Required AWS Permissions

Noros follows the principle of least privilege. We request only the minimum permissions necessary to provide cost visibility and cloud spending insights for your AWS environment.

What Noros Cannot Do

Noros cannot:

  • Read sensitive workload data
  • Edit network rules or security groups
  • Create, stop, or terminate instances
  • Change, copy, or delete your data
  • Modify any AWS resources

Permissions

During onboarding, Noros deploys a CloudFormation stack that creates a read-only IAM role in your AWS account. This role grants access to cost and billing data only.

Cost & Billing Data

| Permission | Purpose |
| --- | --- |
| ce:Get*, ce:Describe*, ce:List* | Cost Explorer read access |
| cur:Get*, cur:Validate* | Cost and Usage Report access |
| billing:Get* | Billing data access |
| account:GetAccountInformation | Account metadata |
| ec2:DescribeReservedInstances* | Reserved Instance information |
| rds:DescribeReserved* | RDS Reserved Instance information |

CUR Data Access

For advanced data querying, Noros needs access to your Cost and Usage Report files:

| Permission | Purpose |
| --- | --- |
| s3:GetObject | CUR report file access |
| s3:ListBucket | CUR report bucket listing |

The CloudFormation stack may include additional read-only permissions for services like payments, tax, invoicing, and other billing-related data. All permissions are strictly read-only.

Optional: External ID

During onboarding, you can configure an External ID for the cross-account IAM role. This AWS security best practice adds a layer of protection against confused deputy attacks.
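An added example (not Noros's own code or CloudFormation template): a Python check to run over the deployed role's permission policy and trust policy JSON. It flags any allowed action outside the patterns in the two permission tables above and any sts:AssumeRole grant that carries no sts:ExternalId condition. The sample policies and the account ID 111122223333 are constructed, and the function names are hypothetical.

```python
import fnmatch

# Action patterns copied from the two permission tables on this page.
DOCUMENTED = [
    "ce:Get*", "ce:Describe*", "ce:List*", "cur:Get*", "cur:Validate*",
    "billing:Get*", "account:GetAccountInformation",
    "ec2:DescribeReservedInstances*", "rds:DescribeReserved*",
    "s3:GetObject", "s3:ListBucket",
]

def as_list(value):
    """IAM allows a single string or object wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def undocumented_actions(policy):
    """Return allowed actions that no documented pattern covers, for manual review."""
    flagged = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except a list: always review
            flagged.append("NotAction")
        for action in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive. A policy wildcard broader than
            # the documented one (e.g. ce:*) matches no pattern and is flagged.
            if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in DOCUMENTED):
                flagged.append(action)
    return flagged

def assume_role_without_external_id(trust_policy):
    """Return principals that may assume the role with no sts:ExternalId condition."""
    missing = []
    for stmt in as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        # Simplification: only a StringEquals condition counts as an External ID check.
        equals = {k.lower() for k in stmt.get("Condition", {}).get("StringEquals", {})}
        if "sts:externalid" not in equals:
            missing.append(stmt.get("Principal"))
    return missing

# Constructed sample documents (not Noros's actual template output).
SAMPLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ce:Get*", "CUR:Validate*", "ec2:DescribeReservedInstancesOfferings"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "ce:*"], "Resource": "*"},
]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"},
]}

if __name__ == "__main__":
    print("review:", undocumented_actions(SAMPLE_PERMISSIONS))
    print("no ExternalId:", assume_role_without_external_id(SAMPLE_TRUST))
```

Any additional billing-related actions the stack includes (payments, tax, invoicing) will appear in the first list; review them as read-only actions rather than treating them as errors.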

Transparency

Noros is committed to transparency in the permissions it uses. All permissions are scoped to read-only access of cost and billing data. If you have specific security requirements or need customized permissions, contact support@noros.ai.
