IAM Permissions
The permissions required for Faircloud AI are as follows:
AWS IAM Permissions for Fair Cloud Integration ReadOnly:
"Policies": [
  {
    "PolicyName": "FcaiBillingReadOnly",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "account:GetContactInformation",
            "application-autoscaling:Describe*",
            "autoscaling:Describe*",
            "aws-portal:ViewBilling",
            "aws-portal:ViewUsage",
            "billing:Get*",
            "budgets:Describe*",
            "budgets:View*",
            "ce:*",
            "consolidatedbilling:Get*",
            "consolidatedbilling:List*",
            "cur:*",
            "dynamodb:Describe*",
            "ec2:Describe*",
            "ec2:GetCapacityReservationUsage",
            "ec2:GetReservedInstancesExchangeQuote",
            "ecs:Describe*",
            "ecs:List*",
            "eks:Describe*",
            "eks:List*",
            "elasticache:Describe*",
            "elasticache:List*",
            "es:Describe*",
            "es:List*",
            "freetier:Get*",
            "iam:Get*",
            "iam:List*",
            "lambda:Describe*",
            "medialive:Describe*",
            "medialive:List*",
            "organizations:Describe*",
            "organizations:List*",
            "payments:Get*",
            "payments:List*",
            "pricing:DescribeServices",
            "pricing:GetAttributeValues",
            "pricing:GetProducts",
            "rds:Describe*",
            "rds:List*",
            "redshift:Describe*",
            "redshift:GetReservedNodeExchangeConfigurationOptions",
            "redshift:GetReservedNodeExchangeOfferings",
            "savingsplans:Describe*",
            "servicequotas:Get*",
            "servicequotas:List*",
            "tag:Get*",
            "tax:Get*",
            "tax:List*",
            "transfer:Describe*",
            "transfer:List*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  }
]

Account & Contact Information
- account:GetContactInformation - View account contact details
Auto Scaling
- application-autoscaling:Describe* - View all application auto scaling configurations
- autoscaling:Describe* - View all EC2 auto scaling configurations
Billing & Cost Management
- aws-portal:ViewBilling - View billing information in AWS console
- aws-portal:ViewUsage - View usage information in AWS console
- billing:Get* - Read all billing data
- consolidatedbilling:Get* - Read consolidated billing information
- consolidatedbilling:List* - List consolidated billing resources
Budgets
- budgets:Describe* - View budget configurations
- budgets:View* - View budget details and alerts
Cost Explorer & Cost Management
- ce:* - Full read access to Cost Explorer (all cost and usage data)
Cost and Usage Reports (CUR)
- cur:* - Full access to Cost and Usage Reports
DynamoDB
- dynamodb:Describe* - View DynamoDB table configurations and metrics
EC2 (Elastic Compute Cloud)
- ec2:Describe* - View all EC2 resources (instances, volumes, snapshots, etc.)
- ec2:GetCapacityReservationUsage - View capacity reservation usage
- ec2:GetReservedInstancesExchangeQuote - View reserved instance exchange quotes
ECS (Elastic Container Service)
- ecs:Describe* - View ECS cluster and service configurations
- ecs:List* - List ECS resources
EKS (Elastic Kubernetes Service)
- eks:Describe* - View EKS cluster configurations
- eks:List* - List EKS resources
ElastiCache
- elasticache:Describe* - View ElastiCache cluster configurations
- elasticache:List* - List ElastiCache resources
Elasticsearch Service
- es:Describe* - View Elasticsearch domain configurations
- es:List* - List Elasticsearch resources
Free Tier
- freetier:Get* - View free tier usage information
IAM (Identity and Access Management)
- iam:Get* - Read IAM configurations (users, roles, policies)
- iam:List* - List IAM resources
Lambda
- lambda:Describe* - View Lambda function configurations
MediaLive
- medialive:Describe* - View MediaLive channel configurations
- medialive:List* - List MediaLive resources
Organizations
- organizations:Describe* - View AWS Organizations structure
- organizations:List* - List organization accounts and organizational units
Payments
- payments:Get* - View payment methods and history
- payments:List* - List payment-related resources
Pricing
- pricing:DescribeServices - View available AWS services for pricing
- pricing:GetAttributeValues - Get pricing attribute values
- pricing:GetProducts - Get product pricing information
RDS (Relational Database Service)
- rds:Describe* - View RDS database configurations
- rds:List* - List RDS resources
Redshift
- redshift:Describe* - View Redshift cluster configurations
- redshift:GetReservedNodeExchangeConfigurationOptions - View reserved node exchange options
- redshift:GetReservedNodeExchangeOfferings - View reserved node exchange offerings
Savings Plans
- savingsplans:Describe* - View Savings Plans configurations and utilization
Service Quotas
- servicequotas:Get* - View service quotas and usage
- servicequotas:List* - List service quota information
Resource Tagging
- tag:Get* - View resource tags
Tax
- tax:Get* - View tax information
- tax:List* - List tax-related data
Transfer Family
- transfer:Describe* - View AWS Transfer Family configurations
- transfer:List* - List Transfer Family resources
Summary
This role provides read-only access to billing, cost management, and resource configuration data across multiple AWS services. The permissions are designed to allow Fair Cloud to:
- Analyze AWS costs and usage patterns
- View resource configurations for cost optimization
- Access billing and payment information
- Monitor service quotas and utilization
- Generate cost and usage reports
Note: All permissions are read-only - no create, update, or delete operations are granted.
AWS IAM Permissions for Fair Cloud Integration write permissions:
This CloudFormation template creates an IAM role named "FcaAICloudformation" with both read and write permissions for cost optimization and reserved instance management. Below are all the permissions granted:
"Policies": [
  {
    "PolicyName": "FcaAI",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "aws-portal:ViewBilling",
            "aws-portal:ViewUsage",
            "application-autoscaling:Describe*",
            "autoscaling:Describe*",
            "ce:Describe*",
            "ce:Get*",
            "ce:List*",
            "cur:Get*",
            "cloudwatch:GetMetricData",
            "cloudformation:Describe*",
            "pricing:DescribeServices",
            "pricing:GetAttributeValues",
            "pricing:GetProducts",
            "savingsplans:Describe*",
            "savingsplans:List*",
            "servicequotas:Get*",
            "servicequotas:List*",
            "support:*",
            "servicequotas:RequestServiceQuotaIncrease",
            "organizations:List*",
            "organizations:Describe*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:Describe*",
            "ec2:AcceptReservedInstancesExchangeQuote",
            "ec2:CancelReservedInstancesListing",
            "ec2:CreateReservedInstancesListing",
            "ec2:DeleteQueuedReservedInstances",
            "ec2:ModifyReservedInstances",
            "ec2:PurchaseHostReservation",
            "ec2:PurchaseReservedInstancesOffering",
            "ec2:GetReservedInstancesExchangeQuote",
            "ecs:Describe*",
            "ecs:List*",
            "eks:Describe*",
            "eks:List*",
            "savingsplans:CreateSavingsPlan",
            "savingsplans:DeleteQueuedSavingsPlan",
            "savingsplans:ReturnSavingsPlan"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "rds:Describe*",
            "rds:List*",
            "rds:PurchaseReservedDbInstancesOffering"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticache:List*",
            "elasticache:Describe*",
            "elasticache:PurchaseReservedCacheNodesOffering"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "es:Describe*",
            "es:List*",
            "es:PurchaseReservedInstanceOffering"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "redshift:Describe*",
            "redshift:PurchaseReservedNodeOffering",
            "redshift:AcceptReservedNodeExchange",
            "redshift:GetReservedNodeExchangeOfferings"
          ],
          "Resource": "*"
        }
      ]
    }
  }
]

Billing & Cost Management
- aws-portal:ViewBilling - View billing information in AWS console
- aws-portal:ViewUsage - View usage information in AWS console
Auto Scaling
- application-autoscaling:Describe* - View all application auto scaling configurations
- autoscaling:Describe* - View all EC2 auto scaling configurations
Cost Explorer
- ce:Describe* - View Cost Explorer configurations
- ce:Get* - Read all Cost Explorer data
- ce:List* - List Cost Explorer resources
Cost and Usage Reports
- cur:Get* - Read Cost and Usage Reports
CloudWatch
- cloudwatch:GetMetricData - Retrieve metric data for monitoring
CloudFormation
- cloudformation:Describe* - View CloudFormation stack details
Pricing
- pricing:DescribeServices - View available AWS services for pricing
- pricing:GetAttributeValues - Get pricing attribute values
- pricing:GetProducts - Get product pricing information
Service Quotas
- servicequotas:Get* - View service quotas and usage
- servicequotas:List* - List service quota information
Organizations
- organizations:List* - List organization accounts and organizational units
- organizations:Describe* - View AWS Organizations structure
Service Quotas Management
- servicequotas:RequestServiceQuotaIncrease - Request increases to service limits
Support Access
- support:* - Full access to AWS Support (create/view/manage support cases)
Read Permissions
- ec2:Describe* - View all EC2 resources
Reserved Instance Management
- ec2:AcceptReservedInstancesExchangeQuote - Accept reserved instance exchanges
- ec2:CancelReservedInstancesListing - Cancel reserved instance marketplace listings
- ec2:CreateReservedInstancesListing - Create reserved instance marketplace listings
- ec2:DeleteQueuedReservedInstances - Delete queued reserved instance purchases
- ec2:ModifyReservedInstances - Modify existing reserved instances
- ec2:PurchaseHostReservation - Purchase dedicated host reservations
- ec2:PurchaseReservedInstancesOffering - Purchase new reserved instances
- ec2:GetReservedInstancesExchangeQuote - Get quotes for reserved instance exchanges
ECS (Elastic Container Service)
- ecs:Describe* - View ECS cluster and service configurations
- ecs:List* - List ECS resources
EKS (Elastic Kubernetes Service)
- eks:Describe* - View EKS cluster configurations
- eks:List* - List EKS resources
Read Permissions
- savingsplans:Describe* - View Savings Plans configurations
- savingsplans:List* - List Savings Plans
Write Permissions
- savingsplans:CreateSavingsPlan - Create new Savings Plans
- savingsplans:DeleteQueuedSavingsPlan - Delete queued Savings Plans
- savingsplans:ReturnSavingsPlan - Return/cancel Savings Plans
Read Permissions
- rds:Describe* - View RDS database configurations
- rds:List* - List RDS resources
Reserved Instance Management
- rds:PurchaseReservedDbInstancesOffering - Purchase RDS reserved instances
Read Permissions
- elasticache:List* - List ElastiCache resources
- elasticache:Describe* - View ElastiCache cluster configurations
Reserved Node Management
- elasticache:PurchaseReservedCacheNodesOffering - Purchase ElastiCache reserved nodes
Read Permissions
- es:Describe* - View Elasticsearch domain configurations
- es:List* - List Elasticsearch resources
Reserved Instance Management
- es:PurchaseReservedInstanceOffering - Purchase Elasticsearch reserved instances
Read Permissions
- redshift:Describe* - View Redshift cluster configurations
Reserved Node Management
- redshift:PurchaseReservedNodeOffering - Purchase Redshift reserved nodes
- redshift:AcceptReservedNodeExchange - Accept reserved node exchanges
- redshift:GetReservedNodeExchangeOfferings - Get reserved node exchange offerings
Summary
This role is designed for active cost optimization rather than just analysis. It can automatically purchase reserved instances, manage Savings Plans, and optimize your AWS spending commitments, which means it can make real financial decisions on your behalf.
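A way to review either policy above before attaching it, as an added example that is not Fair Cloud's code: it classifies each allowed action by its verb prefix and reports service-wide wildcards such as `ce:*`, `cur:*` and `support:*`, which match every action in the service, writes included. The read-prefix list and the shortened policy excerpts are assumptions of this example; the action names are copied from the policies on this page.

```python
# Added example: the verb prefixes treated as read-only are an assumption here.
READ_PREFIXES = ("describe", "get", "list", "view")

def classify(action):
    """Classify one IAM action pattern as read, service-wildcard or write."""
    _service, _, verb = action.lower().partition(":")  # IAM actions are case-insensitive
    if action == "*" or verb == "*":
        return "service-wildcard"  # matches every action, writes included
    if verb.startswith(READ_PREFIXES):
        return "read"
    return "write"  # conservative: anything not provably read-prefixed

def audit(policy_document):
    """Return {action: classification} for every allowed non-read action."""
    findings = {}
    for stmt in policy_document["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM accepts a single string or a list
            actions = [actions]
        for action in actions:
            kind = classify(action)
            if kind != "read":
                findings[action] = kind
    return findings

# Excerpts of the two policies on this page (action names copied verbatim).
READONLY_EXCERPT = {"Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["billing:Get*", "ce:*", "cur:*", "ec2:Describe*", "iam:List*"],
}]}
WRITE_EXCERPT = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ce:Get*", "support:*", "servicequotas:RequestServiceQuotaIncrease"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:PurchaseReservedInstancesOffering",
                "savingsplans:CreateSavingsPlan"]},
]}

if __name__ == "__main__":
    for name, doc in (("read-only", READONLY_EXCERPT), ("write", WRITE_EXCERPT)):
        for action, kind in audit(doc).items():
            print(f"{name}: {action} -> {kind}")
```

Run against the full policy documents, the same function gives the list of actions to scope down or to cover with CloudTrail alerting before the role is trusted.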