The Cloud Analyzer policy is shown below.

Use this policy only if you know the Role ARN associated with Cloud Analyzer.

    "Version": "2012-10-17",
    "Statement": [
            "Action": [
            "Resource": [
            "Effect": "Allow",
            "Sid": "FullPolicy"
            "Action": [
            "Resource": "arn:aws:s3:::sc-customer-*",
            "Effect": "Allow",
            "Sid": "S3SyncPermissions"
            "Action": [
            "Resource": [
                "arn:aws:s3:::<Customer Bucket>/*"
            "Effect": "Allow",
            "Sid": "S3BillingDBR"

Policy Overview

The policy grants the following permissions for operating the Cloud Analyzer system.

  • Access to retrieve billing reports using APIs and S3 for the Detailed Billing Report, the Cost Explorer, and the Cost & Usage Report.
  • Read-only permissions (on the master payer only) for the Amazon services that offer reserved capacity, such as EC2, RDS, Redshift, ElastiCache, Elasticsearch, and DynamoDB.
  • Access to Support & Trusted Advisor for monitoring and changes to the reserved instance service limit.

Explanation of Permissions in Policy

S3 Billing Bucket

The following are permissions for the CloudFormation script to read the S3 billing bucket names.

Reserved Capacity Reservations

The following are read-only permissions for the reserved capacity reservations.

Cost & Usage Report

The following provides access to the Cost and Usage Report (CUR).


Cost Explorer Data

The following provides access to Cost Explorer data.


Service Limit

The following provides access to Service Limit information.


S3 Bucket Billing Data

Support permissions allow Cloud Analyzer to create tickets if it hits any reserved instance related service limits.


Account Organization

The following permissions are used to review account organization information if necessary.

Copy Permissions

The following permissions are required to write information from your AWS Cost & Usage Report to the Cloud Analyzer account. These are used to synchronize the Cost & Usage Report and are required for the system to work. Do not remove these lines from the policy.

             "Sid": "S3SyncPermissions",
             "Effect": "Allow",
             "Action": [
             "Resource": "arn:aws:s3:::sc-customer-*"
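Before attaching the policy to the role, it is worth confirming that the only non-read grants are the ones this page describes: the sync writes scoped to `arn:aws:s3:::sc-customer-*` and the Support access used for tickets. The following check is an added example, not code from the vendor or from this page. The action names, the bucket name `example-billing-bucket`, and the `EXPECTED_WRITES` table are assumptions made for illustration.

```python
import json

# Constructed sample. Sids and Resource values follow the page; the action
# names are illustrative stand-ins, not the vendor's actual action lists.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "FullPolicy", "Effect": "Allow", "Resource": ["*"],
   "Action": ["ec2:DescribeReservedInstances", "ce:GetCostAndUsage",
              "cur:DescribeReportDefinitions", "support:CreateCase"]},
  {"Sid": "S3SyncPermissions", "Effect": "Allow",
   "Resource": "arn:aws:s3:::sc-customer-*", "Action": ["s3:PutObject"]},
  {"Sid": "S3BillingDBR", "Effect": "Allow",
   "Resource": ["arn:aws:s3:::example-billing-bucket/*"],
   "Action": ["s3:GetObject"]}
]}
""")

# Action-name prefixes treated as read-only (matched case-sensitively, so an
# oddly cased action is reported rather than silently accepted).
READ_VERBS = ("Get", "List", "Describe", "View")
# Non-read access the page describes: sync writes to the vendor bucket prefix
# and support tickets. Mapping is service -> the only Resource accepted.
EXPECTED_WRITES = {"s3": "arn:aws:s3:::sc-customer-*", "support": "*"}


def as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalize."""
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return (sid, action, resource) for every unexpected non-read grant."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if name.startswith(READ_VERBS):
                continue  # read-only call, any scope is acceptable here
            for resource in as_list(stmt.get("Resource", [])):
                if EXPECTED_WRITES.get(service) != resource:
                    findings.append((stmt.get("Sid"), action, resource))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print("unexpected grant:", finding)
```

Statements that use `NotAction` or `NotResource` are not evaluated by this check and need manual review.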