Cross Account Role
Pump accesses your AWS account via a cross-account role. In line with AWS IAM policy best practices, Pump requests only the . This means we limit the actions we can take and the resources to which those actions can be applied.
We further enhance security by dividing permissions into two separate roles: the read-only role and the auto-pilot role.
The read-only role is used during the initial . It requires read-only permissions to access up to one year of historical billing data (via Cost Explorer) and your AWS infrastructure metadata (such as the Redshift cluster you are using and whether it is already covered by reserved instances). After ingesting this data, Pump's billing engine calculates optimal savings. Once a user is fully onboarded, the read-only role is used again to display cost and savings on the Pump dashboard, helping users monitor their current spending and the savings achieved by Pump.
The auto-pilot role is employed after the. It includes all the permissions from the read-only role, as well as additional read-only permissions for collecting service usage metadata, such as compute instance metadata (see the full list of permissions). Note that Pump does not collect application data or user data—only usage metadata is collected. In addition to gathering usage metadata, the auto-pilot role also requires permission to buy and sell reserved instances and savings plans. Pump's AI algorithms process the usage metadata and manage cost commitments on behalf of users.
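A customer-side check of the two-role split described above, added here as an example; it is not Pump's code or Pump's published permission list. The sample policies, the helper names and the set of commitment actions are assumptions constructed for illustration, and the check covers actions only, not the `Resource` scope.

```python
# Added example: review two role policies against the documented split.
# Assumption: the action set and sample policies are constructed for
# illustration; compare against the vendor's real permission list in practice.
READ_VERBS = ("get", "list", "describe")
COMMITMENT_ACTIONS = {  # buying/selling reserved instances and savings plans
    "ec2:purchasereservedinstancesoffering",
    "ec2:createreservedinstanceslisting",
    "ec2:cancelreservedinstanceslisting",
    "savingsplans:createsavingsplan",
}

def _listify(value):
    # IAM allows a single string/object where a list is also valid.
    return [value] if isinstance(value, (str, dict)) else list(value)

def non_read_actions(policy):
    """Allowed actions that are not Get*/List*/Describe* (ec2:* and * count)."""
    found = set()
    for stmt in _listify(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except a list: always review
            found.add("NotAction")
        for action in _listify(stmt.get("Action", [])):
            name = action.partition(":")[2].lower()  # IAM actions are case-insensitive
            if not name.startswith(READ_VERBS):
                found.add(action)
    return found

def audit(read_only_policy, autopilot_policy):
    """Return (role, action) pairs that fall outside the documented split."""
    findings = [("read-only", a) for a in sorted(non_read_actions(read_only_policy))]
    extra = {a for a in non_read_actions(autopilot_policy)
             if a.lower() not in COMMITMENT_ACTIONS}
    return findings + [("auto-pilot", a) for a in sorted(extra)]

def _policy(*actions):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}

# Constructed sample policies (not taken from any vendor).
SAMPLE_READ_ONLY = _policy("ce:GetCostAndUsage", "redshift:DescribeClusters",
                           "redshift:DescribeReservedNodes")
SAMPLE_AUTOPILOT = _policy("ce:Get*", "ec2:DescribeInstances",
                           "ec2:PurchaseReservedInstancesOffering",
                           "savingsplans:CreateSavingsPlan")
SAMPLE_DRIFTED = _policy("ce:GetCostAndUsage", "ec2:*", "iam:PassRole")

if __name__ == "__main__":
    print(audit(SAMPLE_READ_ONLY, SAMPLE_AUTOPILOT))
    print(audit(SAMPLE_DRIFTED, SAMPLE_AUTOPILOT))
```

A read-style verb does not by itself mean metadata only (some `Get*` actions return stored data), so the reported list is a starting point for review rather than a pass/fail verdict.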
Please contact our support team for more information.