What IAM permissions does the Archera AWS trial deployment require?

In this article we cover the AWS IAM permissions required by Archera.ai to function for a trial, and why.

Written by Jim Gallagher

The following is a detailed breakdown of the Read-Only, Least-Privileged IAM credential required to enable the Trial of our AWS Platform Integration. This will enable Archera.ai to read the bare minimum usage and cost metadata required to enable our Trial analysis & modeling engine, with limited access to automation features.

Using this credential means you will not receive future platform updates, and we don't recommend it unless you have no other option. Please contact us if you would like this installation method enabled in your account.

The standard Production credential is required to enable our full automation platform and is covered in another article.

Cost Explorer

Cost Explorer read permissions allow us to extract specific cost, usage and commitment information associated with your organization's accounts, as well as to get benchmark data from AWS so that solutions can be compared.

ce:DescribeCostCategoryDefinition
ce:DescribeNotificationSubscription
ce:DescribeReport
ce:GetAnomalies
ce:GetAnomalyMonitors
ce:GetAnomalySubscriptions
ce:GetCostAndUsage
ce:GetCostAndUsageWithResources
ce:GetCostCategories
ce:GetCostForecast
ce:GetDimensionValues
ce:GetPreferences
ce:GetReservationCoverage
ce:GetReservationPurchaseRecommendation
ce:GetReservationUtilization
ce:GetRightsizingRecommendation
ce:GetSavingsPlansCoverage
ce:GetSavingsPlansPurchaseRecommendation
ce:GetSavingsPlansUtilization
ce:GetSavingsPlansUtilizationDetails
ce:GetTags
ce:GetUsageForecast
ce:ListCostCategoryDefinitions

Budgets

Budget read permissions are used to allow us to pull any existing budgets in the environment to inform automated configuration of segmentation & budgets in our platform for an easy on-boarding experience.

budgets:DescribeBudgetAction
budgets:DescribeBudgetActionHistories
budgets:DescribeBudgetActionsForAccount
budgets:DescribeBudgetActionsForBudget

Tag

Tag read permissions are used to populate and enable the Tag Manager functionality and Tag based segmentation in the platform.

tag:GetComplianceSummary
tag:GetResources
tag:GetTagKeys
tag:GetTagValues

Resource Groups

Resource Groups read permissions are used to automatically create segments based on existing resource groups to better analyze their cost and usage.

resource-groups:GetGroupQuery
resource-groups:SearchResources
resource-groups:GetGroup
resource-groups:GetGroupConfiguration
resource-groups:GetTags
resource-groups:ListGroupResources
resource-groups:ListGroups

STS

The STS GetCallerIdentity permission is used to verify access for the Trial role. It only returns information about the identity making the call (i.e. it is limited to us reading our own role).

sts:GetCallerIdentity

Service Quotas

The Service Quotas read permissions are used to determine which service quotas AWS imposes on your accounts, and when a service quota increase will be required for a given recommended action.

servicequotas:GetAWSDefaultServiceQuota
servicequotas:GetAssociationForServiceQuotaTemplate
servicequotas:GetRequestedServiceQuotaChange
servicequotas:GetServiceQuota
servicequotas:GetServiceQuotaIncreaseRequestFromTemplate
servicequotas:ListAWSDefaultServiceQuotas
servicequotas:ListRequestedServiceQuotaChangeHistory
servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota
servicequotas:ListServiceQuotaIncreaseRequestsInTemplate
servicequotas:ListServiceQuotas
servicequotas:ListServices
servicequotas:ListTagsForResource

Service Catalog

The service catalog read permissions are used to inform automated configuration of segmentation & purchase modeling in the platform as well as to understand any existing resource governance policies.

servicecatalog:DescribeConstraint
servicecatalog:DescribeCopyProductStatus
servicecatalog:DescribePortfolio
servicecatalog:DescribePortfolioShareStatus
servicecatalog:DescribePortfolioShares
servicecatalog:DescribeProduct
servicecatalog:DescribeProductView
servicecatalog:DescribeProvisionedProduct
servicecatalog:DescribeProvisionedProductPlan
servicecatalog:DescribeProvisioningArtifact
servicecatalog:DescribeProvisioningParameters
servicecatalog:DescribeRecord
servicecatalog:DescribeServiceAction
servicecatalog:DescribeServiceActionExecutionParameters
servicecatalog:DescribeTagOption
servicecatalog:GetAWSOrganizationsAccessStatus
servicecatalog:GetApplication
servicecatalog:GetAttributeGroup
servicecatalog:GetProvisionedProductOutputs
servicecatalog:ListAcceptedPortfolioShares
servicecatalog:ListApplications
servicecatalog:ListAssociatedAttributeGroups
servicecatalog:ListAssociatedResources
servicecatalog:ListAttributeGroups
servicecatalog:ListBudgetsForResource
servicecatalog:ListConstraintsForPortfolio
servicecatalog:ListLaunchPaths
servicecatalog:ListOrganizationPortfolioAccess
servicecatalog:ListPortfolioAccess
servicecatalog:ListPortfolios
servicecatalog:ListPortfoliosForProduct
servicecatalog:ListPrincipalsForPortfolio
servicecatalog:ListProvisionedProductPlans
servicecatalog:ListProvisioningArtifacts
servicecatalog:ListProvisioningArtifactsForServiceAction
servicecatalog:ListRecordHistory
servicecatalog:ListResourcesForTagOption
servicecatalog:ListServiceActions
servicecatalog:ListServiceActionsForProvisioningArtifact
servicecatalog:ListStackInstancesForProvisionedProduct
servicecatalog:ListTagOptions
servicecatalog:ListTagsForResource

CloudWatch

The CloudWatch read permissions enable us to pull utilization metadata for your infrastructure. Right-sizing, as well as infrastructure usage monitoring & alerting, will not function without this.

cloudwatch:ListMetrics
cloudwatch:GetMetricStatistics
cloudwatch:GetMetricData

CUR

The CUR describe report permission enables us to identify where existing and new detailed Cost and Usage Billing reports have been created. We use these reports as a ground truth for finalized billing from AWS. The platform will not be accurate without access to this data.

cur:DescribeReportDefinitions

EC2

The EC2 read permissions are used to pull real-time usage, attribution and commitment information for all EC2 resources in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to affect, or access data on, the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).

ec2:DescribeAccountAttributes
ec2:DescribeInstances
ec2:DescribeRegions
ec2:DescribeAvailabilityZones
ec2:CreateSpotDatafeedSubscription
ec2:DescribeSpotDatafeedSubscription
ec2:DescribeSpotFleetInstances
ec2:DescribeSpotFleetRequestHistory
ec2:DescribeSpotFleetRequests
ec2:DescribeSpotInstanceRequests
ec2:DescribeSpotPriceHistory
ec2:DescribeFleetHistory
ec2:DescribeFleetInstances
ec2:DescribeFleets
ec2:DescribeTags
ec2:DescribeVolumes
ec2:DescribeVolumesModifications
ec2:DescribeVolumeStatus
ec2:DescribeElasticGpus
ec2:DescribeScheduledInstances
ec2:DescribeScheduledInstanceAvailability
ec2:DescribeReservedInstances
ec2:DescribeReservedInstancesModifications
ec2:DescribeReservedInstancesListings
ec2:GetReservedInstancesExchangeQuote
ec2:DescribeReservedInstancesOfferings
ec2:DescribeCapacityReservations
ec2:DescribeHosts
ec2:DescribeHostReservations
ec2:GetHostReservationPurchasePreview
ec2:DescribeHostReservationOfferings

RDS

The RDS read permissions are used to pull real-time usage, attribution and commitment information for all RDS resources in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to affect, or access data on, the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).

rds:DescribeAccountAttributes
rds:DescribeCustomAvailabilityZones
rds:DescribeDBClusterBacktracks
rds:DescribeDBClusterEndpoints
rds:DescribeDBClusterParameterGroups
rds:DescribeDBClusterParameters
rds:DescribeDBClusterSnapshotAttributes
rds:DescribeDBClusterSnapshots
rds:DescribeDBClusters
rds:DescribeDBEngineVersions
rds:DescribeDBInstanceAutomatedBackups
rds:DescribeDBInstances
rds:DescribeDBParameterGroups
rds:DescribeDBParameters
rds:DescribeDBProxies
rds:DescribeDBProxyEndpoints
rds:DescribeDBProxyTargetGroups
rds:DescribeDBProxyTargets
rds:DescribeDBSecurityGroups
rds:DescribeDBSnapshotAttributes
rds:DescribeDBSnapshots
rds:DescribeDBSubnetGroups
rds:DescribeEngineDefaultClusterParameters
rds:DescribeEngineDefaultParameters
rds:DescribeEventCategories
rds:DescribeEventSubscriptions
rds:DescribeEvents
rds:DescribeExportTasks
rds:DescribeGlobalClusters
rds:DescribeInstallationMedia
rds:DescribeOptionGroupOptions
rds:DescribeOptionGroups
rds:DescribeOrderableDBInstanceOptions
rds:DescribePendingMaintenanceActions
rds:DescribeReservedDBInstances
rds:DescribeReservedDBInstancesOfferings
rds:DescribeSourceRegions
rds:DescribeValidDBInstanceModifications
rds:ListTagsForResource

Redshift

The Redshift read permissions are used to pull real-time usage, attribution and commitment information for all Redshift resources in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to affect, or access data on, the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).

redshift:DescribeAccountAttributes
redshift:DescribeClusterDbRevisions
redshift:DescribeClusterParameterGroups
redshift:DescribeClusterParameters
redshift:DescribeClusterSecurityGroups
redshift:DescribeClusterSnapshots
redshift:DescribeClusterSubnetGroups
redshift:DescribeClusterTracks
redshift:DescribeClusterVersions
redshift:DescribeClusters
redshift:DescribeDefaultClusterParameters
redshift:DescribeEventCategories
redshift:DescribeEventSubscriptions
redshift:DescribeEvents
redshift:DescribeHsmClientCertificates
redshift:DescribeHsmConfigurations
redshift:DescribeLoggingStatus
redshift:DescribeNodeConfigurationOptions
redshift:DescribeOrderableClusterOptions
redshift:DescribeReservedNodeOfferings
redshift:DescribeReservedNodes
redshift:DescribeResize
redshift:DescribeScheduledActions
redshift:DescribeSnapshotCopyGrants
redshift:DescribeSnapshotSchedules
redshift:DescribeStorage
redshift:DescribeTable
redshift:DescribeTableRestoreStatus
redshift:DescribeTags
redshift:GetReservedNodeExchangeOfferings

DynamoDB

The DynamoDB read permissions are used to pull real-time usage, attribution and commitment information for all DynamoDB resources in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to affect, or access data on, the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).

dynamodb:DescribeBackup
dynamodb:DescribeContinuousBackups
dynamodb:DescribeContributorInsights
dynamodb:DescribeExport
dynamodb:DescribeGlobalTable
dynamodb:DescribeGlobalTableSettings
dynamodb:DescribeKinesisStreamingDestination
dynamodb:DescribeLimits
dynamodb:DescribeReservedCapacity
dynamodb:DescribeReservedCapacityOfferings
dynamodb:DescribeStream
dynamodb:DescribeTable
dynamodb:DescribeTableReplicaAutoScaling
dynamodb:DescribeTimeToLive
dynamodb:ListBackups
dynamodb:ListContributorInsights
dynamodb:ListExports
dynamodb:ListGlobalTables
dynamodb:ListStreams
dynamodb:ListTables
dynamodb:ListTagsOfResource

ElastiCache

The ElastiCache read permissions are used to pull real-time usage, attribution and commitment information for all ElastiCache resources in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to affect, or access data on, the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).

elasticache:DescribeCacheClusters
elasticache:DescribeCacheEngineVersions
elasticache:DescribeCacheParameterGroups
elasticache:DescribeCacheParameters
elasticache:DescribeCacheSecurityGroups
elasticache:DescribeCacheSubnetGroups
elasticache:DescribeEngineDefaultParameters
elasticache:DescribeEvents
elasticache:DescribeGlobalReplicationGroups
elasticache:DescribeReplicationGroups
elasticache:DescribeReservedCacheNodes
elasticache:DescribeReservedCacheNodesOfferings
elasticache:DescribeServiceUpdates
elasticache:DescribeSnapshots
elasticache:DescribeUpdateActions
elasticache:DescribeUserGroups
elasticache:DescribeUsers
elasticache:ListAllowedNodeTypeModifications
elasticache:ListTagsForResource

Elasticsearch

The Elasticsearch read permissions are used to pull real-time usage, attribution and commitment information for all Elasticsearch domains in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to affect, or access data on, the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).

es:DescribeElasticsearchDomain
es:DescribeElasticsearchDomainConfig
es:DescribeElasticsearchDomains
es:DescribeElasticsearchInstanceTypeLimits
es:DescribeInboundCrossClusterSearchConnections
es:DescribeOutboundCrossClusterSearchConnections
es:DescribeReservedElasticsearchInstanceOfferings
es:DescribeReservedElasticsearchInstances
es:ListDomainNames
es:ListElasticsearchInstanceTypeDetails
es:ListElasticsearchInstanceTypes
es:ListElasticsearchVersions
es:ListTags

License Manager

License Manager can control the launch of EC2 instances that require dedicated hosts, which has cost implications such as license overage charges. The read permissions allow us to reflect, project and account for these costs.

license-manager:GetAccessToken
license-manager:GetLicenseUsage
license-manager:GetLicenseConfiguration
license-manager:GetLicense
license-manager:GetGrant
license-manager:GetServiceSettings

Organizations

The Organizations read permissions are used to enable segmentation and analysis based on your AWS organization structure. They are also required to accurately reflect reservation attribution and coverage within your AWS organization. The platform will not function without them.

organizations:DescribeAccount
organizations:DescribeCreateAccountStatus
organizations:DescribeEffectivePolicy
organizations:DescribeHandshake
organizations:DescribeOrganization
organizations:DescribeOrganizationalUnit
organizations:DescribePolicy
organizations:ListAWSServiceAccessForOrganization
organizations:ListAccounts
organizations:ListAccountsForParent
organizations:ListChildren
organizations:ListCreateAccountStatus
organizations:ListDelegatedServicesForAccount
organizations:ListOrganizationalUnitsForParent
organizations:ListParents
organizations:ListPolicies
organizations:ListPoliciesForTarget
organizations:ListRoots
organizations:ListTagsForResource
organizations:ListTargetsForPolicy

Savings Plans

The savings plan read permissions are used to provide analysis for savings plan coverage, savings and attribution within your AWS accounts. The platform will not reflect accurate cost data without this permission.

savingsplans:DescribeSavingsPlanRates
savingsplans:DescribeSavingsPlans
savingsplans:DescribeSavingsPlansOfferingRates
savingsplans:DescribeSavingsPlansOfferings
savingsplans:ListTagsForResource

IAM

The IAM read and simulate permissions, restricted explicitly to the Archera.ai-related role and policy ARNs listed below, are required so that this role can verify the permissions it is allowed to operate under and ensure a valid installation. The platform will not be able to access your environment or function without them.

iam:GetRolePolicy
iam:ListRolePolicies
iam:ListAttachedRolePolicies
iam:GetPolicy
iam:GetPolicyVersion
iam:SimulatePrincipalPolicy

arn:aws:iam::*:role/ReservedAI
arn:aws:iam::*:role/ReservedAI-Read
arn:aws:iam::*:role/ReservedAI-Write
arn:aws:iam::*:policy/ReservedAI
arn:aws:iam::*:policy/ReservedAI-Read
arn:aws:iam::*:policy/ReservedAI-Write
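The following is an added example, not Archera's published policy or tooling. It turns the per-service action lists above (one action per line) and the IAM resource ARNs into a single policy document in which the iam: actions are scoped to the listed ARNs and everything else is allowed on "*", and then audits every action against the verbs a reviewer expects in a read-only credential (Describe, Get, List, Search, Simulate). Run over the full lists on this page it reports exactly one action, ec2:CreateSpotDatafeedSubscription, which creates a Spot data feed that writes to an S3 bucket in your account; the approver can then confirm that is intended. The embedded excerpt is a constructed sample in the article's layout, and the statement Sids are hypothetical names.

```python
"""Assemble and audit a read-only IAM policy from this article's action lists.

Added example: not Archera's policy or code. Paste the article text into
ARTICLE_TEXT (or read it from a file) to build the full document.
"""
import json
import re

# One action per line in the article, e.g. "resource-groups:GetGroup".
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9]+)$")
# Resource ARNs the IAM statement is scoped to, as listed in the article.
ARN_RE = re.compile(r"^arn:aws:iam::\*:(role|policy)/\S+$")
# Verbs a reviewer accepts in a "read-only" credential.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Search", "Simulate")

# Constructed excerpt in the article's own layout (heading, sentence, actions).
ARTICLE_TEXT = """\
STS

STS Get caller identity permission is used to verify access for the Trial role.

sts:GetCallerIdentity

CloudWatch

cloudwatch:ListMetrics
cloudwatch:GetMetricStatistics
cloudwatch:GetMetricData

EC2

ec2:DescribeInstances
ec2:CreateSpotDatafeedSubscription
ec2:DescribeSpotDatafeedSubscription

IAM

iam:GetRolePolicy
iam:SimulatePrincipalPolicy

arn:aws:iam::*:role/ReservedAI
arn:aws:iam::*:policy/ReservedAI-Read
"""


def parse_article(text):
    """Return (actions, iam_resource_arns) found in the article text, in order."""
    actions, arns = [], []
    for line in text.splitlines():
        line = line.strip()
        if ACTION_RE.match(line) and line not in actions:
            actions.append(line)
        elif ARN_RE.match(line) and line not in arns:
            arns.append(line)
    return actions, arns


def audit_read_only(actions):
    """Return the actions whose verb is not one a read-only policy should carry."""
    flagged = []
    for action in actions:
        verb = ACTION_RE.match(action).group(2)
        if not verb.startswith(READ_ONLY_VERBS):
            flagged.append(action)
    return flagged


def build_policy(actions, iam_resources):
    """Build the policy: iam: actions scoped to the listed ARNs, the rest on '*'."""
    iam_actions = sorted(a for a in actions if a.startswith("iam:"))
    other_actions = sorted(a for a in actions if not a.startswith("iam:"))
    statements = [{
        "Sid": "ArcheraTrialReadOnly",  # hypothetical Sid
        "Effect": "Allow",
        "Action": other_actions,
        "Resource": "*",
    }]
    if iam_actions:
        statements.append({
            "Sid": "ArcheraTrialIamScoped",  # hypothetical Sid
            "Effect": "Allow",
            "Action": iam_actions,
            "Resource": iam_resources,
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    actions, arns = parse_article(ARTICLE_TEXT)
    print(json.dumps(build_policy(actions, arns), indent=2))
    for action in audit_read_only(actions):
        print(f"REVIEW: {action} is not a Describe/Get/List/Search/Simulate action")
```

The audit is a prefix check on the action verb, which is how IAM's own ReadOnlyAccess-style policies are usually reviewed; it is deliberately simple so a false positive costs a minute of reading rather than silently passing a write action into a credential described as read-only.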
