What IAM permissions does the Archera AWS production deployment require?

Last updated: February 11, 2026

The following is a detailed breakdown of the additional least-privileged IAM credential required to enable the production deployment of our AWS Platform Integration. It enables all features of our full automation platform and allows the integration to receive all updates for new services.

Like our trial credential, these additional "write" permissions do not allow us to read anything beyond the bare minimum usage and cost metadata. They additionally allow you to automate all commitment management tasks (purchase, exchange, resale, renewal, etc.) without granting any ability to access or impact the underlying infrastructure in your AWS accounts.

The main technical differences between the production credential and the permissions detailed in our trial credential documentation are:

1. A wildcard (*) is added to the requested list, read and describe permissions, so that Archera remains robust to new metadata endpoints being added without requiring you to manually update the role.

2. The following block of "write" permissions allows Archera to automate the purchase and management of commitments on your behalf; these are financial discounts that do not impact infrastructure or applications. This includes the lifecycle management of EC2 Guaranteed Commitments, with marketplace listing and resale.

3. The following (optional) block of "write" permissions allows Archera to automate the AWS Organizations management of sub-accounts containing only commitments, in order to handle the lifecycle management of non-EC2 Guaranteed Commitments without impacting infrastructure or applications.


Read Permissions (with Wildcards)

The following permissions use wildcards to ensure the platform remains robust to new AWS API endpoints without requiring manual role updates.

Cost Explorer

ce:*

Pricing

pricing:*

Budgets

budgets:*

Support

support:*

Well-Architected

wellarchitected:*

Compute Optimizer

compute-optimizer:*

Trusted Advisor

trustedadvisor:*

Service Quotas

servicequotas:List*
servicequotas:Get*
servicequotas:RequestServiceQuotaIncrease

Service Catalog

servicecatalog:Describe*
servicecatalog:Get*
servicecatalog:List*

Billing Conductor

billingconductor:Get*
billingconductor:List*

License Manager

license-manager:Get*
license-manager:List*

Tag

tag:Get*

Resource Groups

resource-groups:Get*
resource-groups:SearchResources
resource-groups:List*

STS

sts:GetCallerIdentity

CloudTrail

cloudtrail:LookupEvents

RAM (Resource Access Manager)

ram:Get*
ram:List*

CloudWatch

cloudwatch:ListMetrics
cloudwatch:ListMetricStreams
cloudwatch:GetMetricStatistics
cloudwatch:GetMetricData
cloudwatch:GetMetricStream

CUR

cur:DescribeReportDefinitions

EC2

ec2:Describe*
ec2:CreateSpotDatafeedSubscription
ec2:GetReservedInstancesExchangeQuote
ec2:GetHostReservationPurchasePreview

RDS

rds:Describe*
rds:List*

CloudFront

cloudfront:Get*
cloudfront:List*

Redshift

redshift:Describe*
redshift:GetReservedNodeExchangeOfferings

DynamoDB

dynamodb:List*
dynamodb:Describe*

ElastiCache

elasticache:List*
elasticache:Describe*

MemoryDB

memorydb:List*
memorydb:Describe*

EKS

eks:List*
eks:Describe*

ElasticSearch

es:Describe*
es:List*

ECS

ecs:List*
ecs:Describe*

S3

s3:List*
s3:GetBucketLocation

Organizations

organizations:List*
organizations:Describe*

Elastic Load Balancing

elasticloadbalancing:Describe*

Auto Scaling

autoscaling:Describe*

EMR

elasticmapreduce:List*
elasticmapreduce:Describe*

SageMaker

sagemaker:List*
sagemaker:Describe*

Elastic Beanstalk

elasticbeanstalk:List*
elasticbeanstalk:Describe*

Data Pipeline

datapipeline:List*
datapipeline:Describe*

Batch

batch:List*
batch:Describe*

API Gateway

apigateway:GET

Lambda

lambda:List*

SQS

sqs:List*

MQ

mq:List*

CloudWatch Logs

logs:Describe*

ACM

acm:List*

Glue

glue:Get*

Kinesis

kinesis:List*

Route 53

route53:List*

SWF

swf:List*

KMS

kms:List*

Savings Plans

savingsplans:Describe*
savingsplans:List*
savingsplans:*
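The read block above states its intent (read and describe access, with wildcards for robustness); the script below is an added example, not Archera's tooling, that a role owner can run offline to confirm the list against that intent. It sorts each action by the verb in its name and sets aside for manual confirmation the full-service wildcards (service:*, which cover every current and future action of that service) and any action whose verb is not a conventional read verb. The verb list and the classification rules are a naming-convention heuristic assumed here, not an authoritative read/write mapping; the input is the action list copied from this page.

```python
"""Offline review of the "Read Permissions (with Wildcards)" block.

Added example; the READ_VERBS heuristic is an assumption made here.
"""
from collections import defaultdict

# Verbs AWS uses for read-only actions (naming-convention heuristic, assumed).
READ_VERBS = ("Describe", "Get", "List", "Search", "Lookup", "View", "Query")

# Input: the action names from the read block on this page, copied verbatim.
READ_BLOCK = """
ce:* pricing:* budgets:* support:* wellarchitected:* compute-optimizer:*
trustedadvisor:* servicequotas:List* servicequotas:Get*
servicequotas:RequestServiceQuotaIncrease servicecatalog:Describe*
servicecatalog:Get* servicecatalog:List* billingconductor:Get*
billingconductor:List* license-manager:Get* license-manager:List* tag:Get*
resource-groups:Get* resource-groups:SearchResources resource-groups:List*
sts:GetCallerIdentity cloudtrail:LookupEvents ram:Get* ram:List*
cloudwatch:ListMetrics cloudwatch:ListMetricStreams
cloudwatch:GetMetricStatistics cloudwatch:GetMetricData
cloudwatch:GetMetricStream cur:DescribeReportDefinitions ec2:Describe*
ec2:CreateSpotDatafeedSubscription ec2:GetReservedInstancesExchangeQuote
ec2:GetHostReservationPurchasePreview rds:Describe* rds:List*
cloudfront:Get* cloudfront:List* redshift:Describe*
redshift:GetReservedNodeExchangeOfferings dynamodb:List* dynamodb:Describe*
elasticache:List* elasticache:Describe* memorydb:List* memorydb:Describe*
eks:List* eks:Describe* es:Describe* es:List* ecs:List* ecs:Describe*
s3:List* s3:GetBucketLocation organizations:List* organizations:Describe*
elasticloadbalancing:Describe* autoscaling:Describe*
elasticmapreduce:List* elasticmapreduce:Describe* sagemaker:List*
sagemaker:Describe* elasticbeanstalk:List* elasticbeanstalk:Describe*
datapipeline:List* datapipeline:Describe* batch:List* batch:Describe*
apigateway:GET lambda:List* sqs:List* mq:List* logs:Describe* acm:List*
glue:Get* kinesis:List* route53:List* swf:List* kms:List*
savingsplans:Describe* savingsplans:List* savingsplans:*
"""


def classify(action):
    """Return 'read', 'service-wildcard' or 'review' for one IAM action."""
    _service, _, name = action.partition(":")
    if name == "*":
        return "service-wildcard"
    if name == "GET":  # API Gateway names its actions after HTTP methods
        return "read"
    if name.startswith(READ_VERBS):
        return "read"
    return "review"


def audit(block):
    """Group every action in the block by its classification."""
    buckets = defaultdict(list)
    for action in block.split():
        buckets[classify(action)].append(action)
    return dict(buckets)


def redundant_actions(block):
    """Actions already implied by a service:* wildcard in the same block."""
    actions = block.split()
    wildcarded = {a.partition(":")[0] for a in actions if a.endswith(":*")}
    return [a for a in actions
            if not a.endswith(":*") and a.partition(":")[0] in wildcarded]


if __name__ == "__main__":
    result = audit(READ_BLOCK)
    for bucket in ("service-wildcard", "review"):
        print(f"{bucket}:")
        for action in result.get(bucket, []):
            print(f"  {action}")
    print(f"read-verb actions: {len(result.get('read', []))}")
    print(f"implied by a wildcard: {redundant_actions(READ_BLOCK)}")
```

On this page's list the "review" bucket holds exactly two entries, servicequotas:RequestServiceQuotaIncrease and ec2:CreateSpotDatafeedSubscription, which a reviewer confirms are intended (both are covered in the page's own text: quota increase requests and the Spot data feed). The "service-wildcard" bucket holds eight entries, and the savingsplans:Describe* and savingsplans:List* lines are already implied by the savingsplans:* wildcard that follows them.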

Write Permissions (Commitment Management)

The following permissions allow Archera to automate the purchase and management of commitments on your behalf. These are non-infrastructure/application impacting financial discounts.

EC2 Reserved Instances

ec2:ModifyReservedInstances
ec2:PurchaseReservedInstancesOffering
ec2:AcceptReservedInstancesExchangeQuote
ec2:CreateReservedInstancesListing
ec2:CancelReservedInstancesListing

EC2 Scheduled Instances

ec2:PurchaseScheduledInstances
ec2:RunScheduledInstances

EC2 Capacity Reservations

ec2:ModifyCapacityReservation
ec2:ModifyInstanceCapacityReservationAttributes
ec2:CreateCapacityReservation
ec2:CancelCapacityReservation

EC2 Host Reservations

ec2:PurchaseHostReservation

EC2 Spot Instances

ec2:RequestSpotFleet
ec2:RequestSpotInstances
ec2:CancelSpotFleetRequests
ec2:CancelSpotInstanceRequests
ec2:ModifySpotFleetRequest

ElastiCache

elasticache:PurchaseReservedCacheNodesOffering

MemoryDB

memorydb:PurchaseReservedNodesOffering

RDS

rds:PurchaseReservedDBInstancesOffering

Redshift

redshift:PurchaseReservedNodeOffering
redshift:AcceptReservedNodeExchange

ElasticSearch

es:PurchaseReservedElasticsearchInstanceOffering

Savings Plans

savingsplans:CreateSavingsPlan
savingsplans:DeleteQueuedSavingsPlan

Organizations Write Permissions (Optional)

The following permissions allow Archera to automate the AWS Organizations management of sub-accounts containing only commitments, in order to handle the lifecycle management of non-EC2 Guaranteed Commitments without impacting infrastructure or applications.

organizations:InviteAccountToOrganization
organizations:RemoveAccountFromOrganization
organizations:CreateAccount
organizations:MoveAccount

IAM Permissions

The IAM read and simulate permissions, restricted explicitly to Archera.ai-related roles and policies, are required so that this role can verify the permissions it is allowed to operate under and confirm a valid installation.

iam:GetRolePolicy
iam:ListRolePolicies
iam:ListAttachedRolePolicies
iam:GetPolicy
iam:GetPolicyVersion
iam:SimulatePrincipalPolicy

Resources:

  • arn:aws:iam::*:role/ReservedAI

  • arn:aws:iam::*:role/ReservedAI-Read

  • arn:aws:iam::*:role/ReservedAI-Write

  • arn:aws:iam::*:policy/ReservedAI

  • arn:aws:iam::*:policy/ReservedAI-Read

  • arn:aws:iam::*:policy/ReservedAI-Write


Service Linked Role Creation

The following permissions allow Archera to create service-linked roles required for certain AWS services to function properly.

Service Quotas

iam:CreateServiceLinkedRole

Resource: arn:aws:iam::*:role/aws-service-role/*

Condition: iam:AWSServiceName equals servicequotas.amazonaws.com

ElastiCache

iam:CreateServiceLinkedRole

Resource: arn:aws:iam::*:role/aws-service-role/*

Condition: iam:AWSServiceName equals elasticache.amazonaws.com


S3 Permissions

The S3 permissions are required to create and access buckets for Cost and Usage Report data and Spot instance data feeds.

s3:CreateBucket
s3:PutBucketPolicy
s3:GetObject

Resources:

  • arn:aws:s3:::reserved-ai-cur-*

  • arn:aws:s3:::reserved-ai-spot-*

  • arn:aws:s3:::reserved-ai-cur-*/*

  • arn:aws:s3:::reserved-ai-spot-*/*


CUR Write Permission

The CUR write permission allows Archera to create Cost and Usage Report definitions.

cur:PutReportDefinition

Resource: arn:aws:cur:*:*:definition/reserved-ai-*
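The IAM, Service Linked Role Creation, S3 and CUR sections above each describe a statement in prose (actions, a Resource restriction, and for service-linked roles an iam:AWSServiceName condition). The block below is an added example, not Archera's published policy: it assembles those four sections into one IAM policy document so the scoping shape is visible as JSON, and adds a small check that flags any Allow statement whose Resource is "*" without a Condition or whose iam:CreateServiceLinkedRole lacks the iam:AWSServiceName condition. The actions, ARNs and condition values are copied from this page; the Sid names, the helper functions, check_scoping() and the deliberately unscoped comparison statement are assumptions made here.

```python
"""Resource-scoped statements for the IAM, service-linked-role, S3 and CUR
permissions on this page, assembled into one policy document.

Added example; Sid names, helpers and check_scoping() are assumptions.
"""
import json

POLICY_VERSION = "2012-10-17"

# Role and policy ARNs the IAM read/simulate actions are restricted to (from the page).
IAM_RESOURCES = [
    "arn:aws:iam::*:role/ReservedAI",
    "arn:aws:iam::*:role/ReservedAI-Read",
    "arn:aws:iam::*:role/ReservedAI-Write",
    "arn:aws:iam::*:policy/ReservedAI",
    "arn:aws:iam::*:policy/ReservedAI-Read",
    "arn:aws:iam::*:policy/ReservedAI-Write",
]

# Bucket and object ARNs for CUR data and Spot data feeds (from the page).
S3_RESOURCES = [
    "arn:aws:s3:::reserved-ai-cur-*",
    "arn:aws:s3:::reserved-ai-spot-*",
    "arn:aws:s3:::reserved-ai-cur-*/*",
    "arn:aws:s3:::reserved-ai-spot-*/*",
]


def service_linked_role_statement(service_name):
    """Allow creating only the service-linked role of one named AWS service."""
    sid = "ServiceLinkedRole" + service_name.split(".")[0].replace("-", "").title()
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": "arn:aws:iam::*:role/aws-service-role/*",
        "Condition": {"StringEquals": {"iam:AWSServiceName": service_name}},
    }


def build_policy():
    """The four scoped sections of the page as one policy document."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {
                "Sid": "VerifyOwnPermissions",
                "Effect": "Allow",
                "Action": [
                    "iam:GetRolePolicy", "iam:ListRolePolicies",
                    "iam:ListAttachedRolePolicies", "iam:GetPolicy",
                    "iam:GetPolicyVersion", "iam:SimulatePrincipalPolicy",
                ],
                "Resource": IAM_RESOURCES,
            },
            service_linked_role_statement("servicequotas.amazonaws.com"),
            service_linked_role_statement("elasticache.amazonaws.com"),
            {
                "Sid": "CurAndSpotFeedBuckets",
                "Effect": "Allow",
                "Action": ["s3:CreateBucket", "s3:PutBucketPolicy", "s3:GetObject"],
                "Resource": S3_RESOURCES,
            },
            {
                "Sid": "CurReportDefinitions",
                "Effect": "Allow",
                "Action": "cur:PutReportDefinition",
                "Resource": "arn:aws:cur:*:*:definition/reserved-ai-*",
            },
        ],
    }


# Deliberately weak comparison (constructed here): without the
# iam:AWSServiceName condition, a service-linked role for any service could be
# created. check_scoping() reports it.
UNSCOPED_SLR_STATEMENT = {
    "Sid": "AnyServiceLinkedRole",
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/*",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_scoping(policy):
    """Findings for Allow statements that lack the scoping described on the page."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", "*"))
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"{sid}: Resource is * with no Condition")
        if "iam:CreateServiceLinkedRole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if "iam:AWSServiceName" not in cond:
                findings.append(f"{sid}: CreateServiceLinkedRole without iam:AWSServiceName condition")
    return findings


def render(policy):
    """Policy document as JSON, ready to paste into the IAM console or CLI."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_policy()
    print(render(policy))
    print("findings:", check_scoping(policy) or "none")
    weak = {"Version": POLICY_VERSION, "Statement": [UNSCOPED_SLR_STATEMENT]}
    print("findings for unscoped variant:", check_scoping(weak))
```

The two service-linked-role statements differ only in the condition value, which is why they are generated from one helper; the Resource pattern arn:aws:iam::*:role/aws-service-role/* on its own would match every service-linked role, and it is the StringEquals condition on iam:AWSServiceName that narrows creation to the servicequotas and elasticache roles named on the page.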