AWS Permissions and Security

CloudZero connects to your AWS accounts using read-only, cross-account access. You control all permissions, and connections do not update themselves.

How the connection works (delegated access)

CloudZero uses a delegated-access IAM role that is assumed from the CloudZero AWS account 061190967865. You create this role in your AWS account during automated or manual setup, and CloudZero assumes it to read your cost and resource data. All access granted by the role is read-only.

Billing (Payer) Account permissions

Connecting your billing account gives CloudZero access to your cost data:

  • Cost and Usage Reports, Billing APIs, and Organizations API
  • The S3 bucket where your Cost and Usage Report is stored
  • CloudWatch Metrics
  • Read-only metadata service APIs (for resource details used in cost breakdowns)

Resources (Member) Account permissions

Connecting resource accounts is optional. It gives CloudZero deeper visibility into individual resources, which powers more detailed cost breakdowns in the Explorer and savings recommendations in Optimize.

  • CloudWatch Metrics
  • Read-only metadata service APIs
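As an added example (not CloudZero's own code or CloudFormation template), the following Python script audits a delegated-access role of the kind described above against the two properties this page states: the role should be assumable only from CloudZero's AWS account 061190967865, and every permission it grants should be read-only. The sample trust and permission documents are constructed to mirror the billing-account permission list above; the ExternalId value, the bucket name and the exact action names are assumptions. The ExternalId check follows AWS's general guidance for third-party cross-account roles and is not something this page says about CloudZero's template.

```python
"""Audit a delegated-access IAM role for cross-account, read-only access.

Added example, not CloudZero's own template or code. It assumes the role's
trust policy and permission policies are available as parsed JSON documents
(for example from `aws iam get-role` / `aws iam get-role-policy` output, or
from the CloudFormation template before it is deployed).
"""

# The account that assumes the role (stated on the page).
CLOUDZERO_ACCOUNT_ID = "061190967865"

# Action-name prefixes that only read data. Any other Allow action is
# reported, because the connection is supposed to be read-only.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")

# Constructed sample trust policy: only CloudZero's account may assume the
# role, and only when it presents the agreed ExternalId (value is assumed).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CLOUDZERO_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}

# Constructed sample permission policy mirroring the billing-account list:
# CUR/billing/Organizations APIs, the CUR bucket, CloudWatch metrics, and
# read-only metadata (Describe*) calls. Bucket name is assumed.
SAMPLE_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cur:DescribeReportDefinitions", "ce:GetCostAndUsage",
                    "organizations:ListAccounts", "organizations:DescribeOrganization"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-cur-bucket", "arn:aws:s3:::example-cur-bucket/*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["ec2:Describe*", "rds:Describe*"]},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_accounts(statement):
    """Return the account IDs named as AWS principals in one trust statement."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    accounts = set()
    for arn in _as_list(principal.get("AWS", [])):
        # Either a bare 12-digit account ID or arn:aws:iam::<account>:<name>
        accounts.add(arn.split(":")[4] if arn.startswith("arn:") else arn)
    return accounts


def audit_trust_policy(trust_doc, expected_account=CLOUDZERO_ACCOUNT_ID):
    """Report AssumeRole grants to anyone other than the expected account,
    and AssumeRole grants that carry no sts:ExternalId condition."""
    findings = []
    for stmt in trust_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a.lower().startswith("sts:assumerole") for a in actions):
            continue
        for acct in sorted(_principal_accounts(stmt) - {expected_account}):
            findings.append(f"trust: unexpected principal account {acct}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("trust: AssumeRole statement has no sts:ExternalId condition")
    return findings


def non_read_actions(permission_doc):
    """Return the Allow actions in a permission policy that are not read-only."""
    writes = []
    for stmt in permission_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            name = action.split(":", 1)[1] if ":" in action else action
            if name == "*" or not name.startswith(READ_ONLY_PREFIXES):
                writes.append(action)
    return writes


def audit_role(trust_doc, permission_docs):
    """Combine both checks; an empty list means the role matches the page's claims."""
    findings = audit_trust_policy(trust_doc)
    for doc in permission_docs:
        for action in non_read_actions(doc):
            findings.append(f"permissions: non-read action {action}")
    return findings


if __name__ == "__main__":
    problems = audit_role(SAMPLE_TRUST_POLICY, [SAMPLE_PERMISSION_POLICY])
    print("\n".join(problems) if problems else
          f"OK: read-only role, assumable only from account {CLOUDZERO_ACCOUNT_ID}")
```

Run it against the real documents pulled from your account after setup, and again after any permission update, since the page notes that connections do not update themselves; a non-empty finding list is the signal that the role has drifted from read-only, single-principal access. The prefix list is deliberately strict: an action such as `s3:*` or `iam:PassRole` is flagged even if some tooling considers it harmless, so review findings rather than silently widening the list.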

CloudFormation templates

CloudZero uses CloudFormation to set up the necessary permissions in your AWS account. The templates and IAM policies are open source and available for review in the CloudZero provision-account repository.

To update permissions after connecting, see Update Your AWS Connection.

Non-default AWS regions

If you have resources in AWS regions where STS is not active by default (for example, ap-east-1 or eu-south-1), activate STS for those regions before connecting. See Managing AWS STS in an AWS Region in the AWS documentation.

Have questions or feedback? Reach out to your account manager.