All of the required permission to setup our Cost Savings Report are all read only permissions. 


Here is the full list of all the permissions required to powered our cost savings report:


Permissions

Description

cloudwatch:GetMetricStatistics

Provides statistics for a specified metric. This permission will allow us monitor usage for specific entities (EC2 instances, ELB, …).

dynamodb:DescribeTable

Provides informations for your Dynamodb tables. This permission will allow to compare your reserved capacity to your actual usage.

dynamodb:ListTables

Provides the ability to list your DynamoDb tables. This permission will allow us to retrieve which tables to monitor.

ec2:DescribeAddresses

Provides information about specific Elastic IP addresses. This permission will also us to check for unused APIs.

ec2:DescribeInstances

Provides the ability to list your EC2 instances. This permission will also us to check for low usage or compare with your reserved capacity

ec2:DescribeReservedInstances

Provides the ability to retrieve you reserved instances status. This permission will allow us to compare it with your EC2 usage.

ec2:DescribeVolumes

Provides the ability to retrieve information about your EBS snapshots. This permission will allow us detect unused EBS volumes

elasticache:DescribeCacheClusters

Provides the ability to list your cache clusters. This permission will also us to compare it with your reserved capacity

elasticache:DescribeReservedCacheNodes

Provides the ability to retrieve you reserved instances capacity. This permission will allow us to compare it with your actual usage.

elasticloadbalancing:DescribeLoadBalancers

Provides the ability to list your ELBs. This permission will also us to compare it with your reserved capacity

elasticloadbalancing:DescribeTargetGroups

Provides the ability to retrieve you reserved ELBs capacity. This permission will allow us to compare it with your actual usage.

organizations:ListAccounts

Provides the ability to lists all the accounts in your organization. This permission will allow us to display the report in human readable way

rds:DescribeDBInstances

Provides the ability to list your RDS instances. This permission will also us to compare it with your reserved capacity

rds:DescribeReservedDBInstances

Provides the ability to retrieve you reserved RDS instances capacity. This permission will allow us to compare it with your actual usage.

redshift:DescribeClusters

Provides the ability to list your Redshift instances. This permission will also us to compare it with your reserved capacity

redshift:DescribeReservedNodes

Provides the ability to retrieve you reserved Redshift instances capacity. This permission will allow us to compare it with your actual usage.

 ce:*

Provides access to the AWS Cost Explorer API. This permission will allow us to better estimate your saving

sts:AssumeRole

Provides the ability to assumeRole on a sub-accounts. This permissions will allow us to run the exhaustive across all your accounts