IAM Best Practices for CloudWise
This guide covers AWS Identity and Access Management (IAM) best practices when setting up CloudWise to access your AWS account securely.
Overview
CloudWise requires read-only access to your AWS Cost Explorer and billing data to provide cost analysis and optimization recommendations. Following IAM best practices ensures secure access while maintaining the principle of least privilege.
Core Principles
1. Principle of Least Privilege
CloudWise only requests the minimum permissions necessary to function:
- Read-only access to cost and billing data
- No write permissions to any AWS resources
- No access to compute instances, databases, or sensitive data
2. Use IAM Roles Instead of Users
We recommend a cross-account IAM role with temporary credentials rather than an IAM user with long-term access keys:
- A role issues short-lived credentials through STS, so there is no long-lived secret to store, leak, or rotate by hand
- The role's trust policy pins which account may assume it, and the external ID ties that grant to your CloudWise tenant
- Every assumption is recorded in CloudTrail, which makes access easy to audit, and deleting the role revokes it instantly
Required Permissions
CloudWise needs the actions below. They are not an AWS managed policy; create them as a customer managed policy (named CloudWise-ReadOnly-Policy in Step 2) and attach it to the role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetDimensionValues",
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansUtilization",
        "cur:GetUsageReport",
        "ce:ListCostCategoryDefinitions",
        "ce:GetCostCategories",
        "cur:DescribeReportDefinitions",
        "aws-portal:ViewBilling",
        "aws-portal:ViewUsage",
        "budgets:ViewBudget",
        "support:DescribeCases"
      ],
      "Resource": "*"
    }
  ]
}
```
Notes on this policy:
- "Resource": "*" is unavoidable here: the Cost Explorer (ce:) and Cost and Usage Report (cur:) actions do not support resource-level permissions, so the blast radius is bounded by the action list, not by ARNs. Every action is a Get/Describe/List/View call; none creates or modifies resources.
- aws-portal:ViewBilling and aws-portal:ViewUsage are the legacy Billing console actions. AWS has replaced them with fine-grained billing actions, and AWS accounts created on or after March 6, 2023 do not honor them; if that applies to your account, map them to their fine-grained equivalents per the AWS migration guidance, otherwise they grant nothing.
- support:DescribeCases reads the contents of your support cases, which can include sensitive operational details, and the Support API is available only on the Business, Enterprise On-Ramp and Enterprise Support plans. On other plans the call fails; if you do not want CloudWise reading case content, leave it out and accept that CloudWise features depending on it will not work.
Step-by-Step Setup
Step 1: Create IAM Role
1. Navigate to the IAM console
   - Go to the AWS IAM Console
   - Click "Roles" in the left sidebar
   - Click "Create role"
2. Select the trusted entity
   - Choose "AWS account"
   - Select "Another AWS account"
   - Enter the CloudWise account ID provided during setup (this guide uses 123456789012 as a placeholder)
3. Configure the external ID
   - Check "Require external ID"
   - Enter the external ID CloudWise issued for your account; it is unique to your tenant, and you should not invent your own
   The external ID protects against the confused deputy problem: another CloudWise customer who learns your role ARN cannot make CloudWise assume it, because CloudWise presents your tenant's external ID only when working on your account.
Step 2: Attach Permissions Policy
1. Create a custom policy
   - Click "Create policy"
   - Use the JSON policy above
   - Name it "CloudWise-ReadOnly-Policy"
2. Attach it to the role
   - Attach the custom policy to your CloudWise role
   - Add further policies only if a specific CloudWise feature requires them (e.g., reading cost allocation tags), and keep them read-only
Step 3: Configure Role Trust Policy
Ensure your role trust policy allows CloudWise, and only CloudWise, to assume the role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "your-unique-external-id"
        }
      }
    }
  ]
}
```
Two points about this policy:
- The :root principal means any principal in the CloudWise account that CloudWise's own IAM allows can assume your role. If CloudWise publishes a specific role ARN for its collector, use that ARN instead of :root; either way, the external ID condition is what stops another CloudWise tenant from pointing the service at your role ARN.
- The external ID is not a secret in the password sense, but it must be unique to your tenant and generated by CloudWise. Never accept a value you chose yourself or one another customer could guess, and keep the Action limited to sts:AssumeRole.
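To check a role built with Steps 1 to 3, here is an added example (written for this guide, not CloudWise's own tooling) that constructs both policy documents from an account ID and external ID and lints them for the properties this guide relies on: a principal limited to the CloudWise account, an sts:ExternalId condition matching the issued ID, an Action of sts:AssumeRole only, and a permissions list made only of read verbs. The account ID, external ID and action list are the placeholders from this page; the read-only verb allowlist and the weak policy used for contrast are the example's own assumptions.

```python
"""Build and lint the two IAM policies the CloudWise role needs.

Added example for this guide, not CloudWise's own tooling. It assumes the
trust policy shape and the permissions policy shown above; the account ID
and external ID are the guide's placeholders, not real values.
"""
import re

CLOUDWISE_ACCOUNT_ID = "123456789012"      # placeholder; CloudWise gives you the real one
EXTERNAL_ID = "your-unique-external-id"    # placeholder; use the ID CloudWise issues for you

# The actions listed in the permissions policy above.
CLOUDWISE_ACTIONS = [
    "ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetReservationCoverage",
    "ce:GetReservationPurchaseRecommendation", "ce:GetReservationUtilization",
    "ce:GetSavingsPlansUtilization", "ce:ListCostCategoryDefinitions",
    "ce:GetCostCategories", "cur:GetUsageReport", "cur:DescribeReportDefinitions",
    "aws-portal:ViewBilling", "aws-portal:ViewUsage", "budgets:ViewBudget",
    "support:DescribeCases",
]

# Assumption of this example: IAM verbs that only read state. Anything else is a write.
READ_ONLY_VERBS = ("Get", "Describe", "List", "View")


def build_trust_policy(account_id, external_id):
    """Only the named account may assume the role, and only with this external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permissions_policy(actions=tuple(CLOUDWISE_ACTIONS)):
    """Read-only permissions policy; ce:/cur: actions do not support resource ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy, account_id, external_id):
    """Return findings; an empty list means the policy matches this guide."""
    findings = []
    allowed = re.compile(rf"(arn:aws:iam::{account_id}:(root|role/.+)|{account_id})")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            if set(principal) - {"AWS"}:
                findings.append("trust policy names a non-account principal type")
            principals = _as_list(principal.get("AWS", []))
        else:
            principals = _as_list(principal)          # bare "*" or a single ARN string
        for p in principals:
            if p == "*":
                findings.append("Principal '*': any AWS account could assume the role")
            elif not allowed.fullmatch(p):
                findings.append(f"unexpected principal {p}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected trust action {action}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif ext != external_id:
            findings.append("sts:ExternalId does not match the ID CloudWise issued")
    return findings


def lint_permissions_policy(policy):
    """Flag any Allow action whose verb is not read-only (wildcards included)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]          # "ce:*" -> "*", "*" -> ""
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{action} is not read-only")
    return findings


# Constructed weak trust policy for contrast: wildcard principal, no external ID.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    good = build_trust_policy(CLOUDWISE_ACCOUNT_ID, EXTERNAL_ID)
    print("good trust policy:", lint_trust_policy(good, CLOUDWISE_ACCOUNT_ID, EXTERNAL_ID))
    print("weak trust policy:", lint_trust_policy(WEAK_TRUST_POLICY, CLOUDWISE_ACCOUNT_ID, EXTERNAL_ID))
    print("permissions policy:", lint_permissions_policy(build_permissions_policy()))
```

Feed the linter the documents you actually deployed (for instance the AssumeRolePolicyDocument returned by aws iam get-role) rather than the ones you intended to deploy; a trust policy that drifts from the guide's shape is exactly the thing a review should catch.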
Security Best Practices
1. Regular Access Reviews
- Monthly reviews: Check which roles and users can read billing data, and that the CloudWise role's trust policy still names only the CloudWise account
- Quarterly audits: Review CloudTrail logs for AssumeRole events on the role and any unusual access patterns
- Annual assessments: Validate that each granted permission is still necessary and minimal
2. Enable CloudTrail Logging
Monitor CloudWise access to your AWS account. When CloudWise assumes the role, the AssumeRole event is recorded in your account's CloudTrail. Because the caller lives in another account, userIdentity shows only the calling account (type AWSAccount); your role appears in requestParameters.roleArn and the session CloudWise receives appears in responseElements. The Cost Explorer calls that follow are logged with userIdentity.type "AssumedRole" and the session ARN shown below:
```json
{
  "eventTime": "2024-01-15T10:30:00Z",
  "eventSource": "sts.amazonaws.com",
  "eventName": "AssumeRole",
  "userIdentity": {
    "type": "AWSAccount",
    "principalId": "AROA...:CloudWise",
    "accountId": "123456789012"
  },
  "requestParameters": {
    "roleArn": "arn:aws:iam::your-account:role/CloudWise-Role",
    "roleSessionName": "CloudWise"
  },
  "responseElements": {
    "assumedRoleUser": {
      "arn": "arn:aws:sts::your-account:assumed-role/CloudWise-Role/CloudWise"
    }
  }
}
```
3. Set Up Monitoring Alerts
Create CloudWatch alarms (from CloudTrail-to-CloudWatch Logs metric filters) or EventBridge rules for:
- AssumeRole calls on the CloudWise role from any account other than the CloudWise account
- AccessDenied errors on sts:AssumeRole for the role (a wrong account and a wrong external ID both fail this way)
- Call volume well above CloudWise's normal polling rate
4. Use Resource Tags
Tag your IAM resources for better organization:
```json
{
  "Tags": [
    {
      "Key": "Purpose",
      "Value": "CloudWise-CostOptimization"
    },
    {
      "Key": "Environment",
      "Value": "Production"
    },
    {
      "Key": "Owner",
      "Value": "FinOps-Team"
    }
  ]
}
```
Multi-Account Setup
For organizations with multiple AWS accounts:
1. Cross-Account Role Setup
Set up CloudWise access in each account:
- Create an identically named role with the same permissions policy in each account
- Use the external ID CloudWise issued for your tenant in every account (CloudWise may issue one per account; use whatever it gives you, never a value you chose)
- Maintain consistent naming conventions so the roles are easy to find in audits
2. AWS Organizations Integration
If using AWS Organizations:
- Set up CloudWise in the management account (formerly called the master account); with consolidated billing, Cost Explorer there covers every member account
- Use that consolidated billing data for organization-wide insights
- Use SCPs (Service Control Policies) to bound what roles in member accounts can do; note that SCPs do not apply to the management account, so they cannot constrain a role created there
3. Account Isolation
Maintain security boundaries:
- Each account gets its own CloudWise role; never share one role or one set of credentials across accounts
- Use per-account external IDs where CloudWise issues them
- Monitor the AssumeRole events for every CloudWise role, not only the one in the management account
Troubleshooting Common Issues
Permission Denied Errors
AccessDenied: User is not authorized to perform: ce:GetCostAndUsage
Solution: Ensure the permissions policy attached to the role includes all the Cost Explorer actions listed above, and that no SCP or permissions boundary denies them.
Role Assumption Failures
AccessDenied: User: arn:aws:sts::123456789012:assumed-role/... is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::your-account:role/CloudWise-Role
Solution: Check that the trust policy names the CloudWise account as principal and that the external ID in the condition matches the one CloudWise issued. STS returns the same AccessDenied whether the principal or the external ID is wrong, so check both.
Missing Cost Data
If CloudWise can't retrieve cost data:
- Verify the billing permissions in the IAM policy (and that none of them has been retired for your account)
- Check that Cost Explorer is enabled in your AWS account; after it is first enabled, AWS takes up to 24 hours to prepare the data
- In an AWS Organization, if CloudWise is set up in a member account, make sure the management account has enabled Cost Explorer access for member accounts
Security Monitoring
Set Up Alerts
Monitor these CloudTrail events:
- AssumeRole events for the CloudWise role (eventSource sts.amazonaws.com)
- Failed AssumeRole attempts (errorCode AccessDenied)
- Changes to the CloudWise IAM role or policy (UpdateAssumeRolePolicy, AttachRolePolicy, PutRolePolicy, CreatePolicyVersion, DeleteRole)
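The alerts listed here and under "Set Up Monitoring Alerts" above reduce to a few rules over CloudTrail records. The following is an added example, not part of CloudWise, that runs those rules over constructed sample events: the account IDs, ARNs and the hourly threshold are placeholders, and a successful AssumeRole from an untrusted account is flagged on the assumption that an intact trust policy should have made it impossible.

```python
"""Detection rules over CloudTrail events that touch the CloudWise role.

Added example, not part of CloudWise. The events below are constructed to
show the shapes the rules match; account IDs and ARNs are placeholders.
"""
from collections import Counter

YOUR_ACCOUNT_ID = "111111111111"         # constructed placeholder for your account
CLOUDWISE_ACCOUNT_ID = "123456789012"    # the guide's placeholder CloudWise account
ROLE_NAME = "CloudWise-Role"
POLICY_NAME = "CloudWise-ReadOnly-Policy"
ROLE_ARN = f"arn:aws:iam::{YOUR_ACCOUNT_ID}:role/{ROLE_NAME}"

# IAM calls that change who may assume the role or what it may do.
ROLE_MUTATIONS = {
    "UpdateAssumeRolePolicy", "AttachRolePolicy", "DetachRolePolicy",
    "PutRolePolicy", "DeleteRolePolicy", "DeleteRole", "CreatePolicyVersion",
}


def detect(events, hourly_limit=100):
    """Return (kind, subject, detail) alerts for the CloudWise role."""
    alerts = []
    per_hour = Counter()
    for e in events:
        source, name = e.get("eventSource"), e.get("eventName")
        params = e.get("requestParameters") or {}
        identity = e.get("userIdentity") or {}
        if source == "sts.amazonaws.com" and name == "AssumeRole":
            if params.get("roleArn") != ROLE_ARN:
                continue                      # some other role; out of scope here
            caller = identity.get("accountId")
            if e.get("errorCode"):
                # Wrong account and wrong external ID both surface as AccessDenied.
                alerts.append(("failed_assume", caller, e["errorCode"]))
            elif caller != CLOUDWISE_ACCOUNT_ID:
                # Impossible with the trust policy intact, so treat a success
                # from anyone else as evidence the trust policy was tampered with.
                alerts.append(("unexpected_caller", caller, params.get("roleSessionName")))
            else:
                per_hour[e.get("eventTime", "")[:13]] += 1   # bucket by hour
        elif source == "iam.amazonaws.com" and name in ROLE_MUTATIONS:
            if params.get("roleName") == ROLE_NAME or POLICY_NAME in params.get("policyArn", ""):
                alerts.append(("role_changed", name, identity.get("arn")))
    for hour, n in per_hour.items():
        if n > hourly_limit:                  # placeholder threshold; tune to CloudWise's polling rate
            alerts.append(("high_frequency", hour, n))
    return alerts


# Constructed sample events; field shapes follow CloudTrail, values are placeholders.
SAMPLE_EVENTS = [
    {   # expected: CloudWise assuming the role
        "eventTime": "2024-01-15T10:30:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "AWSAccount", "accountId": CLOUDWISE_ACCOUNT_ID},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "CloudWise"},
    },
    {   # another account tried and was denied (wrong principal or wrong external ID)
        "eventTime": "2024-01-15T11:02:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "errorCode": "AccessDenied",
        "userIdentity": {"type": "AWSAccount", "accountId": "999999999999"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "probe"},
    },
    {   # a success from an account you never trusted
        "eventTime": "2024-01-15T11:03:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "AWSAccount", "accountId": "999999999999"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "probe"},
    },
    {   # the trust policy being edited
        "eventTime": "2024-01-15T11:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "UpdateAssumeRolePolicy",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{YOUR_ACCOUNT_ID}:user/alice"},
        "requestParameters": {"roleName": ROLE_NAME},
    },
    {   # noise: an unrelated role
        "eventTime": "2024-01-15T11:05:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "AWSService"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{YOUR_ACCOUNT_ID}:role/OtherRole"},
    },
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The same conditions translate directly into CloudWatch Logs metric filters or EventBridge event patterns; the Python form is here so the rules can be tested against recorded events before they are wired to a paging alert.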
Regular Security Assessments
- Access patterns: Review when and how often CloudWise assumes the role, and from which account
- Permission usage: Use the role's IAM last accessed information (Access Advisor) and IAM Access Analyzer unused-access findings to see which granted actions are actually used, and remove the rest
- Compliance checks: Ensure the setup meets your organization's security policies
Additional Resources
- AWS IAM Best Practices
- AWS Cost Explorer API Reference
- CloudWise AWS Setup Guide
- Security Troubleshooting Guide
Need Help?
If you encounter issues with IAM setup:
- Email: support@cloudcostwise.io
- Documentation: docs.cloudcostwise.io
- AWS Support: For AWS-specific IAM questions