AWS Permissions

The names and descriptions of the AWS permissions needed by OtterTune for monitoring and tuning.

OtterTune needs certain AWS permissions to monitor and tune your database. We describe the permissions requested by OtterTune for both of these activities below.
AWS Permissions for Monitoring
The following table describes the read-only permissions requested by OtterTune to monitor your database.
Permission
Description
budgets:Describe*
ce:Describe*
ce:Get*
ce:List*
Used to get cost, usage, and budget data for OtterTune's cost-savings recommendations.
cloudwatch:Describe*
cloudwatch:Get*
cloudwatch:List*
Used to collect CloudWatch metric data.
iam:SimulatePrincipalPolicy
Used to verify that OtterTune's AWS IAM role has the correct permissions for monitoring and tuning activities.
pi:DescribeDimensionKeys
pi:GetResourceMetrics
Used to collect database load metric data.
rds:Describe*
rds:List*
Used to collect information about provisioned RDS instances.
rds-db:connect
Used to connect to your RDS database when using AWS IAM Database Authentication. Note that we only grant permissions for the OtterTune user.
AWS Permissions for Tuning
The following table shows the write permissions needed by OtterTune to tune your database and describes how they are used.
OtterTune only needs these write permissions to tune your database. To monitor your database, OtterTune only requires the read-only permissions listed above.
Permission
Description
rds:ModifyDBParameterGroup
Used to modify the AWS DB Parameter Group when optimizing a database's configuration. This permission is only enabled for resources specified by the user. 
rds:ModifyDBClusterParameterGroup
(Aurora only) Used to modify the AWS DB Cluster Parameter Group when optimizing a database's configuration. This permission is only enabled for resources specified by the user.
Minimum Required Permissions
Concerned about giving away too much? We've got you covered. 
Below are the minimum required permissions to run OtterTune for monitoring your database. Please note, you may not receive the full benefit of OtterTune without all recommended permissions enabled. 
Permission
Description
cloudwatch:Describe*
cloudwatch:Get*
cloudwatch:List*
Used to collect CloudWatch metric data.
iam:SimulatePrincipalPolicy
Used to verify that OtterTune's AWS IAM role has the correct permissions for monitoring and tuning activities.
pi:DescribeDimensionKeys
pi:GetResourceMetrics
Used to collect database load metric data.
rds:Describe*
rds:List*
Used to collect information about provisioned RDS instances.
rds-db:connect
Used to connect to your RDS database when using AWS IAM Database Authentication. Not required when connecting your database using the Agent. Note that we only grant permissions for the OtterTune user.

Permission	Description
`budgets:Describe` `ce:Describe` `ce:Get` `ce:List`	Used to get cost, usage, and budget data for OtterTune's cost-savings recommendations.
`cloudwatch:Describe` `cloudwatch:Get` `cloudwatch:List*`	Used to collect CloudWatch metric data.
`iam:SimulatePrincipalPolicy`	Used to verify that OtterTune's AWS IAM role has the correct permissions for monitoring and tuning activities.
`pi:DescribeDimensionKeys` `pi:GetResourceMetrics`	Used to collect database load metric data.
`rds:Describe` `rds:List`	Used to collect information about provisioned RDS instances.
`rds-db:connect`	Used to connect to your RDS database when using AWS IAM Database Authentication. Note that we only grant permissions for the OtterTune user.

Permission	Description
`rds:ModifyDBParameterGroup`	Used to modify the AWS DB Parameter Group when optimizing a database's configuration. This permission is only enabled for resources specified by the user.
`rds:ModifyDBClusterParameterGroup`	(Aurora only) Used to modify the AWS DB Cluster Parameter Group when optimizing a database's configuration. This permission is only enabled for resources specified by the user.

Permission	Description
`cloudwatch:Describe` `cloudwatch:Get` `cloudwatch:List*`	Used to collect CloudWatch metric data.
`iam:SimulatePrincipalPolicy`	Used to verify that OtterTune's AWS IAM role has the correct permissions for monitoring and tuning activities.
`pi:DescribeDimensionKeys` `pi:GetResourceMetrics`	Used to collect database load metric data.
`rds:Describe` `rds:List`	Used to collect information about provisioned RDS instances.
`rds-db:connect`	Used to connect to your RDS database when using AWS IAM Database Authentication. Not required when connecting your database using the Agent. Note that we only grant permissions for the OtterTune user.

DOCUMENTATION - Previous

Slack Integration

Next - DOCUMENTATION

Release Notes

Last modified 1mo ago