CloudRunr Documentation

Cross Account Role


Last updated 9 months ago

CloudRunr accesses your AWS account via a cross-account role. In line with AWS IAM policy best practices, CloudRunr requests only the least-privilege permissions. This means we limit the actions we can take and the resources to which those actions can be applied.

The IAM read-only role is used during the initial onboarding step (Step 1). It requires read-only permissions (see the full list below) to access historical billing data (via Cost Explorer) and your AWS infrastructure metadata (such as the EC2 instances you are using and whether they are already covered by Compute Savings Plans or Reserved Instances). After ingesting this data, CloudRunr maps it to other Cloud providers and provides estimates. Once a user is fully onboarded, the read-only role is used again to display cost and comparison estimates whenever a new month's usage is requested on the CloudRunr dashboard, helping users compare their current spending with other Cloud providers.

[
      {
        "PolicyName": "CloudRunRBillingReadOnly",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "budgets:Describe*",
                "budgets:View*",
                "ce:Get*",
                "ce:Describe*",
                "ce:List*",
                "cur:Describe*",
                "cur:Get*",
                "cur:Validate*",
                "pricing:DescribeServices",
                "pricing:GetAttributeValues",
                "pricing:GetProducts",
                "organizations:Describe*",
                "organizations:List*",
                "savingsplans:Describe*",
                "rds:Describe*",
                "rds:List*",
                "elasticache:List*",
                "elasticache:Describe*",
                "redshift:Describe*",
                "es:Describe*",
                "es:List*",
                "billing:Get*",
                "payments:List*",
                "payments:Get*",
                "tax:List*",
                "tax:Get*",
                "consolidatedbilling:Get*",
                "consolidatedbilling:List*",
                "account:GetContactInformation",
                "invoicing:List*",
                "invoicing:Get*",
                "freetier:Get*",
                "ec2:Describe*",
                "lambda:Describe*",
                "ecs:Describe*"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
      }
]
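
Before attaching a vendor policy like the one above, you can check mechanically that every allowed action is a read verb. The following is an added example, not CloudRunr's own code: `audit_policy` is a hypothetical helper that takes the `PolicyDocument` object, the read-only verb list is an assumption based on the verbs in this policy, and the sample documents are constructed.

```python
import json

# Verb prefixes treated as read-only here: an assumption for this example,
# chosen to match the verbs used in the policy on this page.
READ_ONLY_VERBS = ("describe", "get", "list", "view", "validate")

def _as_list(value):
    # IAM accepts either a single string/object or a list in these fields.
    return value if isinstance(value, list) else [value]

def audit_policy(policy_document):
    """Return (non_read_only, wildcard_actions, services) over Allow statements."""
    non_read_only, wildcards, services = [], [], set()
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            non_read_only.append("NotAction")
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            services.add(service.lower())
            if "*" in action:
                wildcards.append(action)
            # Action names are case-insensitive; "*" and "svc:*" have no
            # read-only verb prefix and are flagged.
            if not verb.lower().startswith(READ_ONLY_VERBS):
                non_read_only.append(action)
    return non_read_only, wildcards, sorted(services)

# Constructed samples: a shortened copy of the policy above, and a modified
# variant with two actions that are not in the published policy.
PUBLISHED_SUBSET = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "ce:Get*", "cur:Validate*", "budgets:View*", "pricing:GetProducts",
    "organizations:List*", "account:GetContactInformation", "ec2:Describe*"]}]
}""")
MODIFIED = json.loads(json.dumps(PUBLISHED_SUBSET))
MODIFIED["Statement"][0]["Action"] += ["ec2:*", "iam:PassRole"]

if __name__ == "__main__":
    for name, doc in (("published subset", PUBLISHED_SUBSET), ("modified", MODIFIED)):
        bad, wild, services = audit_policy(doc)
        print(f"{name}: {len(services)} services, {len(wild)} wildcard actions, "
              f"non-read-only: {bad or 'none'}")
```

A clean result only shows that no mutating verbs are granted; read actions such as `account:GetContactInformation` still return account data, and `"Resource": "*"` applies every action account-wide.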

Please contact our support team at support@cloudrunr.co for more information.