Read-Only Access
Always Applied
These permissions are granted in both Read-Only and Admin modes. They are strictly observational — Minimizit uses them to discover resources, analyse costs, and surface savings recommendations. No production infrastructure is mutated.

🔒 Zero infrastructure mutation. The AWS managed policy ReadOnlyAccess is enforced at the IAM level. Minimizit cannot create, modify, or delete any resource outside the scoped Minimizit data buckets listed below.
| Managed Policy | Description | ARN |
|---|---|---|
| ReadOnlyAccess | Full read access to all AWS services and resources. No write, create, or delete actions permitted. | arn:aws:iam::aws:policy/ReadOnlyAccess |
| AWSSupportAccess | Allows submitting and managing AWS Support cases on your behalf. | arn:aws:iam::aws:policy/AWSSupportAccess |
| Action | Purpose | Effect |
|---|---|---|
| ce:GetCostAndUsage | Retrieve historical cost and usage data by service, region, or tag | Allow |
| ce:GetCostForecast | Generate month-end and future spend forecasts | Allow |
| ce:GetDimensionValues | Enumerate available cost dimensions (services, accounts, regions) | Allow |
| ce:GetTags | Retrieve cost allocation tag keys and values | Allow |
| Action | Purpose | Effect |
|---|---|---|
| tag:GetResources | Discover all tagged resources across services | Allow |
| tag:GetTagKeys | Enumerate tag key names in use | Allow |
| tag:GetTagValues | Enumerate values for a given tag key | Allow |
| resource-groups:ListGroups | List resource groups in the account | Allow |
| resource-groups:GetGroup | Describe a specific resource group | Allow |
| resource-explorer-2:CreateIndex | Create a Resource Explorer index for search | Allow |
| resource-explorer-2:UpdateIndexType | Promote a local index to an aggregator index | Allow |
| resource-explorer-2:DeleteIndex | Remove a Resource Explorer index | Allow |
| resource-explorer-2:GetIndex | Describe an existing index | Allow |
| resource-explorer-2:ListIndexes | List all Resource Explorer indexes | Allow |
| resource-explorer-2:Search | Search for resources across the account | Allow |
| resource-explorer-2:BatchGetView | Retrieve details of multiple views at once | Allow |
| resource-explorer-2:ListViews | List all Resource Explorer views | Allow |
| resource-explorer-2:TagResource | Add tags to Resource Explorer objects | Allow |
| resource-explorer-2:UntagResource | Remove tags from Resource Explorer objects | Allow |
⚠️ Resource Scope — arn:aws:s3:::minimizit-{AccountId}-{Suffix} and arn:aws:s3:::minimizit-{AccountId}-{Suffix}/*
| Action | Purpose | Effect |
|---|---|---|
| s3:PutObject | Write resource snapshots to Minimizit's own bucket | Allow |
| s3:GetObject | Read previously stored snapshot data | Allow |
| s3:DeleteObject | Remove stale snapshot objects from the bucket | Allow |
| s3:ListBucket | List objects in the Minimizit data bucket | Allow |
| s3:GetBucketLocation | Determine the bucket's AWS region | Allow |
⚠️ Resource Scope — arn:aws:s3:::minimizit-cur-{AccountId}-{Suffix} · cur:* actions scoped to *
| Action | Purpose | Effect |
|---|---|---|
| s3:GetObject | Read CUR report files from the CUR bucket | Allow |
| s3:GetObjectVersion | Access versioned CUR report objects | Allow |
| s3:ListBucket | List report files in the CUR bucket | Allow |
| s3:GetBucketLocation | Determine the CUR bucket's AWS region | Allow |
| cur:DescribeReportDefinitions | List CUR report definitions configured in the account | Allow |
| cur:GetClassicReport | Retrieve classic (legacy) CUR reports | Allow |
| cur:GetClassicReportPreferences | Read preferences set for classic CUR delivery | Allow |
| cur:ValidateReportDestination | Verify the CUR delivery destination bucket is accessible | Allow |
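A least-privilege review of the read-only permission set above, as an added example (not Minimizit's code): it takes an IAM policy document assembled here from the actions listed on this page, treats any action whose verb is not Get/List/Describe/Search/BatchGet/Validate as a write, and reports every write that is not resource-scoped to the minimizit-* bucket ARNs. The policy JSON is constructed to mirror the tables; the Resource Explorer statement uses "*" because the page gives no narrower scope for it, so its CreateIndex/DeleteIndex entries are what the check surfaces.

```python
import fnmatch
import json
import re

# Constructed policy fragment mirroring the read-only tables on this page
# (not the vendor's real policy). Bucket ARNs are the page's own patterns.
READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ce:GetCostAndUsage", "tag:GetResources",
                "resource-explorer-2:Search", "resource-explorer-2:CreateIndex",
                "resource-explorer-2:DeleteIndex"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::minimizit-{AccountId}-{Suffix}",
                  "arn:aws:s3:::minimizit-{AccountId}-{Suffix}/*"]}
  ]
}""")

# Verb prefixes treated as observational; everything else is a write.
READ_VERBS = re.compile(r"^(Get|List|Describe|Search|BatchGet|Validate)")


def is_read_only(action: str) -> bool:
    """True if the IAM action's verb (the part after 'service:') is observational."""
    return bool(READ_VERBS.match(action.split(":", 1)[1]))


def review_write_scope(policy: dict, allowed_scope: str = "arn:aws:s3:::minimizit-*"):
    """Return [(action, resource)] for every allowed write action whose
    resource ARN does not fall inside the Minimizit data bucket pattern."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if is_read_only(action):
                continue
            for res in resources:
                # fnmatchcase treats the ARN literally and the scope as the glob.
                if not fnmatch.fnmatchcase(res, allowed_scope):
                    findings.append((action, res))
    return findings


if __name__ == "__main__":
    for action, res in review_write_scope(READ_ONLY_POLICY):
        print(f"write action outside bucket scope: {action} on {res}")
```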
Admin Access
Opt-In · Admin Mode Only
These permissions are granted only when you select Admin mode during account connection (PermissionLevel = admin). They enable Minimizit to execute one-click cleanup actions — stopping idle instances, releasing unused addresses, deleting orphaned volumes — directly from the dashboard.

⚠️ Write permissions are included in Admin mode. Actions such as ec2:TerminateInstances and rds:DeleteDBInstance are irreversible. Only enable Admin mode if you trust Minimizit to act on your behalf. You can reconnect an account in Read-Only mode at any time.
| Action | Purpose | Effect |
|---|---|---|
| ec2:StartInstances | Start a stopped EC2 instance | Allow |
| ec2:StopInstances | Stop a running EC2 instance to eliminate compute costs | Allow |
| ec2:TerminateInstances | Permanently terminate an idle EC2 instance | Allow |
| ec2:RebootInstances | Reboot an EC2 instance | Allow |
| ec2:DescribeInstanceStatus | Check the current status of EC2 instances | Allow |
| ec2:ReleaseAddress | Release an unattached Elastic IP address to stop charges | Allow |
| ec2:DisassociateAddress | Disassociate an Elastic IP from an instance or network interface | Allow |
| ec2:DeleteVolume | Delete an unattached EBS volume | Allow |
| ec2:DeleteSnapshot | Delete obsolete EBS snapshots | Allow |
| ec2:DeregisterImage | Deregister an unused AMI to free associated snapshot storage | Allow |
| ec2:DeleteNatGateway | Delete an idle NAT Gateway to eliminate hourly charges | Allow |
| ec2:DeleteSecurityGroup | Remove unused security groups | Allow |
| Action | Purpose | Effect |
|---|---|---|
| rds:StartDBInstance | Start a stopped RDS database instance | Allow |
| rds:StopDBInstance | Stop an idle RDS instance to reduce compute costs | Allow |
| rds:RebootDBInstance | Reboot a database instance | Allow |
| rds:DeleteDBInstance | Delete a decommissioned RDS instance | Allow |
| Action | Purpose | Effect |
|---|---|---|
| redshift:PauseCluster | Pause an idle Redshift cluster to suspend compute billing | Allow |
| redshift:ResumeCluster | Resume a paused Redshift cluster | Allow |
| redshift:DeleteCluster | Delete a decommissioned Redshift cluster | Allow |
| Action | Purpose | Effect |
|---|---|---|
| sagemaker:StopNotebookInstance | Stop an idle SageMaker notebook to eliminate instance costs | Allow |
| sagemaker:StartNotebookInstance | Start a previously stopped notebook instance | Allow |
| sagemaker:DeleteNotebookInstance | Permanently delete an unused notebook instance | Allow |
| Action | Purpose | Effect |
|---|---|---|
| apprunner:PauseService | Pause an App Runner service to stop compute charges | Allow |
| apprunner:ResumeService | Resume a paused App Runner service | Allow |
| apprunner:DeleteService | Delete a decommissioned App Runner service | Allow |
| Action | Purpose | Effect |
|---|---|---|
| lightsail:StartInstance | Start a stopped Lightsail instance | Allow |
| lightsail:StopInstance | Stop an idle Lightsail instance | Allow |
| lightsail:DeleteInstance | Permanently delete a Lightsail instance | Allow |
| Action | Purpose | Effect |
|---|---|---|
| workspaces:StopWorkspaces | Stop idle WorkSpaces to reduce hourly costs | Allow |
| workspaces:StartWorkspaces | Start a previously stopped WorkSpace | Allow |
| workspaces:TerminateWorkspaces | Permanently terminate an unused WorkSpace | Allow |