IAM Role Permissions

The Stax IAM role is read-only and provides Stax no access to customer data


Stax uses AWS IAM best practices for enabling third-party access to accounts, as described on the AWS site here.

In short, we help you create an IAM role that gives Stax safe and secure access to your AWS account APIs.

AWS Billing Data

We help you see and analyze your billing data.

We access this data using AWS's programmatic billing access APIs, which work by regularly placing billing files into a designated S3 bucket.

Our IAM role specifies read permissions on this S3 bucket only; we read files in no other S3 buckets.

If you have a single account, this S3 bucket exists in that account.

If you have multiple accounts, they will usually be consolidated into a single "root" or "payer" account, so that you only need to pay one bill. (AWS calls this Consolidated Billing. More recently they've made it part of AWS Organizations.) In these cases, the S3 bucket will exist in the payer account.

The billing account permissions are provided by the CloudFormation template given here:


(Note that these also include the "Service Data" permissions given below, as billing accounts can also be service accounts.)

AWS Service Data

We need more than just the billing data to assess the waste and hygiene of your AWS environment. We need to know how heavily each service is utilized and how it is configured.

This is still read-only access and gives us no access to your customer data.

In AWS IAM terminology, we ask for Describe* and List* permissions on each service.

IAM is inconsistent across services, so some require slightly different permissions. Occasionally we need to ask for specific, vetted Get permissions. These are always called out individually, never as wildcards, to protect you and to let you audit them.

Do _not_ use the managed **ReadOnlyAccess** policy. Stax uses a least-privilege permission model, and that policy grants too much access to your customer data: it allows the role to read S3 objects and DynamoDB data, amongst other things. If we detect that this policy has been used, we'll halt on-boarding of that account until the problem can be rectified.
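As an added illustration (not Stax's code or its CloudFormation template), the following Python audit applies the rules from this section to a role's attached and inline policies: it flags the managed ReadOnlyAccess policy, wildcard actions other than Describe*/List*, write actions, and S3 reads outside the billing bucket. The bucket name and the two policy documents are constructed samples.

```python
READONLY_MANAGED_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # real AWS-managed policy ARN
BILLING_BUCKET = "example-billing-bucket"  # constructed placeholder name

def _as_list(value):
    # IAM accepts a string or a list for Action and Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def audit_role(attached_policy_arns, policy_documents, billing_bucket=BILLING_BUCKET):
    """Return findings that violate the model above; an empty list means the role conforms."""
    findings = []
    if READONLY_MANAGED_ARN in attached_policy_arns:
        findings.append("managed ReadOnlyAccess policy is attached")
    allowed_s3 = {f"arn:aws:s3:::{billing_bucket}", f"arn:aws:s3:::{billing_bucket}/*"}
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue  # Deny statements never widen access
            resources = set(_as_list(stmt.get("Resource", [])))
            for action in _as_list(stmt.get("Action", [])):
                service, _, verb = action.partition(":")
                if action == "*" or verb == "*":
                    findings.append(f"wildcard action '{action}' grants more than read access")
                elif verb.startswith(("Describe", "List")):
                    continue  # the expected read-only pattern
                elif verb.startswith("Get") and "*" not in verb:
                    # A specific Get is acceptable, but S3 reads must stay on the billing bucket
                    if service == "s3" and not resources <= allowed_s3:
                        findings.append(f"'{action}' allowed outside the billing bucket")
                else:
                    findings.append(f"'{action}' is neither Describe*/List* nor a specific Get")
    return findings

# Constructed sample documents (not Stax's template).
COMPLIANT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "rds:Describe*", "lambda:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BILLING_BUCKET}", f"arn:aws:s3:::{BILLING_BUCKET}/*"]},
]}
OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-data/*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:TerminateInstances"], "Resource": "*"},
]}

if __name__ == "__main__":
    print(audit_role([], [COMPLIANT]))                      # []
    print(audit_role([READONLY_MANAGED_ARN], [OVERBROAD]))  # four findings
```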

The service data permissions are provided by the CloudFormation template given here:



If you have any problems or concerns about the Stax IAM permissions, please get in touch with support@stax.io. Security is our highest priority, so any feedback is useful.