# Cross Account Role

Dotted accesses your AWS account via a cross-account role. In line with AWS IAM policy best practices, Dotted requests only the [least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege). This means we limit the actions we can take and the resources to which those actions can be applied.

We further enhance security by using read-only permissions, granted through [the read-only role](#user-content-fn-1)[^1].

#### Read-only role <a href="#h_115da0c078" id="h_115da0c078"></a>

This role is used during the initial [onboarding step (Step 1)](https://help.usedotted.com/como-comecar/etapas/step-1-junte-se-a-dotted). It requires read-only permissions [(see the full list here)](#user-content-fn-1)[^1] to access up to one year of historical billing data (via Cost Explorer) and your AWS infrastructure metadata (such as the Redshift cluster you are using and whether it is already covered by reserved instances). After ingesting this data, Dotted's billing engine calculates optimal savings. Once a user is fully onboarded, the read-only role is used again to display cost and savings on the Dotted dashboard, helping users monitor their current spending and the savings achieved by Dotted.

```
[
  {
    "PolicyName": "DottedBillingReadOnly",
    "PolicyDocument": {
      "Statement": [
        {
          "Action": [
            "budgets:Describe*",
            "budgets:View*",
            "ce:Get*",
            "ce:Describe*",
            "ce:List*",
            "cur:Describe*",
            "cur:Get*",
            "cur:Validate*",
            "pricing:DescribeServices",
            "pricing:GetAttributeValues",
            "pricing:GetProducts",
            "organizations:Describe*",
            "organizations:List*",
            "savingsplans:Describe*",
            "rds:Describe*",
            "rds:List*",
            "elasticache:List*",
            "elasticache:Describe*",
            "redshift:Describe*",
            "es:Describe*",
            "es:List*",
            "billing:Get*",
            "payments:List*",
            "payments:Get*",
            "tax:List*",
            "tax:Get*",
            "consolidatedbilling:Get*",
            "consolidatedbilling:List*",
            "account:GetContactInformation",
            "invoicing:List*",
            "invoicing:Get*",
            "freetier:Get*",
            "ec2:Describe*",
            "lambda:List*",
            "lambda:Get*",
            "ecs:Describe*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  }
]
```
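
The read-only claim can be checked mechanically before you create the role. The script below is an added example, not Dotted's code: it audits a policy document for non-read verbs and flags wildcard reads that return more than metadata. The prefix list, the `SENSITIVE_READS` watchlist and the sample documents are assumptions of this example.

```python
import fnmatch

# Verb prefixes treated as read-only here (an assumption of this example;
# they are the only verbs that appear in the policy on this page).
READ_PREFIXES = ("describe", "get", "list", "view", "validate")

# Reads that return more than metadata, chosen for this example's watchlist.
SENSITIVE_READS = {
    "lambda:GetFunction": "returns a download link for the function code",
    "ec2:DescribeInstanceAttribute": "can return instance user data",
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_statement(stmt):
    """Return (level, message) findings for one IAM policy statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements cannot grant anything
    if "NotAction" in stmt:
        findings.append(("fail", "NotAction allows everything not listed"))
    for action in as_list(stmt.get("Action", [])):
        name = action.partition(":")[2].lower()
        if not name.startswith(READ_PREFIXES):
            findings.append(("fail", f"{action} is not a read-only verb"))
        for api, why in SENSITIVE_READS.items():
            # IAM action names are case-insensitive and '*' is a wildcard.
            if fnmatch.fnmatchcase(api.lower(), action.lower()):
                findings.append(("review", f"{action} covers {api}: {why}"))
    if "*" in as_list(stmt.get("Resource", [])):
        findings.append(("info", "Resource is '*': scope rests on the actions"))
    return findings

def audit_policy(document):
    return [f for s in as_list(document["Statement"]) for f in audit_statement(s)]

# Excerpt of the page's statement, plus a constructed one that is not read-only.
PAGE_EXCERPT = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "ce:Get*", "cur:Validate*", "budgets:View*", "rds:Describe*",
    "lambda:Get*", "ec2:Describe*", "account:GetContactInformation"]}]}
CONSTRUCTED_BAD = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                  "Action": ["ec2:*", "iam:PassRole"]}]}

if __name__ == "__main__":
    for level, message in audit_policy(PAGE_EXCERPT):
        print(level, message)
```

To audit the full policy, pass the `PolicyDocument` object from the JSON above to `audit_policy`.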

For more information, please contact our support team at <support@usedotted.com>.

[^1]: Include JSON

