AWS Compute Optimizer

(1)

AWS Compute Optimizer

User Guide

(2)

AWS Compute Optimizer: User Guide

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be aﬃliated with, connected to, or sponsored by Amazon.

(3)

What is AWS Compute Optimizer?

AWS Compute Optimizer is a service that analyzes the conﬁguration and utilization metrics of your AWS resources. It reports whether your resources are optimal, and generates optimization recommendations to reduce the cost and improve the performance of your workloads. Compute Optimizer also provides graphs showing recent utilization metric history data, as well as projected utilization for recommendations, which you can use to evaluate which recommendation provides the best price-performance trade-oﬀ. The analysis and visualization of your usage patterns can help you decide when to move or resize your running resources, and still meet your performance and capacity requirements.

Compute Optimizer provides a console experience, and a set of APIs that allows you to view the findings of the analysis and recommendations for your resources across multiple AWS Regions. You can also view findings and recommendations across multiple accounts, if you opt in the management account of an organization. The findings from the service are also reported in the consoles of the supported services, such as the Amazon EC2 console.

Supported resources and requirements

Compute Optimizer generates recommendations for the following resources:

• Amazon Elastic Compute Cloud (Amazon EC2) instances

• Amazon EC2 Auto Scaling groups

• Amazon Elastic Block Store (Amazon EBS) volumes

• AWS Lambda functions

For Compute Optimizer to generate recommendations for these resources, they must meet a speciﬁc set of requirements, and must have accumulated suﬃcient metric data. For more information, see Supported resources and requirements (p. 3).

Opting in

You must opt in to have Compute Optimizer analyze your AWS resources. The service supports standalone AWS accounts, member accounts of an organization, and the management account of an organization. For more information, see Getting started with AWS Compute Optimizer (p. 5).

Analyzing metrics

After you opt in, Compute Optimizer begins analyzing the speciﬁcations and the utilization metrics of

(7)

Enhancing recommendations

After you opt in, you can enhance your recommendations by activating recommendation preferences, such as the enhanced infrastructure metrics paid feature. It extends the metrics analysis look-back period for EC2 instances, including instances in Auto Scaling groups, to three months (compared to the 14-day default). For more information, see Activating recommendation preferences (p. 25).

Viewing ﬁndings and recommendations

Optimization ﬁndings for your resources are displayed on the Compute Optimizer dashboard. For more information, see Viewing the AWS Compute Optimizer dashboard (p. 41).

The top optimization recommendations for each of your resources are listed on the recommendations page. The top 3 optimization recommendations and utilization graphs for a speciﬁc resource are listed on the resource details page. For more information, see Viewing resource recommendations (p. 47).

Export your optimization recommendations to record them over time, and share the data with others.

For more information, see Exporting recommendations (p. 73).

Availability

To view the currently supported AWS Regions and endpoints for Compute Optimizer, see Compute Optimizer Endpoints and Quotas in the AWS General Reference.

(8)

Supported resources and requirements

AWS Compute Optimizer generates recommendations for Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon EC2 Auto Scaling groups, Amazon Elastic Block Store (Amazon EBS) volumes, AWS Lambda functions that meet the following Amazon CloudWatch (CloudWatch) metric and resource- speciﬁc requirements.

Contents

• CloudWatch metric requirements (p. 3)

• Amazon EC2 instance requirements (p. 3)

• Auto Scaling group requirements (p. 4)

• Amazon EBS volume requirements (p. 4)

• Lambda function requirements (p. 4)

CloudWatch metric requirements

To generate recommendations, Compute Optimizer requires at least 30 consecutive hours of CloudWatch metric data from your resource. For more information about the metrics that are analyzed, see Metrics analyzed by AWS Compute Optimizer (p. 22). If your resources have not accumulated suﬃcient metric data, then allow more time for resource recommendations to begin appearing in the Compute Optimizer console.

NoteLambda functions don't require 30 consecutive hours of metric data. For more information about the Lambda function requirements, see Lambda function requirements (p. 4).

If your resources have accumulated suﬃcient metric data, but recommendations are not yet showing up in the Compute Optimizer console, then the service might still be performing its analysis. It could take up to 12 hours to complete the analysis, after which time resource recommendations will begin appearing in the Compute Optimizer console.

Amazon EC2 instance requirements

Compute Optimizer generates recommendations for instance types in the C, D, H, I, M, R, T, X, and z instance families, in AWS Regions where Compute Optimizer and these instance families are available.

Compute Optimizer also generates recommendations for storage optimized instances (-d), network optimized instances (-n), and Graviton2 instances (-g).

(9)

Auto Scaling group requirements

Compute Optimizer generates recommendations for Auto Scaling groups that run instance types from the supported instance families, which are listed in the Amazon EC2 instance requirements (p. 3) section of this guide.

Additionally, the Auto Scaling groups must:

• Be conﬁgured to run a single instance type (i.e., no mixed instance types)

• Have the same values for desired, minimum, and maximum capacity (i.e., an Auto Scaling group with a ﬁxed number of instances)

• Not have a scaling policy attached

• Not have overrides conﬁgured

Compute Optimizer generates recommendations for instances in Auto Scaling groups that meet all of these conﬁguration requirements.

Amazon EBS volume requirements

Compute Optimizer generates recommendations for General Purpose SSD (gp2 and gp3), and

Provisioned IOPS SSD (io1 and io2) EBS volume types that are attached to an instance. It also generates recommendations from General Purpose SSD (gp2) volumes to General Purpose SSD (gp3) volumes from the aforementioned volume types.

Data is only reported to CloudWatch when the volume is attached to an instance. Therefore, the volume must be attached to an instance for at least 30 consecutive hours to meet the 30 consecutive hour metric data requirement described earlier in this guide.

Lambda function requirements

Compute Optimizer generates memory size recommendations only for Lambda functions that have configured memory less than or equal to 1,792 MB, and that have been invoked at least 50 times in the last 14 days. Functions that don't match these requirements are given a finding of Unavailable, with a reason code of Inconclusive for functions that have configured memory greater than 1,792 MB, and Insufficient data for functions that have been invoked less than 50 times in the last 14 days.

