Why aren't my policy actions working?



Article ID: 283667


Products

CloudHealth

Issue/Introduction

Policies often fail to execute in AWS because of the IAM permissions associated with the role or user assigned to the account.

To check whether this is the case, go to Dashboards -> Notifications. Look for the policy of interest where the status is Failed and click View (eye icon on the left).


If the Failed Actions portion of the Details says "Unable to..." or "You are unable to perform this operation", the IAM permissions need to be adjusted so the account/user can perform the actions in the policy.


IAM permissions must be granted via an IAM Policy in the target AWS Account for the desired action(s). The desired Actions must also be enabled in the Cost platform for the Account(s) containing the actionable assets. A Policy Action must be enabled before the Action can be selected in a Policy.


To enable permissions, go to Settings=>Accounts=>AWS, find the AWS Account that owns the asset for which the Action is failing, and open the Account edit page for that account.



(You must have permissions to view and update this page and have access to the IAM role settings in the AWS console or API. Contact your administrator if needed.)

Scroll down and expand the Automation section.  Enable the desired operations. 

Select "Generate Policy" and copy the updated policy to your clipboard. Note that in this example "Delete Amazon EC2 Instances" was enabled, so the generated IAM policy has been updated to allow the action ec2:TerminateInstances.


Close the IAM Access Policy dialog (after saving the contents to your clipboard) and click "Save Account" to persist your changes.



Update the IAM Policy for the desired Accounts.  This is done in the AWS Console.  Permissions are required.

  1. Log in to the AWS Console for the targeted account as a user who has permission to create an IAM role.
  2. Navigate to Services > Security, Identity, & Compliance > IAM. From the left menu, select Policies and select the policy used for this account.  
  3. Switch to the JSON tab.
  4. Update or replace the existing IAM Policy with the contents of your clipboard.  Save this change.  Your IAM policy should now allow the desired action. 

In the Cost Application navigate to "Governance=>Actions" and enable the desired actions to make them available for your Policy (if not already done).
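
Before or after pasting the generated policy into IAM, it helps to confirm that the JSON really allows the action behind the failing policy, such as ec2:TerminateInstances from the example above. The following is an added example, not CloudHealth or AWS code; the sample policy, the `check_actions` helper and the list of actions checked are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample standing in for the clipboard contents of "Generate Policy";
# the real generated policy will list different and more actions.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:TerminateInstances"]},
    {"Effect": "Deny", "Action": "ec2:DeleteSnapshot", "Resource": "*"}
  ]
}
"""

def _as_list(value):
    """IAM lets Statement and Action be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the IAM wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def check_actions(policy_json, required):
    """Return {action: 'allowed' | 'denied' | 'missing'} for each required action.
    Only Effect and Action are evaluated. Resource, Condition, NotAction,
    permission boundaries and SCPs are out of scope, so 'allowed' here is
    necessary for the policy action to run, not a guarantee.
    """
    statements = _as_list(json.loads(policy_json).get("Statement"))
    result = {}
    for action in required:
        verdict = "missing"
        for stmt in statements:
            if not _matches(_as_list(stmt.get("Action")), action):
                continue
            if stmt.get("Effect") == "Deny":
                verdict = "denied"   # an explicit Deny always wins
                break
            if stmt.get("Effect") == "Allow":
                verdict = "allowed"
        result[action] = verdict
    return result

if __name__ == "__main__":
    print(check_actions(SAMPLE_POLICY, ["ec2:TerminateInstances", "ec2:StopInstances"]))
```

An action reported as `missing` means the corresponding operation was not enabled in the Automation section before the policy was generated, or the JSON in IAM is an older copy.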