We are an AWS Select technology partner and have had our stack and solution audited by AWS to be in line with their "well-architected" best practices.
Our system connects to your AWS master billing account using the Amazon Managed IAM System and the official vendor Assume Role process with External ID, the best practice recommended by AWS for providing access to AWS account owned by 3rd party.
The IAM policy we request follows a "Least Privileged" approach granting the minimal access required to deliver our savings analysis and automation. We ask for access to read your billing and usage metadata from AWS, which is no more permissive than what standard monitoring tools like Datadog or Grafana ask for. This lets us see aggregate costs, machines up/down and resource utilization but never gives us access to read data from or make changes to running infrastructure.
By using only Amazon managed APIs to access your account all operations taken by Archera can be audited by your team in CloudTrail. Finally, we implemented SOC2 defined controls for managing customer data, including enforcement that all customer data is encrypted at rest as well as in transit and having regular internal audits on all access to user data.