---
title: 'IAM Permissions'
description: 'Complete breakdown of every IAM permission ParkMyAWS requires, why each is needed, and how to revoke access at any time.'
order: 2
icon: FileKey2
jsonLd:
    '@context': 'https://schema.org'
    '@type': 'BreadcrumbList'
    itemListElement:
        - { '@type': 'ListItem', position: 1, name: 'Home', item: 'https://parkmyaws.com' }
        - { '@type': 'ListItem', position: 2, name: 'Docs', item: 'https://parkmyaws.com/docs/getting-started' }
        - { '@type': 'ListItem', position: 3, name: 'IAM Permissions' }
---

# IAM Permissions

A complete breakdown of every IAM permission ParkMyAWS requires, why it's needed, and how to revoke access at any time.

## Overview

ParkMyAWS connects to your AWS account using an IAM Cross-Account Role. This is the approach AWS recommends for third-party access — no static access keys are stored, and you retain full control over the role in your account.

The role requires two components: a **trust policy** that allows ParkMyAWS to assume the role, and a **permission policy** that defines what actions the role can perform.

## Trust Policy

The trust policy allows ParkMyAWS (account `074681445306`) to assume the role using STS AssumeRole. The `ExternalId` condition prevents the "confused deputy" attack — only requests with your unique external ID are accepted.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::074681445306:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "YOUR_EXTERNAL_ID"
                }
            }
        }
    ]
}
```

> **Confused-deputy protection.** The `ExternalId` condition means only requests carrying your unique external ID can assume the role.
> {.callout .callout-tip}

## Permission Policy

The permission policy contains three statements, each scoped to a specific purpose:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ParkMyAwsResourceDiscovery",
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "ce:GetReservationCoverage",
                "ce:GetReservationUtilization",
                "ce:GetSavingsPlansCoverage",
                "ce:GetSavingsPlansUtilization",
                "ec2:Describe*",
                "ecs:Describe*",
                "ecs:List*",
                "eks:Describe*",
                "eks:List*",
                "rds:Describe*",
                "rds:ListTagsForResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ParkMyAwsResourceManagement",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ecs:UpdateService",
                "eks:UpdateNodegroupConfig",
                "rds:StartDBCluster",
                "rds:StartDBInstance",
                "rds:StopDBCluster",
                "rds:StopDBInstance"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ParkMyAwsEncryptedResources",
            "Effect": "Allow",
            "Action": ["kms:CreateGrant"],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": ["ec2.*.amazonaws.com", "rds.*.amazonaws.com"]
                }
            }
        }
    ]
}
```
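
The two documents above are what the role in your account should contain, and a deployed role can drift from them (a wider principal, a missing `ExternalId`, an extra action). The Python below is an added example, not ParkMyAWS code: it audits a trust policy and a permission policy against exactly what this page documents and returns a list of findings. The embedded documents are the page's own policies; the audit functions, their names and the finding strings are the example author's, and to audit a live role you replace the embedded dicts with the JSON from `aws iam get-role` (`AssumeRolePolicyDocument`) and `aws iam get-role-policy` (`PolicyDocument`).

```python
"""Audit a ParkMyAWS cross-account role against the policies documented on this page.

Added example, not ParkMyAWS code: the audit functions, their names and the finding
strings are the example author's own. The embedded documents are the page's policies;
to audit a deployed role, replace them with the JSON from `aws iam get-role`
(AssumeRolePolicyDocument) and `aws iam get-role-policy` (PolicyDocument).
"""
import fnmatch

PARKMYAWS_ACCOUNT = "074681445306"
EXPECTED_PRINCIPAL = f"arn:aws:iam::{PARKMYAWS_ACCOUNT}:root"
# Every action the page documents; an Allow for anything else is a finding.
DOCUMENTED_ACTIONS = {
    "autoscaling:Describe*", "ce:GetReservationCoverage", "ce:GetReservationUtilization",
    "ce:GetSavingsPlansCoverage", "ce:GetSavingsPlansUtilization", "ec2:Describe*",
    "ecs:Describe*", "ecs:List*", "eks:Describe*", "eks:List*", "rds:Describe*",
    "rds:ListTagsForResource", "ec2:StartInstances", "ec2:StopInstances", "ecs:UpdateService",
    "eks:UpdateNodegroupConfig", "rds:StartDBCluster", "rds:StartDBInstance",
    "rds:StopDBCluster", "rds:StopDBInstance", "kms:CreateGrant",
}
# Endpoint patterns through which kms:CreateGrant may be exercised (kms:ViaService).
ALLOWED_VIA_SERVICE = ("ec2.*.amazonaws.com", "rds.*.amazonaws.com")

TRUST_POLICY = {  # as shown on this page
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": EXPECTED_PRINCIPAL},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"sts:ExternalId": "YOUR_EXTERNAL_ID"}}}],
}
PERMISSION_POLICY = {  # as shown on this page, condensed
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ParkMyAwsResourceDiscovery", "Effect": "Allow", "Resource": "*",
         "Action": ["autoscaling:Describe*", "ce:GetReservationCoverage", "ce:GetReservationUtilization",
                    "ce:GetSavingsPlansCoverage", "ce:GetSavingsPlansUtilization", "ec2:Describe*",
                    "ecs:Describe*", "ecs:List*", "eks:Describe*", "eks:List*", "rds:Describe*",
                    "rds:ListTagsForResource"]},
        {"Sid": "ParkMyAwsResourceManagement", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:StartInstances", "ec2:StopInstances", "ecs:UpdateService", "eks:UpdateNodegroupConfig",
                    "rds:StartDBCluster", "rds:StartDBInstance", "rds:StopDBCluster", "rds:StopDBInstance"]},
        {"Sid": "ParkMyAwsEncryptedResources", "Effect": "Allow", "Resource": "*", "Action": ["kms:CreateGrant"],
         "Condition": {"StringLike": {"kms:ViaService": ["ec2.*.amazonaws.com", "rds.*.amazonaws.com"]}}},
    ],
}


def _as_list(value):  # IAM accepts a bare string wherever a list is allowed
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, external_id):
    """Findings for anything that widens who may assume the role; [] means it matches the page."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Flatten every principal type (AWS, Service, Federated); only the ParkMyAWS account root is expected.
        principals = [p for v in principal.values() for p in _as_list(v)] if isinstance(principal, dict) else [principal]
        findings += [f"unexpected principal {p!r}" for p in principals if p != EXPECTED_PRINCIPAL]
        findings += [f"unexpected action {a!r}" for a in _as_list(stmt.get("Action", [])) if a != "sts:AssumeRole"]
        got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append("no StringEquals sts:ExternalId condition (confused-deputy protection missing)")
        elif _as_list(got) != [external_id]:
            findings.append(f"sts:ExternalId is {got!r}, not your external ID")
    return findings


def audit_permission_policy(doc):
    """Findings for Allow statements that go beyond what this page documents."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, actions = stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", []))
        findings += [f"{sid}: undocumented action {a!r}" for a in actions if a not in DOCUMENTED_ACTIONS]
        if not any(a.startswith("kms:") for a in actions):
            continue
        # kms:CreateGrant on Resource "*" is only acceptable when pinned to EC2/RDS via kms:ViaService.
        cond, via_values = stmt.get("Condition", {}), []
        for op in ("StringEquals", "StringLike"):
            for v in _as_list(cond.get(op, {}).get("kms:ViaService", [])):
                if op == "StringEquals" and "*" in v:
                    findings.append(f"{sid}: StringEquals compares literally, so {v!r} never matches; use StringLike")
                via_values.append(v)
        if not via_values:
            findings.append(f"{sid}: KMS action without a kms:ViaService condition")
        findings += [f"{sid}: kms:ViaService value {v!r} is not an EC2 or RDS endpoint" for v in via_values
                     if not any(fnmatch.fnmatchcase(v, ok) for ok in ALLOWED_VIA_SERVICE)]
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(TRUST_POLICY, "YOUR_EXTERNAL_ID") or "trust policy: OK")
    print(audit_permission_policy(PERMISSION_POLICY) or "permission policy: OK")
```

Run it after creating the role and again whenever the role is changed; an empty list from both functions means the role grants no more than this page describes. The check on actions is an exact match on the documented wildcard strings, so a broader pattern such as `ec2:*` is reported rather than silently accepted.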

## Statement: ParkMyAwsResourceDiscovery

These read-only permissions allow ParkMyAWS to discover and list your resources. No data is modified.

### `autoscaling:Describe*`

Discovers Auto Scaling groups so ParkMyAWS can safely manage EC2 instances that belong to ASGs.

### `ce:GetReservationCoverage, ce:GetReservationUtilization, ce:GetSavingsPlansCoverage, ce:GetSavingsPlansUtilization`

Reserved for upcoming account-level Reserved Instance and Savings Plan insights. These permissions are not currently used to calculate savings.

### `ec2:Describe*`

Lists EC2 instances, their states, tags, and associated volumes across all regions. `ec2:Describe*` is a broad read-only wildcard: among other things it covers `ec2:DescribeInstanceAttribute`, which can return an instance's user data, so keep secrets out of user data (good practice regardless of which third party you connect).

### `ecs:Describe*, ecs:List*`

Discovers ECS services and clusters for future scheduling support.

### `eks:Describe*, eks:List*`

Discovers EKS clusters and node groups for future scheduling support.

### `rds:Describe*, rds:ListTagsForResource`

Lists RDS instances and Aurora clusters, their states, tags, and configuration.

## Statement: ParkMyAwsResourceManagement

These permissions allow ParkMyAWS to start and stop resources according to your schedules.

### `ec2:StartInstances, ec2:StopInstances`

Starts and stops EC2 instances according to the schedules you configure.

### `ecs:UpdateService`

Scales ECS services to zero when parking and restores the original count when unparking.

### `eks:UpdateNodegroupConfig`

Scales EKS node groups to zero when parking and restores the original count when unparking.

### `rds:StartDBInstance, rds:StopDBInstance, rds:StartDBCluster, rds:StopDBCluster`

Starts and stops RDS instances and Aurora clusters according to your schedules.

## Statement: ParkMyAwsEncryptedResources

This permission is needed to start EC2 instances and RDS databases that use encrypted EBS volumes or storage.

### `kms:CreateGrant`

When EC2 starts an instance with an encrypted EBS volume, or RDS starts an encrypted database, the service creates a KMS grant on the relevant key so it can decrypt the volume's or database's data key; the caller therefore needs `kms:CreateGrant`. The `kms:ViaService` condition limits this permission to calls that arrive through EC2 or RDS, so the role cannot create grants by calling KMS directly or through any other service. Two practical notes: a value with a region wildcard such as `ec2.*.amazonaws.com` only works under the `StringLike` operator, because `StringEquals` compares the string literally and would never match a real endpoint like `ec2.us-east-1.amazonaws.com`, leaving the statement inert; and `Resource: "*"` covers every KMS key in the account, so if you want to tighten the statement you can list only the keys that protect parked resources, or add `"Bool": {"kms:GrantIsForAWSResource": "true"}`, which restricts it to grants created on behalf of an AWS service.
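
A concrete check of the two operators, as an added example that is not part of this page or of ParkMyAWS: a small evaluator for IAM string conditions, following the documented semantics (`StringEquals` is a literal comparison, `StringLike` treats `*` and `?` as wildcards, values in a list are alternatives, all keys in one Condition block must match, and a key missing from the request context does not match). It is an illustration, not AWS's evaluation engine; the function and constant names are the example's own.

```python
"""IAM string condition operators applied to kms:ViaService and sts:ExternalId.

Added example (not ParkMyAWS or AWS code). Semantics follow the IAM documentation:
StringEquals compares literally, StringLike treats '*' and '?' as wildcards, a list
of values is OR-ed, keys within one Condition block are AND-ed, and a key absent
from the request context does not match. This is an illustration, not AWS's
policy engine.
"""
import fnmatch


def _matches(operator, pattern, value):
    if operator == "StringEquals":
        return pattern == value  # exact match: a '*' in the pattern is just a character
    if operator == "StringLike":
        return fnmatch.fnmatchcase(value, pattern)  # '*' and '?' are wildcards, case-sensitive
    raise ValueError(f"unsupported operator {operator!r}")


def condition_matches(condition, context):
    """Evaluate a statement's Condition block against the request's context keys.

    `context` maps condition keys (e.g. 'kms:ViaService') to the value the request
    carries. Every key in every operator block must match for the block to match.
    """
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            if key not in context:
                return False
            patterns = patterns if isinstance(patterns, list) else [patterns]
            if not any(_matches(operator, p, context[key]) for p in patterns):
                return False
    return True


# kms:ViaService written the way a per-region endpoint can actually be matched.
VIA_SERVICE_OK = {"StringLike": {"kms:ViaService": ["ec2.*.amazonaws.com", "rds.*.amazonaws.com"]}}
# The same values under StringEquals: the '*' is literal, so no real endpoint ever matches.
VIA_SERVICE_BROKEN = {"StringEquals": {"kms:ViaService": ["ec2.*.amazonaws.com", "rds.*.amazonaws.com"]}}
# The trust policy's confused-deputy condition (placeholder external ID from this page).
EXTERNAL_ID_CONDITION = {"StringEquals": {"sts:ExternalId": "YOUR_EXTERNAL_ID"}}


def grant_allowed(condition, service_endpoint):
    """Would a kms:CreateGrant statement with this Condition apply to a call via `service_endpoint`?"""
    return condition_matches(condition, {"kms:ViaService": service_endpoint})


def assume_allowed(external_id):
    """Would the trust policy's ExternalId check pass for an AssumeRole carrying `external_id`?"""
    return condition_matches(EXTERNAL_ID_CONDITION, {"sts:ExternalId": external_id})


if __name__ == "__main__":
    for endpoint in ("ec2.us-east-1.amazonaws.com", "rds.eu-west-1.amazonaws.com", "s3.us-east-1.amazonaws.com"):
        print(f"{endpoint:30} StringLike={grant_allowed(VIA_SERVICE_OK, endpoint)!s:5} "
              f"StringEquals={grant_allowed(VIA_SERVICE_BROKEN, endpoint)}")
    print("direct KMS call (no kms:ViaService key):", condition_matches(VIA_SERVICE_OK, {}))
    print("AssumeRole with wrong ExternalId:", assume_allowed("someone-elses-id"))
```

The last two lines of the demo show the behaviour that matters for security: a direct call to KMS carries no `kms:ViaService` key at all, so the grant statement does not apply, and an AssumeRole request with a different `ExternalId` fails the trust condition outright.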

## What We Cannot Access

The ParkMyAWS IAM policy explicitly does not include permissions for:

- **S3** — no access to any S3 buckets or objects
- **Lambda** — no access to functions or their code
- **Application data** — no access to database contents, logs, or secrets
- **IAM** — no ability to create, modify, or delete IAM users, roles, or policies
- **Networking** — no ability to change VPC configuration, security groups, or network ACLs. Note that the read-only `ec2:Describe*` wildcard does let ParkMyAWS list them (for example via `ec2:DescribeSecurityGroups`), as it does every other EC2 resource; it cannot modify any of them.
- **Billing** — no access to invoices or payment methods. Cost Explorer access is limited to account-level Reserved Instance and Savings Plan coverage and utilization insights.

## How to Revoke Access

You can revoke ParkMyAWS access at any time using either method:

### Option 1: Delete the IAM Role

1. Open the AWS IAM Console
2. Navigate to Roles
3. Find the ParkMyAWS role (CloudFormation names it `ParkMyAws-Integration`; manual setup may use a different name)
4. Delete the role

This immediately and permanently revokes all access. ParkMyAWS will no longer be able to interact with your AWS account.

### Option 2: Remove from ParkMyAWS

1. Go to AWS Accounts in ParkMyAWS
2. Click the account you want to disconnect
3. Click "Delete Account"

This removes the account from ParkMyAWS and stops all scheduled actions. For complete security, also delete the IAM role from your AWS console.
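
Deleting the role from the CLI or an SDK needs one step the console performs for you: IAM refuses to delete a role that still has managed policies attached or inline policies present. The Python below is an added example, not ParkMyAWS code; it removes those first and then deletes the role. The role name `ParkMyAws-Integration` is the CloudFormation default from this page, and `FakeIAM` is a constructed stand-in with boto3's IAM method names and response shapes so the script runs offline; with real credentials you would pass `boto3.client("iam")` instead.

```python
"""Revoke ParkMyAWS access by deleting the role, in the order IAM requires.

Added example, not ParkMyAWS code. `delete_role` fails with a DeleteConflict while
managed policies are attached or inline policies exist, so those are removed first.
`ParkMyAws-Integration` is the CloudFormation default name from this page; pass your
own name if you created the role by hand. FakeIAM is a constructed stand-in that
mirrors the boto3 IAM client's method names and response shapes so this runs offline.
"""
DEFAULT_ROLE_NAME = "ParkMyAws-Integration"


def revoke_role(iam, role_name=DEFAULT_ROLE_NAME):
    """Detach and delete everything hanging off the role, then delete the role.

    `iam` is a boto3 IAM client (or anything with the same methods). Returns the
    ordered list of API calls made, which doubles as an audit trail.
    """
    calls = []
    # 1. Managed policies (customer- or AWS-managed) must be detached first.
    for page in iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name):
        for pol in page["AttachedPolicies"]:
            iam.detach_role_policy(RoleName=role_name, PolicyArn=pol["PolicyArn"])
            calls.append(("detach_role_policy", pol["PolicyArn"]))
    # 2. Inline policies must be deleted too.
    for page in iam.get_paginator("list_role_policies").paginate(RoleName=role_name):
        for name in page["PolicyNames"]:
            iam.delete_role_policy(RoleName=role_name, PolicyName=name)
            calls.append(("delete_role_policy", name))
    # 3. Only now can the role itself go; sessions already using it are invalidated.
    iam.delete_role(RoleName=role_name)
    calls.append(("delete_role", role_name))
    return calls


class FakeIAM:
    """Constructed offline stand-in for boto3.client("iam"); not a real AWS client."""

    def __init__(self, attached, inline):
        self.attached = list(attached)  # managed policy ARNs attached to the role
        self.inline = list(inline)      # inline policy names on the role
        self.deleted = False

    def get_paginator(self, operation):
        fake = self

        class _Paginator:
            def paginate(self, RoleName):
                # Snapshot the lists so callers may mutate them while iterating, as above.
                if operation == "list_attached_role_policies":
                    return [{"AttachedPolicies": [{"PolicyArn": a} for a in fake.attached]}]
                if operation == "list_role_policies":
                    return [{"PolicyNames": list(fake.inline)}]
                raise ValueError(operation)
        return _Paginator()

    def detach_role_policy(self, RoleName, PolicyArn):
        self.attached.remove(PolicyArn)

    def delete_role_policy(self, RoleName, PolicyName):
        self.inline.remove(PolicyName)

    def delete_role(self, RoleName):
        if self.attached or self.inline:  # mirrors IAM's DeleteConflict behaviour
            raise RuntimeError("DeleteConflict: Cannot delete entity, must detach all policies first.")
        self.deleted = True


if __name__ == "__main__":
    # Real use: revoke_role(boto3.client("iam")). Constructed sample role below.
    demo = FakeIAM(attached=["arn:aws:iam::123456789012:policy/ParkMyAwsPermissions"],
                   inline=["ParkMyAwsInline"])
    for call in revoke_role(demo):
        print(*call)
```

Because the role is looked up by name, double-check the name in the IAM console first if you created the role manually; the function deletes whatever role it is pointed at. Deleting the role is what actually ends access, so do it in addition to removing the account in the ParkMyAWS UI, not instead of it.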
