Reviewing your AWS service control policies
Before connecting Turbonomic to your AWS environment, verify that there are no service control policies that block access to the AWS services and endpoints listed in this topic.
AWS Organization service
Turbonomic connects to the AWS Organization service in the following regions:
- us-east-1 for standard AWS
- us-gov-west-1 for AWS GovCloud
Once a connection is established, Turbonomic makes the necessary API calls to the endpoints for the AWS Organization service to discover your AWS accounts. If access to the AWS Organization service in these regions is blocked, Turbonomic fails to discover your accounts and the workloads in these accounts.
To verify access to the AWS Organization service in the required regions, open the AWS CLI and run the following command:
aws organizations list-accounts
The result should include all AWS accounts in your organization, as shown in the following example.
"Accounts": [
    {
        "Id": "xxx",
        "Arn": "xxx",
        "Email": "xxx@xxx.com",
        "Name": "xxx",
        "Status": "ACTIVE",
        "JoinedMethod": "CREATED",
        "JoinedTimestamp": "2018-05-23T09:41:43.942000-04:00"
    }
]
If access is blocked, you may see the following errors:
Could not connect to the endpoint URL: "https://organizations.us-east-1.amazonaws.com/"
Could not connect to the endpoint URL: "https://organizations.us-gov-west-1.amazonaws.com/"
To resolve the errors:
- Update any service control policy that is blocking access to the AWS Organization service in these regions. The following example shows a service control policy that unblocks access.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOrganizationReadOperations",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "organizations:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
- Run the following command to verify that access is now unblocked.
aws organizations list-accounts
AWS Billing and Cost Management service endpoints
Turbonomic connects to the AWS Billing and Cost Management service endpoints in the following regions to discover pricing data:
- us-east-1
- ap-south-1
- eu-central-1
Be sure to set up access to the service endpoints in the us-east-1, ap-south-1, or eu-central-1 regions. The following example sets up access in us-east-1.
aws configure
AWS Access Key ID [****************S7MP]:
AWS Secret Access Key [****************zGSO]:
Default region name [ca-central-1]: us-east-1
Default output format [json]:
To verify access to the service endpoints in the required regions, open the AWS CLI and run the following command:
aws pricing describe-services
The result should be similar to the following example.
"Services": [
    {
        "ServiceCode": "A4B",
        "AttributeNames": [
            "termType",
            "productFamily",
            "servicecode",
            "location",
            "locationType",
            "usagetype",
            "deploymentModel",
            "deploymentModelDescription",
            "regionCode",
            "servicename"
        ]
    }
]
If access is blocked, you may see an error similar to the following example:
Could not connect to the endpoint URL: "https://api.pricing.us-east-1.amazonaws.com"
To resolve the error:
- Update any service control policy that is blocking access to the service endpoints in these regions. The following example shows a service control policy statement that unblocks access to the service endpoints in us-east-1.
{
    "Effect": "Allow",
    "Action": [
        "pricing:DescribeServices",
        "pricing:GetAttributeValues"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:RequestedRegion": "us-east-1"
        }
    }
}
- Run the following command to verify that access is now unblocked.
aws pricing describe-services
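The checks above need live AWS credentials. As an added, offline complement that is not part of the Turbonomic documentation, the following script models how service control policies are evaluated and reports which of the Organizations and Pricing calls listed in this topic a given set of SCPs would block. The evaluator and the sample policies are constructed assumptions; it understands Allow/Deny, Action/NotAction wildcards and the aws:RequestedRegion condition key only.

```python
import fnmatch

# Actions and regions named in this topic. Constructed, simplified evaluator: only the
# aws:RequestedRegion condition key is modelled; other condition keys are assumed to match.
REQUIRED = {"organizations:ListAccounts": ["us-east-1"],
            "pricing:DescribeServices": ["us-east-1", "ap-south-1", "eu-central-1"]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(st, action):
    # IAM action names are case-insensitive and may contain '*' wildcards.
    match = lambda p: fnmatch.fnmatchcase(action.lower(), p.lower())
    if "Action" in st:
        return any(match(p) for p in _as_list(st["Action"]))
    return not any(match(p) for p in _as_list(st.get("NotAction", [])))

def _condition_matches(cond, region):
    for op, kv in cond.items():
        if op in ("StringEquals", "StringNotEquals") and "aws:RequestedRegion" in kv:
            wanted = _as_list(kv["aws:RequestedRegion"])
            if (op == "StringEquals") != (region in wanted):
                return False
    return True

def allowed_at_level(scps, action, region):
    # SCPs attached at one OU or account level are evaluated together: any matching
    # Deny wins, otherwise some Allow must match. Each level from root to account must pass.
    allowed = False
    for st in (s for scp in scps for s in _as_list(scp["Statement"])):
        if _action_matches(st, action) and _condition_matches(st.get("Condition", {}), region):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def blocked(scps):
    """Return the (action, region) pairs from REQUIRED that this set of SCPs blocks."""
    return [(a, r) for a, regions in REQUIRED.items() for r in regions
            if not allowed_at_level(scps, a, r)]

# Constructed policies: AWS's default FullAWSAccess plus a home-region lock whose
# NotAction exemption list omits the Organizations and Pricing APIs, then the corrected lock.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
REGION_LOCK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "NotAction": ["iam:*", "sts:*", "support:*"], "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ca-central-1"]}}}]}
FIXED_LOCK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "sts:*", "support:*", "organizations:*", "pricing:*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ca-central-1"]}}}]}
```

Because an explicit Deny always wins, attaching an Allow policy like the examples above does not lift a region-restriction Deny; the Deny statement's NotAction list or condition has to exempt the Organizations and Pricing APIs, which is what FIXED_LOCK shows.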
AWS S3 bucket for your data export
The AWS Billing target grants Turbonomic access to billing data from a data export stored in an S3 bucket. Turbonomic uses this data to optimize workloads with full cost awareness, discover discounts and billing family relationships, and visualize historical cloud expenses.
Verify that no service control policy blocks access to the S3 bucket when you set up the data export. For more information, see Setting up an AWS data export.