GetInfraDesk
DocsDashboard โ†’
Documentation
๐Ÿ“– Overview
Getting Started
๐Ÿš€ Quick Start
๐Ÿ” AWS IAM Permissions
๐Ÿ›ก๏ธ Security & Privacy
Decision Intelligence
โœ‹ Decision Inbox
๐Ÿ“„ Decision Briefs
โšก How Approved Actions Work
โ†ฉ๏ธ Rollback Guide
Connected Signals
๐Ÿ”— Signal Hub Overview
โ˜๏ธ Cloudflare
๐Ÿค– OpenAI Spend
๐Ÿ“Š Datadog
๐Ÿƒ MongoDB Atlas
Support
๐Ÿ”ง Troubleshooting
โ“ FAQ
๐ŸŽฏ Pilot Program
Need help?
Email us at support@getinfradesk.com
IAM Permissions

AWS IAM permissions used by GetInfraDesk

InfraDesk scans first with read-only access. Any supported fix requires explicit approval before action. This page lists every permission, what it reads, and whether it can modify AWS resources.

โœ… Section A โ€” Default Read-Only Scan Role
Free scan requires read-only permissions only. Remediation permissions are never required to generate a report or view savings opportunities.

Download read-only CloudFormation template โ†’
โš ๏ธ Section B โ€” Optional Remediation Role
Remediation permissions are optional and separate from the read-only scan role. They are used only after explicit user approval in the InfraDesk dashboard.

Download optional remediation template โ†’
Permission categoryRequired for scan?Required for remediation?Why needed
Cost Explorer (ce:Get*, ce:List*)โœ… YesโŒ NoCost visibility and spend analysis
EC2 Describe*โœ… YesโŒ NoResource inventory โ€” instances, volumes, EIPs, NAT
CloudWatch Read (Get*, List*, Describe*)โœ… YesโŒ NoUtilization evidence โ€” CPU, memory, traffic
RDS Describe*โœ… YesโŒ NoDatabase resource inventory
Tagging (tag:GetResources)โœ… YesโŒ NoTag and ownership evidence
Organizations (list/describe)โšก OptionalโŒ NoMulti-account discovery
CloudWatch Logs (Describe)โšก OptionalโŒ NoLog retention cost analysis
ec2:StopInstancesโŒ Noโšก OptionalOnly after explicit approval โ€” scheduler/cost saving
ec2:DeleteVolumeโŒ Noโšก OptionalOnly after explicit approval โ€” orphan cleanup
ec2:ModifyVolumeโŒ Noโšก OptionalOnly after explicit approval โ€” GP2โ†’GP3 migration
ec2:ReleaseAddressโŒ Noโšก OptionalOnly after explicit approval โ€” idle EIP release
rds:StopDBInstanceโŒ Noโšก OptionalOnly after explicit approval โ€” idle RDS stop
iam:PassRoleโŒ Noโšก OptionalRequired for scheduler-based automation only

Scan permissions are read-only and cannot modify AWS resources. Remediation permissions are optional and require separate deployment.

How access works
InfraDesk uses a cross-account IAM role created via CloudFormation. Your credentials are never stored. InfraDesk assumes the role temporarily using AWS STS AssumeRole with a unique External ID per account. The CloudFormation template is open-source โ€” review it on GitHub โ†’
READ-ONLY
These permissions cannot modify any AWS resource

Read-only scan permissions

EC2
Detect stopped instances, orphaned volumes, unused Elastic IPs
ec2:DescribeInstances
Instance state, type, launch time, tags
ec2:DescribeVolumes
Volume state, size, attachment status
ec2:DescribeSnapshots
Snapshot metadata
ec2:DescribeAddresses
Elastic IP allocation and association
ec2:DescribeRegions
Available AWS regions
ec2:DescribeTags
Resource tags for owner gap analysis
ec2:DescribeLoadBalancers
Load balancer state and target groups
RDS
Detect idle RDS instances
rds:DescribeDBInstances
DB instance state, engine, size, tags
rds:DescribeDBSnapshots
Snapshot metadata
Cost Explorer
Calculate monthly waste cost per resource
ce:GetCostAndUsage
Monthly and daily cost and usage data
ce:GetCostForecast
Monthly cost forecast
ce:GetDimensionValues
Cost dimension values for filtering
CloudWatch
Detect idle resources based on CPU and network activity
cloudwatch:GetMetricStatistics
CPU and network metrics for EC2 and RDS
cloudwatch:ListMetrics
Available metrics list
Resource Groups Tagging
Identify owner and tag gaps across all resources
tag:GetResources
Resource ARNs and their tag keys/values
tag:GetTagKeys
All tag keys in use
STS
Verify role assumption and account identity
sts:GetCallerIdentity
AWS account ID and role ARN
Organizations (optional)
Multi-account org discovery โ€” only used if you connect a management account
organizations:ListAccounts
Member account IDs and names
OPTIONAL REMEDIATION
Only used after you explicitly approve a fix action

Optional fix permissions

These permissions exist only in the optional remediation template (infradesk-remediation-role.json) and are never invoked during scan. They are used only when you explicitly approve a supported fix action in the InfraDesk dashboard.

EC2 (optional remediation)
Used only when you approve a supported fix action in InfraDesk.
ec2:StopInstances
Stop a running EC2 instance
Only after explicit approval
ec2:StartInstances
Restart a stopped EC2 instance
Rollback or scheduler restart
ec2:CreateSnapshot
Take a snapshot before a supported delete action
Pre-action context step
ec2:DeleteVolume
Delete an orphaned EBS volume
Only after explicit approval
ec2:ModifyVolume
Change GP2 volume to GP3
Only after explicit approval
ec2:ReleaseAddress
Release an unused Elastic IP
Only after explicit approval
RDS (optional remediation)
Used only when you approve a supported RDS fix action.
rds:CreateDBSnapshot
Take a snapshot before a supported RDS action
Pre-action context step
rds:ModifyDBInstance
Modify RDS instance class or state
Only after explicit approval
Lambda + EventBridge (non-prod scheduler)
Used only if you enable the non-prod auto-stop scheduler feature.
lambda:CreateFunction
Create a scheduler Lambda function
Scheduler setup only
lambda:DeleteFunction
Remove a scheduler Lambda function
Scheduler removal only
lambda:InvokeFunction
Invoke the scheduler function
Scheduled execution
scheduler:CreateSchedule
Create an EventBridge schedule
Scheduler setup only
scheduler:DeleteSchedule
Remove an EventBridge schedule
Scheduler removal only
IAM (scheduler role only)
Used only to create a minimal IAM role for the scheduler Lambda. Not used for any other IAM operations.
iam:CreateRole
Create a role for the scheduler Lambda
Scheduler setup only
iam:AttachRolePolicy
Attach a policy to the scheduler role
Scheduler setup only
iam:PassRole
Pass the scheduler role to Lambda
Scheduler setup only
iam:GetRole
Read scheduler role details
Scheduler verification only
โœ… Free scan uses the separate read-only template: infradesk-readonly-role.json. This template contains zero write, delete, stop, modify, update, create, or terminate permissions. Approval-based remediation uses a separate optional template: infradesk-remediation-role.json. It is not required for scan or reporting.