Why we need permissions
To deliver savings, we analyse your AWS usage and apply commitment-based discounts on your behalf. This is done through a cross-account IAM role that you create in your payer account with our CloudFormation template. The role follows the principle of least privilege. We only receive the access strictly necessary to:
- Read cost and usage data.
- Detect optimisation opportunities.
- Manage the lifecycle of our .
Monitoring (Read-Only)
These permissions let MilkStraw AI monitor your spend and resources without touching your workloads.
Cost management
Integration management
These actions are required to integrate MilkBox accounts into your AWS Organization.
organizations:InviteAccountToOrganization is used solely to invite MilkBox accounts.
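One way to check a role policy against the least-privilege description above before deploying the template. This is an added example, not MilkStraw AI's code. The sample policy, the read-only prefix heuristic and the function names are assumptions made for illustration.

```python
import json

# Verb prefixes treated as read-only: a naming heuristic (assumption), not an
# AWS classification. Some "Get*" actions still return sensitive data.
READ_PREFIXES = ("get", "list", "describe", "view")

# The one write action the page names; IAM action names are case-insensitive.
EXPECTED_WRITES = {"organizations:inviteaccounttoorganization"}

# Constructed sample policy for illustration; not the vendor's actual template.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ce:GetCostAndUsage", "organizations:ListAccounts"]},
  {"Effect": "Allow", "Resource": "*",
   "Action": "organizations:InviteAccountToOrganization"},
  {"Effect": "Allow", "Resource": "*", "Action": ["ec2:Describe*", "iam:*"]}
 ]}
""")

def as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy, expected_writes=EXPECTED_WRITES):
    """Sort Allow'ed actions into read-only, expected writes, and items to review."""
    report = {"read_only": [], "expected_write": [], "review": []}
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            report["review"].append("NotAction:" + ",".join(as_list(stmt["NotAction"])))
        for action in as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2].lower()
            if action.lower() in expected_writes:
                report["expected_write"].append(action)
            elif verb.startswith(READ_PREFIXES):
                report["read_only"].append(action)
            else:
                report["review"].append(action)  # writes and service-wide wildcards
    return report

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Run it on the policy document taken from the CloudFormation template you are asked to deploy; anything listed under `review` is a grant the description above does not account for.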