IAM Policy Reference

Servyx requires a read-only IAM policy to collect infrastructure and cost data from your AWS account. This page documents the full policy and explains what each permission does.

The ServyxReadOnly Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ServyxReadOnlyDiscovery",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",

        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeVolumes",
        "ec2:DescribeAddresses",
        "ec2:DescribeNatGateways",
        "ec2:DescribeSnapshots",

        "eks:ListClusters",
        "eks:DescribeCluster",
        "eks:ListNodegroups",
        "eks:DescribeNodegroup",

        "rds:DescribeDBInstances",

        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",

        "autoscaling:DescribeAutoScalingGroups",

        "s3:ListAllMyBuckets",
        "s3:GetBucketVersioning",
        "s3:GetLifecycleConfiguration",

        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",

        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetSavingsPlansCoverage",
        "ce:GetReservationCoverage",

        "cloudtrail:LookupEvents",

        "pricing:GetProducts"
      ],
      "Resource": "*"
    }
  ]
}

Permission Breakdown

Identity

Permission            | Purpose
sts:GetCallerIdentity | Verifies that the credentials are valid and identifies which AWS account they belong to

Compute (EC2)

Permission                | Purpose
ec2:DescribeInstances     | Lists all EC2 instances with their type, state, tags, and launch time
ec2:DescribeInstanceTypes | Gets hardware specs (vCPU, memory, network bandwidth) for each instance type
ec2:DescribeVolumes       | Lists EBS volumes to detect orphaned or oversized disks
ec2:DescribeAddresses     | Discovers Elastic IPs, including unused ones that incur charges
ec2:DescribeNatGateways   | Lists NAT Gateways for network cost analysis
ec2:DescribeSnapshots     | Lists EBS snapshots to find old snapshots without lifecycle policies

Kubernetes (EKS)

Permission            | Purpose
eks:ListClusters      | Discovers all EKS clusters in the account
eks:DescribeCluster   | Gets cluster configuration and status
eks:ListNodegroups    | Lists node groups in each cluster
eks:DescribeNodegroup | Gets node group configuration (instance types, scaling settings)

Databases (RDS)

Permission              | Purpose
rds:DescribeDBInstances | Lists all RDS databases with engine type, instance class, storage, and multi-AZ configuration

Networking

Permission                                 | Purpose
elasticloadbalancing:DescribeLoadBalancers | Lists ALB and NLB load balancers
elasticloadbalancing:DescribeTargetGroups  | Gets target group health and configuration

Auto Scaling

Permission                            | Purpose
autoscaling:DescribeAutoScalingGroups | Lists Auto Scaling Groups for scheduling and capacity analysis

Storage (S3)

Permission                   | Purpose
s3:ListAllMyBuckets          | Lists all S3 buckets in the account
s3:GetBucketVersioning       | Checks whether versioning is enabled (it can significantly increase storage costs)
s3:GetLifecycleConfiguration | Checks for lifecycle policies that manage object expiration

Performance Monitoring

Permission                     | Purpose
cloudwatch:GetMetricStatistics | Collects CPU utilization, network throughput, disk I/O, and load balancer metrics
cloudwatch:ListMetrics         | Discovers available metrics for each resource

Cost Analysis

Permission                 | Purpose
ce:GetCostAndUsage         | Gets monthly cost breakdown by service
ce:GetCostForecast         | Gets projected costs for the current and upcoming billing periods
ce:GetSavingsPlansCoverage | Checks how much of your spend is covered by Savings Plans
ce:GetReservationCoverage  | Checks how much of your spend is covered by Reserved Instances

Audit

Permission              | Purpose
cloudtrail:LookupEvents | Reviews recent infrastructure changes for context

Pricing

Permission          | Purpose
pricing:GetProducts | Gets current on-demand pricing for accurate savings calculations

Why Resource: "*"

The policy uses "Resource": "*" because every action it grants is a discovery or read API that operates across all resources in the account, and for most of these services AWS does not support resource-level restrictions on Describe*, List*, and Get* calls.

Important Notes

  • This policy is strictly read-only. It cannot create, modify, or delete any AWS resource.
  • Cost Explorer must be enabled in the AWS Billing Console before cost data can be collected. It can take up to 24 hours to activate.
  • The policy does not include iam:*, organizations:*, or any administrative permissions.
  • For enhanced security, consider rotating the access keys periodically and monitoring their usage via CloudTrail.

Creating the Policy via CLI

If you prefer the AWS CLI over the console:

aws iam create-policy \
  --policy-name ServyxReadOnly \
  --policy-document file://servyx-readonly-policy.json \
  --description "Read-only access for Servyx infrastructure intelligence"

Save the JSON above to a file named servyx-readonly-policy.json before running this command.
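A lint pass to run on servyx-readonly-policy.json before create-policy, checking the invariants the notes above state: only read-only verbs (Describe, List, Get, Lookup), no wildcard actions, no iam or organizations actions, and no NotAction/NotResource statements that widen access. This is an added example, not Servyx's own tooling; SAMPLE_POLICY is a constructed, trimmed copy of the policy used only when no file path is given.

```python
"""Lint an IAM policy document against the read-only invariants stated on this page."""
import json
import re
import sys

# Read-only verb prefixes; anything else (Create*, Put*, Delete*, Attach*, ...) is a finding.
READ_ONLY_VERBS = re.compile(r"^(Describe|List|Get|Lookup)[A-Za-z]*$")
FORBIDDEN_SERVICES = {"iam", "organizations"}

# Constructed, trimmed copy of the ServyxReadOnly policy for offline demonstration.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ServyxReadOnlyDiscovery",
        "Effect": "Allow",
        "Action": ["sts:GetCallerIdentity", "ec2:DescribeInstances", "ce:GetCostAndUsage"],
        "Resource": "*",
    }],
}


def check_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means the policy meets the invariants."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, nothing to flag
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{stmt.get('Sid', '?')}: NotAction/NotResource grants more than it appears to")
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if "*" in action:
                findings.append(f"wildcard action not allowed: {action}")
                continue
            service, _, verb = action.partition(":")
            if service in FORBIDDEN_SERVICES:
                findings.append(f"administrative service not allowed: {action}")
            if not READ_ONLY_VERBS.match(verb):
                findings.append(f"non read-only verb: {action}")
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. servyx-readonly-policy.json
    doc = json.load(open(path)) if path else SAMPLE_POLICY
    problems = check_policy(doc)
    print("\n".join(problems) or "OK: policy is read-only")
    sys.exit(1 if problems else 0)
```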