
# Required Permissions

> Breakdown of the cross-account IAM role MilkStraw AI uses and the least-privilege permissions it requires.

## Why we need permissions

To deliver savings, we analyse your AWS usage and apply commitment-based discounts on your behalf. This is done through a **cross-account IAM role** that you create in your payer account with our CloudFormation template. The role follows the **principle of least privilege**.

We only receive the access strictly necessary to:

1. Read cost and usage data.
2. Detect optimisation opportunities.
3. Manage the lifecycle of our <Tooltip tip="Standard AWS accounts that contain Commitment-based discounts">MilkBoxes</Tooltip>.

***

## Monitoring (Read-Only)

These permissions let MilkStraw AI monitor your spend and resources without touching your workloads.

**Cost management**

```json theme={null}
ce:Describe*
ce:Get*
ce:List*
ce:StartSavingsPlansPurchaseRecommendationGeneration
pricing:DescribeServices
pricing:GetAttributeValues
pricing:GetProducts
savingsplans:Describe*
savingsplans:List*
cloudwatch:GetMetricData
cloudwatch:ListMetrics
```

**Compute & DataStores**

```json theme={null}
application-autoscaling:Describe*
autoscaling:Describe*
ec2:Describe*
ecs:Describe*
ecs:List*
eks:Describe*
eks:List*
elasticache:Describe*
elasticache:List*
es:Describe*
es:List*
memorydb:Describe*
rds:Describe*
rds:List*
redshift:Describe*
redshift:Get*
redshift:List*
sagemaker:Describe*
sagemaker:Get*
sagemaker:List*
```

> We attach an explicit deny policy for Redshift to block access to cluster credentials:
>
> ```json theme={null}
> redshift:GetClusterCredentials
> redshift:GetClusterCredentialsWithIAM
> redshift:DescribeAuthenticationProfiles
> ```
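To see why that explicit deny matters, here is an added example (not MilkStraw's code or policy) that evaluates single actions against a constructed policy fragment assembled from the action lists above: the `redshift:Get*` and `redshift:Describe*` allows would otherwise cover the credential actions, and only an explicit Deny wins over a wildcard Allow. Conditions and resource scoping are deliberately ignored; `evaluate` and `covering_allows` are helper names chosen for this example.

```python
import fnmatch

# Constructed sample policy fragment built from the action lists on this page:
# a wildcard read-only Allow plus the explicit Deny for Redshift credential actions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyMonitoring",
            "Effect": "Allow",
            "Action": ["ce:Describe*", "ce:Get*", "redshift:Describe*",
                       "redshift:Get*", "redshift:List*"],
            "Resource": "*",
        },
        {
            "Sid": "DenyRedshiftCredentials",
            "Effect": "Deny",
            "Action": ["redshift:GetClusterCredentials",
                       "redshift:GetClusterCredentialsWithIAM",
                       "redshift:DescribeAuthenticationProfiles"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM action names match case-insensitively and support '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy: dict, action: str) -> str:
    """Simplified identity-policy evaluation for one action (no Condition/Resource).
    Returns 'explicit_deny', 'allow' or 'implicit_deny'; an explicit Deny always wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


def covering_allows(policy: dict, action: str) -> list:
    """List the Allow patterns that would grant `action` if no Deny existed,
    which is the audit check for whether a wildcard is broader than intended."""
    return [p for stmt in policy["Statement"] if stmt["Effect"] == "Allow"
            for p in _as_list(stmt.get("Action", [])) if _matches(p, action)]
```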

***

## Integration management

These actions are required to integrate MilkBox accounts into your AWS Organization.

```json theme={null}
organizations:CreateOrganization
organizations:Describe*
organizations:InviteAccountToOrganization
organizations:List*
```

> We use `organizations:CreateOrganization` only when no organization exists yet; this is a one-time operation for small standalone accounts. If you already have an organization, that API cannot be executed against your account, and `organizations:InviteAccountToOrganization` is used instead to invite MilkBox accounts into your organization.

***

## Cost monitoring and visibility

These permissions are required to read budgets and resource tags, which provide cost monitoring and visibility per resource.

**Budgets**

```json theme={null}
budgets:DescribeBudgetAct*
budgets:ListTagsForResource
budgets:ViewBudget
```

**Tagging**

```json theme={null}
tag:DescribeReportCreation
tag:Get*
tag:StartReportCreation
```

***

## Review the full policy

You can always inspect the exact IAM policy generated by our CloudFormation stack:

[View the JSON policy ↗](https://s3.eu-west-1.amazonaws.com/statics.milkstraw.ai/cloudformation_templates/cross_account_role.json)

Feel free to reach out if you have any questions about security or least-privilege access.