Functions with a ﬁnding of Unavailable are not listed in the Compute Optimizer console, and Compute Optimizer does not generate recommendations for them.

(10)

Getting started with AWS Compute Optimizer

When you access the AWS Compute Optimizer console for the ﬁrst time, you are asked to opt in, using the account that you’re signed in with, before you can use the service. You can also opt in, and opt out using the Compute Optimizer API, AWS Command Line Interface (AWS CLI), or SDKs.

By opting in, you are authorizing Compute Optimizer to analyze the speciﬁcations and utilization metrics of your AWS resources, such as EC2 instances and Auto Scaling groups.

Accounts supported by Compute Optimizer

The following AWS account types can opt in to Compute Optimizer:

• Standalone AWS account - A standalone AWS account that does not have AWS Organizations enabled.

If you opt in to Compute Optimizer while signed in to a standalone account, the service analyzes resources that are in the account, and generates optimization recommendations for those resources.

• Member account of an organization - An AWS account that is a member of an organization. If you opt in to Compute Optimizer while signed in to a member account of an organization, the service analyzes resources that are in the member account only, and generates optimization recommendations for those resources.

• Management account of an organization - An AWS account that administers an organization. If you opt in to Compute Optimizer while signed in to a management account of an organization, the service gives you the option to opt in only the management account, or the management account and all member accounts of the organization.

Important

To successfully opt in all member accounts of an organization, the organization must have all features enabled. For more information, see Enabling All Features in Your Organization in the AWS Organizations User Guide.

Trusted access for Compute Optimizer is automatically enabled in your organization account when you opt in using your organization's management account and include all member accounts within the organization. For more information, see Compute Optimizer and AWS Organizations trusted access (p. 8).

Required permissions

You must have the appropriate permissions to opt in to Compute Optimizer, to view its

recommendations, and to opt out. For more information, see Controlling access with AWS Identity and

(11)

Opting in your account

Use the following procedure to opt in your account using the Compute Optimizer console or the AWS CLI.

NoteIf your account is already opted in but you want to opt in again to re-enable trusted access for Compute Optimizer in your organization, then you must use the AWS CLI to opt in. Specify the --include-member-accounts parameter when opting in with the update-enrollment- status command. You can also enable trusted access using the AWS Organizations console, its AWS CLI, or API. For more information, see Using AWS Organizations with other AWS services in the AWS Organizations User Guide.

Console

1. Open the Compute Optimizer console at https://console.aws.amazon.com/compute-optimizer/.

If this is your ﬁrst time using the Compute Optimizer console, the Compute Optimizer landing page is displayed.

2. Choose Get started.

3. On the Account setup page, review the Getting started and Setting up your account sections.

4. The following options are displayed if the account that you're signed in to is a management account of an organization. Choose one before continuing to the next step.

• Only this account - Choose this option to opt in only the account that you’re currently signed in to. If you choose this option, Compute Optimizer analyzes resources that are in the individual account, and generates optimization recommendations for those resources.

• All accounts within this organization - Choose this option to opt in the account you’re currently signed in to, and all of its member accounts. If you choose this option, Compute Optimizer analyzes resources that are in all accounts in the organization, and generates optimization recommendations for those resources.

5. Choose Opt in. By opting in, you indicate that you agree to and understand the requirements to opt in to Compute Optimizer.

After you opt in, you are redirected to the dashboard in the Compute Optimizer console, and the service begins analyzing the conﬁguration and utilization metrics of your AWS resources. For more information, see Metrics analyzed by AWS Compute Optimizer (p. 22).

CLI

1. Open a Terminal or Command Prompt window.

If you haven't already, install the AWS CLI and conﬁgure it to work with Compute Optimizer. For more information, see Installing the AWS CLI and Quickly Conﬁguring the AWS CLI in the AWS Command Line Interface User Guide.

2. Enter one of the following commands depending on whether you want to opt in your individual account or the management account of an organization and all its member accounts.

• To opt in your individual account:

aws compute-optimizer update-enrollment-status --status Active

• To opt in the management account of an organization and include all member accounts within the organization:

(12)

aws compute-optimizer update-enrollment-status --status Active --include-member- accounts

After you opt in to Compute Optimizer using the previous command, the service begins analyzing the conﬁguration and utilization metrics of your AWS resources. For more information, see Metrics analyzed by AWS Compute Optimizer (p. 22).

NoteTo improve the recommendation quality of Compute Optimizer, AWS may use your CloudWatch metrics and conﬁguration data. This includes up to three months (93 days) of metrics analysis when you activate the enhanced infrastructure metrics feature. Contact AWS Support to request that AWS stop using your CloudWatch metrics and conﬁguration data to improve the recommendation quality of Compute Optimizer.

Consider the following after opting in:

• After you opt in, ﬁndings and optimization recommendations can take up to 12 hours to be generated.

Suﬃcient metric data must also be accumulated. For more information, see CloudWatch metric requirements (p. 3).

• Findings and recommendations are displayed in the dashboard and recommendation pages of the Compute Optimizer console. For more information, see Viewing the AWS Compute Optimizer dashboard (p. 41) and Viewing resource recommendations (p. 47).

• Activate recommendation preferences, such as the enhanced infrastructure metrics paid feature. It extends the metrics analysis look-back period for EC2 instances, including instances in Auto Scaling groups, up to three months (compared to the 14-day default). For more information, see Activating recommendation preferences (p. 25).

Opting out your account

Use the following procedure to opt out your account from Compute Optimizer using the AWS CLI, and delete your account's recommendations and related metrics data from Compute Optimizer. For more information, see update-enrollment-status in the AWS CLI Command Reference. You cannot opt out using the Compute Optimizer console.

To opt out an account

1. Open a Terminal or Command Prompt window.

If you haven't already, install the AWS CLI and conﬁgure it to work with Compute Optimizer. For more information, see Installing the AWS CLI and Quickly Conﬁguring the AWS CLI in the AWS Command Line Interface User Guide.

2. Enter the following command.

aws compute-optimizer update-enrollment-status --status Inactive

Note

(13)

Your account is opted out of Compute Optimizer after running the previous command, and your account's recommendations and related metrics data will be deleted from Compute Optimizer. If you access the Compute Optimizer console, you should see the option to opt in again.

