

Task Cloud Persona Permissions
  • View Metrics, Events & Billing
AWS FinOps Administrator
For connectivity:
For observability:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateRoute",
            "Action": [
                "ec2:DescribeRouteTables",
                "ec2:CreateRoute",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
For billing and invoices:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BillingAndInvoices",
            "Action": [
                "ce:GetCostAndUsage",
                "ce:GetCostForecast",
                "billing:GetBillingData",
                "billing:GetBillingDetails",
                "billing:GetBillingNotifications",
                "account:GetAccountInformation",
                "ce:DescribeReport",
                "ce:GetDimensionValues",
                "ce:GetTags",
                "ce:ListCostAllocationTags",
                "ce:UpdateCostAllocationTagsStatus"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

For a read-only policy covering billing, including payments and invoices, see AWSBillingReadOnlyAccess.

  • Events Exporter
AWS

Infrastructure administrator or Database administrator

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EventBridgePermissions",
            "Effect": "Allow",
            "Action": [
                "events:ListPartnerEventSources",
                "events:ListEventSources",
                "events:DescribeEventSource",
                "events:CreateEventBus",
                "events:DescribeEventBus",
                "events:ListEventBuses",
                "events:AssociateWithPartnerEventSource",
                "events:ListRules",
                "events:PutRule",
                "events:DeleteRule",
                "events:DescribeRule",
                "events:EnableRule",
                "events:DisableRule",
                "events:ListTargetsByRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "events:TestEventPattern",
                "events:PutPermission",
                "events:TagResource",
                "events:UntagResource",
                "events:ListTagsForResource",
                "events:CreateArchive",
                "events:DescribeArchive",
                "events:ListArchives",
                "events:DeleteArchive",
                "events:StartReplay",
                "events:StopReplay",
                "events:DescribeReplay",
                "events:ListReplays"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LogsPermissions",
            "Effect": "Allow",
            "Action": "logs:*",
            "Resource": "*"
        }
    ]
}
  • For these permissions, AWS CloudWatch is used as the target service in the event bus configuration. Note that the `LogsPermissions` statement above grants every CloudWatch Logs action (`logs:*`) on all resources (`"Resource": "*"`); scope it down to the required actions and log groups if your environment requires least privilege.
  • To learn about the managed policy for full access to Amazon EventBridge, see AmazonEventBridgeFullAccess.
For more information on how to grant the required permissions, see the following: