In order to scan your AWS account, you need to provide an Access Key and a Secret Access Key with the correct permissions.
We recommend creating a separate user, and only assigning the fewest permissions needed.
These instructions assume that you have already downloaded and configured the AWS v2 CLI.
aws iam create-user --user-name cloudcosts.net
This user will not have a password, and will not be able to log in to the console.
aws iam attach-user-policy --user-name cloudcosts.net --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
This uses a built-in policy from AWS. You can of course provide your own custom policy (see below).
aws iam create-access-key --user-name cloudcosts.net
This will display the Access Key ID and give you the only chance to view the Secret Access Key. These are the credentials that you need to provide to cloudcosts.net. Keep them safe.
Remember - these credentials only allow access to a single AWS account. If you have multiple accounts, you will have to repeat these steps for each one.
aws iam detach-user-policy --user-name cloudcosts.net --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
aws iam list-access-keys --user-name cloudcosts.net
aws iam delete-access-key --user-name cloudcosts.net --access-key-id AKIA<YOUR_ACCESS_KEY_ID>
aws iam delete-user --user-name cloudcosts.net
Go to the AWS IAM console.
This will display the Access Key ID and give you the only chance to view the Secret Access Key. These are the credentials that you need to provide to cloudcosts.net. Keep them safe.
Here is a minimal policy
We only make read-only calls. You can use CloudTrail to verify this.
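One way to run that CloudTrail check, as an added example that is not cloudcosts.net's own code: the script reads the JSON printed by `aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=cloudcosts.net` and lists every call by that user that CloudTrail does not mark as read-only. The sample events are constructed, and the function names are hypothetical.

```python
import json
import sys

USER = "cloudcosts.net"  # IAM user name created in the steps above

def ev(name, source, user, read_only=None, **raw):
    """Build one constructed event in the shape lookup-events returns."""
    e = {"EventName": name, "EventSource": source, "Username": user,
         "CloudTrailEvent": json.dumps(raw)}  # raw record is a JSON string
    if read_only is not None:
        e["ReadOnly"] = read_only             # lookup-events gives a string
    return e

# Constructed sample, not real account data.
SAMPLE = {"Events": [
    ev("DescribeInstances", "ec2.amazonaws.com", USER, "true"),
    ev("ListBuckets", "s3.amazonaws.com", USER, readOnly=True),
    ev("RunInstances", "ec2.amazonaws.com", USER, "false",
       errorCode="Client.UnauthorizedOperation"),
    ev("CreateUser", "iam.amazonaws.com", "admin", "false"),
    ev("CreateAccessKey", "iam.amazonaws.com", USER),
]}

def is_read_only(event):
    """True only when CloudTrail positively marks the call as read-only."""
    flag = event.get("ReadOnly")
    if flag is None:
        # Fall back to the readOnly field of the embedded raw record.
        flag = json.loads(event.get("CloudTrailEvent") or "{}").get("readOnly")
    return str(flag).lower() == "true"

def write_calls(lookup_output, username=USER):
    """Return (source, name, errorCode) for calls not marked read-only."""
    findings = []
    for event in lookup_output.get("Events", []):
        if event.get("Username") != username or is_read_only(event):
            continue
        raw = json.loads(event.get("CloudTrailEvent") or "{}")
        findings.append((event.get("EventSource"), event.get("EventName"),
                         raw.get("errorCode")))
    return findings

if __name__ == "__main__":
    # Pipe real lookup-events output in; with no pipe the sample is used.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for source, name, error in write_calls(data):
        print(f"NOT read-only: {source} {name} (errorCode={error})")
```

`lookup-events` only returns management events from the last 90 days for one region per call, so repeat the lookup for each region in use.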