Cross Account Role

CloudRunr accesses your AWS account via a cross-account role. In line with AWS IAM policy best practices, CloudRunr requests only least-privilege permissions: we limit the actions we can take and the resources to which those actions can be applied.

The IAM read-only role is used during the initial onboarding step (Step 1). It requires read-only permissions (see the full list here) to access historical billing data (via Cost Explorer) and your AWS infrastructure metadata (such as the EC2 instances you are using and whether they are already covered by Compute Savings Plans or Reserved Instances). After ingesting this data, CloudRunr maps it to other cloud providers and provides estimates. Once a user is fully onboarded, the read-only role is used again to display cost and comparison estimates whenever a new month's usage is requested on the CloudRunr dashboard, helping users compare their current spending with other cloud providers.

[
      {
        "PolicyName": "CloudRunRBillingReadOnly",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "budgets:Describe*",
                "budgets:View*",
                "ce:Get*",
                "ce:Describe*",
                "ce:List*",
                "cur:Describe*",
                "cur:Get*",
                "cur:Validate*",
                "pricing:DescribeServices",
                "pricing:GetAttributeValues",
                "pricing:GetProducts",
                "organizations:Describe*",
                "organizations:List*",
                "savingsplans:Describe*",
                "rds:Describe*",
                "rds:List*",
                "elasticache:List*",
                "elasticache:Describe*",
                "redshift:Describe*",
                "es:Describe*",
                "es:List*",
                "billing:Get*",
                "payments:List*",
                "payments:Get*",
                "tax:List*",
                "tax:Get*",
                "consolidatedbilling:Get*",
                "consolidatedbilling:List*",
                "account:GetContactInformation",
                "invoicing:List*",
                "invoicing:Get*",
                "freetier:Get*",
                "ec2:Describe*",
                "lambda:Describe*",
                "ecs:Describe*"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
      }
]
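One way to review a policy like the one above before attaching it to the role, as an added example that is not CloudRunr's own code: it flags any allowed action whose verb is not Describe, Get, List, View or Validate, and any statement applied to all resources. The prefix list and the names audit, as_list and PAGE_EXCERPT are assumptions of this example.

```python
import json

# Verb prefixes treated as read-only: an assumption of this example, taken
# from the verbs the policy on this page uses. IAM action names are
# case-insensitive, so comparison is done in lower case.
READ_PREFIXES = ("describe", "get", "list", "view", "validate")

def as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit(policies):
    """Return sorted (policy_name, finding) pairs for every Allow statement."""
    findings = set()
    for pol in policies:
        name = pol["PolicyName"]
        for stmt in as_list(pol["PolicyDocument"]["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue  # Deny statements only narrow access
            if "NotAction" in stmt:
                findings.add((name, "NotAction: allows everything not listed"))
            for action in as_list(stmt.get("Action")):
                verb = action.partition(":")[2].lower()
                if not verb.startswith(READ_PREFIXES):
                    findings.add((name, f"not provably read-only: {action}"))
            if "*" in as_list(stmt.get("Resource")):
                findings.add((name, 'Resource "*": not scoped to specific ARNs'))
    return sorted(findings)

# Excerpt of the policy shown above (four of its actions), kept short here.
PAGE_EXCERPT = json.loads("""
[{"PolicyName": "CloudRunRBillingReadOnly",
  "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
    "Action": ["ce:Get*", "cur:Validate*", "budgets:View*", "ec2:Describe*"],
    "Resource": "*", "Effect": "Allow"}]}}]
""")

if __name__ == "__main__":
    for name, finding in audit(PAGE_EXCERPT):
        print(f"{name}: {finding}")
```

Many Describe and List APIs cannot be scoped to individual resources, so the Resource finding is a prompt for review rather than proof of a defect.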

Please contact our support team for more information: support@cloudrunr.co
