IAM Role Permissions
The Stax Cost & Compliance Module IAM role is read-only and provides Stax no access to customer data.
Stax uses AWS IAM best practices for enabling third-party access to accounts, as described on the AWS website.
In short, we help you create an IAM role that gives Stax secure access to your AWS account APIs.
AWS Billing Data
We help you see and analyze your billing data.
We access it using AWS's programmatic billing access APIs, which work by regularly placing billing files into a designated S3 bucket.
Our IAM role specifies read permissions on this S3 bucket only; we read files in no other S3 buckets.
If you have a single account, this S3 bucket exists in that account.
If you have multiple accounts, they will usually be consolidated into a single "root" or "payer" account, so that you only need to pay one bill. (AWS calls this Consolidated Billing. More recently they've made it part of AWS Organizations.) In these cases, the S3 bucket will exist in the payer account.
The billing account permissions are provided by the Billing CloudFormation template.
The billing template also includes the "Service Role" permissions given below, as billing accounts can also be service accounts.
AWS Service Role Data
We need more than just the billing data to check the wastage and hygiene of your AWS environment. We need to know how heavily each service is used and how it is configured.
This is still read-only access and gives us no access to your customer data.
In AWS IAM terminology, we ask for Describe* and List* permissions on each service.
IAM action naming is not uniform across services, so some services differ slightly. Occasionally we need to ask for specific, vetted Get permissions. These are always called out individually, never as wildcards, so that you are protected and can audit them.
The service role permissions are provided by the Service Role CloudFormation template.
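As an added check (not Stax's own code or templates), the following Python audits an IAM policy document against the conventions described above: wildcards only for Describe* and List*, Get actions named individually, and S3 object reads pinned to the billing bucket. The policy contents and bucket name are constructed placeholders.

```python
"""Audit a third-party IAM policy for read-only conventions.

Allowed: any Describe*/List* action, or an explicitly named Describe/List/Get action.
Flagged: wildcard Get* or broader wildcards, write verbs, and s3:GetObject whose
Resource is not scoped to the single billing bucket.
"""
import json
import re

# Constructed sample policy modelled on the conventions above; bucket name is a placeholder.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "rds:Describe*", "s3:ListAllMyBuckets",
                    "cloudwatch:GetMetricStatistics"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-billing-bucket",
                      "arn:aws:s3:::example-billing-bucket/*"]},
    ],
})

# Constructed counter-example: wildcard Get, a write verb, and an unscoped object read.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:Get*", "ec2:TerminateInstances", "s3:GetObject"],
                   "Resource": "*"}],
})

SAFE_WILDCARD = re.compile(r"^[a-z0-9-]+:(Describe|List)\*$")
EXPLICIT_READ = re.compile(r"^[a-z0-9-]+:(Describe|List|Get)[A-Za-z0-9]+$")


def audit_policy(policy_json: str, billing_bucket: str) -> list:
    """Return human-readable violations; an empty list means the policy follows the convention."""
    violations = []
    bucket_arns = {f"arn:aws:s3:::{billing_bucket}", f"arn:aws:s3:::{billing_bucket}/*"}
    for idx, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if SAFE_WILDCARD.match(action):
                continue
            if EXPLICIT_READ.match(action):
                # Object reads must be pinned to the billing bucket, never Resource "*"
                if action == "s3:GetObject" and not set(resources) <= bucket_arns:
                    violations.append(f"statement {idx}: {action} not scoped to {billing_bucket}")
                continue
            violations.append(f"statement {idx}: {action} is not Describe*/List* or a named read action")
    return violations
```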
If you have any problems or concerns about the Stax IAM permissions, please raise a support case.