Cross Account Role

Pump accesses your AWS account via a cross-account role. In line with AWS IAM policy best practices, Pump requests only the least-privilege permissions. This means we limit the actions we can take and the resources to which those actions can be applied.

We further enhance security by dividing permissions into two separate roles: the read-only role and the auto-pilot role.
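The cross-account role itself is only as safe as its trust policy: the statement that says who may call `sts:AssumeRole` on it. The following is an added example (not Pump's configuration and not taken from this page) that builds a trust policy restricted to a single external account and a shared external ID, and a checker that reports the weaknesses a reviewer would look for. The vendor account ID and external ID are placeholders; the real values come from the vendor's onboarding flow.

```python
"""Trust policy for a vendor's cross-account role, plus a checker for the
settings that keep it safe.

Added example, not Pump's own configuration. VENDOR_ACCOUNT_ID and
EXTERNAL_ID are placeholders (assumptions), not values from this page.
"""
import json

VENDOR_ACCOUNT_ID = "111111111111"    # placeholder vendor (Pump) account ID
EXTERNAL_ID = "example-external-id"   # placeholder; use the value the vendor issues


def trust_policy(vendor_account_id: str, external_id: str) -> dict:
    """Trust policy that lets exactly one external account assume the role,
    and only when it presents the agreed external ID (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict) -> list:
    """Return findings for an assume-role trust policy.

    Each Allow statement is checked for a wildcard principal, an action
    broader than sts:AssumeRole, and a missing sts:ExternalId condition.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = aws if isinstance(aws, list) else [aws]
        if any(p == "*" for p in principals):
            findings.append(f"statement {idx}: wildcard principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() != "sts:assumerole" for a in actions):
            findings.append(f"statement {idx}: action other than sts:AssumeRole")
        condition = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in keys
            for keys in condition.values()
            if isinstance(keys, dict)
        )
        if not has_external_id:
            findings.append(f"statement {idx}: no sts:ExternalId condition")
    return findings


# Constructed weak policy for comparison: any principal, no external ID.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    good = trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("good policy findings:", check_trust_policy(good))
    print("weak policy findings:", check_trust_policy(WEAK_TRUST_POLICY))
```

The external ID condition is what stops a third party who knows your role ARN from getting the vendor to assume the role on their behalf; pair it with CloudTrail monitoring of `AssumeRole` events on the role so that every use by the vendor account is visible.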

Read-only role -

This role is used during the initial onboarding step (Step 1). It requires only read-only permissions (the full policy is shown below) to access up to one year of historical billing data via Cost Explorer and your AWS infrastructure metadata (for example, which Redshift cluster you are using and whether it is already covered by reserved instances). After ingesting this data, Pump's billing engine calculates the optimal savings. Once a user is fully onboarded, the read-only role is used again to display cost and savings on the Pump dashboard, so users can monitor their current spending and the savings Pump has achieved.

[
  {
    "PolicyName": "PumpBillingReadOnly",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "budgets:Describe*",
            "budgets:View*",
            "ce:Get*",
            "ce:Describe*",
            "ce:List*",
            "cur:Describe*",
            "pricing:DescribeServices",
            "pricing:GetAttributeValues",
            "pricing:GetProducts",
            "organizations:Describe*",
            "organizations:List*",
            "savingsplans:Describe*",
            "rds:Describe*",
            "rds:List*",
            "elasticache:List*",
            "elasticache:Describe*",
            "redshift:Describe*",
            "es:Describe*",
            "es:List*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  }
]

Auto-pilot role -

This role is used after the final onboarding step. It includes all the permissions of the read-only role plus additional read-only permissions for collecting service usage metadata, such as compute instance metadata (the full policies are shown below). Note that Pump does not collect application data or user data; only usage metadata is collected. In addition to gathering usage metadata, the auto-pilot role requires permission to buy and sell reserved instances and savings plans. Pump's AI algorithms process the usage metadata and manage cost commitments on behalf of users.

[
  {
    "PolicyName": "PumpOrgInvite",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "organizations:Describe*",
            "organizations:List*",
            "organizations:AcceptHandshake",
            "iam:CreateServiceLinkedRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  },
  {
    "PolicyName": "PumpReadOnly",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "budgets:Describe*",
            "budgets:View*",
            "ce:*",
            "ec2:Describe*",
            "ec2:GetCapacityReservationUsage",
            "ec2:GetReservedInstancesExchangeQuote",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "ecs:Describe*",
            "ecs:List*",
            "eks:Describe*",
            "eks:List*",
            "pricing:DescribeServices",
            "pricing:GetAttributeValues",
            "pricing:GetProducts",
            "servicequotas:Get*",
            "servicequotas:List*",
            "application-autoscaling:Describe*",
            "autoscaling:Describe*",
            "aws-portal:ViewBilling",
            "aws-portal:ViewUsage",
            "consolidatedbilling:List*",
            "consolidatedbilling:Get*",
            "rds:Describe*",
            "rds:List*",
            "elasticache:List*",
            "elasticache:Describe*",
            "redshift:Describe*",
            "redshift:GetReservedNodeExchangeConfigurationOptions",
            "redshift:GetReservedNodeExchangeOfferings",
            "es:Describe*",
            "es:List*",
            "tag:Get*",
            "transfer:Describe*",
            "transfer:List*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  },
  {
    "PolicyName": "PumpAutoPilot",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:CreateTags",
            "ec2:AcceptReservedInstancesExchangeQuote",
            "ec2:CancelReservedInstancesListing",
            "ec2:CreateReservedInstancesListing",
            "ec2:DeleteQueuedReservedInstances",
            "ec2:PurchaseHostReservation",
            "ec2:PurchaseReservedInstancesOffering",
            "ec2:ModifyReservedInstances",
            "savingsplans:*",
            "rds:PurchaseReservedDbInstancesOffering",
            "elasticache:PurchaseReservedCacheNodesOffering",
            "redshift:PurchaseReservedNodeOffering",
            "redshift:AcceptReservedNodeExchange",
            "es:PurchaseReservedInstanceOffering",
            "servicequotas:RequestServiceQuotaIncrease",
            "support:*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  }
]
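Before attaching either role, it is worth checking the action lists above rather than taking the read-only label on trust. The following is an added example (not Pump's tooling) that sorts the actions in a policy into read-only, mutating, and service-wildcard buckets and notes any statement whose Resource is `*`. The policies embedded in it are abbreviated excerpts of the documents above, constructed as sample input. Classification is a verb-prefix heuristic (Describe, Get, List and View count as read); the AWS Service Authorization Reference is the authoritative source for an action's access level.

```python
"""Audit IAM policy action lists: read-only vs. mutating vs. service wildcard.

Added example, not Pump's code. POLICIES below are abbreviated excerpts of
the policy documents on this page, constructed here as sample input.
"""
READ_VERB_PREFIXES = ("Describe", "Get", "List", "View")


def classify_action(action: str) -> str:
    """Return 'read', 'write' or 'wildcard' for one IAM action string."""
    service, _, verb = action.partition(":")
    if service == "*" or verb == "*":
        return "wildcard"      # e.g. "ce:*" also grants that service's write actions
    if verb.startswith(READ_VERB_PREFIXES):
        return "read"
    return "write"


def audit_policy(policy: dict) -> dict:
    """Bucket every action in the policy's Allow statements and record
    whether any statement uses Resource "*"."""
    result = {"read": [], "write": [], "wildcard": [], "resource_star": False}
    statements = policy["PolicyDocument"]["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            result[classify_action(action)].append(action)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            result["resource_star"] = True
    return result


def is_read_only(policy: dict) -> bool:
    """True only if no Allow statement grants a write or wildcard action."""
    audit = audit_policy(policy)
    return not audit["write"] and not audit["wildcard"]


def make_policy(name: str, actions: list) -> dict:
    """Wrap an action list in the single-statement shape used on this page."""
    return {
        "PolicyName": name,
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": actions, "Resource": "*", "Effect": "Allow"}],
        },
    }


# Abbreviated excerpts of the page's policies (constructed sample input).
POLICIES = [
    make_policy("PumpBillingReadOnly",
                ["budgets:Describe*", "ce:Get*", "ce:List*", "pricing:GetProducts", "redshift:Describe*"]),
    make_policy("PumpOrgInvite",
                ["organizations:List*", "organizations:AcceptHandshake", "iam:CreateServiceLinkedRole"]),
    make_policy("PumpReadOnly",
                ["ce:*", "ec2:Describe*", "aws-portal:ViewBilling", "tag:Get*"]),
    make_policy("PumpAutoPilot",
                ["ec2:CreateTags", "ec2:PurchaseReservedInstancesOffering", "savingsplans:*", "support:*"]),
]


def audit_all(policies: list) -> dict:
    """Audit results keyed by policy name."""
    return {p["PolicyName"]: audit_policy(p) for p in policies}


if __name__ == "__main__":
    for name, a in audit_all(POLICIES).items():
        print(f"{name}: read={len(a['read'])} write={a['write']} "
              f"wildcard={a['wildcard']} resource_star={a['resource_star']}")
```

Run against the excerpts, the checker confirms PumpBillingReadOnly is read-only, but flags `ce:*` in the auto-pilot set's PumpReadOnly policy: a service wildcard covers Cost Explorer's write actions as well as its reads, so that policy is broader than its name suggests. It likewise lists the purchase, exchange and tagging actions in PumpAutoPilot and the `savingsplans:*` and `support:*` wildcards, which is the set to review when deciding whether the auto-pilot role matches the commitments you expect Pump to manage.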

Please contact our support team at support@pump.co for more information.