Controlling access with AWS Identity and Access Management

You can use AWS Identity and Access Management (IAM) to create identities (users, groups, or roles), and then give those identities permissions to access the AWS Compute Optimizer console and APIs.

By default, IAM users do not have access to the Compute Optimizer console and APIs. You give users access by attaching IAM policies to a single user, a group of users, or a role. For more information, see Identities (Users, Groups, and Roles) and Overview of IAM Policies in the IAM User Guide.

After you create IAM users, you can give those users individual passwords. Then, they can sign in to your account and view Compute Optimizer information by using an account-speciﬁc sign-in page. For more information, see How Users Sign In to Your Account.

Important

To view recommendations for EC2 instances, an IAM user must have ec2:DescribeInstances permission. To view recommendations for EBS volumes, an IAM user must have

ec2:DescribeVolumes permission. To view recommendations for Auto Scaling groups, an IAM user must have autoscaling:DescribeAutoScalingGroups and autoscaling:DescribeAutoScalingInstances permission. To view

recommendations for Lambda functions, an IAM user must have lambda:ListFunctions and lambda:ListProvisionedConcurrencyConfigs permission. To view current CloudWatch metrics data in the Compute Optimizer console, an IAM user must have cloudwatch:GetMetricData permissions.

If the user or group that you want to give permissions to already has a policy, you can add one of the Compute Optimizer-speciﬁc policy statements illustrated here to that policy.

Compute Optimizer and AWS Organizations trusted access

Trusted access for Compute Optimizer is automatically enabled in your organization account when you opt in using your organization's management account and include all member accounts within the organization. This allows Compute Optimizer to analyze compute resources in those member accounts, and generate recommendations for them.

Compute Optimizer veriﬁes that trusted access is enabled in your organization account every time you access recommendations for member accounts. If you disable Compute Optimizer trusted access after you opt in, Compute Optimizer will deny access to recommendations for your organization's member accounts, and the member accounts within the organization will not be opted in to Compute Optimizer.

To re-enable trusted access, opt in to Compute Optimizer again using your organization's management account and include all member accounts within the organization. For more information, see Opting in your account (p. 6). For more information about AWS Organizations trusted access, see Using AWS Organizations with other AWS services in the AWS Organizations User Guide.

Policy to opt in to Compute Optimizer

The following policy statement grants access to opt in to Compute Optimizer. It grants access to create a service-linked role for Compute Optimizer, which is required to opt in. For more information, see Using Service-Linked Roles for AWS Compute Optimizer (p. 12). It also grants access to update the enrollment status to the Compute Optimizer service.

(14)

{ "Version": "2012-10-17", "Statement": [

{

"Effect": "Allow",

"Action": "iam:CreateServiceLinkedRole",

"Resource": "arn:aws:iam::*:role/aws-service-role/compute- optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",

"Condition": {"StringLike": {"iam:AWSServiceName": "compute- optimizer.amazonaws.com"}}

}, {

"Effect": "Allow",

"Action": "iam:PutRolePolicy",

"Resource": "arn:aws:iam::*:role/aws-service-role/compute- optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"

}, {

"Effect": "Allow",

"Action": "compute-optimizer:UpdateEnrollmentStatus", "Resource": "*"

} ] }

Policies to grant access to Compute Optimizer for standalone AWS accounts

The following policy statement grants full access to Compute Optimizer for standalone AWS accounts.

For the policy statements to manage recommendation preferences, see Policies to grant access to manage Compute Optimizer recommendation preferences (p. 11).

{

"Effect": "Allow", "Action": [

"compute-optimizer:*", "ec2:DescribeInstances", "ec2:DescribeVolumes",

"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "lambda:ListFunctions",

"lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData"

],

"Resource": "*"

} ] }

The following policy statement grants read-only access to Compute Optimizer for standalone AWS accounts.

(15)

"Action": [

"compute-optimizer:GetEnrollmentStatus",

"compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences",

"compute-optimizer:GetRecommendationSummaries", "compute-optimizer:GetEC2InstanceRecommendations",

"compute-optimizer:GetEC2RecommendationProjectedMetrics", "compute-optimizer:GetAutoScalingGroupRecommendations", "compute-optimizer:GetEBSVolumeRecommendations", "compute-optimizer:GetLambdaFunctionRecommendations", "compute-optimizer:DescribeRecommendationExportJobs", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences",

"ec2:DescribeInstances", "ec2:DescribeVolumes",

"lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData"

],

"Resource": "*"

} ] }

Policies to grant access to Compute Optimizer for a management account of an organization

The following policy statement grants full access to Compute Optimizer for a management account of an organization.For the policy statements to manage recommendation preferences, see Policies to grant access to manage Compute Optimizer recommendation preferences (p. 11).

{

"Version": "2012-10-17", "Statement": [

{

"compute-optimizer:*", "ec2:DescribeInstances", "ec2:DescribeVolumes",

"lambda:ListProvisionedConcurrencyConfigs", "cloudwatch:GetMetricData",

"organizations:ListAccounts",

"organizations:DescribeOrganization", "organizations:DescribeAccount", "organizations:EnableAWSServiceAccess", ],

"Resource": "*"

} ] }

The following policy statement grants read-only access to Compute Optimizer for a management account of an organization.

{

(16)

{

"compute-optimizer:GetEnrollmentStatusesForOrganization", "compute-optimizer:GetRecommendationSummaries",

"compute-optimizer:GetEC2InstanceRecommendations",

"compute-optimizer:GetEC2RecommendationProjectedMetrics", "compute-optimizer:GetAutoScalingGroupRecommendations", "compute-optimizer:GetEBSVolumeRecommendations", "compute-optimizer:GetLambdaFunctionRecommendations", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences",

"ec2:DescribeInstances", "ec2:DescribeVolumes",

"organizations:DescribeOrganization", "organizations:DescribeAccount"

],

"Resource": "*"

} ] }

Policies to grant access to manage Compute Optimizer recommendation preferences

The following policy statements grant access to view and edit recommendation preferences, such as the enhanced infrastructure metrics paid feature. For more information, see Activating recommendation preferences (p. 25).

