Why We Need Permissions To deliver savings, we analyse your AWS usage and apply commitment-based discounts on your behalf. This is done through a cross-account IAM role that you create in your management / payer account with our CloudFormation template. The role follows the principle of least privilege ,we only receive the access strictly necessary to:
Read cost and usage data.
Detect optimisation opportunities.
Manage the lifecycle of our MilkBoxes
Below is a breakdown of the permissions granted to that role.
Monitoring and Data Collection (Read-Only) These permissions let MilkStraw AI monitor your spend and resources without touching your workloads.
Cost Management
ce:Describe* ce:Get* ce:List* pricing:DescribeServices pricing:GetAttributeValues pricing:GetProducts savingsplans:Describe* savingsplans:List* ce:StartSavingsPlansPurchaseRecommendationGeneration cloudwatch:GetMetricData Compute & Databases
ec2:Describe* ecs:Describe* ecs:List* eks:Describe* eks:List* lambda:Get* lambda:List* rds:Describe* rds:List* elasticache:Describe* elasticache:List* memorydb:Describe* redshift:Describe* redshift:Get* redshift:List* sagemaker:Describe* sagemaker:Get* sagemaker:List* application-autoscaling:Describe* autoscaling:Describe* es:Describe* es:List* Integration Management These actions are required to integrate MilkBox accounts into your AWS Organization.
organizations:CreateOrganization organizations:Describe* organizations:InviteAccountToOrganization organizations:List*
organizations:InviteAccountToOrganization is used solely to invite MilkBox accounts.
EC2 Reservation Management We manage the lifecycle of Savings Plans and Reserved Instances on the MilkBox accounts that cover your usage.
ec2:AcceptReservedInstancesExchangeQuote ec2:CancelReservedInstancesListing ec2:CreateReservedInstancesListing ec2:DeleteQueuedReservedInstances ec2:ModifyReservedInstances ec2:PurchaseReservedInstancesOffering Other Essential Operations Budgets
budgets:CreateBudgetAction budgets:DeleteBudgetAction budgets:Describe* budgets:ExecuteBudgetAction budgets:ListTagsForResource budgets:ModifyBudget budgets:UpdateBudgetAction budgets:ViewBudget Support
support:Add* support:Describe* support:GetInteraction support:Initiate* support:PutCaseAttributes support:RateCaseCommunication support:SearchForCases support:StartInteraction Service Quotas
servicequotas:Get* servicequotas:List* servicequotas:AssociateServiceQuotaTemplate servicequotas:PutServiceQuotaIncreaseRequestIntoTemplate servicequotas:RequestServiceQuotaIncrease Review the Full Policy You can always inspect the exact IAM policy generated by our CloudFormation stack:
View the JSON policy ↗
Feel free to reach out if you have any questions about security or least-privilege access.
Responses are generated using AI and may contain mistakes.
