
AWS Role Deployment and Permissions


Last updated 9 days ago

Role Permissions

Pump only takes permissions at a billing level, so customers retain full control of their accounts and cloud services.

Pump operates through two types of roles: Read-only and Auto-pilot.

Read Only Role

This role is used during the initial onboarding step (Step 1). It requires read-only permissions to access up to one year of historical billing data (via Cost Explorer) and your AWS infrastructure metadata (for example, which Redshift clusters you run and whether they are already covered by reserved instances). After ingesting this data, Pump's billing engine calculates the optimal savings. Once a user is fully onboarded, the read-only role is used again to display costs and savings on the Pump dashboard, so users can monitor their current spending and the savings Pump has achieved.

The specific permissions associated with the Read-only role can be found in the Read-only Role JSON dropdown below.

{
  "Parameters": {
    "PumpID": {
      "Description": "The Pump customer ID that syncs your account. Please don't change or share this.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpExternalID": {
      "Description": "The Pump external ID that authenticates your account. Please don't change or share this.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpIamRole": {
      "Description": "The Pump IAM role that has permission to your account.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpPingbackArn": {
      "Description": "The arn used to communicate back to Pump.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpRoleType": {
      "Description": "The type of the role Pump is creating.",
      "MinLength": "1",
      "Type": "String"
    },
    "AccountState": {
      "Description": "The current state of the account.",
      "MinLength": "0",
      "Type": "String"
    }
  },
  "Resources": {
    "CrossAccountRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Ref": "PumpIamRole"
                }
              },
              "Action": [
                "sts:AssumeRole"
              ],
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": {
                    "Ref": "PumpExternalID"
                  }
                }
              }
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "PumpBillingReadOnly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "account:GetContactInformation",
                    "account:ListRegions",
                    "athena:GetCapacityAssignmentConfiguration",
                    "athena:GetCapacityReservation",
                    "athena:ListCapacityReservations",
                    "athena:ListTableMetadata",
                    "bedrock:GetProvisionedModelThroughput",
                    "bedrock:ListProvisionedModelThroughputs",
                    "ce:*",
                    "cur:*",
                    "organizations:Describe*",
                    "organizations:List*",
                    "iam:GetPolicyVersion",
                    "iam:ListPolicies",
                    "freetier:GetFreeTierUsage",
                    "pricing:DescribeServices",
                    "pricing:GetAttributeValues",
                    "pricing:GetProducts",
                    "pricing:ListPriceLists",
                    "savingsplans:Describe*",
                    "servicequotas:Get*",
                    "servicequotas:List*",
                    "taxsettings:Get*",
                    "taxsettings:List*",
                    "ec2:DescribeInstances",
                    "ec2:DescribeReservedInstances",
                    "ec2:DescribeReservedInstancesListings",
                    "ec2:DescribeReservedInstancesModifications",
                    "ec2:DescribeReservedInstancesOfferings",
                    "ec2:GetCapacityReservationUsage",
                    "ec2:GetReservedInstancesExchangeQuote",
                    "redshift:DescribeReservedNodeOfferings",
                    "redshift:DescribeReservedNodes",
                    "redshift:DescribeClusters",
                    "redshift:DescribeReservedNodeExchangeStatus",
                    "redshift:GetReservedNodeExchangeConfigurationOptions",
                    "redshift:GetReservedNodeExchangeOfferings",
                    "rds:DescribeReservedDBInstances",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBClusters",
                    "rds:DescribeReservedDBInstancesOfferings",
                    "elasticache:DescribeReservedCacheNodesOfferings",
                    "elasticache:DescribeServerlessCaches",
                    "elasticache:DescribeReservedCacheNodes",
                    "elasticache:DescribeCacheClusters",
                    "es:DescribeDomainNodes",
                    "es:DescribeReservedElasticsearchInstanceOfferings",
                    "es:DescribeReservedElasticsearchInstances",
                    "es:DescribeReservedInstanceOfferings",
                    "es:DescribeElasticsearchDomain",
                    "es:DescribeDomains",
                    "es:DescribeDomain",
                    "es:DescribeElasticsearchDomains",
                    "es:DescribeReservedInstances",
                    "medialive:ListReservations",
                    "medialive:DescribeReservation",
                    "medialive:ListClusters",
                    "medialive:DescribeCluster",
                    "medialive:DescribeNode",
                    "medialive:ListOfferings",
                    "medialive:DescribeOffering",
                    "medialive:ListNodes",
                    "memorydb:DescribeReservedNodesOfferings",
                    "memorydb:DescribeClusters",
                    "memorydb:DescribeReservedNodes",
                    "dynamodb:DescribeReservedCapacityOfferings",
                    "dynamodb:DescribeReservedCapacity"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
                }
              ]
            }
          }
        ]
      }
    },
    "PumpPingResource": {
      "Type": "Custom::PumpPingResource",
      "DeletionPolicy": "Retain",
      "Version": "1.0",
      "Properties": {
        "ServiceToken": {
          "Ref": "PumpPingbackArn"
        },
        "RoleArn": {
          "Fn::GetAtt": [
            "CrossAccountRole",
            "Arn"
          ]
        },
        "PumpID": {
          "Ref": "PumpID"
        },
        "ExternalID": {
          "Ref": "PumpExternalID"
        },
        "AccountID": {
          "Ref": "AWS::AccountId"
        },
        "RoleType": {
          "Ref": "PumpRoleType"
        },
        "AccountState": {
          "Ref": "AccountState"
        }
      }
    }
  },
  "Outputs": {
    "RoleArn": {
      "Value": {
        "Fn::GetAtt": [
          "CrossAccountRole",
          "Arn"
        ]
      },
      "Description": "The ARN value of the Cross-Account Role with IAM read-only permissions. Add this ARN value to Pump."
    }
  }
}

Auto-pilot Role

The specific permissions associated with the Auto-pilot role can be found in the Auto-pilot Role JSON dropdown below.

{
  "Parameters": {
    "PumpID": {
      "Description": "The Pump customer ID that syncs your account. Please don't change or share this.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpExternalID": {
      "Description": "The Pump external ID that authenticates your account. Please don't change or share this.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpIamRole": {
      "Description": "The Pump IAM role that has permission to your account.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpPingbackArn": {
      "Description": "The arn used to communicate back to Pump.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpRoleType": {
      "Description": "The type of the role Pump is creating.",
      "MinLength": "1",
      "Type": "String"
    },
    "AccountState": {
      "Description": "The current state of the account.",
      "MinLength": "0",
      "Type": "String"
    }
  },
  "Resources" : {
    "CrossAccountRole" : {
      "Type" : "AWS::IAM::Role",
      "Properties" : {
        "AssumeRolePolicyDocument" : {
          "Statement" : [{
            "Effect" : "Allow",
            "Principal" : {
              "AWS" : {"Ref": "PumpIamRole"}
            },
            "Action" : [
              "sts:AssumeRole"
            ],
            "Condition" : {
              "StringEquals" : {
                "sts:ExternalId" : {"Ref": "PumpExternalID"}
              }
            }
          }]
        },
        "Path": "/",
        "Policies" : [
          {
            "PolicyName": "PumpOrgInvite",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "organizations:Describe*",
                    "organizations:List*",
                    "organizations:AcceptHandshake",
                    "iam:CreateServiceLinkedRole"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
                }
              ]
            }
          },
          {
            "PolicyName": "PumpReadOnly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "account:GetContactInformation",
                    "account:ListRegions",
                    "athena:GetCapacityAssignmentConfiguration",
                    "athena:GetCapacityReservation",
                    "athena:ListCapacityReservations",
                    "athena:ListTableMetadata",
                    "bedrock:GetProvisionedModelThroughput",
                    "bedrock:ListProvisionedModelThroughputs",
                    "ce:*",
                    "cur:*",
                    "organizations:Describe*",
                    "organizations:List*",
                    "iam:GetPolicyVersion",
                    "iam:ListPolicies",
                    "freetier:GetFreeTierUsage",
                    "pricing:DescribeServices",
                    "pricing:GetAttributeValues",
                    "pricing:GetProducts",
                    "pricing:ListPriceLists",
                    "savingsplans:Describe*",
                    "servicequotas:Get*",
                    "servicequotas:List*",
                    "taxsettings:Get*",
                    "taxsettings:List*",
                    "ec2:DescribeInstances",
                    "ec2:DescribeReservedInstances",
                    "ec2:DescribeReservedInstancesListings",
                    "ec2:DescribeReservedInstancesModifications",
                    "ec2:DescribeReservedInstancesOfferings",
                    "ec2:GetCapacityReservationUsage",
                    "ec2:GetReservedInstancesExchangeQuote",
                    "redshift:DescribeReservedNodeOfferings",
                    "redshift:DescribeReservedNodes",
                    "redshift:DescribeClusters",
                    "redshift:DescribeReservedNodeExchangeStatus",
                    "redshift:GetReservedNodeExchangeConfigurationOptions",
                    "redshift:GetReservedNodeExchangeOfferings",
                    "rds:DescribeReservedDBInstances",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBClusters",
                    "rds:DescribeReservedDBInstancesOfferings",
                    "elasticache:DescribeReservedCacheNodesOfferings",
                    "elasticache:DescribeServerlessCaches",
                    "elasticache:DescribeReservedCacheNodes",
                    "elasticache:DescribeCacheClusters",
                    "es:DescribeDomainNodes",
                    "es:DescribeReservedElasticsearchInstanceOfferings",
                    "es:DescribeReservedElasticsearchInstances",
                    "es:DescribeReservedInstanceOfferings",
                    "es:DescribeElasticsearchDomain",
                    "es:DescribeDomains",
                    "es:DescribeDomain",
                    "es:DescribeElasticsearchDomains",
                    "es:DescribeReservedInstances",
                    "medialive:ListReservations",
                    "medialive:DescribeReservation",
                    "medialive:ListClusters",
                    "medialive:DescribeCluster",
                    "medialive:DescribeNode",
                    "medialive:ListOfferings",
                    "medialive:DescribeOffering",
                    "medialive:ListNodes",
                    "memorydb:DescribeReservedNodesOfferings",
                    "memorydb:DescribeClusters",
                    "memorydb:DescribeReservedNodes",
                    "dynamodb:DescribeReservedCapacityOfferings",
                    "dynamodb:DescribeReservedCapacity"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
                }
              ]
            }
          },
          {
            "PolicyName": "PumpAutoPilot",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "athena:CancelCapacityReservation",
                    "athena:CreateCapacityReservation",
                    "athena:DeleteCapacityReservation",
                    "athena:PutCapacityAssignmentConfiguration",
                    "athena:UpdateCapacityReservation",
                    "bedrock:CreateProvisionedModelThroughput",
                    "bedrock:DeleteProvisionedModelThroughput",
                    "bedrock:UpdateProvisionedModelThroughput",
                    "cloudfront:CreateSavingsPlan",
                    "cloudfront:UpdateSavingsPlan",
                    "dynamodb:PurchaseReservedCapacityOfferings",
                    "ec2:AcceptReservedInstancesExchangeQuote",
                    "ec2:CancelReservedInstancesListing",
                    "ec2:CreateReservedInstancesListing",
                    "ec2:DeleteQueuedReservedInstances",
                    "ec2:ModifyReservedInstances",
                    "ec2:PurchaseHostReservation",
                    "ec2:PurchaseReservedInstancesOffering",
                    "ec2:CreateTags",
                    "elasticache:PurchaseReservedCacheNodesOffering",
                    "es:PurchaseReservedInstanceOffering",
                    "es:PurchaseReservedElasticsearchInstanceOffering",
                    "medialive:PurchaseOffering",
                    "rds:PurchaseReservedDbInstancesOffering",
                    "redshift:AcceptReservedNodeExchange",
                    "redshift:PurchaseReservedNodeOffering",
                    "savingsplans:*",
                    "servicequotas:RequestServiceQuotaIncrease",
                    "support:*",
                    "budgets:Describe*",
                    "budgets:View*",
                    "budgets:List*",
                    "autoscaling:Describe*",
                    "autoscaling:GetPredictiveScalingForecast",
                    "application-autoscaling:Describe*",
                    "application-autoscaling:GetPredictiveScalingForecast",
                    "application-autoscaling:ListTagsForResource",
                    "autoscaling-plans:GetScalingPlanResourceForecastData",
                    "autoscaling-plans:DescribeScalingPlans",
                    "autoscaling-plans:DescribeScalingPlanResources",
                    "memorydb:PurchaseReservedNodesOffering",
                    "memorydb:TagResource"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
                }
              ]
            }
          }
        ]
      }
    },
    "PumpPingResource" : {
      "Type" : "Custom::PumpPingResource",
      "DeletionPolicy" : "Retain",
      "Version" : "1.0",
      "Properties" : {
        "ServiceToken" : {
          "Ref": "PumpPingbackArn"
        },
        "RoleArn" : {
          "Fn::GetAtt": [ "CrossAccountRole", "Arn" ]
        },
        "PumpID" : {
          "Ref": "PumpID"
        },
        "ExternalID": {
          "Ref": "PumpExternalID"
        },
        "AccountID": {
          "Ref": "AWS::AccountId"
        },
        "RoleType": {
          "Ref": "PumpRoleType"
        },
        "AccountState": {
          "Ref": "AccountState"
        }
      }
    }
  },
  "Outputs" : {
    "RoleArn" : {
      "Value" : {"Fn::GetAtt": [ "CrossAccountRole", "Arn" ]},
      "Description" : "The ARN value of the Cross-Account Role with IAM read-only permissions. Add this ARN value to Pump."
    }
  }
}

Role Deployment

Users only need to click the quick-create link and then click "deploy" to have the role deployed to their AWS account. The CFN templates are stored publicly, allowing users to review them before agreeing to the deployment. These can be viewed in the section above.
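Because the templates are public, a customer can review them before clicking deploy. The following Python audit is an added example (not Pump's code): it checks that the trust policy pins a single principal, requires sts:ExternalId and allows only sts:AssumeRole, and lists the actions in each inline policy that are not read-only (service-wide wildcards such as ce:* are reported as not provably read-only). The embedded template is a constructed, abbreviated stand-in for the Auto-pilot template shown above.

```python
import json

# Constructed, abbreviated stand-in for Pump's Auto-pilot template: only the
# fields the audit reads are kept, so it is not a copy of the published file.
SAMPLE_TEMPLATE = json.loads(r'''{
  "Resources": {"CrossAccountRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{
      "Effect": "Allow",
      "Principal": {"AWS": {"Ref": "PumpIamRole"}},
      "Action": ["sts:AssumeRole"],
      "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "PumpExternalID"}}}}]},
    "Policies": [
      {"PolicyName": "PumpReadOnly", "PolicyDocument": {"Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": ["ce:*", "ec2:DescribeReservedInstances", "organizations:List*"]}]}},
      {"PolicyName": "PumpAutoPilot", "PolicyDocument": {"Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": ["ec2:PurchaseReservedInstancesOffering", "savingsplans:*", "support:*"]}]}}
    ]}}}}''')

READ_PREFIXES = ("Describe", "Get", "List", "View")

def as_list(value):
    """IAM allows a single string or a list for Action/Principal fields."""
    return value if isinstance(value, list) else [value]

def trust_policy_findings(role_props):
    """Problems with who may assume the role; an empty list means it matches the page's shape."""
    findings = []
    for stmt in role_props["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {}).get("AWS")
        if principal is None or "*" in as_list(principal):
            findings.append("principal is not pinned to one AWS principal")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition (confused-deputy protection missing)")
        if set(as_list(stmt.get("Action", []))) - {"sts:AssumeRole"}:
            findings.append("trust policy allows actions beyond sts:AssumeRole")
    return findings

def is_read_only(action):
    """Treat Describe/Get/List/View verbs as read-only; a service-wide '*' is not provably read-only."""
    _service, _, verb = action.partition(":")
    return verb not in ("", "*") and verb.startswith(READ_PREFIXES)

def mutating_actions(role_props):
    """Map each inline policy name to the sorted actions that are not read-only."""
    out = {}
    for policy in role_props.get("Policies", []):
        acts = set()
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") == "Allow":
                acts.update(a for a in as_list(stmt["Action"]) if not is_read_only(a))
        out[policy["PolicyName"]] = sorted(acts)
    return out

def audit(template):
    """Audit the CrossAccountRole resource of a Pump-style template (parsed JSON)."""
    role = template["Resources"]["CrossAccountRole"]["Properties"]
    return {"trust": trust_policy_findings(role), "mutating": mutating_actions(role)}
```

Run `audit(json.load(open("template.json")))` against the downloaded template to get the same report for the real file.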

Viewing, Deleting, and Redeploying Roles

Pump gains billing-level access to your accounts through IAM roles. You can view any active role in the IAM console on the AWS platform.

Roles can also be deleted at any time from the IAM console. Deleting a role will not affect the status of your workloads or interrupt access to cloud resources. However, deleting or editing roles will cause Pump to lose visibility on your cloud usage and interrupt your savings services.

In the event that you accidentally delete our role or need to deploy an additional role, role deployments can be done through our platform for existing customers. To deploy a role from our platform, begin by navigating to Settings > Integrations. Click the three dots next to the account you wish to deploy a role to, and select which role you wish to deploy.

During deployment, after role creation, a list of properties is sent to Pump's management account:

  • Pump ID

  • Cross-account role ARN

  • Pump external ID

  • User's account ID

  • Role type (read-only or auto-pilot)

Additional Info

The Auto-pilot role is employed after the final onboarding step. It includes all the permissions of the read-only role, plus additional read-only permissions for collecting service usage metadata, such as compute instance metadata. Note that Pump does not collect application data or user data; only usage metadata is collected. In addition to gathering usage metadata, the auto-pilot role also requires permission to buy and sell reserved instances and savings plans. Pump's AI algorithms process the usage metadata and manage cost commitments on behalf of users.

Pump automates cross-account role deployment using AWS CloudFormation (CFN) and, more specifically, quick-create links. These links let Pump pass a CFN template along with user-specific parameters, such as the cross-account role, external ID, Pump ID, and more.

If CloudFormation deployments do not work for your infrastructure, we also offer deployments via Terraform. Please contact our support team for more information at support@pump.co.
