Limited IAM Permissions for an AWS Savings Analysis

Follow along with our walkthrough guide, plus learn what our permissions allow us to do


To perform our Savings Analysis, we require extremely limited IAM permissions on your AWS management account. We're firm believers in the security principle of least privilege, so our permission set includes the minimum access we need to run our analysis and nothing more.

At no point in time can we:

  • Access the AWS data plane (e.g., instances, clusters, containers)
  • Manipulate the AWS control plane (e.g., start or terminate an instance, cluster, or task)
  • Read your data, whether local or in a managed storage or datastore service

Read more: What level of access ProsperOps needs


These permissions will allow us to:

  • Access Cost Explorer, which we use to analyze 12 months of daily historical cost and usage data
  • Set up and access a Cost and Usage Report (CUR), which we use to analyze recent hourly volatility patterns
  • Read AWS Organizations metadata and your account structure
  • Verify that our permissions are applied correctly (using iam:SimulatePrincipalPolicy against the ProsperOps role)

⚠️ This is an example IAM policy. You should not copy and paste it when creating your account. We provide a customized policy during account activation.

The actual IAM policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:GetCostAndUsage",
                "ce:GetDimensionValues",
                "ce:GetReservationCoverage",
                "ce:GetReservationUtilization",
                "ce:GetSavingsPlansCoverage",
                "ce:GetSavingsPlansUtilization",
                "ce:GetSavingsPlansUtilizationDetails",
                "cur:DescribeReportDefinitions",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "arn:aws:iam::*:role/ProsperOps"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::prosperops-cur-*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::prosperops-cur-*/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cur:ModifyReportDefinition",
                "cur:PutReportDefinition"
            ],
            "Resource": "arn:aws:cur:*:*:definition/prosperops-*"
        }
    ]
}
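Before attaching a third party's policy, it is worth checking mechanically that it keeps the shape described above: only the expected services, no wildcard actions, and every mutating action (CreateBucket, PutBucketPolicy, PutReportDefinition, ...) scoped to a named ARN pattern rather than "*". The following script is an added example, not ProsperOps code; the policy is re-typed from this page as sample input, and the expected-service set and read-only prefix convention are assumptions of the example.

```python
import json

# Services the page says the analysis touches; anything else is a finding.
EXPECTED_SERVICES = {"ce", "cur", "organizations", "iam", "s3"}
# AWS read-only naming convention; Simulate* covers iam:SimulatePrincipalPolicy.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Simulate")

# Sample input re-typed from the policy on this page (not an authoritative copy).
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
{"Effect": "Allow", "Resource": "*", "Action": [
  "ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetReservationCoverage",
  "ce:GetReservationUtilization", "ce:GetSavingsPlansCoverage",
  "ce:GetSavingsPlansUtilization", "ce:GetSavingsPlansUtilizationDetails",
  "cur:DescribeReportDefinitions", "organizations:DescribeOrganization",
  "organizations:ListAccounts"]},
{"Effect": "Allow", "Resource": "arn:aws:iam::*:role/ProsperOps", "Action": [
  "iam:GetRolePolicy", "iam:ListRolePolicies", "iam:SimulatePrincipalPolicy"]},
{"Effect": "Allow", "Resource": "arn:aws:s3:::prosperops-cur-*", "Action": [
  "s3:CreateBucket", "s3:ListBucket", "s3:PutBucketPolicy"]},
{"Effect": "Allow", "Resource": "arn:aws:s3:::prosperops-cur-*/*", "Action": "s3:GetObject"},
{"Effect": "Allow", "Resource": "arn:aws:cur:*:*:definition/prosperops-*", "Action": [
  "cur:ModifyReportDefinition", "cur:PutReportDefinition"]}]}""")


def _as_list(value):
    # IAM accepts a bare string wherever a list is allowed.
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for Get*/List*/Describe*/Simulate* actions that contain no wildcard."""
    return "*" not in action and action.partition(":")[2].startswith(READ_ONLY_PREFIXES)


def review_policy(policy):
    """Return findings as strings; an empty list means only expected services are
    granted and every mutating action is scoped to a named ARN pattern."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not reviewed here.
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action.partition(":")[0] not in EXPECTED_SERVICES:
                findings.append(f"statement {i}: unexpected service in {action!r}")
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif not is_read_only(action) and "*" in resources:
                findings.append(f"statement {i}: mutating {action!r} on Resource '*'")
    return findings
```

Run `review_policy(POLICY)` on the customized policy you actually receive; an empty list means it has the same least-privilege shape as the example above, and each finding names the statement to question.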