The Eco policy is shown below.

The policy below is relevant only for customers who have not yet signed a contract for Eco. If you have signed a contract and need the Eco policy, please contact Spot Support.

    "Version": "2012-10-17",
    "Statement": [
            "Action": [
            "Resource": [
            "Effect": "Allow",
            "Sid": "FullPolicy"
            "Action": [
            "Resource": "arn:aws:s3:::sc-customer-*",
            "Effect": "Allow",
            "Sid": "S3SyncPermissions"
            "Action": [
            "Resource": [
                "arn:aws:s3:::<Customer Bucket>/*"
            "Effect": "Allow",
            "Sid": "S3BillingDBR"

Policy Overview

The policy grants the following permissions for operating the Eco system.

  • Access to retrieve billing reports using APIs and S3 for the Detailed Billing Report, the Cost Explorer, and the Cost & Usage Report.
  • Read-only permissions (on the master payer only) for the Amazon services that offer reserved capacity, such as EC2, RDS, Redshift, ElastiCache, Elasticsearch, and DynamoDB.
  • Access to Support & Trusted Advisor for monitoring and changes to the reserved instance service limit.

Explanation of Permissions in Policy

S3 Billing Bucket

The following are permissions for the CloudFormation script to read the S3 billing bucket names.

Reserved Capacity Reservations

The following are read-only permissions for the reserved capacity reservations.

Cost & Usage Report

The following provides access to the Cost and Usage Report (CUR).


Cost Explorer Data

The following provides access to Cost Explorer data.


Service Limit

The following provides access to Service Limit information.


S3 Bucket Billing Data

Support permissions allow Eco to create tickets if it hits any reserved instance related service limits.


Account Organization

The following permissions are used to review account organization information if necessary.

Copy Permissions

The following permissions are required to write information from your AWS Cost & Usage report to the Eco account. These are used to synchronize the Cost & Usage report and are required for the system to work. Do not remove these lines from the policy.

             "Sid": "S3SyncPermissions",
             "Effect": "Allow",
             "Action": [
             "Resource": "arn:aws:s3:::sc-customer-*"

IAM Role

This role and the corresponding permissions are issued to the Eco production and DR accounts.

"CloudAnalyzerRole": {
     "Type": "AWS::IAM::Role",
     "Properties": {
       "AssumeRolePolicyDocument": {
         "Version": "2012-10-17",
         "Statement": [
             "Effect": "Allow",
             "Principal": {
               "AWS": ["arn:aws:iam::393649089167:root",
             "Action": "sts:AssumeRole"
       "ManagedPolicyArns": [
           "Ref": "CloudAnalyzerManagedPolicy"
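
One way to check a deployed copy of this policy and role trust for drift, as an added example (not Spot's own code): it flags trust principals outside the account ID shown above and S3 write actions not scoped to `sc-customer-*`. The sample documents, their action names and the second account ID are constructed for illustration, and the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Account ID visible in the page's trust policy. The page's principal list is
# cut off, so any further Eco account has to be added here by the reader.
TRUSTED_ACCOUNTS = {"393649089167"}
SYNC_SCOPE = "arn:aws:s3:::sc-customer-*"  # Resource of S3SyncPermissions on the page
S3_WRITE = re.compile(r"s3:(\*|Put|Delete)", re.IGNORECASE)

def as_list(value):  # IAM accepts a string or a list for these fields
    return value if isinstance(value, list) else [value]

def audit_trust(trust_doc):
    """Flag Allow principals that are not an IAM ARN in a trusted account."""
    findings = []
    for stmt in as_list(trust_doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for arn in arns:
            m = re.fullmatch(r"arn:aws:iam::(\d{12}):.+", arn)
            if not m or m.group(1) not in TRUSTED_ACCOUNTS:
                findings.append(f"untrusted principal: {arn}")
    return findings

def audit_permissions(policy_doc):
    """Flag wildcard actions and S3 writes that escape the sync bucket scope."""
    findings = []
    for stmt in as_list(policy_doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions, resources = as_list(stmt.get("Action", [])), as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"{sid}: wildcard action")
        if any(S3_WRITE.match(a) for a in actions) and not all(
                fnmatchcase(r, SYNC_SCOPE) for r in resources):
            findings.append(f"{sid}: S3 write outside {SYNC_SCOPE}")
    return findings

# Constructed samples: the action names and the second account are assumptions.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3SyncPermissions", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:ListBucket"], "Resource": SYNC_SCOPE},
    {"Sid": "Drifted", "Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": [
        "arn:aws:iam::393649089167:root", "arn:aws:iam::111122223333:root"]}}]}
```

Both functions return an empty list when the documents match the scope described on this page; any finding is a prompt to compare the deployed policy against the current Eco template.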