
AWS Read-Only IAM Role Setup

This guide walks you through creating a secure, read-only IAM role for your serverless cost audit. The policy in Step 4 grants the base permissions required to get started; we may ask for additional permissions during onboarding, but they will always be read-only.

We use a least-privilege policy that only grants access to cost, usage, and configuration data required for the audit. For a breakdown of each permission category, see Permissions Explained.

✅ We cannot modify, deploy, or delete anything in your account

✅ We cannot read application data (S3 object contents, DynamoDB items, request payloads); we can read resource configuration, which for Lambda includes environment variables (see the note in Step 4)

✅ You can remove access at any time


Before starting, make sure you have:

  • Access to your AWS account
  • Permission to create IAM roles
  • Our AWS Account ID
  • The External ID we provide

  1. Sign in to the AWS Console
  2. Search for IAM
  3. Click Roles (left sidebar)
  4. Click Create role

  • Trusted entity type: AWS account
  • Select: Another AWS account

Enter our AWS Account ID:

597437436252

Check:

Require external ID

Enter the External ID we provided:

[We will provide this value to you]

The account ID above restricts which account can assume the role; the external ID addresses the confused-deputy problem. Because we assume customer roles from a single account, a third party who learned your role ARN could otherwise try to get us to act against your account on their behalf. With this condition in place, the role can only be assumed when the caller also presents the external ID issued for your engagement, which is why the value is unique to you and generated on our side. Use it unchanged, and do not reuse it for any other vendor's role.

Click Next


Step 4: Attach Permissions (Custom Policy)

Do not attach the AWS-managed ReadOnlyAccess policy: it grants read access across nearly every service, including object contents in S3 and item reads (GetItem, Query, Scan) in DynamoDB. Create the custom policy below instead; it is limited to cost, metric, and configuration metadata. Two of its actions still deserve a second look before you grant them. lambda:GetFunctionConfiguration (and lambda:GetFunction, which includes the same configuration) returns a function's environment variables in plaintext unless they are encrypted with a customer-managed KMS key the role cannot use, and lambda:GetFunction also returns a presigned URL for downloading the deployment package. apigateway:GET on Resource "*" covers GET /apikeys with includeValues=true, which returns API key values. If any of that is unacceptable, move secrets out of Lambda environment variables before granting access, or add an explicit Deny statement for the resources you want excluded; an explicit Deny always overrides an Allow.


  1. Open a new tab → go to IAM → Policies
  2. Click Create policy
  3. Switch to the JSON tab
  4. Paste the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CostExplorerReadOnly",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostAndUsageWithResources",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetTags",
        "ce:GetUsageForecast"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchMetricsReadOnly",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:DescribeAlarms"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaReadOnly",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:ListVersionsByFunction",
        "lambda:ListAliases",
        "lambda:ListTags",
        "lambda:GetPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ApiGatewayReadOnly",
      "Effect": "Allow",
      "Action": [
        "apigateway:GET"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DynamoDBReadOnlyMetadata",
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:DescribeTimeToLive",
        "dynamodb:ListTagsOfResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3ReadOnlyMetadata",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketVersioning",
        "s3:GetBucketLifecycleConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Sid": "StepFunctionsReadOnly",
      "Effect": "Allow",
      "Action": [
        "states:ListStateMachines",
        "states:DescribeStateMachine",
        "states:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ResourceTaggingReadOnly",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues"
      ],
      "Resource": "*"
    }
  ]
}
```

  • Name: CostAuditReadOnlyPolicy
  • Click Create policy
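Before you create the policy, it is worth checking the JSON mechanically rather than by eye. The Python script below is an added example, not the audit vendor's tooling and not code from this guide: every Allow action must be a narrow Get/List/Describe call (or apigateway:GET), actions that return application data are rejected, and read-only actions that still expose configuration secrets produce a warning. It also shows how an explicit Deny for API key reads can be appended. Run it as `python lint_policy.py CostAuditReadOnlyPolicy.json` against the JSON you pasted; the file name is an assumption. With no argument it lints SAMPLE_POLICY, a constructed subset of the policy above with one deliberately bad statement added so you can see what the checks catch.

```python
"""Lint an IAM policy for a read-only cost-audit role.

Added example: not the audit vendor's tooling and not code from the original guide.
Usage: python lint_policy.py CostAuditReadOnlyPolicy.json   (file name is an assumption)
With no argument it lints the constructed SAMPLE_POLICY below.
"""
import json
import re
import sys

# Narrow read-only action names: service:Get*/List*/Describe*, or API Gateway's HTTP-verb action.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(?:Get|List|Describe)[A-Za-z0-9]+$|^apigateway:GET$")

# Actions that pass the naming test but return application data; rejected outright.
DATA_ACCESS = {
    "s3:GetObject", "s3:GetObjectVersion",
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan",
    "logs:GetLogEvents", "logs:FilterLogEvents",
}

# Read-only actions in the guide's policy that still expose sensitive configuration.
SENSITIVE = {
    "lambda:GetFunctionConfiguration": "returns environment variables in plaintext",
    "lambda:GetFunction": "returns environment variables and a presigned URL for the code package",
    "apigateway:GET": "on Resource '*' covers GET /apikeys?includeValues=true, which returns API key values",
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint(policy: dict) -> tuple[list[str], list[str]]:
    """Return (violations, warnings) over every Allow statement in the policy."""
    violations, warnings = [], []
    stmts = policy.get("Statement", [])
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny can only remove access
        if "NotAction" in stmt:
            violations.append(f"{sid}: NotAction allows everything not listed; use Action")
        for action in _as_list(stmt.get("Action")):
            if action in DATA_ACCESS:
                violations.append(f"{sid}: {action} reads application data")
            elif "*" in action or not READ_ONLY.match(action):
                violations.append(f"{sid}: {action} is not a narrow read-only action")
            elif action in SENSITIVE:
                warnings.append(f"{sid}: {action} {SENSITIVE[action]}")
    return violations, warnings


def harden(policy: dict) -> dict:
    """Return a copy with an explicit Deny on API key reads.

    An explicit Deny overrides the apigateway:GET Allow for just these resources, so the
    auditor can still read REST API, stage and usage-plan configuration. API keys are
    addressed as arn:aws:apigateway:REGION::/apikeys/ID; the wildcard pattern below is an
    assumption you should confirm with the IAM policy simulator before relying on it.
    """
    hardened = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    hardened["Statement"].append({
        "Sid": "DenyApiKeyValues",
        "Effect": "Deny",
        "Action": "apigateway:GET",
        "Resource": "arn:aws:apigateway:*::/apikeys*",
    })
    return hardened


# Constructed sample: three statements taken from the guide's policy plus one bad statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LambdaReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["lambda:ListFunctions", "lambda:GetFunction", "lambda:GetFunctionConfiguration"]},
        {"Sid": "ApiGatewayReadOnly", "Effect": "Allow", "Resource": "*", "Action": ["apigateway:GET"]},
        {"Sid": "S3ReadOnlyMetadata", "Effect": "Allow", "Resource": "*",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]},
        {"Sid": "BadStatement", "Effect": "Allow", "Resource": "*",
         "Action": ["s3:Get*", "dynamodb:Scan", "lambda:UpdateFunctionCode"]},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    violations, warnings = lint(policy)
    for line in violations:
        print("VIOLATION", line)
    for line in warnings:
        print("WARNING  ", line)
    if not violations:
        print(json.dumps(harden(policy), indent=2))
    sys.exit(1 if violations else 0)
```

The naming test is deliberately strict: a wildcard such as s3:Get* is rejected even though most of what it expands to is metadata, because it also expands to s3:GetObject. Run against the full policy above, the script reports no violations and exactly three warnings, one for each of the actions discussed at the top of this step.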

Return to the role creation tab and:

  • Search for: CostAuditReadOnlyPolicy
  • Select it
  • Click Next

  • Role name: CostAuditReadOnly
  • Description: Read-only role for serverless cost audit

Click Create role


After creation:

  1. Open the role
  2. Copy the Role ARN

Example:

arn:aws:iam::123456789012:role/CostAuditReadOnly

Send this ARN to us before or during your onboarding call.
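Before sending the ARN, confirm that the trust policy the console generated is the one you intended. You can fetch it with `aws iam get-role --role-name CostAuditReadOnly --query Role.AssumeRolePolicyDocument`. The Python below is an added example, not the vendor's code: it builds the trust document the console should have produced for the account ID in this guide plus your external ID, and checks a document for the two things that matter, that the only principal is our account and that the sts:ExternalId condition is present with the right value. EXTERNAL_ID is a placeholder to be replaced with the value you were given, and SAMPLE_BAD_TRUST_POLICY is a constructed example of a mis-configured trust policy.

```python
"""Check the trust policy of the CostAuditReadOnly role.

Added example, not the audit vendor's code. Fetch the live document with
  aws iam get-role --role-name CostAuditReadOnly --query Role.AssumeRolePolicyDocument
and pipe it into this script, or call check_trust_policy() directly.
"""
import json
import sys

AUDITOR_ACCOUNT = "597437436252"                 # the account ID from this guide
EXTERNAL_ID = "replace-with-the-id-we-gave-you"  # placeholder, not a real external ID


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def expected_trust_policy(account_id: str, external_id: str) -> dict:
    """What the console generates for 'Another AWS account' + 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(doc: dict, account_id: str, external_id: str) -> list[str]:
    """Return a list of findings; an empty list means the trust policy is as expected."""
    findings = []
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    if len(allows) != 1:
        findings.append(f"expected exactly one Allow statement, found {len(allows)}")
    ok_principals = {account_id, f"arn:aws:iam::{account_id}:root"}
    for s in allows:
        principal = s.get("Principal", {})
        # Principal is either the string "*" or a map such as {"AWS": ...} / {"Service": ...}
        if isinstance(principal, dict):
            extra = set(principal) - {"AWS"}
            if extra:
                findings.append(f"unexpected principal types {sorted(extra)}")
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = _as_list(principal)
        for p in aws_principals:
            if p == "*":
                findings.append("Principal '*' lets any AWS account attempt to assume the role")
            elif p not in ok_principals:
                findings.append(f"unexpected principal {p}")
        for action in _as_list(s.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action {action}")
        cond = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond != external_id:
            findings.append("sts:ExternalId condition missing or does not match the external ID you were given")
    return findings


# Constructed example of a mis-configured trust policy: open to any account, no external ID.
SAMPLE_BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_BAD_TRUST_POLICY
    problems = check_trust_policy(doc, AUDITOR_ACCOUNT, EXTERNAL_ID)
    print("\n".join(problems) if problems else "trust policy OK")
    sys.exit(1 if problems else 0)
```

Note that a Principal of "*" is worse than it looks: with no external ID condition, any AWS account that knows the ARN can assume the role. An external ID alone is not a substitute for the account restriction either, since it is an identifier rather than a secret; the two checks work together.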

If you are deciding between access methods, see Which Option Should I Choose?.


Cost Explorer API calls from IAM users and roles are denied, whatever their policies say, until the account's root user activates IAM access to billing data. Check this setting before the onboarding call:

  • Sign in as the root user and go to Billing → Account Settings

  • Under IAM user and role access to billing information, enable:

    • IAM access to billing

This role allows:

  • Cost and billing analysis
  • Lambda configuration review
  • CloudWatch metrics access
  • API Gateway, DynamoDB, S3 metadata inspection
  • Tag analysis

This role does not allow:

  • Modifying infrastructure
  • Deploying code
  • Deleting resources
  • Accessing application data (object contents, table items, request payloads; Lambda configuration, including environment variables, is readable, as noted in Step 4)
  • Changing permissions

You can remove access at any time.

To delete the role:

  1. Go to IAM → Roles
  2. Search: CostAuditReadOnly
  3. Delete the role

If you get stuck, no problem - we’ll walk through this during your onboarding call.

If you prefer not to grant access, use Export AWS Cost & Usage Data.