AWS Permissions
Antimetal only collects metadata about your infrastructure and never attempts to read sensitive information from the underlying services. We can’t touch workloads, introspect on server state, or terminate/stop instances.
1
{
2
"Version": "2012-10-17",
3
"Statement": [ {
4
"Action": [ "application-autoscaling:Describe*",
5
"autoscaling:Describe*",
6
"ce:Describe*",
7
"ce:Get*",
8
"ce:List*",
9
"cloudwatch:GetMetricData",
10
"ec2:Describe*",
11
"ec2:AcceptReservedInstancesExchangeQuote",
12
"ec2:CancelReservedInstancesListing",
13
"ec2:CreateReservedInstancesListing",
14
"ec2:DeleteQueuedReservedInstances",
15
"ec2:ModifyReservedInstances",
16
"ec2:PurchaseHostReservation",
17
"ec2:PurchaseReservedInstancesOffering",
18
"pricing:DescribeServices",
19
"pricing:GetAttributeValues",
20
"pricing:GetProducts",
21
"savingsplans:Describe*",
22
"savingsplans:List*",
23
"servicequotas:Get*",
24
"servicequotas:List*",
25
"support:*"
26
],
27
"Effect": "Allow",
28
"Resource": "*"
29
}
30
]
31
}
Below is a list of AWS permissions and a brief description of what each permission does.
Note: We have built-in safeguards into our system so that we can only use write permissions after customers have approved savings or turned on autopilot.
Permission | Brief Description |
|---|---|
"application-autoscaling:Describe*" | Determine EC2-related application autoscaling behavior and policies (for services like ECS and SageMaker) to make recommendation decisions. |
"autoscaling:Describe*" | Determine application EC2 autoscaling behavior and policies to make recommendation decisions. |
"aws-portal:ViewBilling" | Allows viewing billing information in the AWS portal |
"aws-portal:ViewUsage" | Allows viewing usage information in the AWS portal |
"ce:Describe/Get/List*" | Fetch historical spending data; list existing savings infrastructure across accounts (within an organization); and collect utilization information for on-demand instances, reserved instances, and savings plans. |
"cloudwatch:GetMetricData" | Get per-instance metric data to make right- sizing recommendations and measure instance utilization. |
"ec2:Describe*" | Fetch and store data related to EC2 on- demand and reserved instances. In particular, stores instance type, platform, tenancy, region, and how long instance has been on. |
"ec2:AcceptReservedInstancesExchangeQuote" | Allows accepting exchange quotes for Reserved Instances in EC2 |
"ec2:CancelReservedInstancesListing" | Allows canceling Reserved Instances listings in EC2 |
"ec2:CreateReservedInstancesListing" | Allows creating Reserved Instances listings in EC2 |
"ec2:DeleteQueuedReservedInstances" | Allows deleting queued Reserved Instances in EC2 |
"ec2:ModifyReservedInstances" | Allows modifying Reserved Instances in EC2 |
"ec2:PurchaseHostReservation" | Allows purchasing host reservations in EC2 |
"ec2:PurchaseReservedInstancesOffering" | Allows purchasing Reserved Instances offerings in EC2 |
"pricing:DescribeServices" | Allows describing services related to pricing |
"pricing:GetAttributeValues" | Allows getting attribute values related to pricing |
"pricing:GetProducts" | Allows getting products related to pricing |
"savingsplans:Describe/List" | Fetch and store type and spend commitment data for Compute and EC2 savings plans. |
"servicequotas:Get/List*" | Determine service quota limits for the number of reserved instances that can be purchased in a single month. |
servicequotas:RequestServiceQuotaIncrease | Request a service quota increase. The only service quota Antimetal currently requests an increase for is the number of reserved instances that can be purchased per month. |
"support:*" | Resolve support cases related to service quota increases. Antimetal only touches support cases that it created via a RequestServiceQuotaIncrease call. |
We take security seriously and want to make sure to answer any questions you have. If we missed any critical information or if there are any questions that you still have, don't hesitate to reach out to [email protected]
Last modified 4h ago