Updating Permissions for an AWS Account

Sometimes changes on the AWS side require the permissions you grant CloudZero to be updated. For example, AWS updated its Billing and Cost Management permissions in January 2023.

You are in complete control of the permissions you grant CloudZero. Neither the automated nor the manual Connection can update its own permissions; every change is made by you, in your account.

We maintain the Provision Account open source repository so you can review every permission we ask for. In addition, we publish the policies and CloudFormation templates from that repository to S3 for your use. This document covers a few workflows for updating your CloudZero permissions using those published resources.

Automated Connections

If you connected to CloudZero using our Automated Connections, use these steps to update the cloudzero-connected-account CloudFormation stack to the latest published template.


  1. Open the CloudFormation Console in the appropriate AWS Account
  2. Select the cloudzero-connected-account Stack
  3. Click Update
  4. Select Replace current template
  5. Paste https://cz-provision-account.s3.amazonaws.com/latest/services/connected_account.yaml into the Amazon S3 URL text box
  6. Click Next on each of the next three screens (the existing parameter values are kept)
  7. At the bottom of the screen, check the capability acknowledgement boxes:
    [✅] I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    [✅] I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
  8. Click Submit



Requirements for this One-Liner

Unfortunately, the AWS CLI update-stack command has no single option to "keep all existing Parameters": every parameter must either be supplied again or be listed with UsePreviousValue.
This bash snippet builds that list from the current stack for you. It requires these two commands be present in your shell:

  1. AWS CLI
  2. jq command.

# Re-use every existing parameter by key. describe-stacks masks NoEcho
# parameters as "****", so passing ParameterValue back would overwrite
# them; UsePreviousValue avoids that. The same two capabilities the console
# asks you to acknowledge must be passed explicitly on the CLI.
aws cloudformation update-stack \
  --stack-name cloudzero-connected-account \
  --template-url https://cz-provision-account.s3.amazonaws.com/latest/services/connected_account.yaml \
  --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
  --parameters "$(aws cloudformation describe-stacks --stack-name cloudzero-connected-account \
                  | jq '[.Stacks[0].Parameters[] | {ParameterKey, UsePreviousValue: true}]')"

Manual Connections


  1. Open the IAM Console in the appropriate AWS Account
  2. Find the cross-account role that has a trust relationship with CloudZero
    1. Search your Roles for one whose Trusted entities contain Account: 061190967865
    2. Click on the role name hyperlink
  3. On the Role page, click on the attached Customer inline policy
  4. Click on the JSON tab
  5. Replace the contents with the appropriate published policy from https://cz-provision-account.s3.amazonaws.com/latest/policies/: master_payer.json for a billing (payer) account role, resource_owner.json for a resource owner account role
  6. Click Review policy
  7. Click Save changes



Requirements for this script

It takes a few commands to find the roles that trust CloudZero and update their inline policies.
This bash snippet will do that for you. It requires these two commands be present in your shell:

  1. AWS CLI
  2. jq command.

# Find roles whose trust policy names the CloudZero account. This scans every
# statement and accepts Principal.AWS as a string or a list, so it also
# matches roles that trust more than one account.
aws iam list-roles | jq -r -e '.Roles[] | select([.AssumeRolePolicyDocument.Statement[].Principal.AWS?] | flatten | index("arn:aws:iam::061190967865:root")) | .RoleName'

# For each of the roles from the output of the previous command, list its inline policies
aws iam list-role-policies --role-name <role-name> | jq -r -e '.PolicyNames[]'

# Now we have the list of policies to update. For each role and policy, replace
# the inline policy with the published document. curl -f fails on an HTTP error,
# so an error page is never written into the role as a policy.
# Change resource_owner.json to master_payer.json if this is a billing account role and policy.
aws iam put-role-policy \
  --role-name <role-name> \
  --policy-name <policy-name> \
  --policy-document "$(curl -fsSL https://cz-provision-account.s3.amazonaws.com/latest/policies/resource_owner.json)"
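The manual-connection steps above, assembled into one script as an added example (our code, not CloudZero's own script from the Provision Account repository). It assumes the AWS CLI and jq are on PATH and that the policy URLs are the published ones named above; the helper names (cz_trusting_roles, cz_policy_changed, cz_update_roles), the use of get-role-policy to compare the attached document with the published one before writing, and the SAMPLE_LIST_ROLES data are ours. The sample is constructed so the role-matching logic can be exercised offline; it includes a role that trusts CloudZero in its second statement via a list of principals, which a check on Statement[0] alone would miss.

```bash
#!/usr/bin/env bash
# Added example: refresh CloudZero inline policies only where they differ
# from the published document. Assumes AWS CLI v2 and jq on PATH.
set -eu

CLOUDZERO_ACCOUNT="061190967865"
POLICY_BASE="https://cz-provision-account.s3.amazonaws.com/latest/policies"

# Print the names of roles whose trust policy lists the CloudZero account.
# Reads `aws iam list-roles` JSON on stdin. Every statement is scanned and
# Principal.AWS may be a single ARN string or a list of ARNs.
cz_trusting_roles() {
  jq -r --arg arn "arn:aws:iam::${CLOUDZERO_ACCOUNT}:root" '
    .Roles[]
    | select(
        [ .AssumeRolePolicyDocument.Statement[]? | .Principal.AWS? // empty ]
        | flatten
        | any(. == $arn)
      )
    | .RoleName'
}

# Succeed (exit 0) when two policy documents differ after normalising key
# order and whitespace, so a no-op put-role-policy can be skipped.
# Args: current policy JSON, published policy JSON.
cz_policy_changed() {
  local current published
  current=$(printf '%s' "$1" | jq -cS .)
  published=$(printf '%s' "$2" | jq -cS .)
  [ "$current" != "$published" ]
}

# Fetch a published policy; -f makes curl fail on an HTTP error instead of
# handing an error page to put-role-policy.
cz_fetch_policy() {
  curl -fsSL "${POLICY_BASE}/$1.json"
}

# Walk every CloudZero-trusting role and refresh its inline policies.
# $1 is resource_owner, or master_payer for a billing account role.
cz_update_roles() {
  local kind="$1" published role policy current
  published=$(cz_fetch_policy "$kind")
  printf '%s' "$published" | jq -e . >/dev/null   # refuse anything that is not JSON
  aws iam list-roles --output json | cz_trusting_roles | while read -r role; do
    aws iam list-role-policies --role-name "$role" --output json \
      | jq -r '.PolicyNames[]' | while read -r policy; do
        current=$(aws iam get-role-policy --role-name "$role" --policy-name "$policy" \
                    --output json | jq -c '.PolicyDocument')
        if cz_policy_changed "$current" "$published"; then
          echo "updating $role/$policy"
          aws iam put-role-policy --role-name "$role" --policy-name "$policy" \
            --policy-document "$published"
        else
          echo "unchanged $role/$policy"
        fi
      done
  done
}

# Constructed sample of `aws iam list-roles` output (not real account data):
# one role trusting CloudZero directly, one trusting it in a second statement
# alongside another account, and one unrelated role.
SAMPLE_LIST_ROLES='{"Roles":[
 {"RoleName":"cloudzero-payer","AssumeRolePolicyDocument":{"Version":"2012-10-17","Statement":[
   {"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::061190967865:root"},"Action":"sts:AssumeRole",
    "Condition":{"StringEquals":{"sts:ExternalId":"example-external-id"}}}]}},
 {"RoleName":"shared-reader","AssumeRolePolicyDocument":{"Version":"2012-10-17","Statement":[
   {"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"},
   {"Effect":"Allow","Principal":{"AWS":["arn:aws:iam::111111111111:root","arn:aws:iam::061190967865:root"]},
    "Action":"sts:AssumeRole"}]}},
 {"RoleName":"unrelated","AssumeRolePolicyDocument":{"Version":"2012-10-17","Statement":[
   {"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111111111111:root"},"Action":"sts:AssumeRole"}]}}
]}'

# Offline demonstration against the sample; prints cloudzero-payer and shared-reader.
cz_demo() {
  printf '%s' "$SAMPLE_LIST_ROLES" | cz_trusting_roles
}

# Live run only when asked for explicitly: ./script.sh --apply [resource_owner|master_payer]
if [ "${1:-}" = "--apply" ]; then
  cz_update_roles "${2:-resource_owner}"
fi
```

Run it once without --apply to see which roles the trust-policy scan picks up, then with --apply against a billing account using master_payer. Comparing the normalised documents first keeps the IAM change history limited to roles whose policy actually moved, which makes a later review of who changed what much easier.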