IAM Permissions
AWS IAM permissions used by GetInfraDesk
InfraDesk scans first with read-only access. Any supported fix requires explicit approval before action. This page lists every permission, what it reads, and whether it can modify AWS resources.
โ
Section A โ Default Read-Only Scan Role
โ ๏ธ Section B โ Optional Remediation Role
| Permission category | Required for scan? | Required for remediation? | Why needed |
|---|
| Cost Explorer (ce:Get*, ce:List*) | โ
Yes | โ No | Cost visibility and spend analysis |
| EC2 Describe* | โ
Yes | โ No | Resource inventory โ instances, volumes, EIPs, NAT |
| CloudWatch Read (Get*, List*, Describe*) | โ
Yes | โ No | Utilization evidence โ CPU, memory, traffic |
| RDS Describe* | โ
Yes | โ No | Database resource inventory |
| Tagging (tag:GetResources) | โ
Yes | โ No | Tag and ownership evidence |
| Organizations (list/describe) | โก Optional | โ No | Multi-account discovery |
| CloudWatch Logs (Describe) | โก Optional | โ No | Log retention cost analysis |
| ec2:StopInstances | โ No | โก Optional | Only after explicit approval โ scheduler/cost saving |
| ec2:DeleteVolume | โ No | โก Optional | Only after explicit approval โ orphan cleanup |
| ec2:ModifyVolume | โ No | โก Optional | Only after explicit approval โ GP2โGP3 migration |
| ec2:ReleaseAddress | โ No | โก Optional | Only after explicit approval โ idle EIP release |
| rds:StopDBInstance | โ No | โก Optional | Only after explicit approval โ idle RDS stop |
| iam:PassRole | โ No | โก Optional | Required for scheduler-based automation only |
Scan permissions are read-only and cannot modify AWS resources. Remediation permissions are optional and require separate deployment.
READ-ONLY
These permissions cannot modify any AWS resource
Read-only scan permissions
EC2
Detect stopped instances, orphaned volumes, unused Elastic IPs
ec2:DescribeInstancesInstance state, type, launch time, tags
ec2:DescribeVolumesVolume state, size, attachment status
ec2:DescribeSnapshotsSnapshot metadata
ec2:DescribeAddressesElastic IP allocation and association
ec2:DescribeRegionsAvailable AWS regions
ec2:DescribeTagsResource tags for owner gap analysis
ec2:DescribeLoadBalancersLoad balancer state and target groups
RDS
Detect idle RDS instances
rds:DescribeDBInstancesDB instance state, engine, size, tags
rds:DescribeDBSnapshotsSnapshot metadata
Cost Explorer
Calculate monthly waste cost per resource
ce:GetCostAndUsageMonthly and daily cost and usage data
ce:GetCostForecastMonthly cost forecast
ce:GetDimensionValuesCost dimension values for filtering
CloudWatch
Detect idle resources based on CPU and network activity
cloudwatch:GetMetricStatisticsCPU and network metrics for EC2 and RDS
cloudwatch:ListMetricsAvailable metrics list
Resource Groups Tagging
Identify owner and tag gaps across all resources
tag:GetResourcesResource ARNs and their tag keys/values
tag:GetTagKeysAll tag keys in use
STS
Verify role assumption and account identity
sts:GetCallerIdentityAWS account ID and role ARN
Organizations (optional)
Multi-account org discovery โ only used if you connect a management account
organizations:ListAccountsMember account IDs and names
OPTIONAL REMEDIATION
Only used after you explicitly approve a fix action
Optional fix permissions
These permissions exist only in the optional remediation template (infradesk-remediation-role.json) and are never invoked during scan. They are used only when you explicitly approve a supported fix action in the InfraDesk dashboard.
EC2 (optional remediation)
Used only when you approve a supported fix action in InfraDesk.
ec2:StopInstancesStop a running EC2 instance
Only after explicit approval
ec2:StartInstancesRestart a stopped EC2 instance
Rollback or scheduler restart
ec2:CreateSnapshotTake a snapshot before a supported delete action
Pre-action context step
ec2:DeleteVolumeDelete an orphaned EBS volume
Only after explicit approval
ec2:ModifyVolumeChange GP2 volume to GP3
Only after explicit approval
ec2:ReleaseAddressRelease an unused Elastic IP
Only after explicit approval
RDS (optional remediation)
Used only when you approve a supported RDS fix action.
rds:CreateDBSnapshotTake a snapshot before a supported RDS action
Pre-action context step
rds:ModifyDBInstanceModify RDS instance class or state
Only after explicit approval
Lambda + EventBridge (non-prod scheduler)
Used only if you enable the non-prod auto-stop scheduler feature.
lambda:CreateFunctionCreate a scheduler Lambda function
Scheduler setup only
lambda:DeleteFunctionRemove a scheduler Lambda function
Scheduler removal only
lambda:InvokeFunctionInvoke the scheduler function
Scheduled execution
scheduler:CreateScheduleCreate an EventBridge schedule
Scheduler setup only
scheduler:DeleteScheduleRemove an EventBridge schedule
Scheduler removal only
IAM (scheduler role only)
Used only to create a minimal IAM role for the scheduler Lambda. Not used for any other IAM operations.
iam:CreateRoleCreate a role for the scheduler Lambda
Scheduler setup only
iam:AttachRolePolicyAttach a policy to the scheduler role
Scheduler setup only
iam:PassRolePass the scheduler role to Lambda
Scheduler setup only
iam:GetRoleRead scheduler role details
Scheduler verification only
โ
Free scan uses the separate read-only template: infradesk-readonly-role.json. This template contains zero write, delete, stop, modify, update, create, or terminate permissions. Approval-based remediation uses a separate optional template: infradesk-remediation-role.json. It is not required for scan or reporting.