Grant access to manage recommendation preferences for EC2 instances only

{

"compute-optimizer:DeleteRecommendationPreferences", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences",

"compute-optimizer:PutRecommendationPreferences"

],

"Resource": "*", "Condition" : { "StringEquals" : {

"compute-optimizer:ResourceType" : "Ec2Instance"

}

(17)

Grant access to manage recommendation preferences for Auto Scaling groups only

{

"compute-optimizer:DeleteRecommendationPreferences", "compute-optimizer:GetEffectiveRecommendationPreferences", "compute-optimizer:GetRecommendationPreferences",

"compute-optimizer:PutRecommendationPreferences"

],

"Resource": "*", "Condition" : { "StringEquals" : {

"compute-optimizer:ResourceType" : "AutoScalingGroup"

}

} }

] }

Policy to deny access to Compute Optimizer

The following policy statement denies access to Compute Optimizer.

{

"Effect": "Deny",

"Action": "compute-optimizer:*", "Resource": "*"

} ] }

Using Service-Linked Roles for AWS Compute Optimizer

AWS Compute Optimizer uses AWS Identity and Access Management (IAM) service-linked roles. A service- linked role is a unique type of IAM role that is linked directly to Compute Optimizer. Service-linked roles are predeﬁned by Compute Optimizer and include all of the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up Compute Optimizer easier because you don’t have to manually add the necessary permissions. Compute Optimizer defines the permissions of its service-linked roles, and unless defined otherwise, only Compute Optimizer can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see AWS Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

(18)

Service-Linked Role permissions for Compute Optimizer

Compute Optimizer uses the service-linked role named AWSServiceRoleForComputeOptimizer – Role to access Amazon CloudWatch metrics for AWS resources in the account.

The AWSServiceRoleForComputeOptimizer service-linked role trusts the following services to assume the role:

• compute-optimizer.amazonaws.com

The role permissions policy allows Compute Optimizer to complete the following actions on the speciﬁed resources:

• Action: cloudwatch:GetMetricData on all AWS resources.

• Action: organizations:DescribeOrganization on all AWS resources.

• Action: organizations:ListAccounts on all AWS resources.

• Action: organizations:ListAWSServiceAccessForOrganization on all AWS resources.

Service-Linked Role permissions

You must conﬁgure permissions to allow an IAM entity (such as a user, group, or role) to create a service- linked role for Compute Optimizer. For more information, see Service-Linked Role Permissions in the IAM User Guide.

To allow an IAM entity to create a speciﬁc service-linked role for Compute Optimizer Add the following policy to the IAM entity that needs to create the service-linked role.

{

"Effect": "Allow",

"Resource": "arn:aws:iam::*:role/aws-service-role/compute- optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",

"Condition": {"StringLike": {"iam:AWSServiceName": "compute- optimizer.amazonaws.com"}}

}, {

"Effect": "Allow",

"Action": "iam:PutRolePolicy",

"Resource": "arn:aws:iam::*:role/aws-service-role/compute- optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"

}, {

"Effect": "Allow",

"Action": "compute-optimizer:UpdateEnrollmentStatus", "Resource": "*"

}

(19)

Add the following statement to the permissions policy for the IAM entity that needs to create a service- linked role, or any service role that includes the needed policies. This policy attaches a policy to the role.

{

"Effect": "Allow",

"Resource": "arn:aws:iam::*:role/aws-service-role/*"

}

Creating a Service-Linked Role for Compute Optimizer

You don't need to manually create a service-linked role. When you opt in to the Compute Optimizer service in the AWS Management Console, the AWS CLI, or the AWS API, Compute Optimizer creates the service-linked role for you.

Important

This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. For more information, see A New Role Appeared in My IAM Account.

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you opt in to the Compute Optimizer service, Compute Optimizer creates the service-linked role for you again.

Editing a Service-Linked Role for Compute Optimizer

Compute Optimizer does not allow you to edit the AWSServiceRoleForComputeOptimizer service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.

Deleting a Service-Linked Role for Compute Optimizer

We recommend that you delete the AWSServiceRoleForComputeOptimizer service-linked role if you no longer need to use Compute Optimizer. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must opt out of Compute Optimizer before you can manually delete the service-linked role.

To opt out of Compute Optimizer

For information about opting out of Compute Optimizer, see Opting out your account (p. 7).

To manually delete the service-linked role using IAM

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForComputeOptimizer service-linked role. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

Supported Regions for Compute Optimizer Service- Linked Roles

Compute Optimizer supports using service-linked roles in all of the Regions where the service is available. To view the currently supported AWS Regions and endpoints for Compute Optimizer, see Compute Optimizer Endpoints and Quotas in the AWS General Reference.

(20)

AWS managed policies for AWS Compute Optimizer

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies.

These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update aﬀects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources.

When a service launches a new feature, AWS adds read-only permissions for new operations and

resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy:

ComputeOptimizerServiceRolePolicy

You can't attach ComputeOptimizerServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Compute Optimizer to perform actions on your behalf. For more information, see Using Service-Linked Roles for AWS Compute Optimizer (p. 12).

Permissions details

This policy includes the following permissions.

• compute-optimizer – Grants full administrative permissions to all resources in Compute Optimizer.

• organizations – Allows the management account of an AWS organization to opt in member accounts of the organization to Compute Optimizer.

• cloudwatch – Grants access to CloudWatch resource metrics for the purpose of analyzing them and generating Compute Optimizer resource recommendations.

• autoscaling – Grants access to Auto Scaling groups and the instances in Auto Scaling groups for validation purposes.

{ "Sid": "ComputeOptimizerFullAccess", "Effect": "Allow",

"Action": [

(21)

"Sid": "AwsOrgsAccess", "Effect": "Allow", "Action": [

"organizations:DescribeOrganization", "organizations:ListAccounts",

"organizations:ListAWSServiceAccessForOrganization"

],

"Resource": [ "*"

] },

{ "Sid": "CloudWatchAccess", "Effect": "Allow",

"Action": [

"cloudwatch:GetMetricData"

],

"Resource": "*"

},

{ "Sid": "AutoScalingAccess", "Effect": "Allow",

"Action": [

"autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeAutoScalingGroups"

],

"Resource": "*"

} ] }

AWS managed policy:

ComputeOptimizerReadOnlyAccess

You can attach the ComputeOptimizerReadOnlyAccess policy to your IAM identities.

