Importance of IAM Roles and Permissions for AWS accounts

Article ID: 284345

Products

CloudHealth

Issue/Introduction

If CloudHealth is not granted the appropriate permissions, accounts will show as "UNKNOWN", "Critical", or "Warning". Without those permissions the platform cannot accurately reflect cost and usage reporting, gather performance metrics and asset-specific metadata, or provide accurate recommendations.

If IAM permissions are missing or misconfigured, the following may occur:

  • CloudHealth may over-recommend RI or Savings Plan purchases, since RI/SP purchases made at the Linked Account level are not available to the recommendation engine
  • CloudHealth cannot gather descriptive data for assets, such as EBS Volume status, timestamps, and all tags applied to the assets themselves
    • Note: Tags enabled for billing will be extracted from the Cost and Usage Report (CUR), but are often only a handful of the total key/value tag pairs applied to an asset within AWS
  • CloudHealth cannot poll for metrics data, such as CPU and network usage, which are often needed for wasted infrastructure and rightsizing policies

Resolution

For these reasons and more, CloudHealth recommends read-only permissions, at minimum.

For more advanced automation and actions using the Recommendations and Policy Engine, you may optionally grant CloudHealth additional IAM permissions so it can perform actions on your behalf. Those additional permissions should be scoped to the specific actions you intend to automate. Authorizer and Approver workflows can be configured so that you keep the benefit of automation while retaining a "human-in-the-loop".

To view documentation within the CloudHealth Help Center on how to properly configure your IAM Roles and Permissions, click the link below for your corresponding AWS account type:

CloudHealth Permissions Comparison (AWS)

For best results, all AWS accounts should appear as "Healthy" within CloudHealth*

Cost and Usage Report (CUR) only
  • Cost and usage data
  • Cost allocation tags only
  ** Accounts will appear in Critical or Unconfigured status. **

CUR + Read-Only IAM Role (Recommended)
  • Cost and usage data
  • Cost allocation tags
  • Asset-level metadata, including tags not in the CUR
  • Reserved Instance (RI) and Savings Plan (SP) inventory for better recommendations

CUR + Automated Actions IAM Role (Preferred)
  • Cost and usage data
  • Cost allocation tags
  • Asset-level metadata, including tags not in the CUR
  • Reserved Instance (RI) and Savings Plan (SP) inventory for better recommendations
  • Customizable actions, such as
    • Modifying/purchasing/converting RIs/SPs
    • Starting/stopping EC2 instances
    • Taking snapshots of/deleting EBS Volumes

* IAM permissions should be configured at the Consolidated and Linked Account levels to reflect "Healthy" status within CloudHealth
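The two IAM role options compared above differ only in whether the policy carries mutating actions (start/stop, snapshot/delete, RI/SP purchases) on top of the read-only set. As an added check, written for this article and not CloudHealth's own policy or tooling, the Python below classifies a role's allowed actions as read-only or mutating, so a role labelled "read-only" can be verified before it is handed to a third party, and confirms that the cross-account trust policy gates sts:AssumeRole on an external ID. The policy documents are constructed samples that use real AWS action names; the bucket name, account ID and external ID are placeholders, not CloudHealth's values.

```python
"""Audit the IAM role granted to a third-party cost platform.

Added example for this article, not CloudHealth's own policy or tooling.
It answers two questions a reviewer asks before approving the role:
(1) which allowed actions go beyond read-only, and (2) whether the trust
policy requires sts:ExternalId.  Policy documents below are constructed
samples with real AWS action names; account ID, bucket and external ID
are placeholders.
"""

# Operation-name prefixes that only read state.  Everything else is
# treated as a mutation a read-only role should not carry.
READ_PREFIXES = ("Describe", "Get", "List", "Lookup", "Search", "View")

# Constructed sample: roughly what the "CUR + Read-Only IAM Role" column
# needs (asset metadata, RI/SP inventory, CloudWatch metrics, CUR bucket).
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "cloudwatch:GetMetricStatistics",
                    "cloudwatch:ListMetrics",
                    "savingsplans:DescribeSavingsPlans",
                    "cur:DescribeReportDefinitions"]},
        {"Effect": "Allow", "Resource": "arn:aws:s3:::example-cur-bucket/*",
         "Action": "s3:GetObject"},
    ],
}

# Constructed sample: the read-only set plus the kinds of actions listed
# under "CUR + Automated Actions IAM Role".
AUTOMATED_ACTIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": READ_ONLY_POLICY["Statement"] + [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:StartInstances", "ec2:StopInstances",
                    "ec2:CreateSnapshot", "ec2:DeleteVolume",
                    "ec2:PurchaseReservedInstancesOffering",
                    "ec2:ModifyReservedInstances",
                    "savingsplans:CreateSavingsPlan"]},
    ],
}

# Placeholder third-party account (not CloudHealth's).
THIRD_PARTY_PRINCIPAL = {"AWS": "arn:aws:iam::111122223333:root"}

TRUST_WITHOUT_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": THIRD_PARTY_PRINCIPAL,
                   "Action": "sts:AssumeRole"}],
}

TRUST_WITH_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": THIRD_PARTY_PRINCIPAL,
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {
                       "sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}],
}


def allowed_actions(policy):
    """Every action string from Allow statements.  Deny statements are
    ignored on purpose: a Deny elsewhere must not hide an over-broad Allow."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def is_read_only(action):
    """True when the operation name starts with a read verb.  'ec2:Describe*'
    counts as read-only; 'ec2:*' and '*' do not, since the wildcard also
    expands to mutating calls."""
    _service, _, op = action.partition(":")
    op = op.rstrip("*")
    return bool(op) and op.startswith(READ_PREFIXES)


def mutating_actions(policy):
    """Sorted, de-duplicated list of allowed actions that are not read-only."""
    return sorted({a for a in allowed_actions(policy) if not is_read_only(a)})


def requires_external_id(trust_policy):
    """True if every AssumeRole grant is conditioned on sts:ExternalId.
    Without it, another customer of the same third party who learns your
    role ARN could have that party act on your account (confused deputy)."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in equals:
            return False
    return True


if __name__ == "__main__":
    for name, policy in (("read-only", READ_ONLY_POLICY),
                         ("automated actions", AUTOMATED_ACTIONS_POLICY)):
        print(f"{name}: mutating actions = {mutating_actions(policy) or 'none'}")
    print("trust without ExternalId acceptable?",
          requires_external_id(TRUST_WITHOUT_EXTERNAL_ID))
    print("trust with ExternalId acceptable?",
          requires_external_id(TRUST_WITH_EXTERNAL_ID))
```

Run against the policy you are about to attach: an empty mutating list is what the "Read-Only IAM Role" option should produce, and anything that appears for the "Automated Actions" option should match exactly the actions you intend to delegate. The prefix heuristic is deliberately conservative and treats any action it does not recognise as mutating, so review its output rather than trusting it blindly.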

Attachments

CloudHealth_Permissions_Comparison__AWS_.pdf