Right-Sizing – How to Configure User Groups and Workflows

The EC2 Right-Sizing report can automate the task of resizing any EC2 instances that are over- or under-utilized. The report will give you a selection of instances—each with a utilization rating—and you have the option to fix individual instances.

For security purposes, you will want to control:

  • which users can request changes
  • which users can approve or deny these requested changes to ensure that only the selected users have authority to make changes to your AWS deployment

These change requests are controlled by workflows, which are then assigned to specific users via the user groups management section. There are two types of Workflow permissions:

  • Open Workflows: This is the permission to request a change, for example, to open a workflow. This is the lower level of the two permissions: it gives the user the ability to request that only a right-sizing change is made.
  • Admin Workflows: This is the permission to approve and execute or deny the change.

In practice, once a right-sizing request is made, a user with Admin Workflow permissions will need to look at the request and decide whether to approve and execute the change, or to deny the request.

Creating User Groups and Workflows

  1. Create a new user group or modify an existing user group.

    1. From the header menu, click the Settings icon and choose Partner/Account > Groups.

      You can see full instructions for working with user groups.
    2. For the purposes of this procedure, click New Group to continue.

  2. Within the New Group screen:

    1. Name your group.
    2. Add any users to the group.
    3. Add an Account Access Control List (ACL), which is where you can specify the workflow to add to the group.
  3. In the Account ACL screen, select the AWS account that you want to give access to, and then click the Automation tab. In this tab, you will select one of the two workflow options:

    • Open Workflow: the user can only open a workflow (i.e. open a right-sizing request)
    • Admin Workflow: the user can approve and then execute a request or deny a request
      When performing one of these actions within the right-sizing report, both the approve/execute and deny actions provide a comment field in order to give relevant feedback to the requestor.
  4. Once your changes are complete, click OK to save your new account ACL. You have now configured the proper workflow configuration for the Right-Sizing report.
  5. Complete the Right Sizing actions.

How did we do?