

# Getting started with AWS Compute Optimizer
<a name="getting-started"></a>

When you access the AWS Compute Optimizer console for the first time, you're asked to opt in using the account that you're signed in with. Before you can use the service, you must opt in. You can also opt in or opt out using the Compute Optimizer API, the AWS Command Line Interface (AWS CLI), or the SDKs.

By opting in, you're authorizing Compute Optimizer to analyze the specifications and utilization metrics of your AWS resources. Examples include EC2 instances and EC2 Auto Scaling groups.

**Note**  
To improve the recommendation quality of Compute Optimizer, Amazon Web Services might use your CloudWatch metrics and configuration data. This includes up to three months (93 days) of metrics analysis when you activate the enhanced infrastructure metrics feature. Contact [AWS Support](https://console.aws.amazon.com/support) to request that AWS stop using your CloudWatch metrics and configuration data to improve the recommendation quality of Compute Optimizer.

## Required permissions
<a name="required-permissions"></a>

You must have the appropriate permissions to opt in to Compute Optimizer, to view its recommendations, and to opt out. For more information, see [Identity and Access Management for AWS Compute Optimizer](security-iam.md).

When you opt in, Compute Optimizer automatically creates a Service-Linked Role in your account to access its data. For more information, see [Using service-linked roles for AWS Compute Optimizer](using-service-linked-roles.md).

## Accounts supported by Compute Optimizer
<a name="supported-accounts"></a>

The following AWS account types can opt in to Compute Optimizer:
+ **Standalone AWS account**

  A standalone AWS account that doesn't have AWS Organizations enabled. If you opt in to Compute Optimizer while signed in to a standalone account, Compute Optimizer analyzes the resources in the account and generates optimization recommendations for those resources.
+ **Member account of an organization**

  An AWS account that's a member of an organization. If you opt in to Compute Optimizer while signed in to a member account of an organization, Compute Optimizer only analyzes the resources in the member account and generates optimization recommendations for those resources.
+ **Management account of an organization**

  An AWS account that administers an organization. If you opt in to Compute Optimizer while signed in to a management account of an organization, Compute Optimizer gives you the option to opt in the management account only, or the management account and all member accounts of the organization.
**Important**  
To opt in all member accounts for an organization, make sure that the organization has all features enabled. For more information, see [Enabling All Features in Your Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html) in the *AWS Organizations User Guide*.  
When you opt in using your organization's management account and include all member accounts within the organization, trusted access for Compute Optimizer is enabled in your organization account. For more information, see [Trusted access for AWS Organizations](security-iam.md#trusted-service-access).

## Next steps
<a name="next-steps-getting-started"></a>

For instructions on how to opt in your account, or the accounts within your organization, to AWS Compute Optimizer, see [Opting in to AWS Compute Optimizer](account-opt-in.md).

## Additional resources
<a name="getting-started-resources"></a>
+ [Identity and Access Management for AWS Compute Optimizer](security-iam.md)
+ [AWS managed policies for AWS Compute Optimizer](managed-policies.md)
+ [Using service-linked roles for AWS Compute Optimizer](using-service-linked-roles.md)

# Opting in to AWS Compute Optimizer
<a name="account-opt-in"></a>

Use the following procedure to opt in your account, or the accounts within your organization, to AWS Compute Optimizer. You can opt in using the Compute Optimizer console or the AWS Command Line Interface (AWS CLI).

**Note**  
If your account is already opted in but you want to opt in again to re-enable trusted access for Compute Optimizer in your organization, you must do so using the AWS CLI. Run the `update-enrollment-status` command and specify the `--include-member-accounts` parameter. Alternatively, you can enable trusted access directly in the AWS Organizations console or by using the AWS CLI or API. For more information, see [Using AWS Organizations with other AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html) in the *AWS Organizations User Guide*.

## Prerequisites
<a name="opt-in-prerequisites"></a>

Make sure your IAM identity has appropriate permissions to opt in to AWS Compute Optimizer. The suggested policy that grants this permission is [Policy to opt in to Compute Optimizer](security-iam.md#opting-in-access).

## Procedure
<a name="opt-in-procedure"></a>

------
#### [ Console ]

**To opt in to Compute Optimizer**

1. Open the Compute Optimizer console at [https://console.aws.amazon.com/compute-optimizer/](https://console.aws.amazon.com/compute-optimizer/).

   If this is your first time using the Compute Optimizer console, the **Compute Optimizer landing page** is displayed.

1. Choose **Get started**.

1. On the **Account setup** page, review the **Getting started** and **Setting up your account** sections.

1. The following options are displayed if the account that you're signed in to is the management account of your organization. Choose one before continuing to the next step.
   + **Only this account** - Choose this option to opt in only the account that you’re currently signed in to. If you choose this option, Compute Optimizer analyzes resources that are in the individual account, and generates optimization recommendations for those resources.
   + **All accounts within this organization** - Choose this option to opt in the account you’re currently signed in to, and all of its member accounts. If you choose this option, Compute Optimizer analyzes resources that are in all accounts in the organization, and generates optimization recommendations for those resources.
**Note**  
If you add any new member accounts to your organization after you opt in, Compute Optimizer automatically opts in those accounts.

1. Choose **Opt in**. By opting in, you indicate that you agree to and understand the requirements to opt in to Compute Optimizer.

After you opt in, you're redirected to the dashboard in the Compute Optimizer console. At the same time, the service immediately starts analyzing the configuration and utilization metrics of your AWS resources. For more information, see [Metrics analyzed by AWS Compute Optimizer](metrics.md).

**Note**  
When you complete the opt-in process, it can take up to 24 hours for the opted-in accounts to appear in the Compute Optimizer console.

------
#### [ CLI ]

**To opt in to Compute Optimizer**

1. Open a terminal or command prompt window.

   If you haven't already installed the AWS CLI, install and configure it to work with Compute Optimizer. For more information, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) and [Quickly Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-quick-configuration) in the *AWS Command Line Interface User Guide*.

1. Enter one of the following commands, depending on whether you want to opt in your individual account or the management account of your organization together with all of its member accounts.
   + To opt in your individual account:

     ```
     aws compute-optimizer update-enrollment-status --status Active
     ```
   + To opt in the management account of an organization and include all member accounts within the organization:

     ```
     aws compute-optimizer update-enrollment-status --status Active --include-member-accounts
     ```

After you opt in to Compute Optimizer using the previous command, the service begins analyzing the configuration and utilization metrics of your AWS resources. For more information, see [Metrics analyzed by AWS Compute Optimizer](metrics.md).

------

## Next steps
<a name="next-steps-opt-in"></a>
+ Make sure that your AWS resources meet the necessary requirements for Compute Optimizer to generate your recommendations, and allow at least 24 hours for your optimization recommendations to be generated. For more information, see [Resource requirements](requirements.md).
+ View the findings and recommendations in the dashboard and recommendation pages of the Compute Optimizer console. For more information, see [Using the AWS Compute Optimizer dashboard](viewing-dashboard.md) and [Viewing resource recommendations](viewing-recommendations.md).
+ Consider extending the lookback period from the 14-day default period to 93 days by activating the enhanced infrastructure metrics feature. For more information, see [Enhanced infrastructure metrics](enhanced-infrastructure-metrics.md).
+ Using the management account of your organization, you can delegate a member account as an administrator for Compute Optimizer. For more information, see [Delegating an administrator account](delegate-administrator-account.md).

## Additional resources
<a name="opt-in-resources"></a>
+ [Identity and Access Management for AWS Compute Optimizer](security-iam.md)
+ [AWS managed policies for AWS Compute Optimizer](managed-policies.md)
+ [Using service-linked roles for AWS Compute Optimizer](using-service-linked-roles.md)
+ Troubleshooting — [Troubleshooting in Compute Optimizer](troubleshooting-account-opt-in.md)

# Opting out of Compute Optimizer
<a name="account-opt-out"></a>

Use the following procedure to opt your account out of Compute Optimizer using the AWS CLI. This procedure also deletes your account's recommendations and related metrics data from Compute Optimizer. For more information, see [update-enrollment-status](https://docs.aws.amazon.com/cli/latest/reference/compute-optimizer/update-enrollment-status.html) in the *AWS CLI Command Reference*. 

**Note**  
You can't opt out using the Compute Optimizer console.

## Procedure
<a name="opt-in-procedure"></a>

**To opt an account out of Compute Optimizer**

1. Open a terminal or command prompt window.

   If you haven't already, install the AWS CLI and configure it to work with Compute Optimizer. For more information, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) and [Quickly Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-quick-configuration) in the *AWS Command Line Interface User Guide*.

1. Enter the following command.

   ```
   aws compute-optimizer update-enrollment-status --status Inactive
   ```
**Note**  
You can't specify the `--include-member-accounts` parameter when opting out with the `update-enrollment-status` command. If you specify this parameter when opting out with this command, an error occurs.

Your account is opted out of Compute Optimizer after running the previous command. At the same time, your account's recommendations and related metrics data are deleted from Compute Optimizer. If you access the Compute Optimizer console, the option to opt in again should be displayed.

# Identity and Access Management for AWS Compute Optimizer
<a name="security-iam"></a>

You can use AWS Identity and Access Management (IAM) to create identities (users, groups, or roles), and give those identities permissions to access the AWS Compute Optimizer console and APIs.

By default, IAM users don't have access to the Compute Optimizer console and APIs. You give users access by attaching IAM policies to a single user, a group of users, or a role. For more information, see [Identities (Users, Groups, and Roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) and [Overview of IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/PoliciesOverview.html) in the *IAM User Guide*.

After you create IAM users, you can give those users individual passwords. Then, they can sign in to your account and view Compute Optimizer information by using an account-specific sign-in page. For more information, see [How Users Sign In to Your Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_how-users-sign-in.html).

**Important**  
To view recommendations for EC2 instances, an IAM user requires the `ec2:DescribeInstances` permission.
To view recommendations for EBS volumes, an IAM user requires the `ec2:DescribeVolumes` permission.
To view recommendations for EC2 Auto Scaling groups, an IAM user requires the `autoscaling:DescribeAutoScalingGroups` and `autoscaling:DescribeAutoScalingInstances` permissions.
To view recommendations for Lambda functions, an IAM user requires the `lambda:ListFunctions` and `lambda:ListProvisionedConcurrencyConfigs` permissions.
To view recommendations for Amazon ECS services on Fargate, an IAM user requires the `ecs:ListServices` and `ecs:ListClusters` permissions.
To view current CloudWatch metrics data in the Compute Optimizer console, an IAM user requires the `cloudwatch:GetMetricData` permission.
To view recommendations for commercial software licenses, certain Amazon EC2 instance roles and IAM user permissions are required. For more information, see [Policies to enable commercial software license recommendations](#license-access).
To view recommendations for Amazon RDS, an IAM user requires the `rds:DescribeDBInstances` and `rds:DescribeDBClusters` permissions.

If the user or group that you want to give permissions to already has a policy, you can add one of the Compute Optimizer-specific policy statements shown here to that policy.

**Topics**
+ [Trusted access for AWS Organizations](#trusted-service-access)
+ [Policy examples for Compute Optimizer](#CO-policy-examples)
+ [Policy examples for Automation](#COA-policy-example)
+ [Additional resources](#iam-resources)

## Trusted access for AWS Organizations
<a name="trusted-service-access"></a>

When you opt in using your organization's management account and include all member accounts within the organization, trusted access for Compute Optimizer is automatically enabled in your organization account. This allows Compute Optimizer to analyze compute resources in those member accounts, and generate recommendations for them.

Every time that you access recommendations for member accounts, Compute Optimizer verifies that trusted access is enabled in your organization account. If you disable Compute Optimizer trusted access after you opt in, Compute Optimizer denies access to recommendations for your organization's member accounts. Moreover, the member accounts within the organization aren't opted in to Compute Optimizer. To re-enable trusted access, opt in to Compute Optimizer again using your organization's management account and include all the member accounts within the organization. For more information, see [Opting in to AWS Compute Optimizer](account-opt-in.md). For more information about AWS Organizations trusted access, see [Using AWS Organizations with other AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html) in the *AWS Organizations User Guide*.

## Policy examples for Compute Optimizer
<a name="CO-policy-examples"></a>

**Topics**
+ [Policy to opt in to Compute Optimizer](#opting-in-access)
+ [Policies to grant access to Compute Optimizer for standalone AWS accounts](#standalone-account-access)
+ [Policies to grant access to Compute Optimizer for a management account of an organization](#organization-account-access)
+ [Policies to grant access to manage Compute Optimizer recommendation preferences](#enhanced-infrastructure-metrics-permissions)
+ [Policies to enable commercial software license recommendations](#license-access)
+ [Policy to deny access to Compute Optimizer](#deny-access)

### Policy to opt in to Compute Optimizer
<a name="opting-in-access"></a>

This policy statement grants the following:
+ Access to opt in to Compute Optimizer.
+ Access to create a service-linked role for Compute Optimizer. For more information, see [Using service-linked roles for AWS Compute Optimizer](using-service-linked-roles.md).
+ Access to update the enrollment status to the Compute Optimizer service.

**Important**  
This IAM role is required to opt in to AWS Compute Optimizer.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
            "Condition": {"StringLike": {"iam:AWSServiceName": "compute-optimizer.amazonaws.com"}}
        },
        {
            "Effect": "Allow",
            "Action": "iam:PutRolePolicy",
            "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
        },
        {
            "Effect": "Allow",
            "Action": "compute-optimizer:UpdateEnrollmentStatus",
            "Resource": "*"
        }
    ]
}
```

------

The following version of the same policy is for the China (`arn:aws-cn`) partition; it additionally allows `organizations:DescribeOrganization`.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
            "Condition": {"StringLike": {"iam:AWSServiceName": "compute-optimizer.amazonaws.com"}}
        },
        {
            "Effect": "Allow",
            "Action": "iam:PutRolePolicy",
            "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
        },
        {
            "Effect": "Allow",
            "Action": "compute-optimizer:UpdateEnrollmentStatus",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "organizations:DescribeOrganization",
            "Resource": "*"
        }
    ]
}
```

------

### Policies to grant access to Compute Optimizer for standalone AWS accounts
<a name="standalone-account-access"></a>

The following policy statement grants full access to Compute Optimizer for standalone AWS accounts. 

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:*",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ecs:ListServices",
                "ecs:ListClusters",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        }
    ]
}
```

------

The following policy statement grants read-only access to Compute Optimizer for standalone AWS accounts.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:GetEnrollmentStatus",
                "compute-optimizer:GetEffectiveRecommendationPreferences",
                "compute-optimizer:GetRecommendationPreferences",
                "compute-optimizer:GetRecommendationSummaries",
                "compute-optimizer:GetEC2InstanceRecommendations",
                "compute-optimizer:GetEC2RecommendationProjectedMetrics",
                "compute-optimizer:GetAutoScalingGroupRecommendations",
                "compute-optimizer:GetEBSVolumeRecommendations",
                "compute-optimizer:GetLambdaFunctionRecommendations",
                "compute-optimizer:DescribeRecommendationExportJobs",
                "compute-optimizer:GetECSServiceRecommendations",
                "compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
                "compute-optimizer:GetRDSDatabaseRecommendations",
                "compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics",
                "compute-optimizer:GetIdleRecommendations",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ecs:ListServices",
                "ecs:ListClusters",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "cloudwatch:GetMetricData",
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters"
            ],
            "Resource": "*"
        }
    ]
}
```

------
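As an added example that is not part of AWS's documentation or tooling, the following Python script applies the least-privilege properties implied by the opt-in and read-only policies above to a policy document: it checks that `iam:CreateServiceLinkedRole` is pinned to the Compute Optimizer service-linked role by resource ARN and by an `iam:AWSServiceName` condition, lists allowed actions that are not read-only (including `compute-optimizer:*`), and reports actions repeated within a statement. The embedded policies are this page's opt-in policy plus constructed variants and excerpts, so the script runs offline.

```python
"""Static least-privilege checks for Compute Optimizer IAM policy documents.
Added example, not AWS's own tooling; the sample policies at the bottom are
embedded (the first copies this page's opt-in policy) so it runs offline."""
import json

CO_SERVICE = "compute-optimizer.amazonaws.com"
SLR_ARN = "arn:aws:iam::*:role/aws-service-role/%s/AWSServiceRoleForComputeOptimizer" % CO_SERVICE
READ_PREFIXES = ("Get", "Describe", "List")


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Condition."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_slr_scoping(policy):
    """Report iam:CreateServiceLinkedRole grants not pinned to the Compute
    Optimizer SLR by resource ARN and by an iam:AWSServiceName condition;
    without both, the principal could create SLRs for any AWS service."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "iam:CreateServiceLinkedRole" not in _as_list(stmt.get("Action")):
            continue
        for res in _as_list(stmt.get("Resource")):
            if "/aws-service-role/%s/" % CO_SERVICE not in res:
                problems.append("statement %d: resource %r is not the Compute Optimizer SLR" % (i, res))
        cond = stmt.get("Condition", {})
        names = []
        for operator in ("StringEquals", "StringLike"):
            names += _as_list(cond.get(operator, {}).get("iam:AWSServiceName"))
        if names != [CO_SERVICE]:
            problems.append("statement %d: no iam:AWSServiceName condition for %s" % (i, CO_SERVICE))
    return problems


def mutating_actions(policy):
    """Allowed actions that are not read-only by AWS naming (Get*/Describe*/
    List*). Wildcards such as compute-optimizer:* are always reported because
    they also cover the Put/Update/Delete actions."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            name = action.split(":", 1)[-1]
            if "*" in name or not name.startswith(READ_PREFIXES):
                found.append(action)
    return found


def duplicate_actions(policy):
    """Actions listed twice in one statement: harmless to IAM, but a sign the
    action list was never reviewed."""
    dups = []
    for stmt in policy["Statement"]:
        seen = set()
        for action in _as_list(stmt.get("Action")):
            if action in seen and action not in dups:
                dups.append(action)
            seen.add(action)
    return dups


# The opt-in policy as shown on this page.
OPT_IN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": SLR_ARN + "*",
     "Condition": {"StringLike": {"iam:AWSServiceName": CO_SERVICE}}},
    {"Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": SLR_ARN},
    {"Effect": "Allow", "Action": "compute-optimizer:UpdateEnrollmentStatus", "Resource": "*"}]}

# Constructed loosened variant: the SLR grant is unscoped and unconditioned.
LOOSE_OPT_IN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "compute-optimizer:UpdateEnrollmentStatus", "Resource": "*"}]}

# Constructed excerpt modelled on the read-only policy, with one action
# deliberately repeated; and a constructed excerpt of the full-access policy.
READ_ONLY_EXCERPT = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
    "compute-optimizer:GetEnrollmentStatus", "compute-optimizer:GetEffectiveRecommendationPreferences",
    "compute-optimizer:DescribeRecommendationExportJobs", "ec2:DescribeInstances",
    "compute-optimizer:GetEffectiveRecommendationPreferences", "cloudwatch:GetMetricData"],
    "Resource": "*"}]}
FULL_ACCESS_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["compute-optimizer:*", "ec2:DescribeInstances"], "Resource": "*"}]}

if __name__ == "__main__":
    for label, pol in [("opt-in", OPT_IN_POLICY), ("loose opt-in", LOOSE_OPT_IN_POLICY),
                       ("read-only", READ_ONLY_EXCERPT), ("full access", FULL_ACCESS_EXCERPT)]:
        print(label, json.dumps({"slr": check_slr_scoping(pol), "mutating": mutating_actions(pol),
                                 "duplicates": duplicate_actions(pol)}))
```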

### Policies to grant access to Compute Optimizer for a management account of an organization
<a name="organization-account-access"></a>

The following policy statement grants full access to Compute Optimizer for a management account of your organization. 

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:*",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ecs:ListServices",
                "ecs:ListClusters",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "cloudwatch:GetMetricData",
                "organizations:ListAccounts",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "organizations:EnableAWSServiceAccess",
                "organizations:ListDelegatedAdministrators",
                "organizations:RegisterDelegatedAdministrator",
                "organizations:DeregisterDelegatedAdministrator"
            ],
            "Resource": "*"
        }
    ]
}
```

------

The following policy statement grants read-only access to Compute Optimizer for a management account of an organization.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:GetEnrollmentStatus",
                "compute-optimizer:GetEnrollmentStatusesForOrganization",
                "compute-optimizer:GetRecommendationSummaries",
                "compute-optimizer:GetEC2InstanceRecommendations",
                "compute-optimizer:GetEC2RecommendationProjectedMetrics",
                "compute-optimizer:GetAutoScalingGroupRecommendations",
                "compute-optimizer:GetEBSVolumeRecommendations",
                "compute-optimizer:GetLambdaFunctionRecommendations",
                "compute-optimizer:GetEffectiveRecommendationPreferences",
                "compute-optimizer:GetRecommendationPreferences",
                "compute-optimizer:GetECSServiceRecommendations",
                "compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
                "compute-optimizer:GetRDSDatabaseRecommendations",
                "compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics",
                "compute-optimizer:GetIdleRecommendations",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ecs:ListServices",
                "ecs:ListClusters",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "cloudwatch:GetMetricData",
                "organizations:ListAccounts",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "organizations:ListDelegatedAdministrators",
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Policies to grant access to manage Compute Optimizer recommendation preferences
<a name="enhanced-infrastructure-metrics-permissions"></a>

The following policy statements grant access to view and edit recommendation preferences. 

**Grant access to manage recommendation preferences for EC2 instances only**

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:DeleteRecommendationPreferences",
                "compute-optimizer:GetEffectiveRecommendationPreferences",
                "compute-optimizer:GetRecommendationPreferences",
                "compute-optimizer:PutRecommendationPreferences"
            ],
            "Resource": "*",
            "Condition" :  {
                "StringEquals" : {
                    "compute-optimizer:ResourceType" : "Ec2Instance"
                }
            }            
        }
    ]
}
```

------

**Grant access to manage recommendation preferences for EC2 Auto Scaling groups only**

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:DeleteRecommendationPreferences",
                "compute-optimizer:GetEffectiveRecommendationPreferences",
                "compute-optimizer:GetRecommendationPreferences",
                "compute-optimizer:PutRecommendationPreferences"
            ],
            "Resource": "*",
            "Condition" :  {
                "StringEquals" : {
                    "compute-optimizer:ResourceType" : "AutoScalingGroup"
                }
            }            
        }
    ]
}
```

------

**Grant access to manage recommendation preferences for RDS instances only**

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:DeleteRecommendationPreferences",
                "compute-optimizer:GetEffectiveRecommendationPreferences",
                "compute-optimizer:GetRecommendationPreferences",
                "compute-optimizer:PutRecommendationPreferences"
            ],
            "Resource": "*",
            "Condition" :  {
                "StringEquals" : {
                    "compute-optimizer:ResourceType" : "RdsDBInstance"
                }
            }            
        }
    ]
}
```

------

### Policies to enable commercial software license recommendations
<a name="license-access"></a>

For Compute Optimizer to generate license recommendations, attach the following Amazon EC2 instance roles and policies.
+ The `AmazonSSMManagedInstanceCore` role to enable Systems Manager. For more information, see [AWS Systems Manager identity-based policy examples](https://docs.aws.amazon.com//systems-manager/latest/userguide/security_iam_id-based-policy-examples) in the *AWS Systems Manager User Guide*.
+ The `CloudWatchAgentServerPolicy` policy to enable the release of instance metrics and logs to CloudWatch. For more information, see [Create IAM roles and users for use with the CloudWatch agent](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent) in the *Amazon CloudWatch User Guide*.
+ The following IAM inline policy statement to read the secret Microsoft SQL Server connection string stored in AWS Systems Manager. For more information about inline policies, see [Managed policies and inline policies](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_managed-vs-inline) in the *AWS Identity and Access Management User Guide*.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue*"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:ApplicationInsights-*"
        }
    ]
}
```

------

Additionally, to enable and receive license recommendations, attach the following IAM policy to your user, group, or role. For more information, see [IAM policy](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/appinsights-iam) in the *Amazon CloudWatch User Guide*.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "applicationinsights:*",
                "iam:CreateServiceLinkedRole",
                "iam:ListRoles",
                "resource-groups:ListGroups"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

### Policy to deny access to Compute Optimizer
<a name="deny-access"></a>

The following policy statement denies access to Compute Optimizer.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "compute-optimizer:*",
            "Resource": "*"
        }
    ]
}
```

------

## Policy examples for Automation
<a name="COA-policy-example"></a>

**Topics**
+ [Policy to enable Automation for your account](#policy-automation-enable)
+ [Policy to enable Automation across your organization](#automation-enable-org)
+ [Policy to grant full access to Compute Optimizer Automation for standalone AWS accounts](#automation-account-full)
+ [Policy to grant read-only access to Compute Optimizer Automation for standalone AWS accounts](#automation-account-read)
+ [Policy to grant full access to Compute Optimizer Automation for a management account of an organization](#automation-account-mgmt)
+ [Policy to grant read-only access to Compute Optimizer Automation for a management account of an organization](#automation-account-mgmt-readonly)

### Policy to enable Automation for your account
<a name="policy-automation-enable"></a>

The following policy statement enables Automation for your account.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation",
            "Condition": {"StringLike": {"iam:AWSServiceName": "aco-automation.amazonaws.com"}}
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PutRolePolicy", 
                "iam:AttachRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation"
        },
        {
            "Effect": "Allow",
            "Action": "aco-automation:UpdateEnrollmentConfiguration",
            "Resource": "*"
        }
    ]
}
```

### Policy to enable Automation across your organization
<a name="automation-enable-org"></a>

The following policy statement enables Automation across your organization.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation",
            "Condition": {"StringLike": {"iam:AWSServiceName": "aco-automation.amazonaws.com"}}
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PutRolePolicy", 
                "iam:AttachRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation"
        },
        {
            "Effect": "Allow",
            "Action": "aco-automation:UpdateEnrollmentConfiguration",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "aco-automation:AssociateAccounts",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "aco-automation:DisassociateAccounts",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "aco-automation:ListAccounts",
            "Resource": "*"
        }
    ]
}
```

### Policy to grant full access to Compute Optimizer Automation for standalone AWS accounts
<a name="automation-account-full"></a>

The following policy grants full access to Compute Optimizer Automation for standalone AWS accounts.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aco-automation:*",
                "ec2:DescribeVolumes"
            ],
            "Resource": "*"
        }
    ]
}
```

### Policy to grant read-only access to Compute Optimizer Automation for standalone AWS accounts
<a name="automation-account-read"></a>

The following policy grants read-only access to Compute Optimizer Automation for standalone AWS accounts.

```
{
    "Version": "2012-10-17",                   
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
               "aco-automation:GetEnrollmentConfiguration",
               "aco-automation:GetAutomationEvent",
               "aco-automation:GetAutomationRule",
               "aco-automation:ListAutomationEvents",
               "aco-automation:ListAutomationEventSteps",
               "aco-automation:ListAutomationEventSummaries",
               "aco-automation:ListAutomationRules",
               "aco-automation:ListAutomationRulePreview",
               "aco-automation:ListAutomationRulePreviewSummaries",
               "aco-automation:ListRecommendedActions",
               "aco-automation:ListRecommendedActionSummaries",
               "aco-automation:ListTagsForResource",
               "ec2:DescribeVolumes"
            ],
            "Resource": "*"
        }
    ]
}
```

### Policy to grant full access to Compute Optimizer Automation for a management account of an organization
<a name="automation-account-mgmt"></a>

The following policy grants full access to Compute Optimizer Automation for a management account of an organization.

```
{
    "Version": "2012-10-17",                   
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
               "aco-automation:*",
               "ec2:DescribeVolumes",
               "organizations:ListAccounts",
               "organizations:DescribeOrganization",
               "organizations:DescribeAccount",
               "organizations:EnableAWSServiceAccess",
               "organizations:ListDelegatedAdministrators",
               "organizations:RegisterDelegatedAdministrator",
               "organizations:DeregisterDelegatedAdministrator"
            ],
            "Resource": "*"
        }
    ]
}
```

### Policy to grant read-only access to Compute Optimizer Automation for a management account of an organization
<a name="automation-account-mgmt-readonly"></a>

The following policy grants read-only access to Compute Optimizer Automation for a management account of an organization.

```
{
    "Version": "2012-10-17",                   
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
               "aco-automation:GetEnrollmentConfiguration",
               "aco-automation:GetAutomationEvent",
               "aco-automation:GetAutomationRule",
               "aco-automation:ListAccounts",
               "aco-automation:ListAutomationEvents",
               "aco-automation:ListAutomationEventSteps",
               "aco-automation:ListAutomationEventSummaries",
               "aco-automation:ListAutomationRules",
               "aco-automation:ListAutomationRulePreview",
               "aco-automation:ListAutomationRulePreviewSummaries",
               "aco-automation:ListRecommendedActions",
               "aco-automation:ListRecommendedActionSummaries",
               "aco-automation:ListTagsForResource",
               "ec2:DescribeVolumes"
            ],
            "Resource": "*"
        }
    ]
}
```
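Before attaching one of the Automation policies above, it is worth confirming offline that the "read-only" variant really grants nothing but read operations and that the "full access" variant is the one carrying the `aco-automation:*` wildcard. The following script is an added example, not part of the AWS documentation: it embeds compacted copies of the two standalone-account policies from this page and classifies their actions by operation-name prefix. The Get/List/Describe prefix rule is a naming heuristic assumed here, not an IAM feature.

```python
"""Offline checks on the Compute Optimizer Automation policies on this page.

Added example, not part of the AWS documentation. Two of the page's policies
are embedded (compacted) so the checks run without AWS credentials.
"""

# Constructed copy of the page's read-only policy for standalone accounts.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "aco-automation:GetEnrollmentConfiguration",
            "aco-automation:GetAutomationEvent",
            "aco-automation:GetAutomationRule",
            "aco-automation:ListAutomationEvents",
            "aco-automation:ListAutomationEventSteps",
            "aco-automation:ListAutomationEventSummaries",
            "aco-automation:ListAutomationRules",
            "aco-automation:ListAutomationRulePreview",
            "aco-automation:ListAutomationRulePreviewSummaries",
            "aco-automation:ListRecommendedActions",
            "aco-automation:ListRecommendedActionSummaries",
            "aco-automation:ListTagsForResource",
            "ec2:DescribeVolumes",
        ],
        "Resource": "*",
    }],
}

# Constructed copy of the page's full-access policy for standalone accounts.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["aco-automation:*", "ec2:DescribeVolumes"],
        "Resource": "*",
    }],
}

# Naming heuristic only (an assumption of this example): IAM has no
# machine-readable "read-only" flag, so the operation-name prefix is the usual
# first-pass signal. Anything flagged still needs a human look.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Every action granted by an Allow statement, in document order."""
    actions = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions.extend(_as_list(stmt.get("Action", [])))
    return actions


def wildcard_actions(policy):
    """Grants such as 'aco-automation:*' or '*' that expand to every operation."""
    return [a for a in allowed_actions(policy) if a == "*" or a.endswith(":*")]


def non_read_only_actions(policy):
    """Actions whose operation name is not Get*/List*/Describe*; wildcards count."""
    flagged = []
    for action in allowed_actions(policy):
        _service, _, operation = action.partition(":")
        if operation == "*" or not operation.startswith(READ_ONLY_PREFIXES):
            flagged.append(action)
    return flagged


def is_read_only(policy):
    """True when no Allow statement grants a mutating or wildcard action."""
    return not non_read_only_actions(policy)


if __name__ == "__main__":
    for name, policy in (("read-only", READ_ONLY_POLICY), ("full-access", FULL_ACCESS_POLICY)):
        print(f"{name}: read-only={is_read_only(policy)} wildcards={wildcard_actions(policy)}")
```

Run it as a script to see both verdicts, or point `is_read_only` at the JSON returned by `aws iam get-policy-version` for a customer managed policy you are reviewing. Only `Allow` statements are inspected, so a `Deny` on `iam:*` does not count against a policy.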

## Additional resources
<a name="iam-resources"></a>
+ Troubleshooting — [Troubleshooting in Compute Optimizer](troubleshooting-account-opt-in.md)
+ [Opting in to AWS Compute Optimizer](account-opt-in.md)
+ [AWS managed policies for AWS Compute Optimizer](managed-policies.md)
+ [Using service-linked roles for AWS Compute Optimizer](using-service-linked-roles.md)
+ [Using service-linked roles for Automation](using-service-linked-roles-automation.md)

# AWS managed policies for AWS Compute Optimizer
<a name="managed-policies"></a>

To add permissions to users, groups, and roles, consider using AWS managed policies rather than writing your own policies. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services don't remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon Web Services supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

**Topics**
+ [AWS managed policy: ComputeOptimizerServiceRolePolicy](#security-iam-awsmanpol-ComputeOptimizerServiceRolePolicy)
+ [AWS managed policy: ComputeOptimizerReadOnlyAccess](#security-iam-awsmanpol-ComputeOptimizerReadOnlyAccess)
+ [AWS managed policy: ComputeOptimizerAutomationServiceRolePolicy](#security-iam-awsmanpol-ComputeOptimizerAutomationServiceRolePolicy)
+ [Compute Optimizer updates to AWS managed policies](#security-iam-awsmanpol-updates)

## AWS managed policy: ComputeOptimizerServiceRolePolicy
<a name="security-iam-awsmanpol-ComputeOptimizerServiceRolePolicy"></a>

The `ComputeOptimizerServiceRolePolicy` managed policy is attached to a service-linked role that allows Compute Optimizer to perform actions on your behalf. For more information, see [Using service-linked roles for AWS Compute Optimizer](using-service-linked-roles.md).

**Note**  
You can't attach `ComputeOptimizerServiceRolePolicy` to your IAM entities.

**Permissions details**

This policy includes the following permissions.
+ `compute-optimizer` – Grants full administrative permissions to all resources in Compute Optimizer.
+ `organizations` – Allows the management account of an AWS organization to opt in member accounts of the organization to Compute Optimizer.
+ `cloudwatch` – Grants access to CloudWatch resource metrics for the purpose of analyzing them and generating Compute Optimizer resource recommendations.
+ `autoscaling` – Grants access to EC2 Auto Scaling groups and the instances in EC2 Auto Scaling groups for validation purposes.
+ `ec2` – Grants read-only access to Amazon EC2 instances and Amazon EBS volumes.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ComputeOptimizerFullAccess",
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AwsOrgsAccess",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListDelegatedAdministrators"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "CloudWatchAccess",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "cloudwatch:DescribeAlarms"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AutoScalingAccess",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribePolicies",
                "autoscaling:DescribeScheduledActions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Ec2Access",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes"
            ],
            "Resource": "*"
        }
    ]
}
```

------

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ComputeOptimizerFullAccess",
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AwsOrgsAccess",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "CloudWatchAccess",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        }
    ]
}
```

------
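Because AWS can add actions to a managed policy at any time and the change applies to every role the policy is attached to, a reviewer wants the exact delta between two versions rather than a text diff. The script below is an added example, not part of the AWS documentation. It embeds compacted copies of the two `ComputeOptimizerServiceRolePolicy` documents shown above, diffs them by effective grant (effect, action, resource), and cross-checks the additions against the entries in the change log later on this page. Treating the shorter document as the "before" side is an assumption made for the illustration.

```python
"""Diff two versions of an AWS managed policy by the grants they contain.

Added example, not part of the AWS documentation. The two documents below are
compacted copies of the two ComputeOptimizerServiceRolePolicy documents on the
page; the shorter one is assumed to be the earlier version.
"""

BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ComputeOptimizerFullAccess", "Effect": "Allow",
         "Action": ["compute-optimizer:*"], "Resource": "*"},
        {"Sid": "AwsOrgsAccess", "Effect": "Allow",
         "Action": ["organizations:DescribeOrganization", "organizations:ListAccounts",
                    "organizations:ListAWSServiceAccessForOrganization"],
         "Resource": ["*"]},
        {"Sid": "CloudWatchAccess", "Effect": "Allow",
         "Action": ["cloudwatch:GetMetricData"], "Resource": "*"},
    ],
}

AFTER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ComputeOptimizerFullAccess", "Effect": "Allow",
         "Action": ["compute-optimizer:*"], "Resource": "*"},
        {"Sid": "AwsOrgsAccess", "Effect": "Allow",
         "Action": ["organizations:DescribeOrganization", "organizations:ListAccounts",
                    "organizations:ListAWSServiceAccessForOrganization",
                    "organizations:ListDelegatedAdministrators"],
         "Resource": ["*"]},
        {"Sid": "CloudWatchAccess", "Effect": "Allow",
         "Action": ["cloudwatch:GetMetricData", "cloudwatch:DescribeAlarms"], "Resource": "*"},
        {"Sid": "AutoScalingAccess", "Effect": "Allow",
         "Action": ["autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:DescribePolicies", "autoscaling:DescribeScheduledActions"],
         "Resource": "*"},
        {"Sid": "Ec2Access", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"], "Resource": "*"},
    ],
}

# Actions the page's change log says were added to ComputeOptimizerServiceRolePolicy
# (entries dated November 29, 2021; July 25, 2022; January 9, 2025).
CHANGE_LOG_ADDITIONS = {
    "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeAutoScalingGroups",
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "organizations:ListDelegatedAdministrators",
    "cloudwatch:DescribeAlarms", "autoscaling:DescribePolicies", "autoscaling:DescribeScheduledActions",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grants(policy):
    """Set of (effect, action, resource) triples. Comparing these instead of raw
    text ignores cosmetic changes such as "*" versus ["*"] or reordered lists."""
    triples = set()
    for stmt in policy["Statement"]:
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                triples.add((stmt.get("Effect"), action, resource))
    return triples


def diff_policies(before, after):
    """Return (added, removed) grant triples, sorted for stable output."""
    old, new = grants(before), grants(after)
    return sorted(new - old), sorted(old - new)


def added_actions(before, after):
    """Action names present in `after` but not in `before`."""
    return sorted({action for _effect, action, _resource in diff_policies(before, after)[0]})


def unexplained_additions(before, after):
    """Added actions that no change-log entry accounts for; non-empty means read the policy."""
    return sorted(set(added_actions(before, after)) - CHANGE_LOG_ADDITIONS)


if __name__ == "__main__":
    added, removed = diff_policies(BEFORE, AFTER)
    for triple in added:
        print("+", *triple)
    for triple in removed:
        print("-", *triple)
    print("unexplained:", unexplained_additions(BEFORE, AFTER))
```

In practice the two inputs would be the `Document` fields of two versions returned by `aws iam get-policy-version` for the managed policy, captured on a schedule; a non-empty `unexplained_additions` result is the signal to read the new version before it matters.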

## AWS managed policy: ComputeOptimizerReadOnlyAccess
<a name="security-iam-awsmanpol-ComputeOptimizerReadOnlyAccess"></a>

You can attach the `ComputeOptimizerReadOnlyAccess` policy to your IAM identities.

This policy grants read-only permissions that allow IAM users to view Compute Optimizer resource recommendations.

**Permissions details**

This policy includes the following:
+ `compute-optimizer` – Grants read-only access to Compute Optimizer resource recommendations.
+ `ec2` – Grants read-only access to Amazon EC2 instances and Amazon EBS volumes.
+ `autoscaling` – Grants read-only access to EC2 Auto Scaling groups.
+ `lambda` – Grants read-only access to AWS Lambda functions and their configurations.
+ `cloudwatch` – Grants read-only access to Amazon CloudWatch metric data for resource types that are supported by Compute Optimizer.
+ `organizations` – Grants read-only access to member accounts of an AWS organization.
+ `ecs` – Grants read-only access to Amazon ECS clusters and services, which Compute Optimizer uses for ECS services on Fargate.
+ `rds` – Grants read-only access to Amazon RDS instances and clusters.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:DescribeRecommendationExportJobs",
                "compute-optimizer:GetEnrollmentStatus",
                "compute-optimizer:GetEnrollmentStatusesForOrganization",
                "compute-optimizer:GetRecommendationSummaries",
                "compute-optimizer:GetEC2InstanceRecommendations",
                "compute-optimizer:GetEC2RecommendationProjectedMetrics",
                "compute-optimizer:GetAutoScalingGroupRecommendations",
                "compute-optimizer:GetEBSVolumeRecommendations",
                "compute-optimizer:GetLambdaFunctionRecommendations",
                "compute-optimizer:GetRecommendationPreferences",
                "compute-optimizer:GetEffectiveRecommendationPreferences",
                "compute-optimizer:GetECSServiceRecommendations",
                "compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
                "compute-optimizer:GetLicenseRecommendations",
                "compute-optimizer:GetRDSDatabaseRecommendations",
                "compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics",
                "compute-optimizer:GetIdleRecommendations",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ecs:ListServices",
                "ecs:ListClusters",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "cloudwatch:GetMetricData",
                "organizations:ListAccounts",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters"
            ],
            "Resource": "*"
        }
    ]
}
```

------

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:DescribeRecommendationExportJobs",
                "compute-optimizer:GetEnrollmentStatus",
                "compute-optimizer:GetEnrollmentStatusesForOrganization",
                "compute-optimizer:GetRecommendationSummaries",
                "compute-optimizer:GetEC2InstanceRecommendations",
                "compute-optimizer:GetEC2RecommendationProjectedMetrics",
                "compute-optimizer:GetAutoScalingGroupRecommendations",
                "compute-optimizer:GetEBSVolumeRecommendations",
                "compute-optimizer:GetLambdaFunctionRecommendations",
                "compute-optimizer:GetECSServiceRecommendations",
                "compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
                "compute-optimizer:GetLicenseRecommendations",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ecs:ListServices",
                "ecs:ListClusters",
                "autoscaling:DescribeAutoScalingGroups",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "cloudwatch:GetMetricData",
                "organizations:ListAccounts",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        }
    ]
}
```

------

**Note**  
When `ComputeOptimizerReadOnlyAccess` is attached to an identity in the management account of an organization, it grants only read-only access to view org-level recommendations. If you're the delegated administrator and you want to view org-level recommendations, see [Policies to grant access to Compute Optimizer for a management account of an organization](https://docs.aws.amazon.com//compute-optimizer/latest/ug/security-iam.html#organization-account-access).

## AWS managed policy: ComputeOptimizerAutomationServiceRolePolicy
<a name="security-iam-awsmanpol-ComputeOptimizerAutomationServiceRolePolicy"></a>

The `ComputeOptimizerAutomationServiceRolePolicy` managed policy is attached to a service-linked role that allows Compute Optimizer to implement optimization recommendations by managing AWS resources in your account. For more information, see [Using service-linked roles for Automation](using-service-linked-roles-automation.md).

**Note**  
You can't attach `ComputeOptimizerAutomationServiceRolePolicy` to your IAM entities.

**Permissions details**

This policy includes the following permissions:
+ `ec2:DescribeVolumes`, `ec2:DescribeSnapshots`, `ec2:DescribeVolumesModifications` – Grants read-only access to view Amazon EBS volumes, snapshots, and volume modification status for monitoring and validation purposes.
+ `ec2:ModifyVolume`, `ec2:DeleteVolume` – Allows modification and deletion of Amazon EBS volumes, but only for resources that don't have the `exclude-from-compute-optimizer-automation` tag. Add that tag to any volume that must never be changed by automated optimization actions.
+ `ec2:CreateSnapshot` – Grants permission to create snapshots of Amazon EBS volumes for backup purposes before performing optimization actions.
+ `ec2:CreateVolume` – Allows creation of Amazon EBS volumes from snapshots to support rollback operations in case optimization actions need to be reverted.
+ `ec2:CreateTags` – Grants permission to add tags to Amazon EBS resources for tracking automation events and maintaining resource metadata.

To view the permissions for this policy, see [ComputeOptimizerAutomationServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ComputeOptimizerAutomationServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

## Compute Optimizer updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for Compute Optimizer since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed for this guide.


| Change | Description | Date | 
| --- | --- | --- | 
|  Added new `ComputeOptimizerAutomationServiceRolePolicy` managed policy  |  Added a new `ComputeOptimizerAutomationServiceRolePolicy` service-linked role policy.  | November 19, 2025 | 
|  Edit to the `ComputeOptimizerServiceRolePolicy` managed policy  |  Added the `cloudwatch:DescribeAlarms`, `autoscaling:DescribePolicies`, and `autoscaling:DescribeScheduledActions` actions to the `ComputeOptimizerServiceRolePolicy` managed policy.  | January 9, 2025 | 
|  Edit to the `ComputeOptimizerReadOnlyAccess` managed policy  |  Added the `compute-optimizer:GetIdleRecommendations` actions to the `ComputeOptimizerReadOnlyAccess` managed policy.  | November 20, 2024 | 
|  Edit to the `ComputeOptimizerReadOnlyAccess` managed policy  |  Added the `compute-optimizer:GetRDSDatabaseRecommendations`, `compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics`, `rds:DescribeDBInstances`, and `rds:DescribeDBClusters` actions to the `ComputeOptimizerReadOnlyAccess` managed policy.  | June 20, 2024 | 
|  Edit to the `ComputeOptimizerReadOnlyAccess` managed policy  |  Added the `compute-optimizer:GetLicenseRecommendations` actions to the `ComputeOptimizerReadOnlyAccess` managed policy.  | July 26, 2023 | 
|  Edit to the `ComputeOptimizerReadOnlyAccess` managed policy  |  Added the `compute-optimizer:GetECSServiceRecommendations`, `compute-optimizer:GetECSServiceRecommendationProjectedMetrics`, `ecs:ListServices`, and `ecs:ListClusters` actions to the `ComputeOptimizerReadOnlyAccess` managed policy.  | December 22, 2022 | 
|  Edit to the `ComputeOptimizerServiceRolePolicy` managed policy  |  Added the `ec2:DescribeInstances`, `ec2:DescribeVolumes`, and `organizations:ListDelegatedAdministrators` actions to the `ComputeOptimizerServiceRolePolicy` managed policy.  | July 25, 2022 | 
|  Edit to the `ComputeOptimizerServiceRolePolicy` managed policy  |  Added the `autoscaling:DescribeAutoScalingInstances` and `autoscaling:DescribeAutoScalingGroups` actions to the `ComputeOptimizerServiceRolePolicy` managed policy.  | November 29, 2021 | 
|  Edit to the `ComputeOptimizerReadOnlyAccess` managed policy  |  Added the `compute-optimizer:GetRecommendationPreferences`, `compute-optimizer:GetEffectiveRecommendationPreferences`, and `autoscaling:DescribeAutoScalingInstances` actions to the `ComputeOptimizerReadOnlyAccess` managed policy.  | November 29, 2021 | 
|  Edit to the `ComputeOptimizerReadOnlyAccess` managed policy  |  Added the `GetEnrollmentStatusesForOrganization` action to the `ComputeOptimizerReadOnlyAccess` managed policy.  | August 26, 2021 | 
|  Compute Optimizer started tracking changes  |  Compute Optimizer started tracking changes for its AWS managed policies.  | May 18, 2021 | 

# Using service-linked roles for AWS Compute Optimizer
<a name="using-service-linked-roles"></a>

AWS Compute Optimizer uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that's linked directly to Compute Optimizer. Service-linked roles are predefined by Compute Optimizer and include all of the permissions that the service requires to call other AWS services on your behalf.

With a service-linked role, setting up Compute Optimizer doesn't require manually adding the necessary permissions. Compute Optimizer defines the permissions of its service-linked roles, and unless defined otherwise, only Compute Optimizer can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

**Topics**
+ [Service-linked role permissions for Compute Optimizer](#slr-permissions)
+ [Service-linked role permissions](#service-linked-role-permissions)
+ [Creating a Service-Linked Role for Compute Optimizer](#create-slr)
+ [Editing a Service-Linked Role for Compute Optimizer](#edit-slr)
+ [Deleting a Service-Linked Role for Compute Optimizer](#delete-slr)
+ [Supported Regions for Compute Optimizer service-linked Roles](#slr-regions)
+ [Additional resources](#slr-resources)

## Service-linked role permissions for Compute Optimizer
<a name="slr-permissions"></a>

Compute Optimizer uses the service-linked role that's named **AWSServiceRoleForComputeOptimizer** to access Amazon CloudWatch metrics for AWS resources in the account.

The AWSServiceRoleForComputeOptimizer service-linked role trusts the following services to assume the role:
+ `compute-optimizer.amazonaws.com`

The role permissions policy allows Compute Optimizer to complete the following actions on the specified resources:
+ Action: `cloudwatch:GetMetricData` on all AWS resources.
+ Action: `cloudwatch:DescribeAlarms` on all AWS resources.
+ Action: `organizations:DescribeOrganization` on all AWS resources.
+ Action: `organizations:ListAccounts` on all AWS resources.
+ Action: `organizations:ListAWSServiceAccessForOrganization` on all AWS resources.
+ Action: `organizations:ListDelegatedAdministrators` on all AWS resources.
+ Action: `autoscaling:DescribeAutoScalingInstances` on all AWS resources.
+ Action: `autoscaling:DescribeAutoScalingGroups` on all AWS resources.
+ Action: `autoscaling:DescribePolicies` on all AWS resources.
+ Action: `autoscaling:DescribeScheduledActions` on all AWS resources.
+ Action: `ec2:DescribeInstances` on all AWS resources.
+ Action: `ec2:DescribeVolumes` on all AWS resources.
+ Action: `ec2:DescribeSnapshots` on all AWS resources.
+ Action: `ec2:DescribeVolumesModifications` on all AWS resources.
+ Action: `ec2:CreateVolume` on all AWS resources.
+ Action: `ec2:ModifyVolume` on all AWS resources.
+ Action: `ec2:DeleteVolume` on all AWS resources.
+ Action: `ec2:CreateSnapshot` on all AWS resources.
+ Action: `ec2:CreateTags` on all AWS resources.

**Note**  
The `ComputeOptimizerServiceRolePolicy` document reproduced in [AWS managed policies for AWS Compute Optimizer](managed-policies.md#security-iam-awsmanpol-ComputeOptimizerServiceRolePolicy) grants only the read-only `ec2:DescribeInstances` and `ec2:DescribeVolumes` actions. The Amazon EBS actions that create, modify, or delete resources (`ec2:CreateVolume`, `ec2:ModifyVolume`, `ec2:DeleteVolume`, `ec2:CreateSnapshot`, `ec2:CreateTags`) are the ones described for `ComputeOptimizerAutomationServiceRolePolicy`, which is attached to the separate AWSServiceRoleForComputeOptimizerAutomation role. To confirm which policy a role in your account actually carries, run `aws iam list-attached-role-policies --role-name AWSServiceRoleForComputeOptimizer`.

## Service-linked role permissions
<a name="service-linked-role-permissions"></a>

To create a service-linked role for Compute Optimizer, configure permissions to allow an IAM entity (such as a user, group, or role) to create the service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

**To allow an IAM entity to create a specific service-linked role for Compute Optimizer**

Add the following policy to the IAM entity that needs to create the service-linked role.

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
            "Condition": {"StringLike": {"iam:AWSServiceName": "compute-optimizer.amazonaws.com"}}
        },
        {
            "Effect": "Allow",
            "Action": "iam:PutRolePolicy",
            "Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
        },
        {
            "Effect": "Allow",
            "Action": "compute-optimizer:UpdateEnrollmentStatus",
            "Resource": "*"
        }
    ]
}
```

------

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
            "Condition": {"StringLike": {"iam:AWSServiceName": "compute-optimizer.amazonaws.com"}}
        },
        {
            "Effect": "Allow",
            "Action": "iam:PutRolePolicy",
            "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
        },
        {
            "Effect": "Allow",
            "Action": "compute-optimizer:UpdateEnrollmentStatus",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "organizations:DescribeOrganization",
            "Resource": "*"
        }
    ]
}
```

------

**To allow an IAM entity to create any service-linked role**

Add the following statement to the permissions policy of the IAM entity that needs to create a service-linked role, or of any service role that includes the needed policies. Because the resource is `aws-service-role/*` and there is no `iam:AWSServiceName` condition, this statement lets the entity create the service-linked role of any AWS service, not only Compute Optimizer's; prefer the scoped statement above unless that breadth is intended.

```
{
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/*"
}
```
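The difference between the scoped statement and the "any service-linked role" statement above comes down to two controls: the `Resource` ARN confines the role path, and the `iam:AWSServiceName` condition confines which service the created role may be linked to. The script below is an added example, not part of the AWS documentation. It embeds a compacted copy of the scoped policy and the broad statement and reports whether each pins `iam:CreateServiceLinkedRole` to Compute Optimizer; `review` and the strict both-controls rule are this example's own choices.

```python
"""Check that an iam:CreateServiceLinkedRole grant is pinned to one service.

Added example, not part of the AWS documentation. SCOPED_POLICY is a compacted
copy of the policy on this page; BROAD_POLICY wraps the "any service-linked
role" statement. Both the Resource path and the iam:AWSServiceName condition
must confine the grant for it to count as pinned.
"""

SERVICE = "compute-optimizer.amazonaws.com"
ROLE_ARN_PREFIX = "arn:aws:iam::*:role/aws-service-role/" + SERVICE + "/"

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
         "Resource": ROLE_ARN_PREFIX + "AWSServiceRoleForComputeOptimizer*",
         "Condition": {"StringLike": {"iam:AWSServiceName": SERVICE}}},
        {"Effect": "Allow", "Action": "iam:PutRolePolicy",
         "Resource": ROLE_ARN_PREFIX + "AWSServiceRoleForComputeOptimizer"},
        {"Effect": "Allow", "Action": "compute-optimizer:UpdateEnrollmentStatus",
         "Resource": "*"},
    ],
}

BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
         "Resource": "arn:aws:iam::*:role/aws-service-role/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _service_names(condition):
    """Values bound to iam:AWSServiceName under StringEquals or StringLike."""
    names = []
    for operator in ("StringEquals", "StringLike"):
        names.extend(_as_list(condition.get(operator, {}).get("iam:AWSServiceName", [])))
    return names


def slr_grants(policy):
    """Allow statements that grant iam:CreateServiceLinkedRole, directly or via iam:* / *."""
    matches = ("iam:CreateServiceLinkedRole", "iam:*", "*")
    return [stmt for stmt in policy["Statement"]
            if stmt.get("Effect") == "Allow"
            and any(a in matches for a in _as_list(stmt.get("Action", [])))]


def pinned_to_service(policy, service):
    """True when every CreateServiceLinkedRole grant is confined to `service`'s
    role path and carries an iam:AWSServiceName condition naming only `service`."""
    stmts = slr_grants(policy)
    if not stmts:
        return False  # nothing grants the action at all
    path = ":role/aws-service-role/" + service + "/"
    for stmt in stmts:
        if not all(path in r for r in _as_list(stmt.get("Resource", []))):
            return False
        if _service_names(stmt.get("Condition", {})) != [service]:
            return False
    return True


def review(policy, service=SERVICE):
    """Human-readable verdict for a quick command-line run."""
    return "pinned to " + service if pinned_to_service(policy, service) else "NOT pinned"


if __name__ == "__main__":
    print("scoped:", review(SCOPED_POLICY))
    print("broad: ", review(BROAD_POLICY))
```

The path check also accepts the `arn:aws-cn` variant shown above, since only the partition differs. A statement with `Resource: "*"` and a correct condition is still reported as not pinned, because the role path is then unconstrained.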

**To allow Compute Optimizer to perform recommended actions on behalf of customers**

Compute Optimizer Automation performs recommended actions through a separate service-linked role, AWSServiceRoleForComputeOptimizerAutomation, whose permissions come from the `ComputeOptimizerAutomationServiceRolePolicy` managed policy rather than from a policy you attach. For more information, see [AWS managed policy: ComputeOptimizerAutomationServiceRolePolicy](managed-policies.md#security-iam-awsmanpol-ComputeOptimizerAutomationServiceRolePolicy) and [Using service-linked roles for Automation](using-service-linked-roles-automation.md).

## Creating a Service-Linked Role for Compute Optimizer
<a name="create-slr"></a>

You don't need to manually create a service-linked role. When you opt in to the Compute Optimizer service in the AWS Management Console, the AWS CLI, or the AWS API, Compute Optimizer creates the service-linked role for you. 

**Important**  
If you completed an action in another service that uses the features supported by the service-linked role, the role can appear in your account. For more information, see [A New Role Appeared in My IAM Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you opt in to the Compute Optimizer service, Compute Optimizer creates the service-linked role for you again. 

## Editing a Service-Linked Role for Compute Optimizer
<a name="edit-slr"></a>

Compute Optimizer doesn't allow you to edit the AWSServiceRoleForComputeOptimizer service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a Service-Linked Role for Compute Optimizer
<a name="delete-slr"></a>

We recommend that, if you no longer need to use Compute Optimizer, you delete the AWSServiceRoleForComputeOptimizer service-linked role. That way you don’t have an unused entity that's not actively monitored or maintained. However, before you can manually delete the service-linked role, you must opt out of Compute Optimizer.

**To opt out of Compute Optimizer**

For information about opting out of Compute Optimizer, see [Opting out of Compute Optimizer](account-opt-out.md).

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForComputeOptimizer service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for Compute Optimizer service-linked Roles
<a name="slr-regions"></a>

Compute Optimizer supports using service-linked roles in all of the Regions where the service is available. To view the currently supported AWS Regions and endpoints for Compute Optimizer, see [Compute Optimizer Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/compute-optimizer.html) in the *AWS General Reference*.

## Additional resources
<a name="slr-resources"></a>
+ Troubleshooting — [Troubleshooting in Compute Optimizer](troubleshooting-account-opt-in.md)
+ [AWS managed policies for AWS Compute Optimizer](managed-policies.md)
+ [Opting in to AWS Compute Optimizer](account-opt-in.md)
+ [Identity and Access Management for AWS Compute Optimizer](security-iam.md)

# Using service-linked roles for Automation
<a name="using-service-linked-roles-automation"></a>

AWS Compute Optimizer uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) named AWSServiceRoleForComputeOptimizerAutomation. A service-linked role is a unique type of IAM role that's linked directly to Compute Optimizer Automation. Service-linked roles are predefined by Compute Optimizer Automation and include all of the permissions that the service requires to call other on your behalf. 

With a service-linked role, setting up Compute Optimizer Automation doesn't require manually adding the necessary permissions. Compute Optimizer Automation defines the permissions of its service-linked roles, and unless defined otherwise, only Compute Optimizer Automation can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

**Topics**
+ [Service-linked role permissions for Compute Optimizer Automation](#slr-permissions-automation)
+ [Service-linked role permissions](#service-linked-role-permissions-automation)
+ [Creating a Service-Linked Role for Compute Optimizer Automation](#create-slr-automation)
+ [Editing a Service-Linked Role for Compute Optimizer Automation](#edit-slr-automation)
+ [Deleting a Service-Linked Role for Compute Optimizer Automation](#delete-slr-automation)
+ [Supported Regions for Compute Optimizer Automation service-linked roles](#slr-regions)

## Service-linked role permissions for Compute Optimizer Automation
<a name="slr-permissions-automation"></a>

Compute Optimizer Automation uses the service-linked role that's named **AWSServiceRoleForComputeOptimizerAutomation** which enables access to AWS services and resources used or managed by Compute Optimizer Automation. This service-linked role allows Compute Optimizer Automation to implement optimization recommendations by performing tasks such as creating, modifying, and deleting resources through other AWS services. 

The AWSServiceRoleForComputeOptimizerAutomation service-linked role trusts only the `aco-automation.amazonaws.com` service principal to assume the role.

The `AWSServiceRoleForComputeOptimizerAutomation` service-linked role uses the managed policy `AWSComputeOptimizerAutomationRolePolicy`.

## Service-linked role permissions
<a name="service-linked-role-permissions-automation"></a>

To create a service-linked role for Compute Optimizer Automation, configure permissions to allow an IAM entity (such as a user, group, or role) to create the service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

Add the following policy to the IAM entity that needs to create the service-linked role.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation",
            "Condition": {"StringLike": {"iam:AWSServiceName": "aco-automation.amazonaws.com"}}
        },
        {
            "Effect": "Allow",
            "Action": "iam:PutRolePolicy",
            "Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation"
        }
    ]
}
```
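The two facts above worth verifying in practice are that the role trusts only the `aco-automation.amazonaws.com` service principal with `AWSComputeOptimizerAutomationRolePolicy` attached, and that the policy you grant for creating it is scoped to that one role ARN rather than to `*`. The following is an added example, not AWS code or part of this documentation: it makes no API calls and runs offline against constructed input that mirrors the shape of `aws iam get-role` and `aws iam list-attached-role-policies` output, plus the creation policy shown above and an over-broad variant. The account IDs are fictitious, and the check matches the attached policy by name only, since the page does not state the policy's ARN.

```python
"""Offline integrity checks for the Compute Optimizer Automation service-linked role.

Added example, not AWS documentation or AWS code. No API calls are made: the role,
attached-policy list and policy documents below are constructed to mirror
`aws iam get-role` / `aws iam list-attached-role-policies` output and the
creation policy on this page. Account IDs are fictitious.
"""

SERVICE_PRINCIPAL = "aco-automation.amazonaws.com"
ROLE_NAME = "AWSServiceRoleForComputeOptimizerAutomation"
ROLE_PATH = f"/aws-service-role/{SERVICE_PRINCIPAL}/"
MANAGED_POLICY_NAME = "AWSComputeOptimizerAutomationRolePolicy"
SLR_ARN_PATTERN = f"arn:aws:iam::*:role{ROLE_PATH}{ROLE_NAME}"
CREATE_ACTIONS = {"iam:CreateServiceLinkedRole", "iam:PutRolePolicy"}


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action, Resource and Principal.Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(trust_policy):
    """Return findings; empty means only aco-automation can assume the role via sts:AssumeRole."""
    findings = []
    statements = _as_list(trust_policy.get("Statement"))
    if len(statements) != 1:
        findings.append(f"expected exactly one trust statement, found {len(statements)}")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            findings.append(f"unexpected Effect {stmt.get('Effect')!r} in trust statement")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            # An AWS account, user or role principal would let a non-service identity assume the role.
            findings.append(f"trust statement must name only a Service principal, got {principal!r}")
        else:
            services = set(_as_list(principal["Service"]))
            if services != {SERVICE_PRINCIPAL}:
                findings.append(f"unexpected trusted principals: {sorted(services)}")
        actions = set(_as_list(stmt.get("Action")))
        if actions != {"sts:AssumeRole"}:
            findings.append(f"unexpected actions in trust statement: {sorted(actions)}")
    return findings


def audit_role(role, attached_policies):
    """Check name, path, trust policy and attached managed policy of the service-linked role."""
    findings = []
    if role.get("RoleName") != ROLE_NAME:
        findings.append(f"unexpected RoleName {role.get('RoleName')!r}")
    if role.get("Path") != ROLE_PATH:
        findings.append(f"unexpected Path {role.get('Path')!r}")
    findings.extend(audit_trust_policy(role.get("AssumeRolePolicyDocument", {})))
    names = {p.get("PolicyName") for p in attached_policies}
    if names != {MANAGED_POLICY_NAME}:
        findings.append(f"attached policies should be only {MANAGED_POLICY_NAME}, got {sorted(map(str, names))}")
    return findings


def check_creation_policy(policy):
    """Check that a policy granting SLR creation is scoped to this one role, as on this page."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action")))
        resources = set(_as_list(stmt.get("Resource")))
        extra = actions - CREATE_ACTIONS
        if extra:
            findings.append(f"actions beyond SLR creation granted: {sorted(extra)}")
        if resources != {SLR_ARN_PATTERN}:
            # Resource "*" would let the entity create or modify any service-linked role.
            findings.append(f"statement for {sorted(actions)} is not scoped to the SLR ARN: {sorted(resources)}")
        if "iam:CreateServiceLinkedRole" in actions:
            cond = stmt.get("Condition", {})
            service = (cond.get("StringEquals", {}).get("iam:AWSServiceName")
                       or cond.get("StringLike", {}).get("iam:AWSServiceName"))
            if service != SERVICE_PRINCIPAL:
                findings.append(f"iam:CreateServiceLinkedRole lacks an iam:AWSServiceName condition pinned to {SERVICE_PRINCIPAL}")
    return findings


# Constructed sample mirroring `aws iam get-role` output for a healthy role.
SAMPLE_ROLE = {
    "RoleName": ROLE_NAME,
    "Path": ROLE_PATH,
    "Arn": f"arn:aws:iam::123456789012:role{ROLE_PATH}{ROLE_NAME}",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": SERVICE_PRINCIPAL}, "Action": "sts:AssumeRole"}],
    },
}
SAMPLE_ATTACHED = [{"PolicyName": MANAGED_POLICY_NAME}]

# Constructed trust policy of a look-alike role that additionally trusts another account.
LOOKALIKE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": SERVICE_PRINCIPAL}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"},
    ],
}

# The creation policy from this page, and an over-broad variant a reviewer should reject.
CREATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": SLR_ARN_PATTERN,
         "Condition": {"StringLike": {"iam:AWSServiceName": SERVICE_PRINCIPAL}}},
        {"Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": SLR_ARN_PATTERN},
    ],
}
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*"}],
}

if __name__ == "__main__":
    print("healthy role:", audit_role(SAMPLE_ROLE, SAMPLE_ATTACHED))
    print("look-alike trust:", audit_trust_policy(LOOKALIKE_TRUST))
    print("page policy:", check_creation_policy(CREATION_POLICY))
    print("over-broad policy:", check_creation_policy(OVERBROAD_POLICY))
```

In a live account, feed `audit_role` the `Role` object from `aws iam get-role --role-name AWSServiceRoleForComputeOptimizerAutomation` and the `AttachedPolicies` list from `aws iam list-attached-role-policies --role-name AWSServiceRoleForComputeOptimizerAutomation`; run `check_creation_policy` on any customer policy before attaching it to the entity that will create the role.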

## Creating a Service-Linked Role for Compute Optimizer Automation
<a name="create-slr-automation"></a>

The AWSServiceRoleForComputeOptimizerAutomation service-linked role is created automatically when you enable Compute Optimizer Automation. You can also create the AWSServiceRoleForComputeOptimizerAutomation role manually with the AWS CLI or the IAM API.

The service-linked role created for a Compute Optimizer Automation management account does not apply to member accounts. Compute Optimizer Automation creates a separate service-linked role for each account when the feature is enabled. When a management account enables Automation for a member account, Compute Optimizer Automation creates the service-linked role on-demand the first time it implements a recommended action for that account. This occurs either when the management account or member account initiates the action directly or when an automation rule executes an action for that member account.

## Editing a Service-Linked Role for Compute Optimizer Automation
<a name="edit-slr-automation"></a>

Compute Optimizer Automation doesn't allow you to edit the AWSServiceRoleForComputeOptimizerAutomation service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a Service-Linked Role for Compute Optimizer Automation
<a name="delete-slr-automation"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete the role. That way, you don't have an unused entity that isn't actively monitored or maintained.

When you disable Compute Optimizer Automation, Compute Optimizer Automation doesn't automatically delete the AWSServiceRoleForComputeOptimizerAutomation service-linked role for you. If you enable Compute Optimizer Automation again, the service can then start using the existing service-linked role again. If you no longer need to use Compute Optimizer Automation, you can manually delete the service-linked role.

**Important**  
Before you delete the AWSServiceRoleForComputeOptimizerAutomation service-linked role, you must first disable Compute Optimizer Automation. If Compute Optimizer Automation isn't disabled when you try to delete the service-linked role, the deletion fails.

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForComputeOptimizerAutomation service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for Compute Optimizer Automation service-linked roles
<a name="slr-regions"></a>

Compute Optimizer Automation supports using service-linked roles in all of the Regions where the service is available. To view the currently supported AWS Regions and endpoints for Compute Optimizer, see [Compute Optimizer Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/compute-optimizer.html) in the *AWS General Reference*.