IAM Permissions
AWS IAM permissions used by GetInfraDesk
InfraDesk scans first with read-only access. Any supported fix requires explicit approval before action. This page lists every permission, what it reads, and whether it can modify AWS resources.
READ-ONLY
These permissions cannot modify any AWS resource
Read-only scan permissions
EC2
Detect stopped instances, orphaned volumes, unused Elastic IPs
ec2:DescribeInstances - Instance state, type, launch time, tags
ec2:DescribeVolumes - Volume state, size, attachment status
ec2:DescribeSnapshots - Snapshot metadata
ec2:DescribeAddresses - Elastic IP allocation and association
ec2:DescribeRegions - Available AWS regions
ec2:DescribeTags - Resource tags for owner gap analysis
elasticloadbalancing:DescribeLoadBalancers - Load balancer state and target groups (load balancer actions use the elasticloadbalancing service prefix, not ec2)
RDS
Detect idle RDS instances
rds:DescribeDBInstances - DB instance state, engine, size, tags
rds:DescribeDBSnapshots - Snapshot metadata
Cost Explorer
Calculate monthly waste cost per resource
ce:GetCostAndUsage - Monthly and daily cost and usage data
ce:GetCostForecast - Monthly cost forecast
ce:GetDimensionValues - Cost dimension values for filtering
CloudWatch
Detect idle resources based on CPU and network activity
cloudwatch:GetMetricStatistics - CPU and network metrics for EC2 and RDS
cloudwatch:ListMetrics - Available metrics list
Resource Groups Tagging
Identify owner and tag gaps across all resources
tag:GetResources - Resource ARNs and their tag keys/values
tag:GetTagKeys - All tag keys in use
STS
Verify role assumption and account identity
sts:GetCallerIdentity - AWS account ID and role ARN (this call needs no IAM permission; it is listed so the role's use of it is documented)
Organizations (optional)
Multi-account org discovery; only used if you connect a management account
organizations:ListAccounts - Member account IDs and names
OPTIONAL REMEDIATION
Only used after you explicitly approve a fix action
Optional fix permissions
These permissions are granted to the IAM role, but InfraDesk only invokes them when you approve a specific supported fix action in InfraDesk, and never during a scan. Note that this restriction is enforced by InfraDesk, not by IAM: the role itself can exercise these permissions at any time, so anyone who can assume the role holds them regardless of the approval flow.
EC2 (optional remediation)
Used only when you approve a supported fix action in InfraDesk.
ec2:StopInstances - Stop a running EC2 instance (only after explicit approval)
ec2:StartInstances - Restart a stopped EC2 instance (rollback or scheduler restart)
ec2:CreateSnapshot - Take a snapshot before a supported delete action (pre-action step)
ec2:DeleteVolume - Delete an orphaned EBS volume (only after explicit approval)
ec2:ModifyVolume - Change a GP2 volume to GP3 (only after explicit approval)
ec2:ReleaseAddress - Release an unused Elastic IP (only after explicit approval)
RDS (optional remediation)
Used only when you approve a supported RDS fix action.
rds:CreateDBSnapshot - Take a snapshot before a supported RDS action (pre-action step)
rds:ModifyDBInstance - Modify an RDS instance, for example its instance class (only after explicit approval). Stopping or starting an RDS instance is a separate pair of actions, rds:StopDBInstance and rds:StartDBInstance, which are not in this list.
Lambda + EventBridge (non-prod scheduler)
Used only if you enable the non-prod auto-stop scheduler feature.
lambda:CreateFunction - Create a scheduler Lambda function (scheduler setup only)
lambda:DeleteFunction - Remove a scheduler Lambda function (scheduler removal only)
lambda:InvokeFunction - Invoke the scheduler function (scheduled execution)
scheduler:CreateSchedule - Create an EventBridge schedule (scheduler setup only)
scheduler:DeleteSchedule - Remove an EventBridge schedule (scheduler removal only)
IAM (scheduler role only)
Used only to create a minimal IAM role for the scheduler Lambda. Not used for any other IAM operations. IAM itself does not know that intent: iam:CreateRole, iam:AttachRolePolicy and iam:PassRole granted on Resource "*" are sufficient to create a role with any managed policy attached and hand it to a Lambda function, which is a well-known privilege escalation path. If you deploy this section, restrict Resource to the scheduler role's ARN pattern and add an iam:PermissionsBoundary condition to the CreateRole and AttachRolePolicy grants.
iam:CreateRole - Create a role for the scheduler Lambda (scheduler setup only)
iam:AttachRolePolicy - Attach a policy to the scheduler role (scheduler setup only)
iam:PassRole - Pass the scheduler role to Lambda (scheduler setup only)
iam:GetRole - Read scheduler role details (scheduler verification only)
Warning: If you want a strictly read-only role with no remediation permissions, you can edit the CloudFormation template before deploying to remove the optional sections. Contact support@getinfradesk.com for a read-only template.
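Before deploying either variant of the template, it is worth checking the policy document offline rather than trusting the section labels. The script below is an added example and is not InfraDesk's own code or template. It classifies every allowed action as read-only (Describe*/Get*/List*) or mutating, and flags the scheduler IAM statement when iam:CreateRole, iam:AttachRolePolicy or iam:PassRole are granted on Resource "*" or without an iam:PermissionsBoundary condition. The three policy documents are constructed from the actions on this page; the account ID, the InfraDeskScheduler* role-name pattern and the boundary policy name are illustrative assumptions.

```python
"""Offline lint for an InfraDesk-style IAM role policy (added example, not InfraDesk's code)."""
import json

READ_ONLY_PREFIXES = ("Describe", "Get", "List")
# Granted together on Resource "*", these let the role mint an arbitrarily privileged role
# and pass it to Lambda. iam:GetRole is deliberately not in this set.
ESCALATION_ACTIONS = {"iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Yield (action, statement) for every action in an Allow statement."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action", [])):
                yield action, stmt


def mutating_actions(policy):
    """Sorted allowed actions that are wildcards or not Describe*/Get*/List*, i.e. can change state."""
    found = set()
    for action, _ in allowed_actions(policy):
        _service, _, name = action.partition(":")
        if name == "*" or not name.startswith(READ_ONLY_PREFIXES):
            found.add(action)
    return sorted(found)


def unscoped_iam_findings(policy):
    """Findings for escalation-capable IAM actions lacking a resource scope or a permissions boundary."""
    findings = []
    for action, stmt in allowed_actions(policy):
        if action not in ESCALATION_ACTIONS:
            continue
        if "*" in _as_list(stmt.get("Resource", "*")):
            findings.append(f"{action}: Resource is '*'; restrict to the scheduler role ARN")
        # iam:PermissionsBoundary applies to CreateRole/AttachRolePolicy, not to PassRole.
        if action != "iam:PassRole" and "iam:PermissionsBoundary" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"{action}: no iam:PermissionsBoundary condition")
    return findings


# Constructed from the read-only section of this page.
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:DescribeAddresses",
    "ec2:DescribeRegions", "ec2:DescribeTags", "elasticloadbalancing:DescribeLoadBalancers",
    "rds:DescribeDBInstances", "rds:DescribeDBSnapshots",
    "ce:GetCostAndUsage", "ce:GetCostForecast", "ce:GetDimensionValues",
    "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "tag:GetResources", "tag:GetTagKeys",
    "sts:GetCallerIdentity", "organizations:ListAccounts"]}]}

# Constructed from the optional remediation section, with the IAM statement unscoped as the page lists it.
UNSCOPED_REMEDIATION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:StopInstances", "ec2:StartInstances", "ec2:CreateSnapshot", "ec2:DeleteVolume",
        "ec2:ModifyVolume", "ec2:ReleaseAddress", "rds:CreateDBSnapshot", "rds:ModifyDBInstance",
        "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:InvokeFunction",
        "scheduler:CreateSchedule", "scheduler:DeleteSchedule"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole", "iam:GetRole"]}]}

# The same IAM grants scoped the way a reviewer would ask for (account ID and names are assumptions).
ROLE_ARN = "arn:aws:iam::123456789012:role/InfraDeskScheduler*"
SCOPED_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy"], "Resource": ROLE_ARN,
     "Condition": {"StringEquals": {
         "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/InfraDeskSchedulerBoundary"}}},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN,
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Allow", "Action": "iam:GetRole", "Resource": ROLE_ARN}]}

if __name__ == "__main__":
    print("read-only policy, mutating actions:", mutating_actions(READ_ONLY_POLICY))
    print("remediation policy, mutating actions:", mutating_actions(UNSCOPED_REMEDIATION_POLICY))
    for finding in unscoped_iam_findings(UNSCOPED_REMEDIATION_POLICY):
        print("FINDING:", finding)
    print("scoped IAM statement findings:", unscoped_iam_findings(SCOPED_IAM_POLICY))
```

Run it against the policy document extracted from the template you are about to deploy: an empty mutating list confirms the read-only variant really is read-only, and an empty findings list confirms the scheduler IAM grants cannot be turned into a general role factory. The Describe/Get/List convention is a heuristic, so treat it as a first pass and still read any action it does not flag.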