Stax follows AWS's IAM best practices for granting a third party access to your account, as described in AWS's IAM documentation: a cross-account IAM role in your account that the third party assumes, rather than access keys handed over.

In practice, we help you create an IAM role in your account that gives Stax scoped access to your AWS account APIs. The role's trust policy controls who may assume it, and the permissions attached to it (described below) control what can be read.

AWS Billing Data

We help you see and analyze your billing data.

We read it through AWS's programmatic billing access feature, which delivers billing report files on a regular schedule into an S3 bucket that you designate.

(Programmatic billing access must already be enabled in your AWS Billing preferences; if it isn't, enable it before on-boarding.)

Our IAM role is granted read permission on that billing bucket only; it cannot read objects in any other S3 bucket. If you want to verify this yourself, check the Resource element of the S3 statements in the template: it should name the billing bucket's ARN (and its objects), not a wildcard.

If you have a single account, this S3 bucket exists in that account.

If you have multiple accounts, they will usually be consolidated under a single "root" or "payer" account so that you receive one bill. (AWS calls this Consolidated Billing; it is now a feature of AWS Organizations.) In that case the billing bucket lives in the payer account, and the billing role must be created there.

The billing account permissions are provided by the CloudFormation template given here:

https://s3-ap-southeast-2.amazonaws.com/stax-public-resources/stax-iam-role-billing-cfn.json

(Note that this template also includes the "Service Data" permissions described below, since a payer account can also run services of its own.)

AWS Service Data

Billing data alone is not enough to assess waste and hygiene in your AWS environment: we also need to know how heavily each service is used and how it is configured.

This is still read-only access and gives us no access to your customer data. The permissions return configuration and usage metadata (resource types, settings, tags, metrics), not the contents of S3 objects, database rows or similar.

In AWS IAM terminology, we ask for Describe* and List* permissions on each service.

IAM is not consistent across services, so a few need slightly different permissions. Occasionally we need a specific, vetted Get permission. These are always listed individually by action name, never as a Get* wildcard, so that you can audit exactly what is granted.

NOTE: Do not use the managed ReadOnlyAccess policy. Stax uses a least-privilege permission model, and that policy grants far more access to your customer data than we need: among other things, it allows the role to read S3 objects and DynamoDB items. If we detect that this policy has been attached to the role, we halt on-boarding of that account until it has been removed.
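The constraints above (S3 read access scoped to the billing bucket only, Describe*/List* plus individually named Get actions, no managed ReadOnlyAccess, and a trust policy restricted to the third party's account with an external ID as AWS's third-party access guidance recommends) can be checked offline before you create the stack. The audit below is an added example, not Stax's template or tooling; the account ID, external ID, bucket name and policy documents in it are constructed placeholders, and it goes slightly beyond the page by also checking the role's trust policy.

```python
"""Offline audit of a cross-account IAM role definition against the
constraints described in this article. Added example, not Stax's code;
every identifier below is a constructed placeholder (assumption)."""
import fnmatch

READ_ONLY_MANAGED = "arn:aws:iam::aws:policy/ReadOnlyAccess"
STAX_ACCOUNT_ID = "123456789012"            # assumption: placeholder third-party account
BILLING_BUCKET = "example-billing-reports"  # assumption: placeholder billing bucket


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def make_role(third_party_account, billing_bucket, service_actions,
              managed_policy_arns=(), external_id="example-external-id"):
    """Build a role definition in the shape audit_role() expects (constructed sample)."""
    trust = {"Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{third_party_account}:root"},
             "Action": "sts:AssumeRole"}
    if external_id is not None:
        trust["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {
        "RoleName": "StaxAccess",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [trust]},
        "ManagedPolicyArns": list(managed_policy_arns),
        "Policies": [
            {"PolicyName": "StaxBillingRead",
             "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Action": "s3:ListBucket",
                  "Resource": f"arn:aws:s3:::{billing_bucket}"},
                 {"Effect": "Allow", "Action": "s3:GetObject",
                  "Resource": f"arn:aws:s3:::{billing_bucket}/*"}]}},
            {"PolicyName": "StaxServiceRead",
             "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Action": list(service_actions), "Resource": "*"}]}},
        ],
    }


def audit_role(role, billing_bucket, third_party_account):
    """Return a list of findings; an empty list means the role meets the constraints."""
    findings = []
    if READ_ONLY_MANAGED in role.get("ManagedPolicyArns", []):
        findings.append("managed ReadOnlyAccess policy attached")

    # Trust policy: only the named third party may assume the role, and only
    # with an external ID (AWS's guidance for third-party cross-account access).
    for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if principal == "*" or f":{third_party_account}:" not in principal:
                findings.append(f"trust policy allows unexpected principal {principal}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust policy has no sts:ExternalId condition")

    bucket_arn = f"arn:aws:s3:::{billing_bucket}"
    for policy in role.get("Policies", []):
        name = policy["PolicyName"]
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            resources = _as_list(stmt["Resource"])
            for action in _as_list(stmt["Action"]):
                service, _, verb = action.partition(":")
                if action == "*" or verb == "*":
                    findings.append(f"{name}: full wildcard {action}")
                elif verb.startswith(("Describe", "List")):
                    pass  # Describe*/List*, wildcards included, are the baseline grant
                elif "*" in verb:
                    findings.append(f"{name}: wildcard outside Describe*/List*: {action}")
                elif not verb.startswith("Get"):
                    findings.append(f"{name}: non-read action {action}")
                # Any S3 action that can read objects or list a bucket must be
                # scoped to the billing bucket, never granted on Resource "*".
                if service == "s3" and any(fnmatch.fnmatch(v, verb) for v in ("GetObject", "ListBucket")):
                    for res in resources:
                        if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                            findings.append(f"{name}: {action} on {res} is outside the billing bucket")
    return findings


# Constructed samples: one role as the article describes, one that breaks the rules.
GOOD_ROLE = make_role(STAX_ACCOUNT_ID, BILLING_BUCKET,
                      ["ec2:Describe*", "rds:Describe*", "cloudwatch:List*",
                       "cloudwatch:GetMetricStatistics", "s3:ListAllMyBuckets"])
BAD_ROLE = make_role(STAX_ACCOUNT_ID, BILLING_BUCKET,
                     ["ec2:Describe*", "s3:Get*", "dynamodb:*"],
                     managed_policy_arns=[READ_ONLY_MANAGED], external_id=None)

if __name__ == "__main__":
    for label, role in (("good", GOOD_ROLE), ("bad", BAD_ROLE)):
        print(label, audit_role(role, BILLING_BUCKET, STAX_ACCOUNT_ID) or "no findings")
```

Run it against the role you are about to deploy (for a real template, flatten the Role resource's properties into the same shape): a clean result means the S3 grant names only the billing bucket, every wildcard is a Describe* or List*, each Get is spelled out, and the role can only be assumed by the expected account with the expected external ID. Note that the check is syntactic; it does not evaluate IAM's full policy semantics (NotAction, Deny ordering, condition keys beyond the external ID).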

The service data permissions are provided by the CloudFormation template given here:

https://s3-ap-southeast-2.amazonaws.com/stax-public-resources/stax-iam-role-service-cfn.json

Problems

If you have any problems or concerns about the Stax IAM permissions, please get in touch at hello@stax.io. Security is our highest priority, so any feedback is useful.
