What IAM permissions does the Archera AWS production deployment require?
Written by Aran Khanna

The following is a detailed breakdown of the additional least-privileged IAM credential required to enable the production deployment of our AWS platform integration. This enables all the features of our full automation platform and will continue to receive all updates for new services.

Like our trial credential, these additional "write" permissions do not allow us to read anything beyond the bare minimum usage and cost metadata. They additionally allow you to automate all commitment management tasks (purchase, exchange, resell, renewal, etc.) without granting any ability to access or impact the underlying infrastructure in your AWS accounts.

The three main technical differences between the production credential and the permissions detailed in our documentation on the trial credential are:

1. The wildcard (*) added to the requested List, Read & Describe permissions, to ensure Archera is robust to new metadata endpoints being added without requiring you to manually update the role.

2. The following block of "write" permissions, allowing Archera to automate the purchase and management of commitments (financial discounts that have no infrastructure or application impact) on your behalf. This includes the lifecycle management of EC2 GRIs, including marketplace listing and resale.

"ec2:ModifyReservedInstances",
"ec2:PurchaseReservedInstancesOffering",
"ec2:AcceptReservedInstancesExchangeQuote",
"ec2:CreateReservedInstancesListing",
"ec2:CancelReservedInstancesListing",
"ec2:PurchaseScheduledInstances",
"ec2:RunScheduledInstances",
"ec2:ModifyCapacityReservation",
"ec2:ModifyInstanceCapacityReservationAttributes",
"ec2:CreateCapacityReservation",
"ec2:CancelCapacityReservation",
"ec2:PurchaseHostReservation",
"ec2:RequestSpotFleet",
"ec2:RequestSpotInstances",
"ec2:CancelSpotFleetRequests",
"ec2:CancelSpotInstanceRequests",
"rds:PurchaseReservedDbInstancesOffering",
"redshift:GetReservedNodeExchangeOfferings",
"redshift:PurchaseReservedNodeOffering",
"redshift:AcceptReservedNodeExchange",
"elasticache:PurchaseReservedCacheNodesOffering",
"es:PurchaseReservedElasticsearchInstance",
"es:PurchaseReservedElasticsearchInstanceOffering",
"savingsplans:CreateSavingsPlan"

3. The following (optional) block of "write" permissions, allowing Archera to automate the AWS Organizations management of sub-accounts that contain only commitments, in order to handle the lifecycle management of non-EC2 GRIs without infrastructure or application impact. The exact use of these permissions is detailed in our documentation describing the use of sub-account transfer for non-EC2 GRIs.

"organizations:InviteAccountToOrganization",
"organizations:RemoveAccountFromOrganization",
"organizations:CreateAccount"
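As an added check (not Archera's own code or tooling), the following Python audits a deployed IAM policy document against the write actions listed in blocks 2 and 3 above and flags drift: write actions outside the documented set, and wildcards on verbs other than read-only ones. The read-only prefixes (List/Get/Describe) and the sample policy are assumptions constructed for the example.

```python
# Write-scope actions documented on this page (blocks 2 and 3). Any Allow beyond these is drift.
DOCUMENTED_WRITE_ACTIONS = {
    "ec2:ModifyReservedInstances", "ec2:PurchaseReservedInstancesOffering",
    "ec2:AcceptReservedInstancesExchangeQuote", "ec2:CreateReservedInstancesListing",
    "ec2:CancelReservedInstancesListing", "ec2:PurchaseScheduledInstances",
    "ec2:RunScheduledInstances", "ec2:ModifyCapacityReservation",
    "ec2:ModifyInstanceCapacityReservationAttributes", "ec2:CreateCapacityReservation",
    "ec2:CancelCapacityReservation", "ec2:PurchaseHostReservation",
    "ec2:RequestSpotFleet", "ec2:RequestSpotInstances",
    "ec2:CancelSpotFleetRequests", "ec2:CancelSpotInstanceRequests",
    "rds:PurchaseReservedDbInstancesOffering", "redshift:GetReservedNodeExchangeOfferings",
    "redshift:PurchaseReservedNodeOffering", "redshift:AcceptReservedNodeExchange",
    "elasticache:PurchaseReservedCacheNodesOffering", "es:PurchaseReservedElasticsearchInstance",
    "es:PurchaseReservedElasticsearchInstanceOffering", "savingsplans:CreateSavingsPlan",
    "organizations:InviteAccountToOrganization", "organizations:CreateAccount",
    "organizations:RemoveAccountFromOrganization",
}
# Assumption: a wildcard is acceptable only on read-only verbs (the page's
# "list, read & describe"); the concrete prefixes are not defined on the page.
READ_ONLY_PREFIXES = ("List", "Get", "Describe")

def audit_policy(policy: dict) -> dict:
    """Return Allow actions that fall outside the documented least-privilege scope."""
    findings = {"unexpected_writes": [], "broad_wildcards": []}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen the grant
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            _service, _, verb = action.partition(":")  # "*" alone yields verb ""
            if "*" in action:
                if not verb.startswith(READ_ONLY_PREFIXES):
                    findings["broad_wildcards"].append(action)
            elif action not in DOCUMENTED_WRITE_ACTIONS and not verb.startswith(READ_ONLY_PREFIXES):
                findings["unexpected_writes"].append(action)
    return findings

# Constructed sample: the documented scope plus two grants that should be flagged.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:Describe*", "ce:Get*"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:PurchaseReservedInstancesOffering", "savingsplans:CreateSavingsPlan",
        "ec2:TerminateInstances"]},
    {"Effect": "Allow", "Resource": "*", "Action": "iam:*"},
]}

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```

Point it at the policy document you actually attach to the Archera role (for example, the output of an IAM get-policy-version call) and treat any non-empty finding as a review item.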
