IAM Role Breakdown
Atualizado
Isto foi útil?
Atualizado
Isto foi útil?
Each of the AWS IAM (Identity and Access Management) roles listed provides specific access permissions to various AWS services and resources.
Here's a breakdown of what each role grants access to, along with relevant AWS documentation references:
Budgets Permissions:
budgets:Describe*
budgets:View*
With permissions like budgets:Describe* and budgets:View*, users can only read (describe and view) budget information. They can retrieve details about existing budgets and view budget reports but cannot modify or create new budgets.
Reference:
Cost Explorer Permissions:
ce:Get*
ce:Describe*
ce:List*
Permissions such as ce:Get*, ce:Describe*, and ce:List* allow users to retrieve (get), describe, and list cost and usage data using the AWS Cost Explorer API. Users can analyze spending patterns, generate cost reports, and explore usage metrics.
Reference:
Cost and Usage Report Permissions:
cur:Describe*
cur:Get*
cur:Validate*
Permissions like cur:Describe*, cur:Get*, and cur:Validate* enable users to read (describe, get, validate) the AWS Cost and Usage Report. They can access detailed usage and cost data for analysis and reporting purposes.
Reference:
Pricing Permissions:
pricing:DescribeServices
pricing:GetAttributeValues
pricing:GetProducts
Permissions such as pricing:DescribeServices, pricing:GetAttributeValues, and pricing:GetProducts allow users to retrieve information about AWS services, attributes, and pricing. Users can query pricing data but cannot modify or set pricing.
Reference:
Organizations Permissions:
organizations:Describe*
organizations:List*
Permissions like organizations:Describe* and organizations:List* enable users to read (describe, list) information about AWS Organizations, such as organizational units, accounts, and policies. They can view the organizational structure but cannot modify it.
Reference:
Savings Plans Permissions:
savingsplans:Describe*
Permissions such as savingsplans:Describe* allow users to read (describe) information about AWS Savings Plans, such as plan details and utilization. They can view savings plan data but cannot modify savings plans.
Reference:
Database Services Permissions:
rds:Describe*
rds:List*
elasticache:List*
elasticache:Describe*
redshift:Describe*
es:Describe*
es:List*
Permissions like rds:Describe*, elasticache:List*, redshift:Describe*, and es:Describe* allow users to read (describe, list) information about specific database services such as Amazon RDS, ElastiCache, Redshift, and Amazon Elasticsearch Service. They can retrieve details about instances, clusters, and related resources.
Reference: , , ,
Billing and Payments Permissions:
billing:Get*
payments:List*
payments:Get*
tax:List*
tax:Get*
consolidatedbilling:Get*
consolidatedbilling:List*
account:GetContactInformation
invoicing:List*
invoicing:Get*
freetier:Get*
Permissions such as billing:Get*, payments:List*, tax:List*, consolidatedbilling:Get*, account:GetContactInformation, and invoicing:List* enable users to read (get, list) billing, payment, tax, and invoicing information. They can view billing details, payment methods, tax documents, and invoicing data.
Reference:
Compute Services Permissions:
ec2:Describe*
lambda:Describe*
ecs:Describe*
Permissions like ec2:Describe*, lambda:Describe*, and ecs:Describe* allow users to read (describe) information about Amazon EC2 instances, AWS Lambda functions, and Amazon ECS containers. They can retrieve details about compute resources but cannot modify them.
Reference: , ,
Note: None of these permissions grant write or create access. Dotted is only allowed to read and retrieve information, meaning we cannot modify existing resources or create new resources within the AWS environment.
Please ensure to review the specific permissions and adjust them based on the principle of least privilege to ensure security and compliance within your AWS environment.