Why We Need Permissions
To deliver savings, we analyse your AWS usage and apply commitment-based discounts on your behalf. This is done through a cross-account IAM role that you create in your management (payer) account with our CloudFormation template. The role follows the principle of least privilege, so we receive only the access strictly necessary to:
Read cost and usage data.
Detect optimisation opportunities.
Manage the lifecycle of our MilkBoxes.
Below is a breakdown of the permissions granted to that role.
Monitoring and Data Collection (Read-Only)
These permissions let MilkStraw AI monitor your spend and resources without touching your workloads.
Cost Management
ce:Describe*
ce:Get*
ce:List*
pricing:DescribeServices
pricing:GetAttributeValues
pricing:GetProducts
savingsplans:Describe*
savingsplans:List*
ce:StartSavingsPlansPurchaseRecommendationGeneration
cloudwatch:GetMetricData
Compute & Databases
ec2:Describe*
ecs:Describe*
ecs:List*
eks:Describe*
eks:List*
lambda:Get*
lambda:List*
rds:Describe*
rds:List*
elasticache:Describe*
elasticache:List*
memorydb:Describe*
redshift:Describe*
redshift:Get*
redshift:List*
sagemaker:Describe*
sagemaker:Get*
sagemaker:List*
application-autoscaling:Describe*
autoscaling:Describe*
es:Describe*
es:List*
Integration Management
These actions are required to integrate MilkBox accounts into your AWS Organization.
organizations:CreateOrganization
organizations:Describe*
organizations:InviteAccountToOrganization
organizations:List*
organizations:InviteAccountToOrganization is used solely to invite MilkBox accounts.
EC2 Reservation Management
We manage the lifecycle of Savings Plans and Reserved Instances on the MilkBox accounts that cover your usage.
ec2:AcceptReservedInstancesExchangeQuote
ec2:CancelReservedInstancesListing
ec2:CreateReservedInstancesListing
ec2:DeleteQueuedReservedInstances
ec2:ModifyReservedInstances
ec2:PurchaseReservedInstancesOffering
Other Essential Operations
Budgets
budgets:CreateBudgetAction
budgets:DeleteBudgetAction
budgets:Describe*
budgets:ExecuteBudgetAction
budgets:ListTagsForResource
budgets:ModifyBudget
budgets:UpdateBudgetAction
budgets:ViewBudget
Support
support:Add*
support:Describe*
support:GetInteraction
support:Initiate*
support:PutCaseAttributes
support:RateCaseCommunication
support:SearchForCases
support:StartInteraction
Service Quotas
servicequotas:Get*
servicequotas:List*
servicequotas:AssociateServiceQuotaTemplate
servicequotas:PutServiceQuotaIncreaseRequestIntoTemplate
servicequotas:RequestServiceQuotaIncrease
Review the Full Policy
You can always inspect the exact IAM policy generated by our CloudFormation stack:
View the JSON policy ↗
Feel free to reach out if you have any questions about security or least-privilege access.
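If you want to review the generated policy before deploying the stack, the following script is an added example (not MilkStraw's code or part of the CloudFormation template). It loads an IAM policy document, splits every allowed action into read-only versus mutating by its IAM verb prefix (Describe, Get, List, View, Search), and reports the mutating actions per service so you can compare them against the stated purpose of each section above. The embedded SAMPLE_POLICY is constructed from the action lists on this page for illustration; point the script at the actual JSON policy linked above for a real review.

```python
"""Audit a cross-account IAM role's permission policy for least privilege.

Added example, not the vendor's code. Classifies each allowed action as
read-only or mutating by its IAM verb prefix so a reviewer can see which
statements grant write access. SAMPLE_POLICY is constructed to mirror the
action lists on this page; it is not the vendor's actual generated policy.
"""
import json
from collections import defaultdict

# Verb prefixes that only read state. Anything else is treated as mutating
# and surfaced for review (conservative: unknown verbs count as mutating).
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "View", "Search")

# Constructed sample policy (subset of the actions listed on this page).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Monitoring", "Effect": "Allow", "Resource": "*",
         "Action": ["ce:Describe*", "ce:Get*", "ce:List*",
                    "pricing:GetProducts", "savingsplans:Describe*",
                    "ce:StartSavingsPlansPurchaseRecommendationGeneration",
                    "cloudwatch:GetMetricData", "ec2:Describe*", "rds:Describe*"]},
        {"Sid": "Integration", "Effect": "Allow", "Resource": "*",
         "Action": ["organizations:CreateOrganization", "organizations:Describe*",
                    "organizations:InviteAccountToOrganization", "organizations:List*"]},
        {"Sid": "Reservations", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:ModifyReservedInstances",
                    "ec2:PurchaseReservedInstancesOffering"]},
        {"Sid": "Budgets", "Effect": "Allow", "Resource": "*",
         "Action": ["budgets:ViewBudget", "budgets:ModifyBudget"]},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Statement; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def is_read_only(action: str) -> bool:
    """True if the verb after 'service:' starts with a read-only prefix.
    A bare 'service:*' or '*' is never read-only."""
    if ":" not in action:
        return False
    verb = action.split(":", 1)[1]
    if verb == "*":
        return False
    return verb.startswith(READ_ONLY_PREFIXES)


def classify_policy(policy_json: str) -> dict:
    """Return {'read_only': {service: [actions]}, 'mutating': {service: [actions]},
    'full_access': [actions]} covering every Allow statement in the policy."""
    doc = json.loads(policy_json)
    result = {"read_only": defaultdict(list), "mutating": defaultdict(list),
              "full_access": []}
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            service = action.split(":", 1)[0] if ":" in action else "*"
            if action == "*" or action.endswith(":*"):
                result["full_access"].append(action)   # whole-service grants
            elif is_read_only(action):
                result["read_only"][service].append(action)
            else:
                result["mutating"][service].append(action)
    # Return plain dicts so callers can compare or serialise the report easily.
    return {k: (dict(v) if isinstance(v, defaultdict) else v)
            for k, v in result.items()}


def mutating_actions(policy_json: str) -> list:
    """Flat, sorted list of every mutating action: the set to check, section by
    section, against the purpose the vendor states for it."""
    report = classify_policy(policy_json)
    return sorted(a for acts in report["mutating"].values() for a in acts)


if __name__ == "__main__":
    report = classify_policy(SAMPLE_POLICY)
    print("Whole-service grants:", report["full_access"] or "none")
    for svc, acts in sorted(report["mutating"].items()):
        print(f"{svc}: {', '.join(acts)}")
```

The check is purely verb-based, so it is deliberately conservative: an action such as ce:StartSavingsPlansPurchaseRecommendationGeneration is surfaced for human review simply because its verb is Start, and it is then up to the reviewer to confirm it matches the section it appears under. Any bare `service:*` grant is reported separately, since a least-privilege role should not need one.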