AWS IAM Permissions by Recommendation

This article details the AWS IAM permissions required for each recommendation, grouped by service, together with the purpose each permission serves. Every action listed is a read-only Describe, Get or List call; no recommendation needs permission to modify or delete resources. Rows marked (completion) re-query the resource to check whether it still exists, which is how a recommendation is confirmed as acted on.

EC2

| Recommendation | AWS Permission | Purpose |
|---|---|---|
| EC2 Idle | ce:GetRightsizingRecommendation | Fetch AWS-generated TERMINATE recommendations |
| EC2 Idle | ec2:DescribeInstances | List all instances to verify state |
| EC2 Idle | cloudwatch:GetMetricStatistics | CPUUtilization, NetworkIn, NetworkOut per instance (AWS/EC2) |
| EC2 Right Sizing | ce:GetRightsizingRecommendation | Fetch AWS-generated MODIFY recommendations |
| EC2 Right Sizing | ec2:DescribeInstances | List all instances + launch/attach times |
| EC2 Right Sizing | cloudwatch:GetMetricStatistics | CPUUtilization (max + avg), NetworkIn, NetworkOut, mem_used_percent (AWS/EC2 + CWAgent namespace) |
| EC2 Right Sizing | ec2:DescribeInstanceTypes | Windows only: get memory size in MiB to convert MB-remaining to % |
| EC2 Stopped Instances | ec2:DescribeInstances | List all instances + filter stopped |
| EC2 Stopped Instances | ec2:DescribeVolumes | List attached EBS volumes to cost them |
| EC2 Stopped Instances | ec2:DescribeInstances | Verify instance still exists / state (completion) |

IP / Network

| Recommendation | AWS Permission | Purpose |
|---|---|---|
| IP Unattached | ec2:DescribeAddresses | Get EIP allocation details per region |
| IP Unattached | ec2:DescribeNatGateways | Check if IP is attached to a NAT gateway |
| NAT Gateway Idle | ec2:DescribeNatGateways | List all NAT gateways |
| NAT Gateway Idle | cloudwatch:GetMetricStatistics | ActiveConnectionCount (AWS/NATGateway) |
| NAT Gateway Idle | ec2:DescribeNatGateways | Verify NAT gateway still exists (completion) |
| VPC Endpoint Idle | ec2:DescribeVpcEndpoints | Get service name / VPC ID / creation time |

EBS / Snapshots

| Recommendation | AWS Permission | Purpose |
|---|---|---|
| EBS Unattached | ec2:DescribeVolumes | List all EBS volumes + attachment state |
| EBS Unattached | ec2:DescribeVolumes | Verify volume still exists (completion) |
| EBS Type Change | ec2:DescribeVolumes | List volumes to find gp2/io1 candidates |
| EBS Type Change | cloudwatch:GetMetricStatistics | VolumeReadOps, VolumeWriteOps, ReadBytes, WriteBytes (AWS/EBS) |
| EBS Outdated Snapshot | ec2:DescribeSnapshots | List own snapshots + creation time |
| EBS Outdated Snapshot | ec2:DescribeImages | Exclude snapshots backing AMIs |
| EBS Outdated Snapshot | ec2:DescribeSnapshots | Verify snapshot still exists (completion) |
| AMI Orphaned Snapshot | ec2:DescribeSnapshots | List snapshots tagged as created by an AMI |
| AMI Orphaned Snapshot | ec2:DescribeImages | Find deregistered AMIs whose snapshots are orphaned |
| AMI Orphaned Snapshot | ec2:DescribeVolumes | Exclude snapshots backing existing volumes |
| AMI Orphaned Snapshot | ec2:DescribeSnapshots | Verify snapshot still exists (completion) |
| AWS Backup Outdated Snapshot | ec2:DescribeSnapshots | List snapshots created by AWS Backup |
| AWS Backup Outdated Snapshot | ec2:DescribeSnapshots | Verify snapshot still exists (completion) |

Load Balancer

| Recommendation | AWS Permission | Purpose |
|---|---|---|
| Load Balancer Idle | elasticloadbalancing:DescribeLoadBalancers | List all ALBs/NLBs |
| Load Balancer Idle | elasticloadbalancing:DescribeTargetGroups | List target groups |
| Load Balancer Idle | elasticloadbalancing:DescribeTargetHealth | Check if target groups have registered targets |
| Load Balancer Idle | cloudwatch:GetMetricStatistics | ConsumedLCUs (AWS/ApplicationELB) to confirm zero traffic |
| Load Balancer Idle | elasticloadbalancing:DescribeLoadBalancers | Verify LB still exists (completion) |

RDS

| Recommendation | AWS Permission | Purpose |
|---|---|---|
| RDS Idle | rds:DescribeDBInstances | List all RDS instances |
| RDS Idle | cloudwatch:GetMetricStatistics | DatabaseConnections (AWS/RDS) |
| RDS Idle | rds:DescribeDBInstances | Verify instance still exists (completion) |
| RDS Generation Upgrade | rds:DescribeDBInstances | List io1 instances |
| RDS Generation Upgrade | cloudwatch:GetMetricStatistics | ReadIOPS, WriteIOPS (AWS/RDS) |
| RDS Right Sizing | rds:DescribeDBInstances | List instances for rightsizing |
| RDS Right Sizing | cloudwatch:GetMetricStatistics | CPUUtilization, FreeableMemory, etc. (AWS/RDS) |
| RDS Right Sizing | rds:DescribeDBClusters | Determine cluster writer/reader role |
| RDS Provisioned IOPS | rds:DescribeDBInstances | List instances |
| RDS Provisioned IOPS | cloudwatch:GetMetricStatistics | ReadIOPS, WriteIOPS (AWS/RDS) |
| RDS Aurora I/O Optimized | rds:DescribeDBClusters | List Aurora clusters for I/O-Optimized analysis |
| RDS Storage Type Change | rds:DescribeDBInstances | List instances |
| RDS Storage Type Change | cloudwatch:GetMetricStatistics | ReadIOPS, WriteIOPS (AWS/RDS) |
| RDS Generation Upgrade | rds:DescribeDBInstances | List instances for engine version check |
| RDS Reserved Instance | rds:DescribeDBInstances | List running instances for RI recommendations |
| RDS Extended Support | rds:DescribeDBInstances | List instances vs EOL calendar |

