Why We Need Permissions

To deliver savings, we analyse your AWS usage and apply commitment-based discounts on your behalf. This is done through a cross-account IAM role that you create in your management (payer) account with our CloudFormation template. The role follows the principle of least privilege: we only receive the access strictly necessary to:

  1. Read cost and usage data.
  2. Detect optimisation opportunities.
  3. Manage the lifecycle of our .

Below is a breakdown of the permissions granted to that role.


Monitoring and Data Collection (Read-Only)

These permissions let MilkStraw AI monitor your spend and resources without touching your workloads. All of them are Describe, Get or List calls, with one exception: ce:StartSavingsPlansPurchaseRecommendationGeneration asks Cost Explorer to regenerate its Savings Plans purchase recommendation and does not modify any resource.

Cost Management

ce:Describe*
ce:Get*
ce:List*
pricing:DescribeServices
pricing:GetAttributeValues
pricing:GetProducts
savingsplans:Describe*
savingsplans:List*
ce:StartSavingsPlansPurchaseRecommendationGeneration
cloudwatch:GetMetricData

Compute & Databases

ec2:Describe*
ecs:Describe*
ecs:List*
eks:Describe*
eks:List*
lambda:Get*
lambda:List*
rds:Describe*
rds:List*
elasticache:Describe*
elasticache:List*
memorydb:Describe*
redshift:Describe*
redshift:Get*
redshift:List*
sagemaker:Describe*
sagemaker:Get*
sagemaker:List*
application-autoscaling:Describe*
autoscaling:Describe*
es:Describe*
es:List*

Integration Management

These actions are required to integrate MilkBox accounts into your AWS Organization.

organizations:CreateOrganization
organizations:Describe*
organizations:InviteAccountToOrganization
organizations:List*

organizations:InviteAccountToOrganization is used solely to invite MilkBox accounts. Every invitation issued through the role is recorded by CloudTrail in your management account, so you can verify which accounts were invited.


EC2 Reservation Management

We manage the lifecycle of Savings Plans and Reserved Instances on the MilkBox accounts that cover your usage. The only write actions on EC2 reservations granted to the role are:

ec2:AcceptReservedInstancesExchangeQuote
ec2:CancelReservedInstancesListing
ec2:CreateReservedInstancesListing
ec2:DeleteQueuedReservedInstances
ec2:ModifyReservedInstances
ec2:PurchaseReservedInstancesOffering

Other Essential Operations

Budgets

budgets:CreateBudgetAction
budgets:DeleteBudgetAction
budgets:Describe*
budgets:ExecuteBudgetAction
budgets:ListTagsForResource
budgets:ModifyBudget
budgets:UpdateBudgetAction
budgets:ViewBudget

Support

support:Add*
support:Describe*
support:GetInteraction
support:Initiate*
support:PutCaseAttributes
support:RateCaseCommunication
support:SearchForCases
support:StartInteraction

Service Quotas

servicequotas:Get*
servicequotas:List*
servicequotas:AssociateServiceQuotaTemplate
servicequotas:PutServiceQuotaIncreaseRequestIntoTemplate
servicequotas:RequestServiceQuotaIncrease

Review the Full Policy

You can always inspect the exact IAM policy generated by our CloudFormation stack:

View the JSON policy ↗
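If you want to confirm that the policy in the stack grants nothing beyond the actions listed on this page, the following script does that check offline. It is an added example, not part of MilkStraw AI's CloudFormation template or tooling: it transcribes the action list above into an allowlist, walks every Allow statement of a policy document, and flags any action (including broader wildcards such as ec2:*) that no documented pattern covers. It also inspects the role's trust policy for the two things AWS recommends for a third-party cross-account role: a specific principal rather than "*", and an sts:ExternalId condition against confused-deputy attacks. Whether the template actually sets an ExternalId is not stated on this page and is therefore an assumption the script simply tests for. The two sample policies embedded below are constructed for illustration; pass your own files as arguments to audit the real ones.

```python
"""Audit a cross-account IAM role against the permission list documented on this page.

Usage: python audit_role.py <permissions-policy.json> <trust-policy.json>
Without arguments the constructed sample documents below are audited instead.
"""
import json
import sys

# Action patterns transcribed from the sections above. IAM matches actions
# case-insensitively and every documented wildcard is a trailing one.
DOCUMENTED_ACTIONS = [
    "ce:Describe*", "ce:Get*", "ce:List*", "pricing:DescribeServices",
    "pricing:GetAttributeValues", "pricing:GetProducts", "savingsplans:Describe*",
    "savingsplans:List*", "ce:StartSavingsPlansPurchaseRecommendationGeneration",
    "cloudwatch:GetMetricData", "ec2:Describe*", "ecs:Describe*", "ecs:List*",
    "eks:Describe*", "eks:List*", "lambda:Get*", "lambda:List*", "rds:Describe*",
    "rds:List*", "elasticache:Describe*", "elasticache:List*", "memorydb:Describe*",
    "redshift:Describe*", "redshift:Get*", "redshift:List*", "sagemaker:Describe*",
    "sagemaker:Get*", "sagemaker:List*", "application-autoscaling:Describe*",
    "autoscaling:Describe*", "es:Describe*", "es:List*",
    "organizations:CreateOrganization", "organizations:Describe*",
    "organizations:InviteAccountToOrganization", "organizations:List*",
    "ec2:AcceptReservedInstancesExchangeQuote", "ec2:CancelReservedInstancesListing",
    "ec2:CreateReservedInstancesListing", "ec2:DeleteQueuedReservedInstances",
    "ec2:ModifyReservedInstances", "ec2:PurchaseReservedInstancesOffering",
    "budgets:CreateBudgetAction", "budgets:DeleteBudgetAction", "budgets:Describe*",
    "budgets:ExecuteBudgetAction", "budgets:ListTagsForResource", "budgets:ModifyBudget",
    "budgets:UpdateBudgetAction", "budgets:ViewBudget", "support:Add*",
    "support:Describe*", "support:GetInteraction", "support:Initiate*",
    "support:PutCaseAttributes", "support:RateCaseCommunication",
    "support:SearchForCases", "support:StartInteraction", "servicequotas:Get*",
    "servicequotas:List*", "servicequotas:AssociateServiceQuotaTemplate",
    "servicequotas:PutServiceQuotaIncreaseRequestIntoTemplate",
    "servicequotas:RequestServiceQuotaIncrease",
]


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Principal fields."""
    return value if isinstance(value, list) else [value]


def covered_by(action, pattern):
    """True if every action matched by `action` is also matched by `pattern`.

    A policy action may itself contain a wildcard (ec2:*, ec2:Describe*Instances).
    It is covered only if it starts with the documented prefix, so ec2:* is NOT
    covered by ec2:Describe* even though the two overlap.
    """
    a, p = action.lower(), pattern.lower()
    if p.endswith("*"):
        return a.startswith(p[:-1])
    return a == p


def audit_policy(policy):
    """Return a list of findings for actions not covered by the documented list."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # grants everything except a list; never least privilege
            findings.append(f"statement {i}: uses NotAction, review manually")
        for action in _as_list(stmt.get("Action", [])):
            if not any(covered_by(action, p) for p in DOCUMENTED_ACTIONS):
                findings.append(f"statement {i}: undocumented action {action}")
    return findings


def audit_trust_policy(trust):
    """Flag a wildcard principal and a missing sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(_as_list(trust.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            findings.append(f"trust statement {i}: any AWS principal may assume the role")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"trust statement {i}: no sts:ExternalId condition (confused-deputy guard)")
    return findings


# Constructed sample documents (not the real template): one out-of-scope action
# and a trust policy with a specific principal but no ExternalId.
SAMPLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ce:Get*", "ec2:DescribeInstances", "savingsplans:List*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:PurchaseReservedInstancesOffering", "ec2:TerminateInstances"]},
    ],
}
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}],
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            perms = json.load(f)
        with open(sys.argv[2]) as f:
            trust = json.load(f)
    else:
        perms, trust = SAMPLE_PERMISSIONS_POLICY, SAMPLE_TRUST_POLICY
    for line in audit_policy(perms) + audit_trust_policy(trust):
        print(line)
```

The check is deliberately conservative: a policy action that is broader than, or only overlaps, a documented pattern is reported, and it is up to you to decide whether the extra scope is acceptable. Run it against the policy and trust document you fetch from the deployed role (for example with `aws iam get-role` and `aws iam get-role-policy`) rather than against the template alone, so that what you audit is what is actually attached.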

Feel free to reach out if you have any questions about security or least-privilege access.