
Why we need permissions

To deliver savings, we analyse your AWS usage and apply commitment-based discounts on your behalf. This is done through a cross-account IAM role that you create in your payer account with our CloudFormation template. The role follows the principle of least privilege. We only receive the access strictly necessary to:
  1. Read cost and usage data.
  2. Detect optimisation opportunities.
  3. Manage the lifecycle of our .

Monitoring (Read-Only)

These permissions let MilkStraw AI monitor your spend and resources without touching your workloads.
Cost management
ce:Describe*
ce:Get*
ce:List*
ce:StartSavingsPlansPurchaseRecommendationGeneration
pricing:DescribeServices
pricing:GetAttributeValues
pricing:GetProducts
savingsplans:Describe*
savingsplans:List*
cloudwatch:GetMetricData
cloudwatch:ListMetrics
Compute & DataStores
application-autoscaling:Describe*
autoscaling:Describe*
ec2:Describe*
ecs:Describe*
ecs:List*
eks:Describe*
eks:List*
elasticache:Describe*
elasticache:List*
es:Describe*
es:List*
memorydb:Describe*
rds:Describe*
rds:List*
redshift:Describe*
redshift:Get*
redshift:List*
sagemaker:Describe*
sagemaker:Get*
sagemaker:List*
The redshift:Describe* and redshift:Get* wildcards above would also match the actions that hand out cluster database credentials, so the policy adds an explicit Deny statement for them. In IAM an explicit Deny overrides any Allow regardless of statement order, so these actions stay blocked even though the wildcards cover them:
redshift:GetClusterCredentials
redshift:GetClusterCredentialsWithIAM
redshift:DescribeAuthenticationProfiles
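To make that evaluation rule concrete, here is an added example that is not MilkStraw's code or its CloudFormation template: a small Python evaluator that applies IAM's wildcard matching and explicit-Deny-wins rule to a policy reconstructed from the action lists above. The MONITORING_POLICY dict, its statement Sids and the helper function names are assumptions made for illustration; the real template may group statements differently.

```python
"""Toy IAM action evaluator for the monitoring permissions described above.

Added example (not the vendor's code): the policy below is reconstructed from
the action lists on this page. It shows why the explicit Deny is needed: the
redshift:Get* and redshift:Describe* wildcards would otherwise grant the
credential-issuing actions.
"""
import re

# Assumption: Sids and statement grouping are illustrative, not the real template.
MONITORING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CostManagement",
            "Effect": "Allow",
            "Action": [
                "ce:Describe*", "ce:Get*", "ce:List*",
                "ce:StartSavingsPlansPurchaseRecommendationGeneration",
                "pricing:DescribeServices", "pricing:GetAttributeValues",
                "pricing:GetProducts",
                "savingsplans:Describe*", "savingsplans:List*",
                "cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
            ],
            "Resource": "*",
        },
        {
            "Sid": "ComputeAndDataStores",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:Describe*", "autoscaling:Describe*",
                "ec2:Describe*", "ecs:Describe*", "ecs:List*",
                "eks:Describe*", "eks:List*",
                "elasticache:Describe*", "elasticache:List*",
                "es:Describe*", "es:List*", "memorydb:Describe*",
                "rds:Describe*", "rds:List*",
                "redshift:Describe*", "redshift:Get*", "redshift:List*",
                "sagemaker:Describe*", "sagemaker:Get*", "sagemaker:List*",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyRedshiftCredentials",
            "Effect": "Deny",
            "Action": [
                "redshift:GetClusterCredentials",
                "redshift:GetClusterCredentialsWithIAM",
                "redshift:DescribeAuthenticationProfiles",
            ],
            "Resource": "*",
        },
    ],
}


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: '*' matches any run of characters, '?' exactly one,
    and the comparison is case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def evaluate(policy: dict, action: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.

    Resource is '*' throughout, so only Action is checked. Mirrors the IAM
    rule that an explicit Deny in any statement overrides every Allow,
    whatever the statement order; no match at all is an implicit deny.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(action_matches(p, action) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def allow_patterns_covering(policy: dict, action: str) -> list:
    """Allow patterns that match the action. For the three denied Redshift
    actions this is non-empty: the wildcards would grant them without the Deny."""
    return [
        p
        for stmt in policy["Statement"] if stmt["Effect"] == "Allow"
        for p in stmt["Action"] if action_matches(p, action)
    ]


if __name__ == "__main__":
    for a in ("ce:GetCostAndUsage", "redshift:DescribeClusters",
              "redshift:GetClusterCredentials",
              "redshift:DescribeAuthenticationProfiles", "ec2:TerminateInstances"):
        covered = allow_patterns_covering(MONITORING_POLICY, a)
        print(f"{a:42} {evaluate(MONITORING_POLICY, a):12} covered_by={covered}")
```

Running it shows redshift:DescribeClusters allowed, redshift:GetClusterCredentials denied, and that the only Allow pattern covering the latter is redshift:Get*, which is exactly why the Deny statement exists. A mutating action such as ec2:TerminateInstances matches nothing and falls through to implicit deny.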

Integration management

These actions are required to integrate MilkBox accounts into your AWS Organization.
organizations:CreateOrganization
organizations:Describe*
organizations:InviteAccountToOrganization
organizations:List*
We call organizations:CreateOrganization only when your payer account does not yet belong to an organization; this is a one-time operation for small standalone accounts and makes that account the management account of the new organization. If you already have an organization, the API call fails for your account (AWS returns AlreadyInOrganizationException) and we use organizations:InviteAccountToOrganization instead to invite MilkBox accounts into your existing organization.

Cost monitoring and visibility

These permissions are required to manage budgets and tagging for cost monitoring and visibility per resource.
Budgets
budgets:CreateBudgetAction
budgets:DeleteBudgetAction
budgets:DescribeBudgetAct*
budgets:ExecuteBudgetAction
budgets:ListTagsForResource
budgets:ModifyBudget
budgets:UpdateBudgetAction
budgets:ViewBudget
Tagging
tag:DescribeReportCreation
tag:Get*
tag:StartReportCreation
tag:TagResources
tag:UntagResources

Review the full policy

You can always inspect the exact IAM policy generated by our CloudFormation stack: View the JSON policy. Feel free to reach out if you have any questions about security or least-privilege access.