The following is a detailed breakdown of the read-only, least-privileged IAM credential required to enable the Trial of our AWS Platform Integration. It lets Archera.ai read the bare minimum of usage and cost metadata required by our Trial analysis & modeling engine, with limited access to automation features.
This credential will prevent you from receiving future platform updates, and we don't recommend using it unless you have no other option. Please contact us if you would like this installation method enabled in your account.
The standard Production credential is required to enable our full automation platform and is covered in another article.
Cost Explorer
Cost Explorer read permissions allow us to extract specific cost, usage and commitment information for your organization's accounts, and to get benchmark data from AWS to enable a comparison between solutions.
ce:DescribeCostCategoryDefinition
ce:DescribeNotificationSubscription
ce:DescribeReport
ce:GetAnomalies
ce:GetAnomalyMonitors
ce:GetAnomalySubscriptions
ce:GetCostAndUsage
ce:GetCostAndUsageWithResources
ce:GetCostCategories
ce:GetCostForecast
ce:GetDimensionValues
ce:GetPreferences
ce:GetReservationCoverage
ce:GetReservationPurchaseRecommendation
ce:GetReservationUtilization
ce:GetRightsizingRecommendation
ce:GetSavingsPlansCoverage
ce:GetSavingsPlansPurchaseRecommendation
ce:GetSavingsPlansUtilization
ce:GetSavingsPlansUtilizationDetails
ce:GetTags
ce:GetUsageForecast
ce:ListCostCategoryDefinitions
Budgets
Budgets read permissions allow us to pull any existing budgets in the environment to inform automated configuration of segmentation & budgets in our platform for an easy onboarding experience.
budgets:DescribeBudgetAction
budgets:DescribeBudgetActionHistories
budgets:DescribeBudgetActionsForAccount
budgets:DescribeBudgetActionsForBudget
Tag
Tag read permissions are used to populate and enable the Tag Manager functionality and Tag based segmentation in the platform.
tag:GetComplianceSummary
tag:GetResources
tag:GetTagKeys
tag:GetTagValues
Resource Groups
Resource Groups read permissions are used to automatically create segments based on existing resource groups to better analyze their cost and usage.
resource-groups:GetGroupQuery
resource-groups:SearchResources
resource-groups:GetGroup
resource-groups:GetGroupConfiguration
resource-groups:GetTags
resource-groups:ListGroupResources
resource-groups:ListGroups
STS
The sts:GetCallerIdentity permission is used to verify access for the Trial role. It only returns information about the identity making the call (i.e. it is limited to us reading our own role).
sts:GetCallerIdentity
Service Quotas
The Service Quotas read permissions are used to learn which service quotas AWS imposes on your accounts and when quota increases will be required for different recommended actions.
servicequotas:GetAWSDefaultServiceQuota
servicequotas:GetAssociationForServiceQuotaTemplate
servicequotas:GetRequestedServiceQuotaChange
servicequotas:GetServiceQuota
servicequotas:GetServiceQuotaIncreaseRequestFromTemplate
servicequotas:ListAWSDefaultServiceQuotas
servicequotas:ListRequestedServiceQuotaChangeHistory
servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota
servicequotas:ListServiceQuotaIncreaseRequestsInTemplate
servicequotas:ListServiceQuotas
servicequotas:ListServices
servicequotas:ListTagsForResource
Service Catalog
The Service Catalog read permissions are used to inform automated configuration of segmentation & purchase modeling in the platform, as well as to understand any existing resource governance policies.
servicecatalog:DescribeConstraint
servicecatalog:DescribeCopyProductStatus
servicecatalog:DescribePortfolio
servicecatalog:DescribePortfolioShareStatus
servicecatalog:DescribePortfolioShares
servicecatalog:DescribeProduct
servicecatalog:DescribeProductView
servicecatalog:DescribeProvisionedProduct
servicecatalog:DescribeProvisionedProductPlan
servicecatalog:DescribeProvisioningArtifact
servicecatalog:DescribeProvisioningParameters
servicecatalog:DescribeRecord
servicecatalog:DescribeServiceAction
servicecatalog:DescribeServiceActionExecutionParameters
servicecatalog:DescribeTagOption
servicecatalog:GetAWSOrganizationsAccessStatus
servicecatalog:GetApplication
servicecatalog:GetAttributeGroup
servicecatalog:GetProvisionedProductOutputs
servicecatalog:ListAcceptedPortfolioShares
servicecatalog:ListApplications
servicecatalog:ListAssociatedAttributeGroups
servicecatalog:ListAssociatedResources
servicecatalog:ListAttributeGroups
servicecatalog:ListBudgetsForResource
servicecatalog:ListConstraintsForPortfolio
servicecatalog:ListLaunchPaths
servicecatalog:ListOrganizationPortfolioAccess
servicecatalog:ListPortfolioAccess
servicecatalog:ListPortfolios
servicecatalog:ListPortfoliosForProduct
servicecatalog:ListPrincipalsForPortfolio
servicecatalog:ListProvisionedProductPlans
servicecatalog:ListProvisioningArtifacts
servicecatalog:ListProvisioningArtifactsForServiceAction
servicecatalog:ListRecordHistory
servicecatalog:ListResourcesForTagOption
servicecatalog:ListServiceActions
servicecatalog:ListServiceActionsForProvisioningArtifact
servicecatalog:ListStackInstancesForProvisionedProduct
servicecatalog:ListTagOptions
servicecatalog:ListTagsForResource
CloudWatch
The CloudWatch read permissions enable us to pull utilization metadata for your infrastructure. Right-sizing, as well as infrastructure usage monitoring & alerting, will not function without this.
cloudwatch:ListMetrics
cloudwatch:GetMetricStatistics
cloudwatch:GetMetricData
CUR
The cur:DescribeReportDefinitions permission enables us to identify where existing and new detailed Cost and Usage Reports (CUR) have been created. We use these reports as the ground truth for finalized billing from AWS. The platform will not be accurate without access to this data.
cur:DescribeReportDefinitions
EC2
The EC2 read permissions are used to pull real-time usage, attribution and commitment information for all EC2 resources in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to impact or access data on the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).
ec2:DescribeAccountAttributes
ec2:DescribeInstances
ec2:DescribeRegions
ec2:DescribeAvailabilityZones
ec2:CreateSpotDatafeedSubscription
ec2:DescribeSpotDatafeedSubscription
ec2:DescribeSpotFleetInstances
ec2:DescribeSpotFleetRequestHistory
ec2:DescribeSpotFleetRequests
ec2:DescribeSpotInstanceRequests
ec2:DescribeSpotPriceHistory
ec2:DescribeFleetHistory
ec2:DescribeFleetInstances
ec2:DescribeFleets
ec2:DescribeTags
ec2:DescribeVolumes
ec2:DescribeVolumesModifications
ec2:DescribeVolumeStatus
ec2:DescribeElasticGpus
ec2:DescribeScheduledInstances
ec2:DescribeScheduledInstanceAvailability
ec2:DescribeReservedInstances
ec2:DescribeReservedInstancesModifications
ec2:DescribeReservedInstancesListings
ec2:GetReservedInstancesExchangeQuote
ec2:DescribeReservedInstancesOfferings
ec2:DescribeCapacityReservations
ec2:DescribeHosts
ec2:DescribeHostReservations
ec2:GetHostReservationPurchasePreview
ec2:DescribeHostReservationOfferings
RDS
The RDS read permissions are used to pull real-time usage, attribution and commitment information for all RDS resources in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to impact or access data on the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).
rds:DescribeAccountAttributes
rds:DescribeCustomAvailabilityZones
rds:DescribeDBClusterBacktracks
rds:DescribeDBClusterEndpoints
rds:DescribeDBClusterParameterGroups
rds:DescribeDBClusterParameters
rds:DescribeDBClusterSnapshotAttributes
rds:DescribeDBClusterSnapshots
rds:DescribeDBClusters
rds:DescribeDBEngineVersions
rds:DescribeDBInstanceAutomatedBackups
rds:DescribeDBInstances
rds:DescribeDBParameterGroups
rds:DescribeDBParameters
rds:DescribeDBProxies
rds:DescribeDBProxyEndpoints
rds:DescribeDBProxyTargetGroups
rds:DescribeDBProxyTargets
rds:DescribeDBSecurityGroups
rds:DescribeDBSnapshotAttributes
rds:DescribeDBSnapshots
rds:DescribeDBSubnetGroups
rds:DescribeEngineDefaultClusterParameters
rds:DescribeEngineDefaultParameters
rds:DescribeEventCategories
rds:DescribeEventSubscriptions
rds:DescribeEvents
rds:DescribeExportTasks
rds:DescribeGlobalClusters
rds:DescribeInstallationMedia
rds:DescribeOptionGroupOptions
rds:DescribeOptionGroups
rds:DescribeOrderableDBInstanceOptions
rds:DescribePendingMaintenanceActions
rds:DescribeReservedDBInstances
rds:DescribeReservedDBInstancesOfferings
rds:DescribeSourceRegions
rds:DescribeValidDBInstanceModifications
rds:ListTagsForResource
Redshift
The Redshift read permissions are used to pull real-time usage, attribution and commitment information for all Redshift resources in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to impact or access data on the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).
redshift:DescribeAccountAttributes
redshift:DescribeClusterDbRevisions
redshift:DescribeClusterParameterGroups
redshift:DescribeClusterParameters
redshift:DescribeClusterSecurityGroups
redshift:DescribeClusterSnapshots
redshift:DescribeClusterSubnetGroups
redshift:DescribeClusterTracks
redshift:DescribeClusterVersions
redshift:DescribeClusters
redshift:DescribeDefaultClusterParameters
redshift:DescribeEventCategories
redshift:DescribeEventSubscriptions
redshift:DescribeEvents
redshift:DescribeHsmClientCertificates
redshift:DescribeHsmConfigurations
redshift:DescribeLoggingStatus
redshift:DescribeNodeConfigurationOptions
redshift:DescribeOrderableClusterOptions
redshift:DescribeReservedNodeOfferings
redshift:DescribeReservedNodes
redshift:DescribeResize
redshift:DescribeScheduledActions
redshift:DescribeSnapshotCopyGrants
redshift:DescribeSnapshotSchedules
redshift:DescribeStorage
redshift:DescribeTable
redshift:DescribeTableRestoreStatus
redshift:DescribeTags
redshift:GetReservedNodeExchangeOfferings
DynamoDB
The DynamoDB read permissions are used to pull real-time usage, attribution and commitment information for all DynamoDB resources in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to impact or access data on the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).
dynamodb:DescribeBackup
dynamodb:DescribeContinuousBackups
dynamodb:DescribeContributorInsights
dynamodb:DescribeExport
dynamodb:DescribeGlobalTable
dynamodb:DescribeGlobalTableSettings
dynamodb:DescribeKinesisStreamingDestination
dynamodb:DescribeLimits
dynamodb:DescribeReservedCapacity
dynamodb:DescribeReservedCapacityOfferings
dynamodb:DescribeStream
dynamodb:DescribeTable
dynamodb:DescribeTableReplicaAutoScaling
dynamodb:DescribeTimeToLive
dynamodb:ListBackups
dynamodb:ListContributorInsights
dynamodb:ListExports
dynamodb:ListGlobalTables
dynamodb:ListStreams
dynamodb:ListTables
dynamodb:ListTagsOfResource
ElastiCache
The ElastiCache read permissions are used to pull real-time usage, attribution and commitment information for all ElastiCache resources in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to impact or access data on the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).
elasticache:DescribeCacheClusters
elasticache:DescribeCacheEngineVersions
elasticache:DescribeCacheParameterGroups
elasticache:DescribeCacheParameters
elasticache:DescribeCacheSecurityGroups
elasticache:DescribeCacheSubnetGroups
elasticache:DescribeEngineDefaultParameters
elasticache:DescribeEvents
elasticache:DescribeGlobalReplicationGroups
elasticache:DescribeReplicationGroups
elasticache:DescribeReservedCacheNodes
elasticache:DescribeReservedCacheNodesOfferings
elasticache:DescribeServiceUpdates
elasticache:DescribeSnapshots
elasticache:DescribeUpdateActions
elasticache:DescribeUserGroups
elasticache:DescribeUsers
elasticache:ListAllowedNodeTypeModifications
elasticache:ListTagsForResource
ElasticSearch
The Elasticsearch read permissions are used to pull real-time usage, attribution and commitment information for all Elasticsearch resources in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to impact or access data on the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).
es:DescribeElasticsearchDomain
es:DescribeElasticsearchDomainConfig
es:DescribeElasticsearchDomains
es:DescribeElasticsearchInstanceTypeLimits
es:DescribeInboundCrossClusterSearchConnections
es:DescribeOutboundCrossClusterSearchConnections
es:DescribeReservedElasticsearchInstanceOfferings
es:DescribeReservedElasticsearchInstances
es:ListDomainNames
es:ListElasticsearchInstanceTypeDetails
es:ListElasticsearchInstanceTypes
es:ListElasticsearchVersions
es:ListTags
License Manager
License Manager can control the launch of EC2 instances that require dedicated hosts, and this has cost implications, such as license overage costs. The read permissions allow us to reflect, project and account for these costs.
license-manager:GetAccessToken
license-manager:GetLicenseUsage
license-manager:GetLicenseConfiguration
license-manager:GetLicense
license-manager:GetGrant
license-manager:GetServiceSettings
Organizations
The Organizations read permissions are used to enable segmentation and analysis based on your AWS organization structure. They are also required to accurately reflect reservation attribution and coverage within your AWS organization. The platform will not function without them.
organizations:DescribeAccount
organizations:DescribeCreateAccountStatus
organizations:DescribeEffectivePolicy
organizations:DescribeHandshake
organizations:DescribeOrganization
organizations:DescribeOrganizationalUnit
organizations:DescribePolicy
organizations:ListAWSServiceAccessForOrganization
organizations:ListAccounts
organizations:ListAccountsForParent
organizations:ListChildren
organizations:ListCreateAccountStatus
organizations:ListDelegatedServicesForAccount
organizations:ListOrganizationalUnitsForParent
organizations:ListParents
organizations:ListPolicies
organizations:ListPoliciesForTarget
organizations:ListRoots
organizations:ListTagsForResource
organizations:ListTargetsForPolicy
Savings Plans
The Savings Plans read permissions are used to provide analysis of Savings Plans coverage, savings and attribution within your AWS accounts. The platform will not reflect accurate cost data without them.
savingsplans:DescribeSavingsPlanRates
savingsplans:DescribeSavingsPlans
savingsplans:DescribeSavingsPlansOfferingRates
savingsplans:DescribeSavingsPlansOfferings
savingsplans:ListTagsForResource
IAM
The IAM read and simulate permissions, restricted explicitly to the Archera.ai (ReservedAI) roles and policies listed below, are required so that this role can verify the permissions it is allowed to operate under and confirm a valid installation. The platform will not be able to access your environment or function without them.
iam:GetRolePolicy
iam:ListRolePolicies
iam:ListAttachedRolePolicies
iam:GetPolicy
iam:GetPolicyVersion
iam:SimulatePrincipalPolicy
Resources (the only ARNs the IAM actions above apply to):
arn:aws:iam::*:role/ReservedAI
arn:aws:iam::*:role/ReservedAI-Read
arn:aws:iam::*:role/ReservedAI-Write
arn:aws:iam::*:policy/ReservedAI
arn:aws:iam::*:policy/ReservedAI-Read
arn:aws:iam::*:policy/ReservedAI-Write
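As an added example (not Archera.ai's code), the Python below assembles a constructed, sampled subset of the actions on this page into the two-statement shape the page describes (service reads on any resource, IAM reads only on the ReservedAI role and policy ARNs) and audits it the way a reviewer would before attaching it: it flags any action whose verb is not Describe/Get/List/Search/Simulate, which surfaces ec2:CreateSpotDatafeedSubscription from the EC2 list, and flags any iam: action granted on Resource "*". The statement Sids and the subset of actions are assumptions.

```python
import json
import re
# Constructed sample of the service actions listed on this page (not the full set).
READ_ACTIONS = [
    "ce:GetCostAndUsage", "budgets:DescribeBudgetAction", "tag:GetResources",
    "resource-groups:SearchResources", "sts:GetCallerIdentity",
    "cloudwatch:GetMetricData", "cur:DescribeReportDefinitions",
    "ec2:DescribeInstances", "ec2:CreateSpotDatafeedSubscription",
    "ec2:DescribeSpotDatafeedSubscription", "organizations:ListAccounts",
]
# IAM actions the page scopes to the ReservedAI role and policy ARNs only.
IAM_ACTIONS = [
    "iam:GetRolePolicy", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
    "iam:GetPolicy", "iam:GetPolicyVersion", "iam:SimulatePrincipalPolicy",
]
IAM_RESOURCES = [
    "arn:aws:iam::*:role/ReservedAI", "arn:aws:iam::*:role/ReservedAI-Read",
    "arn:aws:iam::*:role/ReservedAI-Write", "arn:aws:iam::*:policy/ReservedAI",
    "arn:aws:iam::*:policy/ReservedAI-Read", "arn:aws:iam::*:policy/ReservedAI-Write",
]
# API verbs that only read metadata; any other verb needs a reviewer's second look.
READ_VERBS = re.compile(r"^(Describe|Get|List|Search|Simulate)")

def non_read_actions(actions):
    """Return actions whose API verb is not a read/list/describe verb."""
    return [a for a in actions if not READ_VERBS.match(a.split(":", 1)[1])]

def build_policy(read_actions, iam_actions, iam_resources):
    """Two statements: service reads on '*', IAM reads scoped to the named ARNs (Sids assumed)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ServiceMetadataRead", "Effect": "Allow",
         "Action": sorted(read_actions), "Resource": "*"},
        {"Sid": "ScopedIamRead", "Effect": "Allow",
         "Action": sorted(iam_actions), "Resource": sorted(iam_resources)},
    ]}

def unscoped_iam_actions(policy):
    """Flag iam:* actions that a statement grants on Resource '*' instead of named ARNs."""
    flagged = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if "*" in resources:
            flagged += [a for a in actions if a.startswith("iam:")]
    return flagged

if __name__ == "__main__":
    policy = build_policy(READ_ACTIONS, IAM_ACTIONS, IAM_RESOURCES)
    print(json.dumps(policy, indent=2))
    print("non-read verbs to review:", non_read_actions(READ_ACTIONS))
    print("unscoped IAM actions:", unscoped_iam_actions(policy))
```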