AWS Integration Stack · IAM Role Policy Reference

Minimizit AWS Permissions Policy

Minimizit uses AWS CloudFormation to deploy a cross-account IAM role in your AWS account. This document describes every permission granted — organized by access mode — so you can review exactly what Minimizit can and cannot do.

Read-Only Mode: always applied.
Admin Mode: optional; requires explicit opt-in.

Read-Only Access

Always Applied
These permissions are granted in both Read-Only and Admin modes. They are strictly observational — Minimizit uses them to discover resources, analyse costs, and surface savings recommendations. No production infrastructure is mutated.
Zero production-infrastructure mutation. The AWS managed policy ReadOnlyAccess provides the baseline, and the inline policies below add only scoped write access to the Minimizit data buckets and to Resource Explorer indexes and views (see the Resource Discovery and Minimizit Data Bucket Access tables). Minimizit cannot create, modify, or delete any other resource in your account.

AWS Managed Policies
Attached directly via ManagedPolicyArns

ReadOnlyAccess (AWS managed)
Full read access to all AWS services and resources. No write, create, or delete actions are permitted. Note that this read access covers data as well as configuration: for example, its s3:Get* grant lets the role read the contents of objects in any bucket, not only bucket metadata.
arn:aws:iam::aws:policy/ReadOnlyAccess

AWSSupportAccess (AWS managed)
Allows submitting and managing AWS Support cases on your behalf.
arn:aws:iam::aws:policy/AWSSupportAccess

Cost Explorer Access (inline policy)
Policy: MinimizitCostExplorerAccess · Resource: *
Action Purpose Effect
ce:GetCostAndUsage Retrieve historical cost and usage data by service, region, or tag Allow
ce:GetCostForecast Generate month-end and future spend forecasts Allow
ce:GetDimensionValues Enumerate available cost dimensions (services, accounts, regions) Allow
ce:GetTags Retrieve cost allocation tag keys and values Allow

Resource Discovery (inline policy)
Policy: MinimizitResourceDiscovery · Resource: *
Action Purpose Effect
tag:GetResources Discover all tagged resources across services Allow
tag:GetTagKeys Enumerate tag key names in use Allow
tag:GetTagValues Enumerate values for a given tag key Allow
resource-groups:ListGroups List resource groups in the account Allow
resource-groups:GetGroup Describe a specific resource group Allow
resource-explorer-2:CreateIndex Create a Resource Explorer index for search Allow
resource-explorer-2:UpdateIndexType Promote a local index to an aggregator index Allow
resource-explorer-2:DeleteIndex Remove a Resource Explorer index Allow
resource-explorer-2:GetIndex Describe an existing index Allow
resource-explorer-2:ListIndexes List all Resource Explorer indexes Allow
resource-explorer-2:Search Search for resources across the account Allow
resource-explorer-2:BatchGetView Retrieve details of multiple views at once Allow
resource-explorer-2:ListViews List all Resource Explorer views Allow
resource-explorer-2:TagResource Add tags to Resource Explorer objects Allow
resource-explorer-2:UntagResource Remove tags from Resource Explorer objects Allow

Minimizit Data Bucket Access (inline policy)
Policy: MinimizitS3Access · Scoped to the Minimizit-managed bucket only
Resource scope: arn:aws:s3:::minimizit-{AccountId}-{Suffix} and arn:aws:s3:::minimizit-{AccountId}-{Suffix}/*
Action Purpose Effect
s3:PutObject Write resource snapshots to Minimizit's own bucket Allow
s3:GetObject Read previously stored snapshot data Allow
s3:DeleteObject Remove stale snapshot objects from the bucket Allow
s3:ListBucket List objects in the Minimizit data bucket Allow
s3:GetBucketLocation Determine the bucket's AWS region Allow

Cost & Usage Report (CUR) Access (inline policy)
Policy: MinimizitCURAccess · Scoped to the CUR bucket and the CUR service
Resource scope: the s3 actions are scoped to arn:aws:s3:::minimizit-cur-{AccountId}-{Suffix}; the cur actions are scoped to Resource *
Action Purpose Effect
s3:GetObject Read CUR report files from the CUR bucket Allow
s3:GetObjectVersion Access versioned CUR report objects Allow
s3:ListBucket List report files in the CUR bucket Allow
s3:GetBucketLocation Determine the CUR bucket's AWS region Allow
cur:DescribeReportDefinitions List CUR report definitions configured in the account Allow
cur:GetClassicReport Retrieve classic (legacy) CUR reports Allow
cur:GetClassicReportPreferences Read preferences set for classic CUR delivery Allow
cur:ValidateReportDestination Verify the CUR delivery destination bucket is accessible Allow

Admin Access

Opt-In · Admin Mode Only
These permissions are granted only when you select Admin mode during account connection (PermissionLevel = admin). They enable Minimizit to execute one-click cleanup actions — stopping idle instances, releasing unused addresses, deleting orphaned volumes — directly from the dashboard.
Write permissions are included in Admin mode. Actions such as ec2:TerminateInstances and rds:DeleteDBInstance are irreversible, and every Admin-mode policy below uses Resource: *, so each action is permitted on any matching resource in the account. Only enable Admin mode if you trust Minimizit to act on your behalf. You can reconnect an account in Read-Only mode at any time.

EC2 Instance Management (inline policy)
Policy: MinimizitEC2Management · Resource: *
Action Purpose Effect
ec2:StartInstances Start a stopped EC2 instance Allow
ec2:StopInstances Stop a running EC2 instance to eliminate compute costs Allow
ec2:TerminateInstances Permanently terminate an idle EC2 instance Allow
ec2:RebootInstances Reboot an EC2 instance Allow
ec2:DescribeInstanceStatus Check the current status of EC2 instances Allow
ec2:ReleaseAddress Release an unattached Elastic IP address to stop charges Allow
ec2:DisassociateAddress Disassociate an Elastic IP from an instance or network interface Allow
ec2:DeleteVolume Delete an unattached EBS volume Allow
ec2:DeleteSnapshot Delete obsolete EBS snapshots Allow
ec2:DeregisterImage Deregister an unused AMI to free associated snapshot storage Allow
ec2:DeleteNatGateway Delete an idle NAT Gateway to eliminate hourly charges Allow
ec2:DeleteSecurityGroup Remove unused security groups Allow

RDS Instance Management (inline policy)
Policy: MinimizitRDSManagement · Resource: *
Action Purpose Effect
rds:StartDBInstance Start a stopped RDS database instance Allow
rds:StopDBInstance Stop an idle RDS instance to reduce compute costs Allow
rds:RebootDBInstance Reboot a database instance Allow
rds:DeleteDBInstance Delete a decommissioned RDS instance Allow

Redshift Cluster Management (inline policy)
Policy: MinimizitRedshiftManagement · Resource: *
Action Purpose Effect
redshift:PauseCluster Pause an idle Redshift cluster to suspend compute billing Allow
redshift:ResumeCluster Resume a paused Redshift cluster Allow
redshift:DeleteCluster Delete a decommissioned Redshift cluster Allow

SageMaker Notebook Management (inline policy)
Policy: MinimizitSageMakerManagement · Resource: *
Action Purpose Effect
sagemaker:StopNotebookInstance Stop an idle SageMaker notebook to eliminate instance costs Allow
sagemaker:StartNotebookInstance Start a previously stopped notebook instance Allow
sagemaker:DeleteNotebookInstance Permanently delete an unused notebook instance Allow

App Runner Service Management (inline policy)
Policy: MinimizitAppRunnerManagement · Resource: *
Action Purpose Effect
apprunner:PauseService Pause an App Runner service to stop compute charges Allow
apprunner:ResumeService Resume a paused App Runner service Allow
apprunner:DeleteService Delete a decommissioned App Runner service Allow

Lightsail Instance Management (inline policy)
Policy: MinimizitLightsailManagement · Resource: *
Action Purpose Effect
lightsail:StartInstance Start a stopped Lightsail instance Allow
lightsail:StopInstance Stop an idle Lightsail instance Allow
lightsail:DeleteInstance Permanently delete a Lightsail instance Allow

WorkSpaces Management (inline policy)
Policy: MinimizitWorkSpacesManagement · Resource: *
Action Purpose Effect
workspaces:StopWorkspaces Stop idle WorkSpaces to reduce hourly costs Allow
workspaces:StartWorkspaces Start a previously stopped WorkSpace Allow
workspaces:TerminateWorkspaces Permanently terminate an unused WorkSpace Allow
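
As an added review check (example code written for this page, not Minimizit's own tooling), the script below audits inline policy documents from the deployed role against the tables above: it flags S3 actions not scoped to a minimizit-{AccountId}-{Suffix} bucket, wildcard actions, and, in Read-Only mode, any mutating action beyond the ones this reference grants. The two policy documents are constructed samples; the read-verb heuristic and the alphanumeric bucket suffix are assumptions.

```python
import re
# Verb prefixes of non-mutating API actions (assumption: heuristic, adequate for the services above).
READ_VERBS = ("Get", "List", "Describe", "Search", "BatchGet", "Validate")
# Write actions the reference grants even in Read-Only mode; any other mutation is a deviation.
READ_ONLY_WRITE_ALLOWLIST = {
    "s3:PutObject", "s3:DeleteObject",
    "resource-explorer-2:CreateIndex", "resource-explorer-2:UpdateIndexType",
    "resource-explorer-2:DeleteIndex", "resource-explorer-2:TagResource",
    "resource-explorer-2:UntagResource",
}
# Minimizit data and CUR buckets only (assumption: suffix is alphanumeric; the page does not define it).
BUCKET_ARN = re.compile(r"^arn:aws:s3:::minimizit-(?:cur-)?\d{12}-[A-Za-z0-9]+(?:/\*)?$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_write(action):
    """True unless the API verb after the service prefix is a read verb."""
    return not action.split(":", 1)[1].startswith(READ_VERBS)

def audit_policy(doc, mode="read-only"):
    """Return a list of findings for one policy document; [] means it matches the reference."""
    findings = []
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            if "*" in action:
                findings.append(f"{action}: wildcard action; the reference lists actions one by one")
                continue
            if action.startswith("s3:") and not all(BUCKET_ARN.match(r) for r in resources):
                findings.append(f"{action}: S3 action not scoped to a Minimizit bucket: {resources}")
            if mode == "read-only" and is_write(action) and action not in READ_ONLY_WRITE_ALLOWLIST:
                findings.append(f"{action}: mutating action outside the Read-Only reference")
    return findings

# Constructed sample: MinimizitS3Access as the reference describes it.
S3_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::minimizit-123456789012-abc123", "arn:aws:s3:::minimizit-123456789012-abc123/*"],
}]}
# Constructed sample of a policy that has drifted away from the reference.
DRIFTED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "ec2:TerminateInstances", "cur:*"],
    "Resource": "*",
}]}
```

Feed it the PolicyDocument returned by `aws iam get-role-policy` for each inline policy named above; an empty result for every policy means the deployed role still matches this reference.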