Cross Account Role

Dotted accesses your AWS account via a cross-account role. In line with AWS IAM policy best practices, Dotted requests only the least-privilege permissions. This means we limit the actions we can take and the resources to which those actions can be applied.

We further enhance security by using read-only permissions, granted through the read-only role.

Read-only role

This role is used during the initial onboarding step (Step 1). It requires read-only permissions (see the IAM roles breakdown here) to access up to one year of historical billing data (via Cost Explorer) and your AWS infrastructure metadata (such as the Redshift cluster you are using and whether it is already covered by reserved instances). After ingesting this data, Dotted's billing engine calculates optimal savings. Once a user is fully onboarded, the read-only role is used again to display cost and savings on the Dotted dashboard, helping users monitor their current spending and the savings achieved by Dotted.

[
  {
    "PolicyName": "DottedBillingReadOnly",
    "PolicyDocument": {
      "Statement": [
        {
          "Action": [
            "budgets:Describe*",
            "budgets:View*",
            "ce:Get*",
            "ce:Describe*",
            "ce:List*",
            "cur:Describe*",
            "cur:Get*",
            "cur:Validate*",
            "pricing:DescribeServices",
            "pricing:GetAttributeValues",
            "pricing:GetProducts",
            "organizations:Describe*",
            "organizations:List*",
            "savingsplans:Describe*",
            "rds:Describe*",
            "rds:List*",
            "elasticache:List*",
            "elasticache:Describe*",
            "redshift:Describe*",
            "es:Describe*",
            "es:List*",
            "billing:Get*",
            "payments:List*",
            "payments:Get*",
            "tax:List*",
            "tax:Get*",
            "consolidatedbilling:Get*",
            "consolidatedbilling:List*",
            "account:GetContactInformation",
            "invoicing:List*",
            "invoicing:Get*",
            "freetier:Get*",
            "ec2:Describe*",
            "lambda:List*",
            "lambda:Get*",
            "ecs:Describe*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  }
]
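
Before attaching a policy like the one above, you can check that it really is read-only. The following is an added example, not Dotted's own code: the function name `audit_read_only` and the sample input are assumptions made for illustration, and the check relies on the IAM naming convention that the verbs used in this policy (Describe, Get, List, View, Validate) do not modify resources.

```python
import json

# Verbs used by the page's policy; non-mutating by IAM naming convention.
# Lowercase because IAM matches action names case-insensitively.
READ_ONLY_VERBS = ("describe", "get", "list", "view", "validate")

def audit_read_only(policies):
    """Return (policy_name, action, reason) findings for a list of inline
    policies shaped like the one on this page."""
    findings = []
    for policy in policies:
        name = policy.get("PolicyName", "<unnamed>")
        statements = policy["PolicyDocument"]["Statement"]
        if isinstance(statements, dict):      # a single statement object is valid
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") != "Allow":
                continue                      # Deny statements grant nothing
            if "NotAction" in stmt:
                findings.append((name, "NotAction",
                                 "allows everything except the listed actions"))
            actions = stmt.get("Action", [])
            if isinstance(actions, str):      # "Action" may be a string or a list
                actions = [actions]
            for action in actions:
                _service, _, verb = action.partition(":")
                if action == "*" or verb == "*":
                    findings.append((name, action, "wildcard covers write actions"))
                elif not verb.lower().startswith(READ_ONLY_VERBS):
                    findings.append((name, action, "verb is not read-only"))
    return findings

# Constructed sample: a few actions from the page's policy plus two write
# grants inserted to show what the audit reports.
SAMPLE = json.loads("""
[{"PolicyName": "DottedBillingReadOnly",
  "PolicyDocument": {"Statement": [{
    "Action": ["ce:Get*", "cur:Validate*", "budgets:View*",
               "pricing:DescribeServices", "ec2:Describe*",
               "ec2:TerminateInstances", "rds:*"],
    "Resource": "*", "Effect": "Allow"}]}}]
""")

if __name__ == "__main__":
    for name, action, reason in audit_read_only(SAMPLE):
        print(f"{name}: {action}: {reason}")
```

A clean result means the role cannot change resources; it says nothing about how sensitive the data returned by each Get, List or Describe call is, so review that separately.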

For more information, please contact our support team at support@usedotted.com.
