# Required AWS Permissions

Noros follows the principle of least privilege. We request only the minimum permissions necessary to provide cost visibility and cloud spending insights for your AWS environment.

### What Noros Cannot Do

Noros **cannot**:

* Read sensitive workload data
* Edit network rules or security groups
* Create, stop, or terminate instances
* Change, copy, or delete your data
* Modify any AWS resources

### Permissions

During onboarding, Noros deploys a CloudFormation stack that creates a read-only IAM role in your AWS account. This role grants access to cost and billing data only.

#### Cost & Billing Data

| Permission                            | Purpose                           |
| ------------------------------------- | --------------------------------- |
| `ce:Get*`, `ce:Describe*`, `ce:List*` | Cost Explorer read access         |
| `cur:Get*`, `cur:Validate*`           | Cost and Usage Report access      |
| `billing:Get*`                        | Billing data access               |
| `account:GetAccountInformation`       | Account metadata                  |
| `ec2:DescribeReservedInstances*`      | Reserved Instance information     |
| `rds:DescribeReserved*`               | RDS Reserved Instance information |

#### CUR Data Access

For advanced data querying, Noros needs access to your Cost and Usage Report files:

| Permission      | Purpose                   |
| --------------- | ------------------------- |
| `s3:GetObject`  | CUR report file access    |
| `s3:ListBucket` | CUR report bucket listing |

The CloudFormation stack may include additional read-only permissions for services like payments, tax, invoicing, and other billing-related data. All permissions are strictly read-only.

### Optional: External ID

During onboarding, you can configure an **External ID** for the cross-account IAM role. Using an External ID is an AWS security best practice that adds a layer of protection against confused deputy attacks.
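To check a deployed role against the read-only permissions and the External ID option described above, the following added example (not Noros's own code or CloudFormation template) audits a permissions policy and a trust policy offline. The policy documents, bucket name, account ID and External ID value are constructed sample data, and the function names are hypothetical. Because a `Get` verb on S3 still reads object contents, the example also flags S3 access granted on a wildcard resource.

```python
# Added example: offline audit of a cross-account role's policy documents.
# All policy JSON below is constructed sample data, not Noros's template.
READ_ONLY_VERBS = ("get", "describe", "list", "validate")  # verbs used on this page

def as_list(value):
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def non_read_only_actions(policy):
    """Allowed actions whose verb does not start with a read-only prefix."""
    flagged = []
    for stmt in allow_statements(policy):
        if "NotAction" in stmt:  # Allow + NotAction permits everything not listed
            flagged.append("NotAction")
        for action in as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2].lower()  # "" for a bare "*"
            if not verb.startswith(READ_ONLY_VERBS):
                flagged.append(action)
    return flagged

def unscoped_s3_reads(policy):
    """S3 actions granted on Resource "*" instead of a named CUR bucket."""
    return [a for s in allow_statements(policy) if "*" in as_list(s.get("Resource", "*"))
            for a in as_list(s.get("Action", [])) if a.lower().startswith("s3:")]

def trust_requires_external_id(trust):
    """True only if every Allow statement pins sts:ExternalId via StringEquals."""
    stmts = allow_statements(trust)
    return bool(stmts) and all(
        "sts:ExternalId" in s.get("Condition", {}).get("StringEquals", {}) for s in stmts)

PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ce:Get*", "ce:Describe*", "ce:List*", "cur:Get*", "cur:Validate*", "billing:Get*",
        "account:GetAccountInformation", "ec2:DescribeReservedInstances*",
        "rds:DescribeReserved*"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-cur-bucket", "arn:aws:s3:::example-cur-bucket/*"]}]}
TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}

if __name__ == "__main__":
    print("non-read-only:", non_read_only_actions(PERMISSIONS))
    print("unscoped S3:", unscoped_s3_reads(PERMISSIONS))
    print("external ID enforced:", trust_requires_external_id(TRUST))
```

To audit a real role, replace the constructed documents with the trust policy returned by `aws iam get-role` and the permissions policy documents attached to that role.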

### Transparency

Noros is committed to transparency in the permissions it uses. All permissions are scoped to read-only access of cost and billing data. If you have specific security requirements or need customized permissions, contact <support@noros.ai>.