This policy grants read-only permissions that allow users to view Compute Optimizer resource recommendations.

Permissions details

This policy includes the following permissions.

• compute-optimizer – Grants read-only access to Compute Optimizer resource recommendations.

• ec2 – Grants read-only access to Amazon EC2 instances and Amazon EBS volumes.

• autoscaling – Grants read-only access to Auto Scaling groups.

• lambda – Grants read-only access to AWS Lambda functions and their conﬁgurations.

• cloudwatch – Grants read-only access to Amazon CloudWatch metric data for resource types supported by Compute Optimizer.

• organizations – Grants read-only access to member accounts of an AWS organization.

{ "Effect": "Allow", "Action": [

"compute-optimizer:DescribeRecommendationExportJobs",

(22)

"compute-optimizer:GetEnrollmentStatusesForOrganization", "compute-optimizer:GetRecommendationSummaries",

"compute-optimizer:GetEC2InstanceRecommendations", "compute-optimizer:GetEC2RecommendationProjectedMetrics", "compute-optimizer:GetAutoScalingGroupRecommendations", "compute-optimizer:GetEBSVolumeRecommendations", "compute-optimizer:GetLambdaFunctionRecommendations", "compute-optimizer:GetRecommendationPreferences",

"compute-optimizer:GetEffectiveRecommendationPreferences", "ec2:DescribeInstances",

"ec2:DescribeVolumes",

"organizations:DescribeOrganization", "organizations:DescribeAccount"

],

"Resource": "*"

} ] }

Compute Optimizer updates to AWS managed policies

View details about updates to AWS managed policies for Compute Optimizer since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed for this guide.

Change Description Date

Edit to the

ComputeOptimizerServiceRolePolicy managed policies

Added the

autoscaling:DescribeAutoScalingInstances and

autoscaling:DescribeAutoScalingGroups actions to the

ComputeOptimizerServiceRolePolicy managed policy.

November 29, 2021

Edit to the

ComputeOptimizerReadOnlyAccess managed policies

Added the compute-

optimizer:GetRecommendationPreferences, compute-

optimizer:GetEffectiveRecommendationPreferences, and

autoscaling:DescribeAutoScalingInstances actions to the

ComputeOptimizerReadOnlyAccess managed policy.

November 29, 2021

Edit to the Added the August 26, 2021

(23)

Change Description Date Compute Optimizer started

tracking changes Compute Optimizer started tracking changes for its AWS managed policies.

May 18, 2021

Amazon S3 bucket policy for AWS Compute Optimizer

You can export your Compute Optimizer recommendations in a comma-separated values (.csv) ﬁle, and its metadata in a JavaScript Object Notation (.json) ﬁle, to an Amazon Simple Storage Service (Amazon S3) bucket. For more information, see Exporting recommendations (p. 73).

You must create the destination S3 bucket for your recommendations export before you create the export job. Compute Optimizer does not create the S3 bucket for you. The S3 bucket that you specify for your recommendations export ﬁles cannot be publicly accessible, and cannot be conﬁgured as a Requester Pays bucket.

As a best practice, create a dedicated S3 bucket for Compute Optimizer export ﬁles. For more

information, see How Do I Create an S3 Bucket? in the Amazon S3 Console User Guide. After you create the S3 bucket, ensure that it has the required permission policy to allow Compute Optimizer to write the export ﬁles to it. For more information, see Specifying an existing bucket for your recommendations export (p. 19).

Using encrypted S3 buckets for your recommendations export

For the destination of your Compute Optimizer recommendations exports, you can specify S3 buckets that are encrypted with either Amazon S3-Managed Keys (SSE-S3) or Customer Master Keys (CMKs) stored in the AWS Key Management Service (AWS KMS).

You must create a symmetric CMK to use an S3 bucket with AWS KMS encryption enabled. Symmetric CMKs are the only CMKs supported by Amazon S3. For more information, see Creating keys in the AWS KMS Developer Guide. After you create the CMK, you must apply it to the S3 bucket that you plan to use for your recommendations export. For more information, see Enabling Amazon S3 default bucket encryption in the Amazon Simple Storage Service User Guide.

Use the following procedure to grant Compute Optimizer the required permission to use your CMK to encrypt your recommendations export ﬁle when saving it to your encrypted S3 bucket.

1. Open the AWS KMS console at https://console.aws.amazon.com/kms.

2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

3. In the left navigation menu, choose Customer Managed Keys.

4. Choose the name of the CMK that you chose to encrypt the export S3 bucket.

5. Choose the Key policy tab, then choose Switch to policy view.

6. Choose Edit to edit the key policy.

7. Copy and paste one of the following policies into the statements section of the key policy. Replace the placeholders in italics with the source AWS Region, and the account number of the requester of the export job.

The statement (for the GenerateDataKey action) allows Compute Optimizer to call the AWS KMS API to obtain the data key for encrypting the recommendation ﬁles. In this way, the uploaded data

(24)

format can accommodate the bucket encryption setting. Otherwise, Amazon S3 will reject the export request.

NoteIf the existing CMK already has one or more policies attached, add the statements for Compute Optimizer access to those policies. Evaluate the resulting set of permissions to be sure that they are appropriate for the users who will access the CMK.

• Use the following policy if you have not enabled Amazon S3 Bucket Keys.

{

"Sid": "Allow use of the key to Compute Optimizer", "Effect": "Allow",

"Principal": {

"Service": "compute-optimizer.amazonaws.com"

},

"Action": "kms:GenerateDataKey", "Resource": "*",

"Condition": { "StringEquals": {

"aws:SourceAccount": "myAccountID", "aws:SourceArn": "arn:aws:compute- optimizer:myRegion:myAccountID:*"

} } }

• Use the following policy if you have enabled Amazon S3 Bucket Keys. For more information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys in the Amazon Simple Storage Service User Guide.

