
Limited IAM Permissions for Savings Analysis

To perform our Savings Analysis, we require read-only API permissions on your AWS management account. We're firm believers in the security principle of least privilege, so our permission set includes the minimum amount of access we need to run our analysis and nothing more.

These permissions allow us to:

  • Access Cost Explorer data
  • Understand Organizations metadata and AWS account structure
  • Verify our permissions are applied correctly

The actual IAM policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:GetCostAndUsage",
                "ce:GetDimensionValues",
                "ce:GetReservationCoverage",
                "ce:GetReservationUtilization",
                "ce:GetSavingsPlansCoverage",
                "ce:GetSavingsPlansUtilization",
                "ce:GetSavingsPlansUtilizationDetails",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": [
                "arn:aws:iam::<aws_account_number>:role/ProsperOps"
            ]
        }
    ]
}

Note: <aws_account_number> will automatically be replaced with your account number during our Onboarding process in the ProsperOps Console.
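
To confirm that a copy of this policy is still read-only and that its IAM actions are still limited to the one role, the policy document can be audited offline before it is attached. The Python check below is an added example, not ProsperOps code; the function names, the list of read-only verb prefixes, the account number 123456789012 and the drifted variant are all constructed for the example.

```python
import json

# Verb prefixes this example treats as read-only (an assumption of the example).
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Simulate")

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]

def audit_policy(policy, account_id, role_name="ProsperOps"):
    """Return findings for a policy document; an empty list means it passed."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        actions = as_list(stmt.get("Action", []))
        for action in actions:
            verb = action.partition(":")[2]
            if "*" in action or not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: {action} is not a named read-only action")
        resources = as_list(stmt.get("Resource", []))
        if any(a.lower().startswith("iam:") for a in actions) and resources != [role_arn]:
            findings.append(f"statement {i}: iam actions are not limited to {role_arn}")
    return findings

ACCOUNT_ID = "123456789012"  # constructed placeholder account number
# The policy from this page with <aws_account_number> filled in.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Resource": ["*"], "Action": [
   "ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetReservationCoverage",
   "ce:GetReservationUtilization", "ce:GetSavingsPlansCoverage",
   "ce:GetSavingsPlansUtilization", "ce:GetSavingsPlansUtilizationDetails",
   "organizations:DescribeOrganization", "organizations:ListAccounts"]},
 {"Effect": "Allow", "Resource": ["arn:aws:iam::123456789012:role/ProsperOps"],
  "Action": ["iam:GetRolePolicy", "iam:ListRolePolicies", "iam:SimulatePrincipalPolicy"]}]}
""")

# Constructed drifted variant: a write action added and the IAM scope widened.
DRIFTED = json.loads(json.dumps(PAGE_POLICY))
DRIFTED["Statement"][1]["Action"].append("iam:PutRolePolicy")
DRIFTED["Statement"][1]["Resource"] = ["*"]

if __name__ == "__main__":
    print("page policy findings:", audit_policy(PAGE_POLICY, ACCOUNT_ID))
    print("drifted policy findings:", audit_policy(DRIFTED, ACCOUNT_ID))
```

The prefix match is case-sensitive, so an action written in lower case is reported for review rather than passed.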