AWS Savings Review

Read-only AWS review

Create one read-only IAM role and receive a browser-ready report with top savings opportunities, supporting evidence, and a technical appendix.

Setup steps

Create the read-only AWS role before starting.

1. Enable billing prerequisites
   Turn on Cost Explorer and Cost Optimization Hub in AWS Billing and Cost Management.

2. Create the read-only role
   Use the policy blocks below to create the trust policy and attach the read-only permissions policy.

3. Paste role details
   Submit the role ARN and external ID. The review scans active commercial AWS regions automatically.

Trust and simplicity

One role, read-only access, no shared credentials.

  • Read-only cross-account IAM role only
  • External ID required for assume-role
  • No AWS passwords, console login sharing, or long-term access keys

Coverage

Covers active commercial AWS regions by default.

The review discovers active commercial AWS regions when permissions allow it. GovCloud and China regions are excluded from this public v1 flow.

Trust Policy

Paste this into the role trust policy

Trusted scanner principal: arn:aws:iam::952481103459:role/finops-pack-static-fargate-TaskRole-AsKbgagFwWog

Hosted scans run from the ECS Fargate task role. The external ID shown here must exactly match the value you paste into the start form.

Suggested external ID: aws-savings-review-customer

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSavingsReviewWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::952481103459:role/finops-pack-static-fargate-TaskRole-AsKbgagFwWog"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "aws-savings-review-customer"
        }
      }
    }
  ]
}

Permissions Policy

Attach this read-only permissions policy

Access mode: Read-only

This grants read-only access to billing, inventory, and optimization signals without making changes in your account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAccountInventory",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeInstances",
        "ec2:DescribeNatGateways",
        "ec2:DescribeVolumes",
        "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition",
        "ecs:ListClusters",
        "ecs:ListServices",
        "lambda:ListFunctions",
        "cloudwatch:GetMetricStatistics",
        "organizations:ListAccounts",
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances",
        "s3:GetBucketLocation",
        "s3:GetLifecycleConfiguration",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReadCostAndOptimizationSignals",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostAndUsageWithResources",
        "cost-optimization-hub:GetRecommendation",
        "cost-optimization-hub:ListEnrollmentStatuses",
        "cost-optimization-hub:ListRecommendationSummaries",
        "cost-optimization-hub:ListRecommendations"
      ],
      "Resource": "*"
    }
  ]
}
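
Before creating the role, the two policy documents can be checked offline. The script below is an added example, not part of the original page or the service's own tooling: it confirms that a trust policy names only the scanner role with an exact external ID match, and lists any allowed action that is a wildcard or not a Describe/Get/List call. The function names, the READ_VERBS heuristic and the DRIFTED sample are assumptions made for illustration.

```python
READ_VERBS = ("Describe", "Get", "List")  # assumption: name prefixes treated as read-only

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust(policy, scanner_arn, external_id):
    """Return findings for a role trust policy; an empty list means it matches."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if arns != [scanner_arn]:
            findings.append(f"principal is {arns}, expected only the scanner role")
        if as_list(st.get("Action")) != ["sts:AssumeRole"]:
            findings.append("action is broader than sts:AssumeRole")
        # Only an exact StringEquals match counts; StringLike or a missing key fails.
        cond = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond != external_id:
            findings.append("sts:ExternalId is missing or differs from the submitted value")
    return findings

def audit_permissions(policy):
    """Return every allowed action that is a wildcard or not a Describe/Get/List call."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            findings.append(f"{st.get('Sid')}: NotAction allows everything not listed")
        for action in as_list(st.get("Action", [])):
            name = action.partition(":")[2]
            if "*" in action or not name.startswith(READ_VERBS):
                findings.append(f"{st.get('Sid')}: {action}")
    return findings

SCANNER = "arn:aws:iam::952481103459:role/finops-pack-static-fargate-TaskRole-AsKbgagFwWog"
TRUST = {"Version": "2012-10-17", "Statement": [{   # trust policy as given on this page
    "Sid": "AllowSavingsReviewWithExternalId", "Effect": "Allow",
    "Principal": {"AWS": SCANNER}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "aws-savings-review-customer"}}}]}
# Constructed sample: two actions from the page's policy plus one write action added.
DRIFTED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadAccountInventory", "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets", "s3:PutLifecycleConfiguration"]}]}

if __name__ == "__main__":
    print(audit_trust(TRUST, SCANNER, "aws-savings-review-customer"))
    print(audit_permissions(DRIFTED))
```

AWS's cross-account guidance treats the external ID as a value unique to each customer relationship, so pass the exact string you will submit in the start form as external_id rather than assuming the suggested one. The verb-prefix check is a heuristic for spotting write actions and does not judge how sensitive a given read action is.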