{

"Sid": "Allow use of the key to Compute Optimizer", "Effect": "Allow",

"Principal": {

"Service": "compute-optimizer.amazonaws.com"

},

"Action": [

"kms:GenerateDataKey", "kms:Decrypt"

],

"Resource": "*", "Condition": { "StringEquals": {

"aws:SourceAccount": "myAccountID", "aws:SourceArn": "arn:aws:compute- optimizer:myRegion:myAccountID:*"

} } }

Specifying an existing bucket for your recommendations export

Use the following procedure to add a policy to your S3 bucket that allows Compute Optimizer to write

(25)

3. Choose Permissions.

4. Choose Bucket Policy.

5. Copy the following policy, and paste it into the Bucket Policy Editor text box.

Replace the placeholders in italics with the name of your bucket, the optional object prefix, the source AWS Region, and the account number of the requester of the export job. If you plan to specify an object prefix when you create your recommendations export, include it in the policy. The object prefix is an optional addition to the S3 object key that organizes your export files in your S3 bucket.

You must copy and paste this policy to include all three statements. The ﬁrst statement (for the GetBucketAcl action) allows Compute Optimizer to get the access control list (ACL) of your bucket.

The second statement (for the GetBucketPolicyStatus action) allows Compute Optimizer to get the policy status of your bucket, indicating whether the bucket is public. The third statement (for the PutObject action) gives Compute Optimizer full control to put the export ﬁle in your bucket.

Your export request will fail if any of these statements is missing, or if the bucket name and optional object preﬁx in the policy don't match what you specify in your export request, or if the account number in the policy doesn't match the account number of the requester of the export job.

NoteIf the existing bucket already has one or more policies attached, add the statements for Compute Optimizer access to that policy or policies. Evaluate the resulting set of permissions to be sure that they are appropriate for the users who will access the bucket.

{

"Effect": "Allow",

"Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:GetBucketAcl",

"Resource": "arn:aws:s3:::myBucketName"

}, {

"Effect": "Allow",

"Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:GetBucketPolicyStatus",

}, {

"Effect": "Allow",

"Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:PutObject",

"Resource": "arn:aws:s3:::myBucketName/[optional prefix]/compute- optimizer/myAccountID/*",

"Condition": {"StringEquals": {

"s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceAccount": "myAccountID",

"aws:SourceArn": "arn:aws:compute-optimizer:myRegion:myAccountID:*"

} } } ] }

If you don't want to specify an object preﬁx, use the following policy instead.

{

(26)

"Effect": "Allow",

"Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:GetBucketAcl",

}, {

"Effect": "Allow",

"Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:GetBucketPolicyStatus",

}, {

"Effect": "Allow",

"Principal": {"Service": "compute-optimizer.amazonaws.com"}, "Action": "s3:PutObject",

"Resource": "arn:aws:s3:::myBucketName/compute-optimizer/myAccountID/*", "Condition": {"StringEquals": {

"s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceAccount": "myAccountID",

"aws:SourceArn": "arn:aws:compute-optimizer:myRegion:myAccountID:*"

} } } ] }

Additional resources

For more information about S3 buckets and policies, see the Amazon Simple Storage Service User Guide.

(27)

Metrics analyzed by AWS Compute Optimizer

After you opt in (p. 5), AWS Compute Optimizer begins analyzing the speciﬁcations (vCPUs, memory, storage, and so on) and the CloudWatch metrics of your running resources from a period of the last 14 days or longer if you activate the enhanced infrastructure metrics recommendation preference (p. 25).

Compute Optimizer requires at least 30 consecutive hours of metrics data from your resource to generate recommendations. After the analysis is complete, which can take up to 12 hours, Compute Optimizer presents its ﬁndings on the dashboard page. For more information, see Viewing the AWS Compute Optimizer dashboard (p. 41).

Contents

• EC2 instance metrics (p. 22)

• EBS volume metrics (p. 23)

• Lambda function metrics (p. 24)

EC2 instance metrics

Compute Optimizer analyzes the following CloudWatch metrics of your EC2 instances, including instances that are part of Auto Scaling groups.

Metric Description

CPUutilization The percentage of allocated EC2 compute units that are in use on the instance. This metric identiﬁes the processing power required to run an application on an instance.

Memory utilization The amount of memory that has been used in some way during the sample period. This metric identiﬁes the memory required to run an application on an instance.

Memory utilization is analyzed only for resources that have the uniﬁed CloudWatch agent installed on them. For more

information, see Enabling memory utilization with the CloudWatch Agent (p. 23).

NetworkIn The number of bytes received on all network interfaces by the instance. This metric identiﬁes the volume of incoming network traﬃc to an instance.

NetworkOut The number of bytes sent out on all network interfaces by the instance. This metric identiﬁes the volume of outgoing network traﬃc from an instance.

NetworkPacketsIn The number of packets received by the instance.

NetworkPacketsOut The number of packets sent out by the instance.

DiskReadOps The read operations per second of the instance store volume of the instance.

(28)

DiskWriteOps The write operations per second of the instance store volume of the instance.

DiskReadBytes The read bytes per second of the instance store volume of the instance.

DiskWriteBytes The write bytes per second of the instance store volume of the instance.

VolumeReadBytes The read bytes per second of EBS volumes attached to the instance.

Displayed as KiB/seconds in the console.

VolumeWriteBytes The write bytes per second of EBS volumes attached to the instance. Displayed as KiB/seconds in the console.

VolumeReadOps The read operations per second of EBS volumes attached to the instance.

VolumeWriteOps The write operations per second of EBS volumes attached to the instance.

For more information about instance metrics, see List the available CloudWatch metrics for your instances in the Amazon Elastic Compute Cloud User Guide. For more information about EBS volume metrics, see Amazon CloudWatch metrics for Amazon EBS in the Amazon Elastic Compute Cloud User Guide.

Enabling memory utilization with the CloudWatch Agent

Install the CloudWatch agent on your instances to have Compute Optimizer analyze the memory utilization of your instances. Enabling Compute Optimizer to analyze memory utilization data for your instances provides an additional measurement of data that further improves the recommendations provided by the service. For more information about installing the CloudWatch agent, see Collecting Metrics and Logs from Amazon EC2 Instances and On-Premises Servers with the CloudWatch Agent in the Amazon CloudWatch User Guide.

