What IAM permissions does the Archera AWS trial deployment require?
Last updated: February 11, 2026
In this article we cover the AWS IAM permissions required by Archera.ai to function for a trial, and why.
The following is a detailed breakdown of the Read-Only, Least-Privileged IAM credential required to enable the Trial of our AWS Platform Integration. This will enable Archera.ai to read the bare minimum usage and cost metadata required to enable our Trial analysis & modeling engine, with limited access to automation features.
This credential will prevent you from receiving any future platform updates, and we don't recommend using it unless you have no other options. Please contact us if you would like this installation method enabled in your account.
The standard Production credential is required to enable our full automation platform and is covered in another article.
Cost Explorer
Cost Explorer read permissions are used to allow us to extract specific cost, usage and commitment information associated with your organization's accounts, as well as to retrieve benchmark data from AWS to enable a comparison between solutions.
ce:List*
ce:Get*
ce:Describe*
Pricing
Pricing API permissions are used to retrieve AWS service pricing information to enable accurate cost modeling and forecasting.
pricing:List*
pricing:Get*
pricing:Describe*
Compute Optimizer
Compute Optimizer permissions are used to retrieve AWS optimization recommendations for your resources.
compute-optimizer:Get*
STS
The STS GetCallerIdentity permission is used to verify access for the Trial role. It only returns the identity of the principal making the call (i.e. it is limited to us reading our own role).
sts:GetCallerIdentity
Service Quotas
The service quota read permissions are used to know what service quotas are imposed on accounts by AWS and when a service quota increase will be required for different recommended actions.
servicequotas:GetServiceQuota
servicequotas:GetRequestedServiceQuotaChange
servicequotas:GetAWSDefaultServiceQuota
servicequotas:ListServices
servicequotas:ListServiceQuotas
servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota
CloudTrail
CloudTrail permissions are used to look up recent API events for audit and verification purposes.
cloudtrail:LookupEvents
CUR
The CUR permissions enable us to identify where existing and new detailed Cost and Usage Billing reports have been created, and to create new report definitions when needed. We use these reports as a ground truth for finalized billing from AWS. The platform will not be accurate without access to this data.
cur:DescribeReportDefinitions
cur:PutReportDefinition
Resource: arn:aws:cur:*:*:definition/reserved-ai-*
Tag
Tag read permissions are used to populate and enable the Tag Manager functionality and Tag based segmentation in the platform.
tag:GetResources
tag:GetTagKeys
tag:GetTagValues
Resource Groups
Resource Groups read permissions are used to automatically create segments based on existing resource groups to better analyze their cost and usage.
resource-groups:GetGroupQuery
resource-groups:SearchResources
resource-groups:GetGroup
resource-groups:GetGroupConfiguration
resource-groups:GetTags
resource-groups:ListGroupResources
resource-groups:ListGroups
EC2
The EC2 read permissions are used to help us pull real-time usage, attribution and commitment information for all EC2 resources in the account. The platform analysis and segmentation will not work without this data. These permissions never allow us to impact or access data on the underlying infrastructure; they only allow us to view metadata (e.g. uptime, tags, deployment data).
ec2:DescribeAccountAttributes
ec2:DescribeInstances
ec2:DescribeRegions
ec2:DescribeAvailabilityZones
ec2:CreateSpotDatafeedSubscription
ec2:DescribeSpotDatafeedSubscription
ec2:DescribeSpotFleetInstances
ec2:DescribeSpotFleetRequestHistory
ec2:DescribeSpotFleetRequests
ec2:DescribeSpotInstanceRequests
ec2:DescribeSpotPriceHistory
ec2:DescribeFleetHistory
ec2:DescribeFleetInstances
ec2:DescribeFleets
ec2:DescribeTags
ec2:DescribeAddresses
ec2:DescribeMovingAddresses
ec2:DescribeVolumes
ec2:DescribeVolumesModifications
ec2:DescribeVolumeStatus
ec2:DescribeElasticGpus
ec2:DescribeScheduledInstances
ec2:DescribeScheduledInstanceAvailability
ec2:DescribeReservedInstances
ec2:DescribeReservedInstancesModifications
ec2:DescribeReservedInstancesListings
ec2:GetReservedInstancesExchangeQuote
ec2:DescribeReservedInstancesOfferings
ec2:DescribeCapacityReservations
ec2:DescribeCapacityBlockOfferings
ec2:DescribeHosts
ec2:DescribeHostReservations
ec2:GetHostReservationPurchasePreview
ec2:DescribeHostReservationOfferings
RDS
The RDS read permissions are used to help us pull commitment information for all RDS resources in the account.
rds:DescribeReservedDBInstances
rds:DescribeReservedDBInstancesOfferings
Redshift
The Redshift read permissions are used to help us pull commitment information for all Redshift resources in the account.
redshift:DescribeReservedNodeOfferings
redshift:DescribeReservedNodes
redshift:DescribeReservedNodeExchangeStatus
redshift:GetReservedNodeExchangeConfigurationOptions
redshift:GetReservedNodeExchangeOfferings
DynamoDB
The DynamoDB read permissions are used to help us pull commitment information for all DynamoDB resources in the account.
dynamodb:DescribeReservedCapacity
dynamodb:DescribeReservedCapacityOfferings
ElastiCache
The ElastiCache read permissions are used to help us pull commitment information for all ElastiCache resources in the account.
elasticache:DescribeReservedCacheNodes
elasticache:DescribeReservedCacheNodesOfferings
MemoryDB
The MemoryDB read permissions are used to help us pull commitment information for all MemoryDB resources in the account.
memorydb:DescribeReservedNodes
memorydb:DescribeReservedNodesOfferings
ElasticSearch
The ElasticSearch read permissions are used to help us pull commitment information for all ElasticSearch resources in the account.
es:DescribeReservedElasticsearchInstanceOfferings
es:DescribeReservedElasticsearchInstances
Organizations
The organization read permission is used to enable segmentation and analysis based on AWS organization structure. Additionally, this permission is required to accurately reflect reservation attribution and coverage within your AWS organization. The platform will not function without this.
organizations:DescribeOrganization
organizations:ListAccounts
organizations:DescribeAccount
organizations:ListAccountsForParent
organizations:ListRoots
organizations:DescribeOrganizationalUnit
organizations:ListParents
organizations:ListOrganizationalUnitsForParent
organizations:ListChildren
Savings Plans
The savings plan read permissions are used to provide analysis for savings plan coverage, savings and attribution within your AWS accounts. The platform will not reflect accurate cost data without this permission.
savingsplans:DescribeSavingsPlansOfferingRates
savingsplans:DescribeSavingsPlansOfferings
savingsplans:DescribeSavingsPlans
savingsplans:DescribeSavingsPlanRates
S3
The S3 permissions are required to create and access buckets for Cost and Usage Report data and Spot instance data feeds.
s3:CreateBucket
s3:PutBucketPolicy
s3:GetObject
Resources:
arn:aws:s3:::reserved-ai-cur-*
arn:aws:s3:::reserved-ai-spot-*
arn:aws:s3:::reserved-ai-cur-*/*
arn:aws:s3:::reserved-ai-spot-*/*
IAM
The IAM Read and Simulate permissions, restricted explicitly to Archera.ai related roles and policies, are required to allow this role to verify the permissions it is allowed to operate under and to ensure a valid installation. The platform will not be able to access your environment or function without these permissions.
iam:GetRolePolicy
iam:ListRolePolicies
iam:ListAttachedRolePolicies
iam:GetPolicy
iam:GetPolicyVersion
iam:SimulatePrincipalPolicy
Resources:
arn:aws:iam::*:role/ReservedAI
arn:aws:iam::*:role/ReservedAI-Read
arn:aws:iam::*:role/ReservedAI-Write
arn:aws:iam::*:policy/ReservedAI
arn:aws:iam::*:policy/ReservedAI-Read
arn:aws:iam::*:policy/ReservedAI-Write
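The permissions above assembled into an IAM policy document, together with the check a reviewer would run before attaching it. This is an added example and not Archera's own installer or policy file: the read-only statement is a constructed excerpt of the actions listed above, while the resource-scoped statements (CUR, S3, IAM) use the ARNs from this article; statement Sids and the checker's verb list are assumptions.

```python
import re

# Constructed excerpt of the trial policy described on this page: the read-only
# statement is abbreviated to a few representative actions, while the
# resource-scoped statements (CUR, S3, IAM) carry exactly the ARNs the page lists.
TRIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["ce:Get*", "ce:List*", "ce:Describe*", "pricing:Get*", "sts:GetCallerIdentity",
                    "cloudtrail:LookupEvents", "ec2:DescribeInstances", "cur:DescribeReportDefinitions"]},
        {"Sid": "CurWrite", "Effect": "Allow", "Action": "cur:PutReportDefinition",
         "Resource": "arn:aws:cur:*:*:definition/reserved-ai-*"},
        {"Sid": "S3Buckets", "Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:PutBucketPolicy", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::reserved-ai-cur-*", "arn:aws:s3:::reserved-ai-spot-*",
                      "arn:aws:s3:::reserved-ai-cur-*/*", "arn:aws:s3:::reserved-ai-spot-*/*"]},
        {"Sid": "IamIntrospect", "Effect": "Allow",
         "Action": ["iam:GetRolePolicy", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
                    "iam:GetPolicy", "iam:GetPolicyVersion", "iam:SimulatePrincipalPolicy"],
         "Resource": ["arn:aws:iam::*:role/ReservedAI", "arn:aws:iam::*:role/ReservedAI-Read",
                      "arn:aws:iam::*:role/ReservedAI-Write", "arn:aws:iam::*:policy/ReservedAI",
                      "arn:aws:iam::*:policy/ReservedAI-Read", "arn:aws:iam::*:policy/ReservedAI-Write"]},
    ],
}

# Action verbs that only read metadata (assumed list). Any other verb (Create, Put, ...)
# must be bound to explicit resource ARNs, never to Resource "*".
READ_VERB = re.compile(r"^[a-z0-9-]+:(Describe|Get|List|Lookup|Search|Simulate)")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return least-privilege violations: service-wide wildcards, write actions on
    Resource "*", or IAM introspection that reaches beyond the ReservedAI ARNs."""
    findings = []
    for st in policy["Statement"]:
        sid, resources = st.get("Sid", "?"), _as_list(st["Resource"])
        for action in _as_list(st["Action"]):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard {action}")
            elif not READ_VERB.match(action) and "*" in resources:
                findings.append(f"{sid}: write action {action} allowed on Resource *")
            if action.startswith("iam:") and any("ReservedAI" not in r for r in resources):
                findings.append(f"{sid}: {action} not limited to ReservedAI ARNs")
    return findings


if __name__ == "__main__":
    print("findings:", policy_findings(TRIAL_POLICY) or "none")
```

Widening the IamIntrospect statement to Resource "*" when copying the policy is the most common drift; the checker reports every IAM action in that statement.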