What permissions are applied when registering an AWS account, and how are they managed?

When registering an AWS account in OpsNow FinOps Plus, permissions are provisioned automatically by an AWS CloudFormation stack.
Following the principle of least privilege, the stack grants only the minimum permissions needed for cost analysis, resource monitoring, and tag-based management.

✅ CloudFormation-Based Role Setup

Once the CloudFormation stack is launched from OpsNow, it automatically creates and configures:

  • A secure CrossAccountRole that allows OpsNow to access your AWS account
  • A predefined set of IAM policies tailored to cost, usage, and resource visibility
  • An External ID condition on the role's AssumeRole trust policy, to strengthen cross-account security

📂 Key Permissions Included

  • Cost & usage tracking: ce:Get*, cur:DescribeReportDefinitions, s3:GetObject
  • Resource monitoring: ec2:Describe*, cloudwatch:ListMetrics, autoscaling:Describe*
  • Tag-based analysis: tag:GetResources, tag:GetTagValues
  • Read-only IAM access: iam:List*, iam:Get* (for visibility only, not modification)

📌 These permissions are read-only and strictly scoped, with no execution or deletion capabilities.

🔍 How to verify and manage permissions

  • After registration, you can review all permission settings in the [Settings > Cloud Accounts] menu
  • You may also audit and modify the role and policy details in the AWS IAM console at any time
  • If needed, OpsNow supports custom role scoping to meet your organization’s internal security policies
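The following is an added illustration, not OpsNow's actual CloudFormation output: it embeds a constructed trust policy and permissions policy shaped like the role described above (placeholder account ID and External ID), and an `audit_role` helper that flags the two things worth checking in the IAM console: a trust policy without an `sts:ExternalId` condition or with a wildcard principal, and any granted action that is not a read-only Get/List/Describe call.

```python
# Constructed example documents for the audit below; the OpsNow account ID
# and the External ID are placeholders, not real values.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
}

PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ce:Get*", "cur:DescribeReportDefinitions", "s3:GetObject",
                   "ec2:Describe*", "cloudwatch:ListMetrics", "autoscaling:Describe*",
                   "tag:GetResources", "tag:GetTagValues", "iam:List*", "iam:Get*"],
        "Resource": "*",
    }],
}

READ_ONLY_VERBS = ("Get", "List", "Describe")  # verbs the page describes as read-only

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_role(trust_policy, permissions_policy):
    """Return a list of findings; an empty list means the role matches the described setup."""
    findings = []
    # 1. Trust policy: who may assume the role, and is an External ID required?
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal to assume the role")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust policy has no sts:ExternalId condition")
    # 2. Permissions policy: every allowed action must be a read-only verb.
    for stmt in _as_list(permissions_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            verb = action.split(":", 1)[1] if ":" in action else action
            if action == "*" or not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"non-read-only action granted: {action}")
    return findings
```

To audit a live role, feed it the documents returned by `aws iam get-role` (AssumeRolePolicyDocument) and `aws iam get-policy-version` instead of the constructed ones.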

📌 Using CloudFormation for automated IAM role provisioning reduces configuration errors, ensures consistency, and enforces secure and transparent access for cloud cost and usage monitoring.