On Linux instances, Compute Optimizer analyses the mem_used_percent metric in the CWAgent namespace, or the legacy MemoryUtilization metric in the System/Linux namespace. On Windows instances, Compute Optimizer analyses the Memory % Committed Bytes In Use metric in the CWAgent namespace. Additionally, the namespace must contain the InstanceId dimension. Compute Optimizer will not be able to collect memory utilization data for your instance if the InstanceId dimension is missing, or if you overwrite it with your own custom dimension name. Namespaces and dimensions are defined in the CloudWatch Agent configuration file. For more information, see Create the CloudWatch Agent Configuration File in the Amazon CloudWatch User Guide.

EBS volume metrics

Compute Optimizer analyzes the following CloudWatch metrics of your EBS volumes.

(29)

VolumeWriteBytes The write bytes per second of the EBS volume.

VolumeReadOps The read operations per second of the EBS volume.

VolumeWriteOps The write operations per second of the EBS volume.

For more information about these metrics, see Amazon CloudWatch metrics for Amazon EBS in the Amazon Elastic Compute Cloud User Guide.

Lambda function metrics

Compute Optimizer analyzes the following CloudWatch metrics of your Lambda functions.

Invocations The number of times your function code is executed, including successful executions and executions that result in a function error.

Duration The amount of time that your function code spends processing an event.

Errors The number of invocations that result in a function error. Function errors include exceptions thrown by your code and exceptions thrown by the Lambda runtime. The runtime returns errors for issues such as timeouts and conﬁguration errors.

Throttles The number of invocation requests that are throttled.

For more information about these metrics, see Working with AWS Lambda function metrics in the AWS Lambda Developer Guide.

In addition to these metrics, Compute Optimizer analyzes the memory utilization of your function during the look-back period. For more information about memory utilization for Lambda functions, see Understanding AWS Lambda behavior using Amazon CloudWatch Logs Insights in the AWS Management

& Governance Blog and Using Lambda Insights in CloudWatch in the AWS Lambda Developer Guide.

(30)

Activating recommendation preferences

Recommendation preferences are features that you can activate to enhance or augment the

recommendations that Compute Optimizer generates for your resources. Following are the features that are currently available as recommendation preferences in Compute Optimizer.

• Enhanced infrastructure metrics - Extends the utilization metrics analysis look-back period up to three months (93 days) for Amazon EC2 instances, including instances that are part of Auto Scaling groups. Enhanced infrastructure metrics is a paid feature. For more information, see Enhanced infrastructure metrics (p. 25).

• Inferred workload type - Infers the applications that might be running on your AWS resources, such as EC2 instances and Auto Scaling groups. This helps with identifying the eﬀort to migrate your workloads from x86-based instance types to Arm-based AWS Graviton instance types. For more information, see Inferred workload type (p. 34).

• AWS Graviton-based instance recommendations - Gives you the price and performance impact of running your workload on AWS Graviton-based instances. For more information, see AWS Graviton- based instance recommendations (p. 36).

Enhanced infrastructure metrics

Enhanced infrastructure metrics is a paid feature of Compute Optimizer that applies to Amazon EC2 instances, including instances that are part of Auto Scaling groups. It's a recommendation preference that extends the utilization metrics analysis look-back period up to three months (93 days), compared to the 14-day default. This allows Compute Optimizer to analyze a longer history of utilization metrics data. Enhanced infrastructure metrics is inactive by default and must be activated manually. For more information about pricing for this feature, see Compute Optimizer pricing.

Contents

• Required permissions (p. 25)

• Activating enhanced infrastructure metrics (p. 25)

• Conﬁrming the status of enhanced infrastructure metrics (p. 33)

• Troubleshooting enhanced infrastructure metrics (p. 33)

Required permissions

You must have the appropriate permissions to activate and deactivate enhanced infrastructure metrics.

For more information, see Policies to grant access to manage Compute Optimizer recommendation preferences (p. 11).

Activating enhanced infrastructure metrics

You can activate enhanced infrastructure metrics using the Compute Optimizer console, AWS Command

(31)

Instance details page for an individual EC2 instance provides the option to activate the enhanced infrastructure metrics feature only for that EC2 instance. For more information, see Activating enhanced infrastructure metrics at the resource level (p. 26) later in this guide.

NoteResource-level preferences override account-level preferences, and account-level preferences override organization-level preferences. For an EC2 instance that is part of an Auto Scaling group, the Auto Scaling group recommendation preference overrides that of the individual instance.

• Account-level recommendation preferences - In the Account page for an individual account, you can activate the enhanced infrastructure metrics feature for all EC2 instances in the account that meet your resource type and AWS Region criteria. EC2 instance preferences at the account level apply to standalone instances and instances that are part of Auto Scaling groups. For more information, see Activating enhanced infrastructure metrics at the account level (p. 28) later in this guide.

• Organization-level recommendation preferences - In the Account page for the management account of an organization, you can activate the enhanced infrastructure metrics feature for all resources in all member accounts of the organization that meet your resource type and AWS Region criteria. EC2 instance preferences at the organization level apply to standalone instances and instances that are part of Auto Scaling groups in all member accounts. For more information, see Activating enhanced infrastructure metrics at the organization level (p. 30) later in this guide.

After you activate the enhanced infrastructure metrics feature, Compute Optimizer will apply the preference the next time recommendations are refreshed, which can take up to 24 hours. To conﬁrm if your resource recommendations are taking enhanced infrastructure metrics into consideration, see Conﬁrming the status of enhanced infrastructure metrics (p. 33).

NoteTo improve the recommendation quality of Compute Optimizer, AWS may use your CloudWatch metrics and conﬁguration data. This includes up to three months (93 days) of metrics analysis when you activate the enhanced infrastructure metrics feature. Contact AWS Support to request that AWS stop using your CloudWatch metrics and conﬁguration data to improve the recommendation quality of Compute Optimizer.

Activating enhanced infrastructure metrics at the resource level

Use the following procedure to activate or deactivate enhanced infrastructure metrics at the resource level. Recommendation preferences activated at the resource level apply only to the individual resource.

2. On the Dashboard page of the Compute Optimizer console, complete one of the following steps depending on the resource type for which you want to activate or deactivate enhanced infrastructure metrics.