DynamoDB / ElastiCache / Redshift / OpenSearch / DocDB / Kinesis / Neptune

| Recommendation | AWS Permission | CloudWatch Metric |
|---|---|---|
| DynamoDB Idle | dynamodb:ListTables | ConsumedWriteCapacityUnits, ConsumedReadCapacityUnits (AWS/DynamoDB) |
| DynamoDB Idle | dynamodb:DescribeTable | Verify table still exists (completion) |
| ElastiCache Idle | elasticache:DescribeCacheClusters | CurrConnections (AWS/ElastiCache) |
| Redshift Idle | redshift:DescribeClusters | DatabaseConnections (AWS/Redshift) |
| Redshift Reserved Instance | redshift:DescribeClusters | (no CloudWatch; DB only) |
| Elasticsearch Idle | es:ListDomainNames | IndexingRate, SearchRate (AWS/ES) |
| Elasticsearch Idle | es:DescribeElasticsearchDomains | |
| OpenSearch Reserved Instance | opensearch:ListDomainNames | |
| OpenSearch Reserved Instance | opensearch:DescribeDomains | |
| OpenSearch Extended Support | opensearch:ListDomainNames | |
| OpenSearch Extended Support | opensearch:DescribeDomains | |
| OpenSearch Extended Support | opensearch:GetCompatibleVersions | |
| DocumentDB Idle | rds:DescribeDBClusters (docdb) | DatabaseConnections (AWS/DocDB) |
| DocumentDB Extended Support | rds:DescribeDBClusters (docdb) | (no CloudWatch) |
| Kinesis Idle | kinesis:ListStreams | PutRecord.Bytes, PutRecords.Bytes (AWS/Kinesis) |
| Kinesis Idle | kinesis:DescribeStream | |
| Neptune DB Idle | rds:DescribeDBClusters (neptune) | GremlinRequestsPerSec, SparqlRequestsPerSec (AWS/Neptune) |
| ElastiCache Reserved Instance | elasticache:DescribeCacheClusters | (no CloudWatch) |
| ElastiCache Extended Support | elasticache:DescribeCacheClusters | (no CloudWatch) |

S3

| Recommendation | AWS Permission | Purpose |
|---|---|---|
| S3 Inactive | s3:ListBuckets | Get bucket creation dates |
| S3 Storage Class | s3:ListBuckets | Get bucket creation dates |
| S3 Storage Class | s3:GetBucketVersioning | Check if versioning is enabled |
| S3 Storage Class | s3:GetBucketLifecycleConfiguration | Check existing lifecycle rules |
| S3 Storage Class | cloudwatch:GetMetricStatistics | NumberOfObjects (AWS/S3) |
| S3 Storage Class | cloudwatch:GetMetricStatistics | NonCurrentVersionStorageBytes, NonCurrentVersionObjectCount (AWS/S3/Storage-Lens) |
| S3 Storage Class | cloudwatch:ListMetrics | Discover Storage Lens dimensions for the bucket |
| S3 Versioning | (same as S3 Storage Class) | (no CloudWatch) |
| S3 Multipart Upload | s3:ListBuckets | Get bucket creation dates |
| S3 Multipart Upload | s3:ListMultipartUploads | Enumerate incomplete multipart uploads |
| S3 Multipart Upload | s3:ListParts | Size each part to calculate wasted storage cost |

Note: the IAM action that authorizes the ListBuckets API call is named s3:ListAllMyBuckets; grant that action in the policy where the table says s3:ListBuckets.

ECS / EKS / K8S

| Recommendation | AWS Permission | Purpose |
|---|---|---|
| ECS Fargate Right-sizing | compute-optimizer:GetECSServiceRecommendations | Get AWS Compute Optimizer Fargate rightsizing data |
| EKS Extended Support | eks:ListClusters | Get cluster version to compare against the EKS EOL calendar |
| EKS Extended Support | eks:DescribeCluster | |
| K8s Workload Rightsizing | (inherits AWS base, K8s source) | K8s metrics-server / Prometheus, not AWS APIs |

CloudTrail / CloudWatch / KMS / Secrets Manager / Bedrock

| Recommendation | AWS Permission | Purpose |
|---|---|---|
| Duplicate CloudTrail | cloudtrail:DescribeTrails | List all trails per region to detect duplicates |
| Disabled KMS | kms:ListKeys | Find disabled customer-managed keys |
| Disabled KMS | kms:DescribeKey | |
| Old KMS | kms:ListKeys | Find keys not rotated within threshold |
| Old KMS | kms:DescribeKey | |
| Old KMS | kms:ListKeyRotations | |
| Old KMS | kms:DescribeKey | Verify key still exists (completion) |
| Unused Secrets | secretsmanager:ListSecrets | Find secrets not accessed within threshold |
| Unused Secrets | secretsmanager:DescribeSecret | Verify secret still exists (completion) |
| Bedrock Provisioned Throughput Commitment | bedrock:ListProvisionedModelThroughputs | Find provisioned throughput allocations |