Why we need permissions

To deliver savings, we analyse your AWS usage and apply commitment-based discounts on your behalf. This is done through a cross-account IAM role that you create in your payer account with our CloudFormation template. The role follows the principle of least privilege. We only receive the access strictly necessary to:
  1. Read cost and usage data.
  2. Detect optimisation opportunities.
  3. Manage the lifecycle of our .

Monitoring (Read-Only)

These permissions let MilkStraw AI monitor your spend and resources without touching your workloads.
Cost management
ce:Describe*
ce:Get*
ce:List*
ce:StartSavingsPlansPurchaseRecommendationGeneration
pricing:DescribeServices
pricing:GetAttributeValues
pricing:GetProducts
savingsplans:Describe*
savingsplans:List*
cloudwatch:GetMetricData
Compute & DataStores
ec2:Describe*
ecs:Describe*
ecs:List*
eks:Describe*
eks:List*
lambda:Get*
lambda:List*
rds:Describe*
rds:List*
elasticache:Describe*
elasticache:List*
memorydb:Describe*
redshift:Describe*
redshift:Get*
redshift:List*
sagemaker:Describe*
sagemaker:Get*
sagemaker:List*
application-autoscaling:Describe*
autoscaling:Describe*
es:Describe*
es:List*

Integration management

These actions are required to integrate MilkBox accounts into your AWS Organization.
organizations:CreateOrganization
organizations:Describe*
organizations:InviteAccountToOrganization
organizations:List*
organizations:InviteAccountToOrganization is used solely to invite MilkBox accounts.

EC2 reservation management

We use these permissions to maintain existing EC2 reservations on your account, if required.
ec2:AcceptReservedInstancesExchangeQuote
ec2:CancelReservedInstancesListing
ec2:CreateReservedInstancesListing
ec2:DeleteQueuedReservedInstances
ec2:ModifyReservedInstances
ec2:PurchaseReservedInstancesOffering

Other essential operations

Budgets
budgets:CreateBudgetAction
budgets:DeleteBudgetAction
budgets:Describe*
budgets:ExecuteBudgetAction
budgets:ListTagsForResource
budgets:ModifyBudget
budgets:UpdateBudgetAction
budgets:ViewBudget
Support
support:Add*
support:Describe*
support:GetInteraction
support:Initiate*
support:PutCaseAttributes
support:RateCaseCommunication
support:SearchForCases
support:StartInteraction
Service quotas
servicequotas:Get*
servicequotas:List*
servicequotas:AssociateServiceQuotaTemplate
servicequotas:PutServiceQuotaIncreaseRequestIntoTemplate
servicequotas:RequestServiceQuotaIncrease

Review the full policy

You can always inspect the exact IAM policy generated by our CloudFormation stack: View the JSON policy ↗
Feel free to reach out if you have any questions about security or least-privilege access.
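Before deploying any third-party cross-account role, it is worth checking that the policy the stack actually creates grants nothing beyond what this page documents. The script below is an added example written for that review; it is not MilkStraw's code or part of the CloudFormation template. The action patterns are copied from the sections above, the policy it audits is a constructed sample (including one deliberately undocumented action, s3:GetObject, so the report is not empty), and in practice you would load the JSON policy linked above instead. IAM action names are case-insensitive, so matching is done on lower-cased strings, and a policy action carrying its own wildcard (for example ec2:*) is accepted only if it is exactly one of the documented patterns.

```python
"""Audit an IAM policy document against the permission sets documented on this page."""
import fnmatch
import json

# Action patterns documented above, grouped by section (copied from the page).
DOCUMENTED = {
    "monitoring (read-only)": [
        "ce:Describe*", "ce:Get*", "ce:List*",
        "ce:StartSavingsPlansPurchaseRecommendationGeneration",
        "pricing:DescribeServices", "pricing:GetAttributeValues", "pricing:GetProducts",
        "savingsplans:Describe*", "savingsplans:List*", "cloudwatch:GetMetricData",
        "ec2:Describe*", "ecs:Describe*", "ecs:List*", "eks:Describe*", "eks:List*",
        "lambda:Get*", "lambda:List*", "rds:Describe*", "rds:List*",
        "elasticache:Describe*", "elasticache:List*", "memorydb:Describe*",
        "redshift:Describe*", "redshift:Get*", "redshift:List*",
        "sagemaker:Describe*", "sagemaker:Get*", "sagemaker:List*",
        "application-autoscaling:Describe*", "autoscaling:Describe*",
        "es:Describe*", "es:List*",
    ],
    "integration management": [
        "organizations:CreateOrganization", "organizations:Describe*",
        "organizations:InviteAccountToOrganization", "organizations:List*",
    ],
    "ec2 reservation management": [
        "ec2:AcceptReservedInstancesExchangeQuote", "ec2:CancelReservedInstancesListing",
        "ec2:CreateReservedInstancesListing", "ec2:DeleteQueuedReservedInstances",
        "ec2:ModifyReservedInstances", "ec2:PurchaseReservedInstancesOffering",
    ],
    "other essential operations": [
        "budgets:CreateBudgetAction", "budgets:DeleteBudgetAction", "budgets:Describe*",
        "budgets:ExecuteBudgetAction", "budgets:ListTagsForResource", "budgets:ModifyBudget",
        "budgets:UpdateBudgetAction", "budgets:ViewBudget",
        "support:Add*", "support:Describe*", "support:GetInteraction", "support:Initiate*",
        "support:PutCaseAttributes", "support:RateCaseCommunication",
        "support:SearchForCases", "support:StartInteraction",
        "servicequotas:Get*", "servicequotas:List*",
        "servicequotas:AssociateServiceQuotaTemplate",
        "servicequotas:PutServiceQuotaIncreaseRequestIntoTemplate",
        "servicequotas:RequestServiceQuotaIncrease",
    ],
}


def classify_action(action):
    """Return the documented section that covers `action`, or None.

    IAM action names are case-insensitive, so everything is compared lower-cased.
    A policy action that itself contains a wildcard is accepted only when it is
    exactly one of the documented patterns; anything broader (e.g. "ec2:*")
    would grant more than the page lists and is reported as undocumented.
    """
    a = action.lower()
    for section, patterns in DOCUMENTED.items():
        for pattern in patterns:
            p = pattern.lower()
            if a == p or ("*" not in a and fnmatch.fnmatchcase(a, p)):
                return section
    return None


def audit_policy(policy):
    """Compare every Allow statement of an IAM policy document with the
    documented sets. Returns covered actions grouped by section plus a list of
    actions (or NotAction clauses) the page does not account for."""
    covered = {section: [] for section in DOCUMENTED}
    undocumented = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to check here
        if "NotAction" in stmt:
            # NotAction allows everything except what is listed: never least privilege
            undocumented.append("NotAction=" + json.dumps(stmt["NotAction"]))
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            section = classify_action(action)
            if section is None:
                undocumented.append(action)
            else:
                covered[section].append(action)
    return {"covered": covered, "undocumented": undocumented}


# Constructed sample policy (not the real template): a few documented actions
# plus s3:GetObject, which the page does not list, so the audit reports it.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ce:GetCostAndUsage", "ec2:DescribeInstances", "cloudwatch:GetMetricData"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["organizations:InviteAccountToOrganization", "organizations:Describe*"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ec2:ModifyReservedInstances"},
        {"Effect": "Allow", "Resource": "*", "Action": ["budgets:ViewBudget", "s3:GetObject"]},
    ],
}

if __name__ == "__main__":
    report = audit_policy(SAMPLE_POLICY)
    for section, actions in report["covered"].items():
        print(f"{section}: {actions}")
    print("undocumented:", report["undocumented"])  # ['s3:GetObject']
```

To run it against the real stack, replace SAMPLE_POLICY with the policy document from the linked JSON (or fetch it with `aws iam get-role-policy` / `get-policy-version` once the role exists) and treat any non-empty `undocumented` list as a question to raise before granting the trust.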