Permissions needed to link AWS to Stax Cost & Compliance

Firstly, you need to be an administrator of your AWS accounts to link them to Stax.


Stax Spotlight accesses your AWS metadata using AWS best practices, as described here.

We believe that the right way to manage infrastructure is always to use automation, as this gives you safety and repeatability. Best practice for AWS automation is to use AWS CloudFormation.

With that in mind, we provide a CloudFormation script which creates the IAM roles we need. To perform the linking, your user needs the ability to create a CloudFormation stack and the ability to create an IAM role.

In terms of specific IAM permissions, these are:

  • cloudformation:CreateStack
  • iam:CreateRole
  • iam:CreatePolicy
  • iam:AttachRolePolicy

If your IAM user has the AdministratorAccess managed policy attached, then these are included. You can also use the root IAM user, though that is not best practice and we don't recommend taking any actions as the root IAM user. (This is one of the things that Stax Cost & Compliance checks for!)
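
As a pre-flight check before linking, the sketch below (an added example, not Stax's or AWS's own code) takes the IAM policy documents attached to a user and reports which of the four actions listed above are missing or explicitly denied. The function names and sample policies are assumptions constructed for illustration, and the evaluation is deliberately simplified to `Effect` and `Action` only.

```python
import fnmatch

# The four actions the page lists as required for linking.
REQUIRED_ACTIONS = [
    "cloudformation:CreateStack",
    "iam:CreateRole",
    "iam:CreatePolicy",
    "iam:AttachRolePolicy",
]

def _as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    """Case-insensitive match against IAM-style wildcard patterns (* and ?)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy_documents, required=REQUIRED_ACTIONS):
    """Return the required actions that are not allowed, or are explicitly denied.

    Simplified on purpose: only Effect and Action are evaluated. Resource,
    Condition, NotAction, permissions boundaries and SCPs are ignored.
    """
    allowed, denied = [], []
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            bucket.extend(_as_list(stmt.get("Action")))
    return [a for a in required if _matches(a, denied) or not _matches(a, allowed)]

# Constructed sample policies (not from the page).
ADMIN_LIKE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PARTIAL = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["cloudformation:*", "iam:Create*"], "Resource": "*"}}
DENY_POLICY_CREATION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:createpolicy", "Resource": "*"}]}

if __name__ == "__main__":
    for name, docs in [("admin-like", [ADMIN_LIKE]), ("partial", [PARTIAL]),
                       ("admin + deny", [ADMIN_LIKE, DENY_POLICY_CREATION])]:
        print(name, "missing:", missing_actions(docs) or "none")
```

An explicit `Deny` wins over any `Allow`, which is why an administrator-style policy combined with a deny statement still reports a missing action. For an authoritative answer against a live account, the IAM policy simulator evaluates the full policy logic that this sketch leaves out.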