# IAM Policy Reference
Servyx requires a read-only IAM policy to collect infrastructure and cost data from your AWS account. This page documents the full policy and explains what each permission does.
## The ServyxReadOnly Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ServyxReadOnlyDiscovery",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeVolumes",
        "ec2:DescribeAddresses",
        "ec2:DescribeNatGateways",
        "ec2:DescribeSnapshots",
        "eks:ListClusters",
        "eks:DescribeCluster",
        "eks:ListNodegroups",
        "eks:DescribeNodegroup",
        "rds:DescribeDBInstances",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "autoscaling:DescribeAutoScalingGroups",
        "s3:ListAllMyBuckets",
        "s3:GetBucketVersioning",
        "s3:GetLifecycleConfiguration",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetSavingsPlansCoverage",
        "ce:GetReservationCoverage",
        "cloudtrail:LookupEvents",
        "pricing:GetProducts"
      ],
      "Resource": "*"
    }
  ]
}
```
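A policy document like this is worth checking mechanically before it is attached, and again whenever it is edited, so that the "read-only" property documented on this page does not drift. The script below is an added example, not Servyx's own tooling: it embeds the ServyxReadOnly policy from above and flags any Allow action that is not a Describe/List/Get/Lookup call, that uses a wildcard, or that touches the iam or organizations services. The read-only verb prefixes and the forbidden-service set are the script's own assumptions, derived from what this page states.

```python
import json

# The ServyxReadOnly policy from this page, embedded inline so the check runs offline.
SERVYX_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ServyxReadOnlyDiscovery",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeVolumes",
        "ec2:DescribeAddresses", "ec2:DescribeNatGateways", "ec2:DescribeSnapshots",
        "eks:ListClusters", "eks:DescribeCluster", "eks:ListNodegroups", "eks:DescribeNodegroup",
        "rds:DescribeDBInstances",
        "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups",
        "autoscaling:DescribeAutoScalingGroups",
        "s3:ListAllMyBuckets", "s3:GetBucketVersioning", "s3:GetLifecycleConfiguration",
        "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
        "ce:GetCostAndUsage", "ce:GetCostForecast", "ce:GetSavingsPlansCoverage", "ce:GetReservationCoverage",
        "cloudtrail:LookupEvents",
        "pricing:GetProducts"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Assumed set of verb prefixes that only read state; "Lookup" is there for cloudtrail:LookupEvents.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Lookup")

# Service prefixes the page says the policy must never contain.
FORBIDDEN_SERVICES = {"iam", "organizations"}


def _as_list(value):
    """IAM accepts a bare string or a single object wherever a list is usually written."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of findings; an empty list means every Allow is a read-only, non-wildcard action."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen access
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows everything not listed")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if ":" not in action:  # "*" and similar service-less wildcards
                findings.append(f"{sid}: bare wildcard action {action!r}")
                continue
            service, verb = action.split(":", 1)
            if "*" in verb or "?" in verb:
                findings.append(f"{sid}: wildcard verb in {action!r}")
                continue
            if service in FORBIDDEN_SERVICES:
                findings.append(f"{sid}: forbidden service in {action!r}")
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{sid}: non-read verb in {action!r}")
    return findings


if __name__ == "__main__":
    problems = audit_policy(SERVYX_POLICY)
    print("policy passes" if not problems else "\n".join(problems))
```

The verb-prefix check is a coarse first gate, not a substitute for reading each action: a Get* action can still return sensitive data, so a new action added to the list should be reviewed individually even when this script accepts it. Running the script against the policy above returns no findings; adding something like ec2:TerminateInstances or iam:ListUsers to the action list produces one finding per offending action.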
## Permission Breakdown

### Identity

| Permission | Purpose |
|---|---|
| sts:GetCallerIdentity | Verifies that the credentials are valid and identifies which AWS account they belong to |

### Compute (EC2)

| Permission | Purpose |
|---|---|
| ec2:DescribeInstances | Lists all EC2 instances with their type, state, tags, and launch time |
| ec2:DescribeInstanceTypes | Gets hardware specs (vCPU, memory, network bandwidth) for each instance type |
| ec2:DescribeVolumes | Lists EBS volumes to detect orphaned or oversized disks |
| ec2:DescribeAddresses | Discovers Elastic IPs, including unused ones that incur charges |
| ec2:DescribeNatGateways | Lists NAT Gateways for network cost analysis |
| ec2:DescribeSnapshots | Lists EBS snapshots to find old snapshots without lifecycle policies |

### Kubernetes (EKS)

| Permission | Purpose |
|---|---|
| eks:ListClusters | Discovers all EKS clusters in the account |
| eks:DescribeCluster | Gets cluster configuration and status |
| eks:ListNodegroups | Lists node groups in each cluster |
| eks:DescribeNodegroup | Gets node group configuration (instance types, scaling settings) |

### Databases (RDS)

| Permission | Purpose |
|---|---|
| rds:DescribeDBInstances | Lists all RDS databases with engine type, instance class, storage, and multi-AZ configuration |

### Networking

| Permission | Purpose |
|---|---|
| elasticloadbalancing:DescribeLoadBalancers | Lists ALB and NLB load balancers |
| elasticloadbalancing:DescribeTargetGroups | Gets target group health and configuration |

### Auto Scaling

| Permission | Purpose |
|---|---|
| autoscaling:DescribeAutoScalingGroups | Lists Auto Scaling Groups for scheduling and capacity analysis |

### Storage (S3)

| Permission | Purpose |
|---|---|
| s3:ListAllMyBuckets | Lists all S3 buckets in the account |
| s3:GetBucketVersioning | Checks whether versioning is enabled (it can significantly increase storage costs) |
| s3:GetLifecycleConfiguration | Checks for lifecycle policies that manage object expiration |

### Performance Monitoring

| Permission | Purpose |
|---|---|
| cloudwatch:GetMetricStatistics | Collects CPU utilization, network throughput, disk I/O, and load balancer metrics |
| cloudwatch:ListMetrics | Discovers available metrics for each resource |

### Cost Analysis

| Permission | Purpose |
|---|---|
| ce:GetCostAndUsage | Gets monthly cost breakdown by service |
| ce:GetCostForecast | Gets projected costs for the current and upcoming billing periods |
| ce:GetSavingsPlansCoverage | Checks how much of your spend is covered by Savings Plans |
| ce:GetReservationCoverage | Checks how much of your spend is covered by Reserved Instances |

### Audit

| Permission | Purpose |
|---|---|
| cloudtrail:LookupEvents | Reviews recent infrastructure changes for context |

### Pricing

| Permission | Purpose |
|---|---|
| pricing:GetProducts | Gets current on-demand pricing for accurate savings calculations |
## Why Resource: "*"

The policy uses "Resource": "*" because all of these are discovery and read APIs that operate across all resources in the account. AWS does not support resource-level restrictions for Describe*, List*, or Get* calls on most of these services.
## Important Notes

- This policy is strictly read-only. It cannot create, modify, or delete any AWS resource.
- Cost Explorer must be enabled in the AWS Billing Console before cost data can be collected. It can take up to 24 hours to activate.
- The policy does not include iam:*, organizations:*, or any administrative permissions.
- For enhanced security, consider rotating the access keys periodically and monitoring their usage via CloudTrail.
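The last note recommends monitoring the key's usage via CloudTrail. One concrete form of that monitoring is to compare each CloudTrail record made with the Servyx access key against the action list above and flag anything outside it or anything that returned an error. The script below is an added example, not part of Servyx's documentation or tooling. The CloudTrail records, the key ids (AWS's documentation example keys), and the small eventSource/eventName translation tables are constructed for the example; CloudTrail does not always log an action under the same name IAM authorizes it with, so unknown mappings deliberately show up as findings for triage rather than being silently accepted.

```python
# Actions granted by the ServyxReadOnly policy on this page (the same list as the policy document).
ALLOWED_ACTIONS = frozenset({
    "sts:GetCallerIdentity",
    "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeVolumes",
    "ec2:DescribeAddresses", "ec2:DescribeNatGateways", "ec2:DescribeSnapshots",
    "eks:ListClusters", "eks:DescribeCluster", "eks:ListNodegroups", "eks:DescribeNodegroup",
    "rds:DescribeDBInstances",
    "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups",
    "autoscaling:DescribeAutoScalingGroups",
    "s3:ListAllMyBuckets", "s3:GetBucketVersioning", "s3:GetLifecycleConfiguration",
    "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
    "ce:GetCostAndUsage", "ce:GetCostForecast", "ce:GetSavingsPlansCoverage", "ce:GetReservationCoverage",
    "cloudtrail:LookupEvents",
    "pricing:GetProducts",
})

# CloudTrail's eventSource/eventName do not always equal the IAM service prefix/action:
# CloudWatch metric calls are logged under monitoring.amazonaws.com, and the
# s3:ListAllMyBuckets permission is logged as the ListBuckets event. These two tables
# are the example's own; anything they do not cover surfaces as a finding (fail loud).
SOURCE_TO_PREFIX = {"monitoring": "cloudwatch"}
EVENT_NAME_TO_ACTION = {("s3", "ListBuckets"): "s3:ListAllMyBuckets"}

# Constructed key id for the Servyx IAM user (AWS documentation example key, not a real one).
SERVYX_KEY_ID = "AKIAIOSFODNN7EXAMPLE"

# Constructed CloudTrail records, trimmed to the fields the check uses.
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "accessKeyId": SERVYX_KEY_ID}},
    {"eventID": "evt-2", "eventSource": "monitoring.amazonaws.com", "eventName": "GetMetricStatistics",
     "userIdentity": {"type": "IAMUser", "accessKeyId": SERVYX_KEY_ID}},
    {"eventID": "evt-3", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": SERVYX_KEY_ID}},
    {"eventID": "evt-4", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "accessKeyId": SERVYX_KEY_ID}},
    # A different principal's key: not the Servyx key, so it is out of scope for this check.
    {"eventID": "evt-5", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]


def event_to_action(event):
    """Map a CloudTrail record to the IAM action string it was authorized against."""
    source = event["eventSource"].split(".")[0]
    prefix = SOURCE_TO_PREFIX.get(source, source)
    return EVENT_NAME_TO_ACTION.get((prefix, event["eventName"]), f"{prefix}:{event['eventName']}")


def review_events(events, access_key_id):
    """Return one finding per suspicious call made with the given key.

    A call outside the policy means something other than the documented read
    set was attempted (IAM should have denied it, and the errorCode confirms
    whether it did); any errorCode is also reported so failing collection shows up.
    """
    findings = []
    for ev in events:
        if ev.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        action = event_to_action(ev)
        reasons = []
        if action not in ALLOWED_ACTIONS:
            reasons.append("outside ServyxReadOnly policy")
        if ev.get("errorCode"):
            reasons.append(f"errorCode {ev['errorCode']}")
        if reasons:
            findings.append({"eventID": ev["eventID"], "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS, SERVYX_KEY_ID):
        print(finding["eventID"], finding["action"], "; ".join(finding["reasons"]))
```

On the constructed records the only finding is evt-3: an ec2:RunInstances attempt with the Servyx key, denied by IAM. That is exactly the pattern worth alerting on, because a strictly read-only key should never produce a write attempt, denied or not. In practice the records would come from cloudtrail:LookupEvents or from the CloudTrail log objects in S3 rather than an inline list.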
## Creating the Policy via CLI

If you prefer the AWS CLI over the console:

```bash
aws iam create-policy \
  --policy-name ServyxReadOnly \
  --policy-document file://servyx-readonly-policy.json \
  --description "Read-only access for Servyx infrastructure intelligence"
```

Save the JSON above to a file named servyx-readonly-policy.json before running this command.