AWS Permissions

The names and descriptions of the AWS permissions needed by OtterTune for monitoring and tuning.

OtterTune needs certain AWS permissions to monitor and tune your database. We describe the permissions requested by OtterTune for both of these activities below.
AWS Permissions for Monitoring
The following table describes the read-only permissions requested by OtterTune to monitor your database.
Permission
Description
aws-portal:ViewBilling
budgets:Describe*
ce:Describe*
ce:Get*
ce:List*
Used to get cost, usage, and budget data for OtterTune's cost-savings recommendations.
cloudwatch:Describe*
cloudwatch:Get*
cloudwatch:List*
Used to collect CloudWatch metric data.
iam:SimulatePrincipalPolicy
Used to verify that OtterTune's AWS IAM role has the correct permissions for monitoring and tuning activities.
pi:DescribeDimensionKeys
pi:GetResourceMetrics
Used to collect database load metric data.
pricing:Describe*
pricing:Get*
Used to collect AWS service, product, and pricing information.
rds:Describe*
rds:List*
Used to collect information about provisioned RDS instances.
rds-db:connect
Used to connect to your RDS database when using AWS IAM Database Authentication. Note that we only grant permissions for the OtterTune user. See here for details.
AWS Permissions for Tuning
The following table shows the write permissions needed by OtterTune to tune your database and describes how they are used.
OtterTune only needs these write permissions to tune your database. To monitor your database, OtterTune only requires the read-only permissions listed above.
Permission
Description
rds:ModifyDBParameterGroup
Used to modify the AWS DB Parameter Group when optimizing a database's configuration. This permission is only enabled for resources specified by the user. See here for details.
rds:ModifyDBClusterParameterGroup
(Aurora only) Used to modify the AWS DB Cluster Parameter Group when optimizing a database's configuration. This permission is only enabled for resources specified by the user. See here for details.

Permission	Description
`aws-portal:ViewBilling` `budgets:Describe` `ce:Describe` `ce:Get` `ce:List`	Used to get cost, usage, and budget data for OtterTune's cost-savings recommendations.
`cloudwatch:Describe` `cloudwatch:Get` `cloudwatch:List*`	Used to collect CloudWatch metric data.
`iam:SimulatePrincipalPolicy`	Used to verify that OtterTune's AWS IAM role has the correct permissions for monitoring and tuning activities.
`pi:DescribeDimensionKeys` `pi:GetResourceMetrics`	Used to collect database load metric data.
`pricing:Describe` `pricing:Get`	Used to collect AWS service, product, and pricing information.
`rds:Describe` `rds:List`	Used to collect information about provisioned RDS instances.
`rds-db:connect`	Used to connect to your RDS database when using AWS IAM Database Authentication. Note that we only grant permissions for the OtterTune user. See here for details.

Permission	Description
`rds:ModifyDBParameterGroup`	Used to modify the AWS DB Parameter Group when optimizing a database's configuration. This permission is only enabled for resources specified by the user. See here for details.
`rds:ModifyDBClusterParameterGroup`	(Aurora only) Used to modify the AWS DB Cluster Parameter Group when optimizing a database's configuration. This permission is only enabled for resources specified by the user. See here for details.

Table Health

Next - Documentation

Troubleshooting

Last modified 1mo ago