AWS Permissions
The names and descriptions of the AWS permissions needed by OtterTune for monitoring and tuning.
OtterTune needs certain AWS permissions to monitor and tune your database. We describe the permissions requested by OtterTune for both of these activities below.

AWS Permissions for Monitoring

The following table describes the read-only permissions requested by OtterTune to monitor your database.
Permission
Description
budgets:Describe*
ce:Describe*
ce:Get*
ce:List*
Used to get cost, usage, and budget data for OtterTune's cost-savings recommendations.
cloudwatch:Describe*
cloudwatch:Get*
cloudwatch:List*
Used to collect CloudWatch metric data.
iam:SimulatePrincipalPolicy
Used to verify that OtterTune's AWS IAM role has the correct permissions for monitoring and tuning activities.
pi:DescribeDimensionKeys
pi:GetResourceMetrics
Used to collect database load metric data.
rds:Describe*
rds:List*
Used to collect information about provisioned RDS instances.
rds-db:connect
Used to connect to your RDS database when using AWS IAM Database Authentication. Not required when connecting your database using the Agent. Note that we only grant permissions for the OtterTune user. See here for details.

AWS Permissions for Tuning

The following table shows the write permissions needed by OtterTune to tune your database and describes how they are used.
OtterTune only needs these write permissions to tune your database. To monitor your database, OtterTune only requires the read-only permissions listed above.
Permission
Description
rds:ModifyDBParameterGroup
Used to modify the AWS DB Parameter Group when optimizing a database's configuration. This permission is only enabled for resources specified by the user. See here for details.
rds:ModifyDBClusterParameterGroup
(Aurora only) Used to modify the AWS DB Cluster Parameter Group when optimizing a database's configuration. This permission is only enabled for resources specified by the user. See here for details.

Minimum Required Permissions

Concerned about giving away too much? We've got you covered.
Below are the minimum required permissions to run OtterTune for monitoring your database. Please note, you may not receive the full benefit of OtterTune without all recommended permissions enabled.
Permission
Description
cloudwatch:Describe*
cloudwatch:Get*
cloudwatch:List*
Used to collect CloudWatch metric data.
iam:SimulatePrincipalPolicy
Used to verify that OtterTune's AWS IAM role has the correct permissions for monitoring and tuning activities.
pi:DescribeDimensionKeys
pi:GetResourceMetrics
Used to collect database load metric data.
rds:Describe*
rds:List*
Used to collect information about provisioned RDS instances.
rds-db:connect
Used to connect to your RDS database when using AWS IAM Database Authentication. Not required when connecting your database using the Agent. Note that we only grant permissions for the OtterTune user. See here for details.
Copy link
On this page
AWS Permissions for Monitoring
AWS Permissions for Tuning
Minimum Required Permissions