Cost and Compliance Module IAM Role Permissions
Stax uses AWS IAM best practices for enabling third-party access to accounts, as described by AWS.
This guidance assumes you're subscribed only to the Cost & Compliance module of Stax. If your AWS accounts are Stax-managed, Stax takes care of this for you. See Deploy the Stax-Provisioning IAM Role for more on how access to Stax-managed accounts is controlled.
AWS Billing Data
Stax helps you to see and analyze your billing data. Stax accesses that data using AWS's programmatic billing access APIs, which work by having AWS place billing report files at regular intervals into a designated S3 bucket.
Stax's IAM role specifies read permissions on this S3 bucket only; it reads files in no other S3 bucket. If you have a single account, this S3 bucket exists in that account.
If your AWS accounts are consolidated into an AWS Organization, this bucket resides in the Organization's management account.
The permissions can be reviewed in the Billing CloudFormation template.
The CloudFormation template also includes the "Service Role" permissions described below, since a management account can also be a service account.
AWS Service Role Data
Stax needs more than just the billing data to check the wastage and hygiene of your AWS environment. It needs to know how utilized each service is, and how each is set up. This is still read-only access and gives Stax no access to the data stored inside your AWS resources.
In AWS IAM terminology, Stax requires Describe* and List* permissions on each service.
From time to time, AWS service APIs do not consistently expose read-only functionality through Describe* and List* actions. On these occasions, Stax requires specific Get permissions. These are always listed individually and never as wildcards, to keep the role's permissions as narrow as possible.
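To make the permission model above concrete, here is an added example (not Stax's actual policy or CloudFormation template) of what a read-only third-party audit role looks like in IAM policy terms, together with a small checker that enforces the rules the page states: S3 access limited to the one designated billing bucket, Describe* and List* actions on services, and any Get action spelled out explicitly with no wildcard. The bucket name, account ids and ExternalId value are constructed placeholders; the action names are real IAM actions chosen for illustration. The ExternalId condition comes from the AWS third-party-access guidance the page refers to; whether Stax's own role uses one is an assumption, not something the page states.

```python
"""Added example: shape of a read-only third-party audit role, plus a checker
for the permission rules described above. Not Stax's actual policy or
CloudFormation template; all identifiers are constructed placeholders."""
import json

BILLING_BUCKET = "example-org-billing-reports"        # constructed placeholder
VENDOR_ACCOUNT_ID = "222222222222"                     # constructed placeholder
EXTERNAL_ID = "replace-with-external-id-from-vendor"   # constructed placeholder


def trust_policy():
    """Who may assume the role. AWS's third-party-access guidance pairs the
    vendor account principal with an ExternalId condition so the vendor cannot
    be tricked into using this role on someone else's behalf (confused deputy).
    Assumption: the page does not say whether Stax's role uses an ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        }],
    }


def permissions_policy():
    """What the role may do: read the billing bucket, describe/list services,
    and a few explicitly named Get actions where Describe*/List* do not cover
    the read-only API (illustrative choice of services, not Stax's list)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Billing data: read only the designated bucket, no other bucket
                "Sid": "ReadBillingBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation"],
                "Resource": [f"arn:aws:s3:::{BILLING_BUCKET}",
                             f"arn:aws:s3:::{BILLING_BUCKET}/*"],
            },
            {   # Service configuration: Describe*/List* plus explicit Get actions
                "Sid": "DescribeServices",
                "Effect": "Allow",
                "Action": ["ec2:Describe*", "rds:Describe*", "iam:List*",
                           "lambda:List*",
                           "cloudwatch:GetMetricStatistics",      # no wildcard
                           "lambda:GetFunctionConfiguration"],    # no wildcard
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def policy_violations(policy, billing_bucket):
    """Return human-readable violations of the read-only contract:
    - s3 actions may only target the designated billing bucket;
    - every other action must be Describe*/List*, or a Get action written
      out in full (a Get wildcard such as ec2:Get* is a violation);
    - NotAction/NotResource statements are flagged because their effective
      grant cannot be reasoned about by prefix."""
    allowed_s3 = {f"arn:aws:s3:::{billing_bucket}",
                  f"arn:aws:s3:::{billing_bucket}/*"}
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append("NotAction/NotResource statement cannot be verified")
            continue
        for action in _as_list(stmt["Action"]):
            if ":" not in action:  # bare "*" grants everything
                problems.append(f"{action}: bare wildcard action")
                continue
            service, name = action.split(":", 1)
            if service == "s3":
                outside = [r for r in _as_list(stmt["Resource"]) if r not in allowed_s3]
                if outside:
                    problems.append(f"{action}: resources outside billing bucket {outside}")
            if name.startswith(("Describe", "List")):
                continue  # wildcards are acceptable here, e.g. ec2:Describe*
            if name.startswith("Get") and "*" not in name:
                continue  # explicitly named Get permission
            problems.append(f"{action}: not Describe*/List* or an explicit Get")
    return problems


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print("violations:", policy_violations(permissions_policy(), BILLING_BUCKET))
```

Running the checker against a policy before attaching it (or as a CI step over a CloudFormation template's rendered policy) is a cheap way to catch an accidental `s3:GetObject` on `Resource: "*"` or a `Get*` wildcard slipping into a role that is meant to be read-only and bucket-scoped.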