What IAM permissions does the Archera AWS production deployment require?
Last updated: February 11, 2026
The following is a detailed breakdown of the additional Least-Privileged IAM credential required to enable the Production deployment of our AWS Platform Integration. This will enable all the features of our full automation platform and will be able to receive all updates for new services.
Like our trial credential, these additional "write" permissions do not allow us to read anything beyond the bare minimum usage and cost metadata. They additionally allow you to automate all commitment management tasks (purchase, exchange, resell, renewal, etc.) without having any ability to access or impact any underlying infrastructure in your AWS accounts.
The main technical differences between the production credential and the permissions detailed on our documentation on the trial credential are:
1. The wildcard (*) added to the requested list, read & describe permissions to ensure Archera is robust to new metadata endpoints being added without requiring you to manually update the role.
2. The following block of "write" permissions allowing Archera to automate the purchase as well as management of commitments, which are non-infrastructure/application impacting financial discounts, on your behalf. This includes the lifecycle management of EC2 Guaranteed Commitments, with marketplace listing & resale.
3. The following (optional) block of "write" permissions allowing Archera to automate the AWS Organizations management of sub-accounts containing only commitments, to handle the lifecycle management of non-EC2 Guaranteed Commitments in a non-infrastructure/application-impacting manner.
Read Permissions (with Wildcards)
The following permissions use wildcards to ensure the platform remains robust to new AWS API endpoints without requiring manual role updates.
Cost Explorer
ce:*
Pricing
pricing:*
Budgets
budgets:*
Support
support:*
Well-Architected
wellarchitected:*
Compute Optimizer
compute-optimizer:*
Trusted Advisor
trustedadvisor:*
Service Quotas
servicequotas:List*
servicequotas:Get*
servicequotas:RequestServiceQuotaIncrease
Service Catalog
servicecatalog:Describe*
servicecatalog:Get*
servicecatalog:List*
Billing Conductor
billingconductor:Get*
billingconductor:List*
License Manager
license-manager:Get*
license-manager:List*
Tag
tag:Get*
Resource Groups
resource-groups:Get*
resource-groups:SearchResources
resource-groups:List*
STS
sts:GetCallerIdentity
CloudTrail
cloudtrail:LookupEvents
RAM (Resource Access Manager)
ram:Get*
ram:List*
CloudWatch
cloudwatch:ListMetrics
cloudwatch:ListMetricStreams
cloudwatch:GetMetricStatistics
cloudwatch:GetMetricData
cloudwatch:GetMetricStream
CUR
cur:DescribeReportDefinitions
EC2
ec2:Describe*
ec2:CreateSpotDatafeedSubscription
ec2:GetReservedInstancesExchangeQuote
ec2:GetHostReservationPurchasePreview
RDS
rds:Describe*
rds:List*
CloudFront
cloudfront:Get*
cloudfront:List*
Redshift
redshift:Describe*
redshift:GetReservedNodeExchangeOfferings
DynamoDB
dynamodb:List*
dynamodb:Describe*
ElastiCache
elasticache:List*
elasticache:Describe*
MemoryDB
memorydb:List*
memorydb:Describe*
EKS
eks:List*
eks:Describe*
ElasticSearch
es:Describe*
es:List*
ECS
ecs:List*
ecs:Describe*
S3
s3:List*
s3:GetBucketLocation
Organizations
organizations:List*
organizations:Describe*
Elastic Load Balancing
elasticloadbalancing:Describe*
Auto Scaling
autoscaling:Describe*
EMR
elasticmapreduce:List*
elasticmapreduce:Describe*
SageMaker
sagemaker:List*
sagemaker:Describe*
Elastic Beanstalk
elasticbeanstalk:List*
elasticbeanstalk:Describe*
Data Pipeline
datapipeline:List*
datapipeline:Describe*
Batch
batch:List*
batch:Describe*
API Gateway
apigateway:GET
Lambda
lambda:List*
SQS
sqs:List*
MQ
mq:List*
CloudWatch Logs
logs:Describe*
ACM
acm:List*
Glue
glue:Get*
Kinesis
kinesis:List*
Route 53
route53:List*
SWF
swf:List*
KMS
kms:List*
Savings Plans
savingsplans:Describe*
savingsplans:List*
savingsplans:*
Write Permissions (Commitment Management)
The following permissions allow Archera to automate the purchase and management of commitments on your behalf. These are non-infrastructure/application impacting financial discounts.
EC2 Reserved Instances
ec2:ModifyReservedInstances
ec2:PurchaseReservedInstancesOffering
ec2:AcceptReservedInstancesExchangeQuote
ec2:CreateReservedInstancesListing
ec2:CancelReservedInstancesListing
EC2 Scheduled Instances
ec2:PurchaseScheduledInstances
ec2:RunScheduledInstances
EC2 Capacity Reservations
ec2:ModifyCapacityReservation
ec2:ModifyInstanceCapacityReservationAttributes
ec2:CreateCapacityReservation
ec2:CancelCapacityReservation
EC2 Host Reservations
ec2:PurchaseHostReservation
EC2 Spot Instances
ec2:RequestSpotFleet
ec2:RequestSpotInstances
ec2:CancelSpotFleetRequests
ec2:CancelSpotInstanceRequests
ec2:ModifySpotFleetRequest
ElastiCache
elasticache:PurchaseReservedCacheNodesOffering
MemoryDB
memorydb:PurchaseReservedNodesOffering
RDS
rds:PurchaseReservedDBInstancesOffering
Redshift
redshift:PurchaseReservedNodeOffering
redshift:AcceptReservedNodeExchange
ElasticSearch
es:PurchaseReservedElasticsearchInstanceOffering
Savings Plans
savingsplans:CreateSavingsPlan
savingsplans:DeleteQueuedSavingsPlan
Organizations Write Permissions (Optional)
The following permissions allow Archera to automate the AWS Organizations management of sub-accounts containing only commitments, to handle the lifecycle management of non-EC2 Guaranteed Commitments in a non-infrastructure/application-impacting manner.
organizations:InviteAccountToOrganization
organizations:RemoveAccountFromOrganization
organizations:CreateAccount
organizations:MoveAccount
IAM Permissions
The IAM read and simulate permissions, restricted explicitly to Archera.ai-related roles, are required so that this role can verify the permissions it is allowed to operate under and ensure a valid installation.
iam:GetRolePolicy
iam:ListRolePolicies
iam:ListAttachedRolePolicies
iam:GetPolicy
iam:GetPolicyVersion
iam:SimulatePrincipalPolicy
Resources:
arn:aws:iam::*:role/ReservedAI
arn:aws:iam::*:role/ReservedAI-Read
arn:aws:iam::*:role/ReservedAI-Write
arn:aws:iam::*:policy/ReservedAI
arn:aws:iam::*:policy/ReservedAI-Read
arn:aws:iam::*:policy/ReservedAI-Write
Service Linked Role Creation
The following permissions allow Archera to create service-linked roles required for certain AWS services to function properly.
Service Quotas
iam:CreateServiceLinkedRole
Resource: arn:aws:iam::*:role/aws-service-role/*
Condition: iam:AWSServiceName equals servicequotas.amazonaws.com
ElastiCache
iam:CreateServiceLinkedRole
Resource: arn:aws:iam::*:role/aws-service-role/*
Condition: iam:AWSServiceName equals elasticache.amazonaws.com
S3 Permissions
The S3 permissions are required to create and access buckets for Cost and Usage Report data and Spot instance data feeds.
s3:CreateBucket
s3:PutBucketPolicy
s3:GetObject
Resources:
arn:aws:s3:::reserved-ai-cur-*
arn:aws:s3:::reserved-ai-spot-*
arn:aws:s3:::reserved-ai-cur-*/*
arn:aws:s3:::reserved-ai-spot-*/*
CUR Write Permission
The CUR write permission allows Archera to create Cost and Usage Report definitions.
cur:PutReportDefinition
Resource: arn:aws:cur:*:*:definition/reserved-ai-*
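The wildcard read list, the commitment write block and the resource-scoped IAM and S3 statements above can be spot-checked offline before the role is deployed. The following is an added example, not Archera's own code: it encodes a representative subset of the documented statements as an IAM-style policy document and evaluates (action, resource) pairs against it with IAM wildcard semantics, showing that metadata reads and commitment purchases are covered while instance lifecycle actions and non-ReservedAI ARNs are not. The account id and object keys are constructed; Deny and Condition elements are not modelled, since the documented role is Allow-only and its Conditions only narrow it further.

```python
import re

# Constructed subset of the statements documented on this page (the full read list is longer).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ce:*", "rds:Describe*", "savingsplans:Describe*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:PurchaseReservedInstancesOffering", "ec2:ModifyReservedInstances"]},
        {"Effect": "Allow", "Action": ["iam:GetRolePolicy", "iam:SimulatePrincipalPolicy"],
         "Resource": ["arn:aws:iam::*:role/ReservedAI", "arn:aws:iam::*:role/ReservedAI-Read",
                      "arn:aws:iam::*:role/ReservedAI-Write"]},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::reserved-ai-cur-*/*", "arn:aws:s3:::reserved-ai-spot-*/*"]},
    ],
}

def iam_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(policy: dict, action: str, resource: str = "*") -> bool:
    """True if some Allow statement covers both the action (case-insensitive, as IAM
    treats action names) and the resource ARN (case-sensitive). Deny is not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (any(iam_match(a, action, True) for a in actions)
                and any(iam_match(r, resource, False) for r in resources)):
            return True
    return False

def audit(policy: dict = POLICY) -> dict:
    """Spot-check the page's claims: metadata reads and commitment purchases are
    allowed, instance lifecycle is not, and IAM/S3 access stays on the ReservedAI ARNs."""
    acct = "123456789012"  # constructed example account id
    return {
        "describe_instances": is_allowed(policy, "ec2:DescribeInstances"),
        "purchase_ri": is_allowed(policy, "ec2:PurchaseReservedInstancesOffering"),
        "terminate_instances": is_allowed(policy, "ec2:TerminateInstances"),
        "read_own_role": is_allowed(policy, "iam:GetRolePolicy", f"arn:aws:iam::{acct}:role/ReservedAI-Read"),
        "read_other_role": is_allowed(policy, "iam:GetRolePolicy", f"arn:aws:iam::{acct}:role/AdminRole"),
        "read_cur_object": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::reserved-ai-cur-acme/2026/report.csv"),
        "read_other_bucket": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::customer-data/secret.csv"),
    }
```

Replacing POLICY with the full role document exported from your account lets the same audit run against what was actually deployed rather than the published list.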