AutoSavings is built with a strong focus on security and least-privilege access when connecting to your AWS environment. It requires minimal permissions to analyze your usage and optimize costs safely and efficiently.
✅ 1. Role-Based Delegated Access (via IAM)
- AutoSavings connects to your AWS account using a delegated IAM role, not by storing credentials.
- You create a trusted role ARN that allows OpsNow to securely access your environment via AWS STS.
✅ 2. Required Permissions: Read-Only by Default
- In most cases, AutoSavings works with read-only permissions, such as ReadOnlyAccess, to collect:
  - Usage data for EC2, RDS, and other services
  - Billing and cost-related information
  - RI and SP commitment details
✅ 3. Additional Permissions for Automation (Optional)
- To enable automated purchasing and reselling of commitments, additional permissions are required:
  - ec2:PurchaseReservedInstancesOffering
  - ec2:ModifyReservedInstances
  - ec2:SellReservedInstances
These are granted explicitly and transparently, and customers can review or revoke them at any time.
✅ 4. Security Architecture
- AutoSavings uses AWS Security Token Service (STS) for temporary session-based access, ensuring no sensitive credentials are stored.
- All user access within OpsNow is governed by Role-Based Access Control (RBAC), and only organization owners can manage AWS connections.
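
One way to review the delegated role and its permissions before connecting an account, as an added example that is not OpsNow's code: it flags any allowed action that is neither read-style nor one of the three automation actions listed above, and any trust statement open to a principal other than the expected one. The account ID, the sample policy documents, the read-verb heuristic and the sts:ExternalId check are assumptions; the page does not say whether an external ID is used.

```python
ALLOWED_WRITE = {  # the three automation actions the page lists, lowercased
    "ec2:purchasereservedinstancesoffering", "ec2:modifyreservedinstances",
    "ec2:sellreservedinstances"}
READ_VERBS = ("describe", "get", "list", "view")  # heuristic, an assumption

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_permissions(policy):
    """Return allowed actions that are neither read-style nor on the page's list."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except a list: always flag
            findings.append("NotAction")
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.lower().split(":", 1)[-1]
            if action.lower() in ALLOWED_WRITE or verb.startswith(READ_VERBS):
                continue
            findings.append(action)  # also catches "*" and "ec2:*"
    return findings

def audit_trust(trust, expected_principal):
    """Flag trust statements open to other principals or lacking an ExternalId."""
    findings = []
    for stmt in _as_list(trust["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if aws != [expected_principal]:
            findings.append(f"unexpected principal: {aws}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition")
    return findings

# Constructed sample documents; the account ID is a placeholder.
VENDOR = "arn:aws:iam::111122223333:root"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "ce:GetCostAndUsage", "ec2:ModifyReservedInstances"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:TerminateInstances"}]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": VENDOR}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_POLICY), audit_trust(SAMPLE_TRUST, VENDOR))
```

The same functions can be run over the JSON returned by `aws iam get-role` and `aws iam get-role-policy` for the role whose ARN is shared.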