Permissions Explained
This page explains the permissions used during the audit and why they are required.
For complete setup steps, see AWS Read-Only IAM Role Setup.
We use a least-privilege, read-only policy that only grants access needed to analyze cost, usage, and configuration.
Overview
Section titled “Overview”The permissions we request fall into a small number of categories:
- Cost and billing data
- Usage metrics
- Infrastructure configuration
- Resource metadata (tags, structure)
Each category supports a specific part of the audit.
Cost and Billing Data
Section titled “Cost and Billing Data”Used to understand how your cloud spend is distributed.
This allows us to:
- Identify your highest cost services
- Analyze cost trends over time
- Estimate potential savings
This data comes from AWS billing and cost reporting services.
Usage Metrics
Section titled “Usage Metrics”Used to understand how your system is being used.
This allows us to:
- Analyze request volume and activity
- Identify inefficiencies in usage patterns
- Detect areas of unnecessary cost
These metrics come from services like CloudWatch.
Infrastructure Configuration
Section titled “Infrastructure Configuration”Used to understand how your system is set up.
This allows us to:
- Review settings such as Lambda memory and timeouts
- Identify over-provisioned or inefficient configurations
- Detect opportunities for optimization
We only read configuration—we do not change it.
Resource Metadata
Section titled “Resource Metadata”Used to understand how your system is organized.
This includes:
- Tags
- Resource relationships
- Service structure
This helps us group and analyze costs more effectively.
What We Do NOT Access
Section titled “What We Do NOT Access”We do not request permissions for:
- Application data
- Database contents
- S3 object contents
- Secrets or credentials
The audit is focused entirely on infrastructure and cost data.
Why Not Use Full Read-Only Access?
Section titled “Why Not Use Full Read-Only Access?”AWS provides a broad ReadOnlyAccess policy that grants access to nearly all services.
We do not use this policy.
Instead, we use a custom policy that only includes permissions required for:
- Cost analysis
- Usage analysis
- Configuration review
This reduces unnecessary access and improves security.
Summary
Section titled “Summary”The permissions requested are:
- Read-only
- Limited in scope
- Focused only on cost and infrastructure analysis
They are designed to provide the data needed for the audit while minimizing access to your system.
Questions?
Section titled “Questions?”If you have any questions about permissions or access, feel free to reach out.
You can also review Security & Data Handling for a broader overview.