IAM Permissions & Deployment Strategy

To enable Tide’s ML-powered FinOps automation, our application requires specific IAM permissions to access your AWS spending data. These permissions are designed to grant only the minimum access necessary for operation, so that your sensitive information remains secure.

Tide Will NOT:

  • Access sensitive data or personal information

  • Modify or view your network configurations

  • Create, modify, start, stop, or pause any instances or machines

  • Access, alter, or duplicate any development, test, or production data

Below is an overview of Tide’s baseline IAM permissions, which are required for the basic functionality of our application and management system and for the cost-saving features they optimize. Some advanced products may require additional permissions; please refer to the respective product documentation for specifics.

Important Advisory: We’ve observed that some third-party services tend to grant themselves extensive permissions, which can pose security risks. We strongly recommend that you carefully review and limit these permissions before implementation. For instance, permissions such as "ec2:Describe*" might allow third-party services to access your security groups unnecessarily, increasing the security risk without contributing to cloud cost optimization.

Tide Baseline IAM Permissions (Free & Startup Versions)

These permissions are designed for customers using the free and startup versions of Tide’s services:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ce:Get*",
                "ce:Describe*",
                "ce:List*",
                "ce:Start*",
                "account:GetAccountInformation",
                "billing:Get*",
                "payments:List*",
                "payments:Get*",
                "tax:List*",
                "tax:Get*",
                "consolidatedbilling:Get*",
                "consolidatedbilling:List*",
                "invoicing:List*",
                "invoicing:Get*",
                "cur:Get*",
                "cur:Validate*",
                "freetier:Get*",
                "ec2:DescribeCapacity*",
                "ec2:DescribeReservedInstances*",
                "ec2:DescribeSpot*",
                "rds:DescribeReserved*",
                "rds:DescribeDBRecommendations",
                "rds:DescribeAccountAttributes",
                "ecs:DescribeCapacityProviders",
                "es:DescribeReserved*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "TideCostAndUsageReadOnlyPolicyID"
        }
    ]
}

Tide Premier IAM Permissions (Add-On)

For customers subscribed to our premier service tier, additional IAM permissions are required. These permissions enable more advanced features, and a separate sign-up for the premier version is necessary.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Sid": "TidePremiumPolicy3",
            "Action": [
                "compute-optimizer:*",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ecs:List*",
                "autoscaling:DescribeAutoScalingGroups",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "organizations:ListAccounts",
                "cloudwatch:GetMetricStatistics",
                "rds:DescribeDBRecommendations",
                "rds:DescribeReservedDBInstances*"
            ],
            "Resource": "*"
        }
    ]
}
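Applying the advisory above to the two policies on this page, the following added example (not Tide's code) triages each action in a policy document into review buckets: narrow read-only actions, bare read wildcards outside the billing services (the "ec2:Describe*" pattern, which also reads security groups), service-level wildcards such as "compute-optimizer:*" (which cover the service's write actions too), and anything with a non-read verb such as "ce:Start*". The sample policy and the BILLING_SERVICES set are constructed for the example.

```python
"""Triage the actions in an IAM policy before granting it to a third party."""
import json

READ_VERBS = ("Get", "List", "Describe", "Validate")  # verbs that only read state
# Services whose whole API concerns cost and billing; a read wildcard there
# ("ce:Describe*") cannot reach infrastructure details.
BILLING_SERVICES = {"ce", "billing", "cur", "payments", "tax",
                    "consolidatedbilling", "invoicing", "freetier", "account"}

def classify_action(action: str) -> str:
    """Classify one IAM action string into a review bucket."""
    service, _, name = action.partition(":")
    if not service or not name:
        return "review"            # "*" or a malformed entry
    if name == "*":
        return "service-wildcard"  # every action of the service, writes included
    if not name.startswith(READ_VERBS):
        return "review"            # Start/Put/Update/Delete... needs justification
    if (name.endswith("*") and name.rstrip("*") in READ_VERBS
            and service not in BILLING_SERVICES):
        return "broad-read"        # e.g. ec2:Describe* also reads security groups
    return "read-only"             # narrow read, e.g. ec2:DescribeReservedInstances*

def review_policy(policy: dict) -> dict:
    """Bucket every allowed action; statements with Resource "*" are noted too."""
    report = {"read-only": [], "broad-read": [], "service-wildcard": [],
              "review": [], "resource-wildcard": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        for action in [actions] if isinstance(actions, str) else actions:
            report[classify_action(action)].append(action)
        if stmt.get("Resource") == "*":
            report["resource-wildcard"].append(stmt.get("Sid", "<no Sid>"))
    return report

# Constructed sample: actions taken from the two policies on this page plus the
# "ec2:Describe*" pattern the advisory warns about.
SAMPLE_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Sid": "ThirdPartySample", "Effect": "Allow",
    "Action": ["ce:Describe*", "ec2:Describe*", "ec2:DescribeReservedInstances*",
               "compute-optimizer:*", "ce:Start*", "cloudwatch:GetMetricStatistics"],
    "Resource": "*" } ] }
""")

if __name__ == "__main__":
    for bucket, items in review_policy(SAMPLE_POLICY).items():
        print(f"{bucket:18} {items}")
```

Run it against the JSON of any policy you are asked to grant; every action that lands outside "read-only" is one to justify or narrow before deployment.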

Deployment of Tide IAM Permissions

We recommend managing the deployment of IAM permissions directly through the Tide application console. However, if you prefer to deploy these permissions independently, the following methods are available:

CloudFormation Deployment

Deploy the Tide IAM permissions using AWS CloudFormation:

  1. Click on the following link: Tide CloudFormation Quick Create

  2. Acknowledge the terms and click “Create stack.”

Terraform Deployment

For customers using Terraform, deploy the following configuration file:

provider "aws" {
  region = "us-east-1"
}

# Role that Tide's AWS account assumes to read your cost and usage data.
resource "aws_iam_role" "TideIAMRole" {
  name = "TideCostAndUsageRole"

  # Trust policy: only the Tide account principal may assume this role.
  # Third-party cross-account roles are commonly hardened further with a
  # Condition on sts:ExternalId; this page does not specify one, so confirm
  # the expected value with Tide before adding it.
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Principal = {
          AWS = "arn:aws:iam::471112827161:root"
        },
        Action = "sts:AssumeRole"
      }
    ]
  })
}

# Permission policy: the same statement as the baseline JSON above.
resource "aws_iam_policy" "TideIAMPolicy" {
  name        = "TideCostAndUsageReadOnlyPolicy"
  description = "Read-only policy for Tide Inc. cost and usage"

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid    = "TideCostAndUsageReadOnlyPolicyID",
        Effect = "Allow",
        Action = [
          "ce:Get*",
          "ce:Describe*",
          "ce:List*",
          "ce:Start*",
          "account:GetAccountInformation",
          "billing:Get*",
          "payments:List*",
          "payments:Get*",
          "tax:List*",
          "tax:Get*",
          "consolidatedbilling:Get*",
          "consolidatedbilling:List*",
          "invoicing:List*",
          "invoicing:Get*",
          "cur:Get*",
          "cur:Validate*",
          "freetier:Get*",
          "ec2:DescribeCapacity*",
          "ec2:DescribeReservedInstances*",
          "ec2:DescribeSpot*",
          "rds:DescribeReserved*",
          "rds:DescribeDBRecommendations",
          "rds:DescribeAccountAttributes",
          "ecs:DescribeCapacityProviders",
          "es:DescribeReserved*"
        ],
        Resource = "*"
      }
    ]
  })
}

# aws_iam_policy has no "roles" argument; the policy is attached to the role
# with a separate attachment resource.
resource "aws_iam_role_policy_attachment" "TideIAMPolicyAttachment" {
  role       = aws_iam_role.TideIAMRole.name
  policy_arn = aws_iam_policy.TideIAMPolicy.arn
}

# Share this ARN with Tide so its account can assume the role.
output "TideRoleARN" {
  value = aws_iam_role.TideIAMRole.arn
}

CLI Deployment

To deploy the IAM permissions using the AWS CLI, execute the following command. The --capabilities flag acknowledges that the stack creates named IAM resources, the same acknowledgement the console asks for; without it, create-stack is rejected with InsufficientCapabilitiesException:

aws cloudformation create-stack \
  --stack-name TideCostAndUsageReadOnlyCloudFormationStack \
  --template-url https://Tide-cloudformation-template-public.s3.amazonaws.com/billing-and-usage-read-only-cf-stack/Tide-read-only-access.yaml \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-east-1

AWS Console Deployment

To manually create the IAM stack via the AWS Management Console:

  1. Navigate to CloudFormation and click “Create Stack.”

  2. Select "Specify an Amazon S3 template URL" and paste the following URL:

     https://Tide-cloudformation-template-public.s3.amazonaws.com/billing-and-usage-read-only-cf-stack/Tide-read-only-access.yaml

  3. Enter "TideCostAndUsageReadOnlyCloudFormationStack" as the stack name (or a name of your choice).

  4. Proceed through the options and click “Create stack.”