IAM Role Permissions

The Stax Cost & Compliance Module IAM role is read-only and provides Stax no access to customer data.

Stax uses AWS IAM best practices for enabling third-party access to accounts, as described on the AWS website.

We help you create an IAM role that gives Stax safe and secure access to your AWS account APIs.

This guidance assumes you're subscribed to only the Stax Cost & Compliance module. If your AWS accounts are Stax-managed, Stax takes care of this for you.

AWS Billing Data

We help you see and analyze your billing data.

We access this data using AWS's programmatic billing access APIs, which work by regularly placing billing files into a designated S3 bucket.

Our IAM role specifies read permissions on this S3 bucket only; we read files in no other S3 buckets.

If you have a single account, this S3 bucket exists in that account.

If you have multiple accounts, they will usually be consolidated into a single "root" or "payer" account, so that you only need to pay one bill. (AWS calls this Consolidated Billing. More recently they've made it part of AWS Organizations.) In these cases, the S3 bucket will exist in the payer account.

The billing account permissions are provided by the Billing CloudFormation template.

The billing template also includes the "Service Role" permissions given below, as billing accounts can also be service accounts.

AWS Service Role Data

We need more than just the billing data to check the wastage and hygiene of your AWS environment. We need to know how heavily each service is utilized and how it is set up.

This is still read-only access and gives us no access to your customer data.

In AWS IAM terminology, we ask for Describe* and List* permissions on each service.

IAM is inconsistent, so some services are slightly different. Occasionally we need to ask for some specific and vetted Get permissions. These are always listed individually, never as wildcards, to protect you and to let you audit them.

Do not use the managed ReadOnlyAccess policy. Stax uses a least-privilege permission model, and that policy grants too much access to your customer data. It allows the role to read S3 files and DynamoDB data, amongst other things. If we detect that this policy has been used, then we’ll halt on-boarding of that account until the problem can be rectified.

The service role permissions are provided by the Service Role CloudFormation template.
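One way to audit a role against the rules above before on-boarding, as an added example (not Stax's own code or its detection logic). The function name, bucket name and sample policy are constructed, and treating any S3 Get action outside the billing bucket as a finding is an assumption of this sketch.

```python
READONLY_ACCESS_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # AWS managed policy

def _as_list(value):
    # IAM allows Action/Resource/Statement to be a single value or a list.
    return value if isinstance(value, list) else [value]

def audit_role(policy, attached_arns, billing_bucket):
    """Return findings for a role's policy document and attached managed policy ARNs."""
    findings = []
    if READONLY_ACCESS_ARN in attached_arns:
        findings.append("managed ReadOnlyAccess policy is attached")
    bucket_arns = {f"arn:aws:s3:::{billing_bucket}", f"arn:aws:s3:::{billing_bucket}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction grants everything not listed")
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.lower().partition(":")  # IAM actions are case-insensitive
            if verb in ("describe*", "list*"):
                continue  # the only wildcards the page permits
            if "*" in action:
                findings.append(f"wildcard outside Describe*/List*: {action}")
            elif not verb.startswith(("describe", "list", "get")):
                findings.append(f"not a read action: {action}")
            elif service == "s3" and verb.startswith("get") and set(resources) - bucket_arns:
                findings.append(f"{action} allowed outside the billing bucket")
    return findings

# Constructed sample: two acceptable statements followed by two violations.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "rds:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-billing-bucket",
                      "arn:aws:s3:::example-billing-bucket/*"]},
        {"Effect": "Allow", "Action": "dynamodb:Get*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-data/*"},
    ],
}

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_POLICY, [READONLY_ACCESS_ARN], "example-billing-bucket"):
        print("FINDING:", finding)
```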


If you have any problems or concerns about the Stax IAM permissions, please raise a support case.

