Trust Policy (AssumeRolePolicyDocument)
| Principal | Condition | Why We Need It |
|---|---|---|
| arn:aws:iam::613007325984:root | sts:ExternalId must match parameter | Allows Wiv’s AWS account to assume this role securely; ExternalId prevents confused deputy attacks |
| events.amazonaws.com | None | Allows the EventBridge service to assume the role when executing rules and targets |
| apidestinations.events.amazonaws.com | None | Allows the EventBridge API Destinations service to assume the role for HTTP endpoint invocations |
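The ExternalId condition is the part of this trust policy that protects against the confused deputy problem, and it is also the part most easily lost in a later edit. The following check is an added example (not Wiv’s code): it reconstructs the trust policy from the table above with a placeholder ExternalId, then flags any cross-account AWS principal that can assume the role without an sts:ExternalId condition, while leaving the two service principals exempt exactly as the table does.

```python
import json

# Constructed trust policy mirroring the three principals in the table above;
# the ExternalId value is a placeholder for the CloudFormation parameter.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::613007325984:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": ["events.amazonaws.com",
                                      "apidestinations.events.amazonaws.com"]},
            "Action": "sts:AssumeRole",
        },
    ],
})

def as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def has_external_id(condition):
    """True if a String* condition pins sts:ExternalId to a concrete value."""
    for operator, pairs in (condition or {}).items():
        if operator.lower().startswith("string"):
            for key, value in pairs.items():
                if key.lower() == "sts:externalid" and "*" not in as_list(value):
                    return True
    return False

def lint_trust_policy(doc_json):
    """Findings for Allow statements whose AWS principals lack an ExternalId or
    that admit any principal; service principals are exempt, as in the table."""
    findings = []
    for i, stmt in enumerate(json.loads(doc_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append(f"statement {i}: allows any principal")
            continue
        aws_principals = as_list(principal.get("AWS", []))
        if aws_principals and not has_external_id(stmt.get("Condition")):
            findings.append(f"statement {i}: {aws_principals} can assume the role "
                            "without sts:ExternalId (confused-deputy exposure)")
    return findings

def without_external_id(doc_json):
    """The weak variant: the same policy with every Condition block dropped."""
    doc = json.loads(doc_json)
    for stmt in doc.get("Statement", []):
        stmt.pop("Condition", None)
    return json.dumps(doc)
```

Running `lint_trust_policy` over the role's live `AssumeRolePolicyDocument` (for example from `aws iam get-role`) gives an empty list when the ExternalId condition is intact and one finding per unprotected cross-account principal.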
WivPayerAccessPolicy
S3 - CUR Bucket Access
| Permission | Resource | Why We Need It |
|---|---|---|
| s3:* | arn:aws:s3:::wiv-cur-{AccountId} | Full access to the CUR bucket itself for managing report storage |
| s3:* | arn:aws:s3:::wiv-cur-{AccountId}/* | Full access to all CUR report files for reading and processing billing data |
Account & Billing
| Permission | Resource | Why We Need It |
|---|---|---|
| account:GetAccountInformation | * | Retrieve account-level settings and contact information for account identification |
| billing:Get* | * | Access billing dashboard data, preferences, and billing-related settings |
| consolidatedbilling:Get* | * | Get consolidated billing information across the organization for unified cost views |
| consolidatedbilling:List* | * | List all linked accounts under consolidated billing for multi-account analysis |
| invoicing:List* | * | List invoices and line items for invoice-level cost tracking |
| payments:Get* | * | Get payment methods and payment history for billing health monitoring |
| payments:List* | * | List payment transactions for financial reconciliation |
| tax:Get* | * | Get tax settings, exemptions, and tax-related configurations |
| tax:List* | * | List tax registrations and documents for compliance visibility |
Cost Explorer & CUR
| Permission | Resource | Why We Need It |
|---|---|---|
| ce:Get* | * | Retrieve cost data, forecasts, reservations, savings plans, and anomaly information |
| ce:List* | * | List cost allocation tags, cost categories, and anomaly monitors |
| ce:Describe* | * | Describe cost category definitions and report configurations |
| ce:CreateAnomalySubscription | * | Create automated alerts when cost anomalies are detected |
| ce:TagResource | * | Tag Cost Explorer resources for organization and tracking |
| cur:Get* | * | Get Cost and Usage Report definitions and delivery status |
Compute Optimizer
| Permission | Resource | Why We Need It |
|---|---|---|
| compute-optimizer:Describe* | * | Describe optimization enrollment status and preferences |
| compute-optimizer:Get* | * | Get rightsizing recommendations for EC2, EBS, Lambda, and ECS to reduce costs |
Trusted Advisor
| Permission | Resource | Why We Need It |
|---|---|---|
| trustedadvisor:Describe* | * | Describe Trusted Advisor check categories and statuses |
| trustedadvisor:Get* | * | Get detailed check results for cost optimization, security, and performance |
| trustedadvisor:List* | * | List available checks and affected resources |
| trustedadvisor:RefreshCheck | * | Refresh checks to get the latest recommendations |
| trustedadvisor:GenerateReport | * | Generate comprehensive Trusted Advisor reports |
| trustedadvisor:ExcludeCheckItems | * | Exclude false positives or accepted risks from checks |
| trustedadvisor:IncludeCheckItems | * | Re-include previously excluded items for monitoring |
| support:Describe* | * | Describe support cases and service limits |
| support:DescribeTrustedAdvisorChecks | * | List all available Trusted Advisor checks |
| support:DescribeTrustedAdvisorCheckResult | * | Get detailed results for specific checks |
| support:RefreshTrustedAdvisorCheck | * | Trigger a refresh of individual checks for fresh data |
EC2 & Compute
| Permission | Resource | Why We Need It |
|---|---|---|
| ec2:Describe* | * | Describe all EC2 resources, including instances, volumes, snapshots, reserved instances, and spot pricing, for comprehensive compute analysis |
| ebs:List* | * | List EBS snapshots and volumes for storage cost optimization |
| autoscaling:Describe* | * | Describe Auto Scaling groups, policies, and scaling activities for capacity planning |
| application-autoscaling:Describe* | * | Describe Application Auto Scaling targets for ECS, DynamoDB, and other services |
Containers & Kubernetes
| Permission | Resource | Why We Need It |
|---|---|---|
| ecs:Describe* | * | Describe ECS clusters, services, tasks, and container instances for container cost analysis |
| ecs:List* | * | List ECS resources across all clusters |
| ecr:Describe* | * | Describe ECR repositories and images for storage cost tracking |
| ecr:List* | * | List ECR repositories and image tags |
| eks:List* | * | List EKS clusters and node groups for Kubernetes cost visibility |
Serverless
| Permission | Resource | Why We Need It |
|---|---|---|
| lambda:ListFunctions | * | List all Lambda functions for serverless cost tracking |
| lambda:ListProvisionedConcurrencyConfigs | * | List provisioned concurrency settings, which significantly affect Lambda costs |
| lambda:ListTags | * | List tags on Lambda functions for cost allocation |
Databases
| Permission | Resource | Why We Need It |
|---|---|---|
| rds:Describe* | * | Describe RDS instances, clusters, snapshots, and reserved instances for database cost analysis |
| rds:List* | * | List RDS resources and tags |
| rds:CreateDBSnapshot | * | Create DB snapshots as part of backup optimization workflows |
| dynamodb:Describe* | * | Describe DynamoDB tables, capacity modes, and backup settings for NoSQL cost optimization |
| dynamodb:ListTables | * | List all DynamoDB tables across the account |
| dynamodb:ListTagsOfResource | * | List tags on DynamoDB tables for cost allocation |
| elasticache:Describe* | * | Describe ElastiCache clusters and reserved nodes for caching cost analysis |
| elasticache:List* | * | List ElastiCache resources and tags |
| redshift:Describe* | * | Describe Redshift clusters, reserved nodes, and snapshots for data warehouse cost optimization |
Storage
| Permission | Resource | Why We Need It |
|---|---|---|
| s3:Describe* | * | Describe S3 Storage Lens and related configurations |
| s3:List* | * | List all buckets and objects for storage cost analysis |
| s3:GetAccelerateConfiguration | * | Check whether Transfer Acceleration is enabled, which adds cost |
| s3:GetBucketVersioning | * | Check versioning status, which affects storage costs |
| s3:GetLifecycleConfiguration | * | Get lifecycle rules to analyze storage optimization opportunities |
| backup:List* | * | List AWS Backup plans, vaults, and jobs for backup cost tracking |
Networking & CDN
| Permission | Resource | Why We Need It |
|---|---|---|
| cloudfront:GetDistribution | * | Get CloudFront distribution details for CDN cost analysis |
| cloudfront:GetDistributionConfig | * | Get distribution configuration to identify optimization opportunities |
| cloudfront:ListDistributions | * | List all CloudFront distributions |
| cloudfront:GetCachePolicyConfig | * | Get cache policy settings that affect origin requests and costs |
| elasticloadbalancing:Describe* | * | Describe load balancers, target groups, and listeners for networking cost analysis |
| route53:ListHostedZones | * | List Route 53 hosted zones for DNS cost tracking |
| route53:ListHostedZonesByName | * | List hosted zones by domain name for easier identification |
| route53:ListResourceRecordSets | * | List DNS records to analyze query volumes and costs |
Analytics & Search
| Permission | Resource | Why We Need It |
|---|---|---|
| es:Describe* | * | Describe OpenSearch/Elasticsearch domains for search service cost analysis |
| es:List* | * | List OpenSearch domains and tags |
| kafka:Describe* | * | Describe MSK clusters and configurations for streaming cost analysis |
| kafka:List* | * | List Kafka clusters and topics |
AI/ML
| Permission | Resource | Why We Need It |
|---|---|---|
| sagemaker:ListTrainingJobs | * | List SageMaker training jobs for ML cost tracking |
| sagemaker:DescribeTrainingJob | * | Get training job details, including instance types and duration, for cost analysis |
| bedrock:InvokeModel | * | Invoke Bedrock foundation models for Wiv’s AI-powered features and recommendations |
Monitoring & Logging
| Permission | Resource | Why We Need It |
|---|---|---|
| cloudwatch:Describe* | * | Describe CloudWatch alarms and dashboards |
| cloudwatch:Get* | * | Get metrics data for usage analysis and rightsizing recommendations |
| cloudwatch:List* | * | List metrics, dashboards, and alarms |
| logs:DescribeLogGroups | * | List CloudWatch log groups to identify logging costs and optimization opportunities |
| cloudtrail:Describe* | * | Describe CloudTrail trails and their configurations |
| cloudtrail:Get* | * | Get trail configurations and event selectors |
| cloudtrail:List* | * | List trails and tags |
| cloudtrail:LookupEvents | * | Query CloudTrail events to track resource changes and identify cost-impacting actions |
Config & Compliance
| Permission | Resource | Why We Need It |
|---|---|---|
| config:Describe* | * | Describe AWS Config rules and configuration recorders |
| config:Get* | * | Get resource configurations and compliance status |
| config:List* | * | List Config resources, rules, and aggregators |
Other Services
| Permission | Resource | Why We Need It |
|---|---|---|
| kms:List* | * | List KMS keys to track encryption-related costs |
| servicequotas:ListServiceQuotas | * | List service quotas for capacity planning and limit monitoring |
| servicequotas:ListServices | * | List all services with quotas |
| savingsplans:DescribeSavingsPlansOfferings | * | Get available Savings Plans offerings to generate purchase recommendations |
Tagging
| Permission | Resource | Why We Need It |
|---|---|---|
| tag:GetResources | * | Get resources by tag for cost allocation and chargeback |
| tag:GetTagKeys | * | List all tag keys in use across the account |
| tag:GetTagValues | * | Get values for specific tag keys for filtering and grouping |
Athena
| Permission | Resource | Why We Need It |
|---|---|---|
| athena:StartQueryExecution | {AthenaARN} | Execute SQL queries against CUR data for detailed cost analysis |
| athena:GetQueryExecution | {AthenaARN} | Check query execution status and progress |
| athena:GetQueryResults | {AthenaARN} | Retrieve query results for reporting and dashboards |
CloudFormation StackSets
| Permission | Resource | Why We Need It |
|---|---|---|
| cloudformation:CreateStackInstances | arn:aws:cloudformation:*:{AccountId}:stackset-target/*WivOrgStackSet* | Deploy the Wiv role to member accounts in the organization |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:*:{AccountId}:stackset/*WivOrgStackSet* | Create new stack instances from the StackSet definition |
| cloudformation:DescribeStackSetOperation | arn:aws:cloudformation:*:{AccountId}:stackset-target/*WivOrgStackSet* | Monitor deployment progress to member accounts |
| cloudformation:DescribeStackSetOperation | arn:aws:cloudformation:*:{AccountId}:stackset/*WivOrgStackSet* | Check the status of StackSet operations |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:us-east-1::type/resource/AWS-IAM-Role | Permission to provision IAM Role resources in member accounts |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:us-east-1::type/resource/AWS-IAM-Group | Permission to provision IAM Group resources in member accounts |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:us-east-1::type/resource/AWS-IAM-Policy | Permission to provision IAM Policy resources in member accounts |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:us-east-1::type/resource/AWS-CloudFormation-CustomResource | Permission to provision Custom Resources in member accounts |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:us-east-1::type/resource/AWS-S3-Bucket | Permission to provision S3 Bucket resources in member accounts |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:us-east-1::type/resource/AWS-Lambda-Function | Permission to provision Lambda Function resources in member accounts |
Glue
| Permission | Resource | Why We Need It |
|---|---|---|
| glue:* | arn:aws:glue:{Region}:{AccountId}:catalog | Full access to the Glue Data Catalog for managing the CUR data schema |
| glue:* | arn:aws:glue:{Region}:{AccountId}:database/wivdb | Manage the wivdb database where CUR tables are stored |
| glue:* | arn:aws:glue:{Region}:{AccountId}:table/wivdb/* | Manage all tables in wivdb, including partitions, for Athena queries |
| glue:* | arn:aws:glue:{Region}:{AccountId}:userDefinedFunction/wivdb/* | Manage user-defined functions for custom data transformations |
OrganizationRetrievalPolicy
| Permission | Resource | Why We Need It |
|---|---|---|
| iam:ListAccountAliases | * | Retrieve friendly account alias names to display in the Wiv dashboard instead of account IDs |
| organizations:DescribeOrganization | * | Get the organization ID, management account, and enabled features for org-level context |
| organizations:ListAccounts | * | Enumerate all member accounts in the organization for multi-account cost visibility |
EventbridgePolicy
EventBridge Rules
| Permission | Resource | Condition | Why We Need It |
|---|---|---|---|
| events:PutRule | * | Wiv-Infrastructure: true Tag | Create EventBridge rules for scheduled cost reports and event-driven workflows |
| events:PutTargets | * | Wiv-Infrastructure: true Tag | Add targets (API destinations, Lambda) to EventBridge rules |
| events:RemoveTargets | * | Wiv-Infrastructure: true Tag | Remove targets from rules during updates or reconfiguration |
| events:DeleteRule | * | Wiv-Infrastructure: true Tag | Delete EventBridge rules during cleanup or disconnection |
| events:TagResource | * | Wiv-Infrastructure: true Request tag | Apply Wiv tags to EventBridge resources for identification and management |
API Destinations
| Permission | Resource | Why We Need It |
|---|---|---|
| events:CreateApiDestination | * | Create HTTP API endpoints to send events to Wiv’s backend for real-time data |
| events:InvokeApiDestination | * | Call the API destination endpoints to deliver event data to Wiv |
| events:DeleteApiDestination | * | Remove API destinations during cleanup or reconfiguration |
| events:DescribeApiDestination | * | View API destination configuration and invocation status |
| events:CreateConnection | * | Create authenticated connections with credentials for secure API calls |
| events:DescribeConnection | * | View connection details and authentication status |
Secrets Manager
| Permission | Resource | Why We Need It |
|---|---|---|
| secretsmanager:CreateSecret | arn:aws:secretsmanager:*:{AccountId}:secret:events!connection/* | Create secrets to store EventBridge connection credentials securely |
| secretsmanager:PutSecretValue | arn:aws:secretsmanager:*:{AccountId}:secret:events!connection/* | Store API credential values in secrets |
| secretsmanager:UpdateSecret | arn:aws:secretsmanager:*:{AccountId}:secret:events!connection/* | Update credentials when they rotate or change |
| secretsmanager:GetSecretValue | arn:aws:secretsmanager:*:{AccountId}:secret:events!connection/* | Retrieve credentials for API authentication |
| secretsmanager:DeleteSecret | arn:aws:secretsmanager:*:{AccountId}:secret:events!connection/* | Remove secrets during cleanup |
| secretsmanager:DescribeSecret | arn:aws:secretsmanager:*:{AccountId}:secret:events!connection/* | View secret metadata and rotation configuration |
IAM - Self Role Management
| Permission | Resource | Why We Need It |
|---|---|---|
| iam:PassRole | WivAccessRole ARN | Allow EventBridge and other services to assume this role when invoking targets |
| iam:PutRolePolicy | WivAccessRole ARN | Add inline policies to the role dynamically for EventBridge setup |
| iam:ListAttachedRolePolicies | WivAccessRole ARN | List attached managed policies to verify the role configuration |
| iam:ListRolePolicies | WivAccessRole ARN | List inline policies to check existing permissions |
| iam:GetRolePolicy | WivAccessRole ARN | Read inline policy documents to verify the configuration |
IAM - Service Linked Role
| Permission | Resource | Condition | Why We Need It |
|---|---|---|---|
| iam:CreateServiceLinkedRole | ...AWSServiceRoleForAmazonEventBridgeApiDestinations | Service: apidestinations.events.amazonaws.com | Create the AWS-managed service-linked role required for API Destinations to function |
| iam:AttachRolePolicy | ...AWSServiceRoleForAmazonEventBridgeApiDestinations | None | Attach managed policies to the EventBridge service-linked role |
| iam:PutRolePolicy | ...AWSServiceRoleForAmazonEventBridgeApiDestinations | None | Add inline policies to the EventBridge service-linked role |
Summary by Category
| Category | Permission Count | Why We Need It |
|---|---|---|
| S3 (CUR Bucket) | 2 | Read and manage Cost and Usage Report data |
| Account & Billing | 9 | Access billing, invoicing, payments, and tax information |
| Cost Explorer & CUR | 6 | Query cost data, forecasts, and anomaly detection |
| Compute Optimizer | 2 | Get rightsizing recommendations |
| Trusted Advisor | 11 | Access optimization checks and recommendations |
| EC2 & Compute | 4 | Analyze compute resources and auto scaling |
| Containers & Kubernetes | 5 | Track ECS, ECR, and EKS costs |
| Serverless | 3 | Monitor Lambda functions and provisioned concurrency |
| Databases | 9 | Analyze RDS, DynamoDB, ElastiCache, Redshift costs |
| Storage | 6 | Track S3, EBS, and backup costs |
| Networking & CDN | 8 | Analyze CloudFront, ELB, and Route 53 costs |
| Analytics & Search | 4 | Monitor OpenSearch and MSK costs |
| AI/ML | 3 | Track SageMaker costs and power Wiv AI features |
| Monitoring & Logging | 8 | Access CloudWatch metrics and CloudTrail events |
| Config & Compliance | 3 | Get resource configurations |
| Other Services | 3 | Track KMS, quotas, and Savings Plans |
| Tagging | 3 | Enable cost allocation by tags |
| Athena | 3 | Query CUR data with SQL |
| CloudFormation | 10 | Deploy Wiv role to member accounts via StackSets |
| Glue | 4 | Manage CUR data catalog for Athena |
| Organizations | 3 | List and identify accounts |
| EventBridge | 11 | Set up real-time event integration |
| Secrets Manager | 6 | Manage API credentials securely |
| IAM | 8 | Self-manage role and create service-linked roles |
| Total | ~125 | Complete FinOps visibility and automation |