• Choose View recommendations for EC2 instances if you want to activate the feature for an individual Amazon EC2 instance.

• Choose View recommendations for Auto Scaling groups if you want to activate the feature for an individual Auto Scaling group.

NoteFor an EC2 instance that is part of an Auto Scaling group, the Auto Scaling group recommendation preference overrides that of the individual instance.

3. In the Resource recommendations page that appears, either for Amazon EC2 instances or for Auto Scaling groups, choose the resource for which you want to activate or deactivate enhanced infrastructure metrics.

4. In the Resource details page that appears, choose Edit in the Recommendation preferences section of the page.

(32)

Enhanced infrastructure metrics is checked if the feature is currently activated for the resource that you're viewing. The option is unchecked if it is not currently activated.

5. Select the enhanced infrastructure metrics feature to activate it, or clear it to deactivate it.

6. Choose Save to save the updated recommendation preference for the individual resource.

NoteSaving the preference initiates metering for enhanced infrastructure metrics for the individual resource. For more information about pricing for this feature, see Compute Optimizer pricing.

Compute Optimizer will consider updated preferences the next time it generates recommendations. Until then, a pending status is affixed to your updated preference (for example, Active-pending or Inactive- pending). To confirm if your resource recommendations are taking enhanced infrastructure metrics into consideration, see Confirming the status of enhanced infrastructure metrics (p. 33).

(33)

Activating enhanced infrastructure metrics at the account level

Use the following procedure to activate or deactivate enhanced infrastructure metrics at the account level. Recommendation preferences created at the account level apply to all resources within the account that meet your resource type and AWS Region criteria.

2. Choose Accounts in the navigation pane.

If you're signed in to the management account of the organization, the Accounts page lists all member accounts of the organization and recommendation preferences as shown in the following example. If you're signed in to a standalone account, the page lists only the recommendation preferences for your account.

3. If you're signed in to the management account of an organization, choose the account for which you want to activate enhanced infrastructure metrics. Then choose View preferences. If you're signed in to a standalone account, skip to the next step (step 4) of this procedure.

(34)

4. The Recommendation preferences section of the page lists the current preferences for the individual account, if any. Choose Edit in the Recommendation preferences section of the page.

5. Complete one of the following steps:

• To activate enhanced infrastructure metrics for a resource type in a speciﬁc AWS Region, choose the resource type in the Resource type dropdown menu, choose the AWS Region in the Region dropdown menu, and select the Activate option.

NoteThe EC2 instance option encompasses all EC2 resources, inclusive of standalone instances and instances that are part of Auto Scaling groups. The Auto Scaling group option encompasses only instances that are part of Auto Scaling groups, and not standalone instances.

(35)

• To deactivate enhanced infrastructure metrics for a resource type in a speciﬁc AWS Region, clear the Activate option for the preference you want to deactivate.

6. Choose Save to save the updated recommendation preference for the account.

NoteSaving the preference initiates metering for enhanced infrastructure metrics for all resources of the selected resource type in the selected Region and in the selected account.

For more information about pricing for this feature, see Compute Optimizer pricing.

Compute Optimizer will consider updated preferences the next time it generates recommendations. Until then, a pending status is affixed to your update preference (for example, Active-pending or Inactive- pending). To confirm if your resource recommendations are taking enhanced infrastructure metrics into consideration, see Confirming the status of enhanced infrastructure metrics (p. 33).

Activating enhanced infrastructure metrics at the organization level

Use the following procedure to activate or deactivate enhanced infrastructure metrics at the

organization level. Recommendation preferences created at the organization level apply to all resources within all member accounts of the organization that meet your resource type and AWS Region criteria

(36)

NoteThis option is available only to management accounts of an organization who opted member accounts in to Compute Optimizer.

2. Choose Accounts in the navigation pane.

The Accounts page lists all member accounts of the organization if you're signed in to the management account of the organization. The Recommendation preferences section of the page lists the preferences that are activated for all accounts in the organization, if any.

3. Choose Edit in the Recommendation preferences section of the page.

AWS Compute Optimizer

AWS Compute Optimizer

User Guide

AWS Compute Optimizer: User Guide

Table of Contents

What is AWS Compute Optimizer?

Supported resources and requirements

Opting in

Analyzing metrics

Enhancing recommendations

Viewing ﬁndings and recommendations

Availability

Supported resources and requirements

CloudWatch metric requirements

Amazon EC2 instance requirements

Auto Scaling group requirements

Amazon EBS volume requirements

Lambda function requirements

Getting started with AWS Compute Optimizer

Accounts supported by Compute Optimizer

Required permissions

Opting in your account

Opting out your account

Controlling access with AWS Identity and Access Management

Compute Optimizer and AWS Organizations trusted access

Policy to opt in to Compute Optimizer

Policies to grant access to Compute Optimizer for standalone AWS accounts

Policies to grant access to Compute Optimizer for a management account of an organization

Policies to grant access to manage Compute Optimizer recommendation preferences

Policy to deny access to Compute Optimizer

Using Service-Linked Roles for AWS Compute Optimizer

Service-Linked Role permissions for Compute Optimizer

Service-Linked Role permissions

Creating a Service-Linked Role for Compute Optimizer

Editing a Service-Linked Role for Compute Optimizer

Deleting a Service-Linked Role for Compute Optimizer

Supported Regions for Compute Optimizer Service- Linked Roles

AWS managed policies for AWS Compute Optimizer

AWS managed policy:

ComputeOptimizerServiceRolePolicy

AWS managed policy:

ComputeOptimizerReadOnlyAccess

Compute Optimizer updates to AWS managed policies

Amazon S3 bucket policy for AWS Compute Optimizer

Using encrypted S3 buckets for your recommendations export

Specifying an existing bucket for your recommendations export

Additional resources

Metrics analyzed by AWS Compute Optimizer

EC2 instance metrics

Enabling memory utilization with the CloudWatch Agent

EBS volume metrics

Lambda function metrics

Activating recommendation preferences

Enhanced infrastructure metrics

Required permissions

Activating enhanced infrastructure metrics

Activating enhanced infrastructure metrics at the resource level

Activating enhanced infrastructure metrics at the account level

Activating enhanced infrastructure metrics at the organization level