To perform our Savings Analysis, we require read-only API permissions on your AWS payer account. We're firm believers in the security principle of least privilege, so our permission set includes the minimum amount of access we need to run our analysis and nothing more.

These permissions allow us to:

  • Access Cost Explorer data
  • Understand Organizations metadata and AWS account structure
  • Verify our permissions are applied correctly

The actual IAM policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:*",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:role/ProsperOps"
            ]
        }
    ]
}
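
Before attaching a third-party policy like this one, it is worth checking it mechanically against the read-only, least-privilege claim. The Python script below is an added example, not ProsperOps code; the audit function, its finding labels and the name-prefix heuristic for read-only actions are assumptions made for illustration.

```python
import json

# The policy from this page, compacted.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["ce:*", "organizations:DescribeOrganization", "organizations:ListAccounts"],
   "Resource": ["*"]},
  {"Effect": "Allow",
   "Action": ["iam:GetRolePolicy", "iam:ListRolePolicies", "iam:SimulatePrincipalPolicy"],
   "Resource": ["arn:aws:iam::*:role/ProsperOps"]}
]}
""")

# Assumption: a name-prefix heuristic for read-only actions. The authoritative
# access level of each action is in the AWS Service Authorization Reference.
READ_PREFIXES = ("get", "list", "describe", "simulate")


def _as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return (statement_index, kind, value) findings for Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction + Allow grants everything except the listed actions.
            findings.append((i, "not-action", "NotAction"))
        for action in _as_list(stmt.get("Action", [])):
            name = action.partition(":")[2]
            if "*" in action or "?" in action:
                # A wildcard matches every action it covers, read or write.
                findings.append((i, "wildcard-action", action))
            elif not name.lower().startswith(READ_PREFIXES):
                findings.append((i, "non-read-action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:
                # Review item: some actions only accept "*" as a resource.
                findings.append((i, "wildcard-resource", resource))
    return findings


if __name__ == "__main__":
    for index, kind, value in audit(POLICY):
        print(f"Statement[{index}] {kind}: {value}")
```

Run against the policy above, it reports ce:* as a wildcard action and lists both Resource entries as wildcard resources to review.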
