Overview
This guide walks you through the IAM permissions granted when running CloudFormation (CF) templates for Ripple.
Alphaus provides these CF templates to simplify the setup of Cost and Usage Reports (CUR) and to provide the API access and permissions required to accurately retrieve cost-related information such as Reserved Instances and Savings Plans.
Which Template Is Used
There are currently three active CF templates. The template that runs depends on the option selected in the Payer Account registration screen in Ripple:
Scenario | Template |
Registering a new Payer Account with Setup CloudFormation using default configurations selected | Template 3 (all permissions below) |
Updating a registered Payer Account — Allow API Access | Template 2 |
Updating a registered Payer Account — Verify CUR export settings | Template 3 |
Updating a registered Payer Account — Setup S3 bucket in a different region | Template 1 |
Template 1 — alphauscurexportbucket-v1.yml
Creates an S3 bucket for exporting CUR data.
Purpose: Required to export CUR to an S3 bucket
Target resource:
CurS3BucketName (the target S3 bucket)
s3:GetBucketAcl
s3:GetBucketPolicy
s3:PutObject
Template 2 — alphausdefaultcostaccess-v1.yml
Sets up an IAM role for Alphaus to access cost-related information in your account. Also includes permissions for other Ripple features.
Cost access permissions
Purpose: Retrieves cost and reservation-related data
Target resources: All
# Required to retrieve AWS Organizations information:
organizations:List*
organizations:Describe*
# Required to access cost-related information:
ec2:DescribeReservedInstances
ec2:GetCapacityReservationUsage
rds:DescribeReservedDBInstances
elasticache:DescribeReservedCacheNodes
es:DescribeReservedElasticsearchInstances
redshift:DescribeReservedNodes
savingsplans:DescribeSavingsPlan*
cur:Describe*
budgets:Describe*
ce:Describe*
ce:Get*
ce:List*
# Required to create Billing Groups from AWS Billing Conductor and configure proforma CUR:
billingconductor:List*
cur:PutReportDefinition
Note: The Organizations permissions are not yet in use. They are included in preparation for a planned future feature to sync AWS Organizations with Ripple Billing Groups.
Role update permissions
Purpose: Required to update the AlphausCostAccessRole created above in the future, in response to new Ripple features or AWS specification changes
Target resource:
AlphausCostAccessRole only
iam:GetRole*
iam:PutRolePolicy
CF stack update permissions
Purpose: When additional API access is required for new features, Ripple will request the necessary changes via the Ripple UI — updates are only applied upon your approval. This eliminates the need to manually update the CF stack in the AWS Console
Target resource:
AlphausCostAccess stack (this stack)
cloudformation:DescribeStack*
cloudformation:UpdateStack*
Template 3 — alphauscurexportdef-v1.yml
Includes all permissions from Template 2, plus CUR export configuration.
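To confirm that a role deployed by Template 2 or Template 3 grants no more than the actions listed above, a policy document exported from IAM can be compared against that list. The Python script below is an added example, not Alphaus's code; the ARN fragments used to test scoping and the sample policy are assumptions constructed for illustration.

```python
import fnmatch

# Template 2 actions listed on this page that apply to all resources.
ANY_RESOURCE = [
    "organizations:List*", "organizations:Describe*",
    "ec2:DescribeReservedInstances", "ec2:GetCapacityReservationUsage",
    "rds:DescribeReservedDBInstances", "elasticache:DescribeReservedCacheNodes",
    "es:DescribeReservedElasticsearchInstances", "redshift:DescribeReservedNodes",
    "savingsplans:DescribeSavingsPlan*", "cur:Describe*", "budgets:Describe*",
    "ce:Describe*", "ce:Get*", "ce:List*",
    "billingconductor:List*", "cur:PutReportDefinition",
]
# Actions the page scopes to one role or stack; the ARN fragments are assumed.
ROLE, STACK = "role/AlphausCostAccessRole", "stack/AlphausCostAccess"
SCOPED = {"iam:GetRole*": ROLE, "iam:PutRolePolicy": ROLE,
          "cloudformation:DescribeStack*": STACK, "cloudformation:UpdateStack*": STACK}

def as_list(value):
    return value if isinstance(value, list) else [value]

def match(action, patterns):
    # A granted wildcard must equal a documented pattern exactly (conservative).
    a = action.lower()
    for p in patterns:
        if a == p.lower() or ("*" not in a and fnmatch.fnmatchcase(a, p.lower())):
            return p
    return None

def audit(policy):
    """Return (issue, action) pairs for Allow statements that exceed the page."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", "*"))
        for action in as_list(stmt.get("Action", [])):
            scoped = match(action, SCOPED)
            if scoped and not all(SCOPED[scoped] in r for r in resources):
                findings.append(("unscoped", action))
            elif not scoped and not match(action, ANY_RESOURCE):
                findings.append(("undocumented", action))
    return findings

# Constructed sample policy (not Alphaus's actual template output).
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ce:GetCostAndUsage", "ce:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudformation:UpdateStack",
     "Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/AlphausCostAccess/*"},
]}
print(audit(SAMPLE))
```

An empty result means every allowed action is on the documented list and the IAM and CloudFormation actions are limited to the named role and stack.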
Need More Help?
If any errors occur during the process or if you have any questions, please reach out to us:
📧 Email: ripple_cs@alphaus.cloud
💬 Live Chat: Available in the bottom-right corner of your dashboard
📖 Help Center: https://help.alphaus.cloud/
