Single AWS Account access policies for LHO

This policies are required by Lakehouse Optimizer App being deployed on an AWS EC2 instance running on same AWS account where monitored Databricks Workspaces belong to.

Instance Profile IAM Role (of the LHO Application VM) with at least the following policies assigned:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BplmAWSCostReader",
            "Effect": "Allow",
            "Action": "ce:GetCostAndUsage",
            "Resource": "*"
        }
    ]
}

Allow Read of created secret

You will need to update this policy definition with your aws account ID and secret name.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BplmSecretsReader",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:*:{AWS Account ID}:secret:{SecretNameHere}*"
        }
    ]
}

Allow management of DynamoDB and Simple Queue Service

You will need to update this policy definition with your aws account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BplmDynamoPolicy",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:UpdateTable",
                "dynamodb:UpdateTimeToLive",
                "dynamodb:DescribeTable",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:BatchGetItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:{AWS Account ID}:table/*bplm*"
            ]
        },
        {
            "Sid": "BplmSqsPolicy",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:ReceiveMessage",
                "sqs:CreateQueue"
            ],
            "Resource": [
                "arn:aws:sqs:*:{AWS Account ID}:*bplm*"
            ]
        }
    ]
}

Allow s3 bucket tag get\set used for reporting workspace storage cost

Allow EC2 tag management for reporting workspace Nat Gateway costs

Delivered billable usage logs:

Blueprint Lakehouse Optimizer Documentation

Single AWS Account access policies for LHO

Analytics

Instance Profile IAM Role (of the LHO Application VM) with at least the following policies assigned:

Final template for IAM Role for Lakehouse Optimizer App EC2 VM

Related content