Cost Optimization AWS Permissions for StratusGrid Engineers

Describes the AWS IAM permissions used by StratusGrid cloud engineers to perform cost optimization assessment and remediation.


During StratusGrid's success-based cost optimization projects, StratusGrid engineers require AWS read-only permissions for the assessment phase. After the assessment, and once the customer has approved a remediation plan, engineers additionally require AWS write permissions for the remediation phase.

CloudFormation templates for StackSet deployment

The CloudFormation templates may be deployed to a standalone AWS account, or to all AWS accounts that belong to an organization or to a specific organizational unit (OU).

For an organization-wide deployment, the templates must be deployed from the management account of the AWS organization. The resulting StackSet then creates the resources in every AWS account that belongs to the organization or to the chosen OU.

  • sg-restricted-read-only.json: this CloudFormation template creates an IAM role with restricted read-only permissions for the assessment phase of cost optimization projects.

  • sg-restricted-power-user.json: this CloudFormation template creates an IAM role with restricted power-user permissions for the remediation phase of cost optimization projects.

AWS CloudFormation StackSet creation instructions

The instructions below are for deploying the StackSet from a management account. For an individual account, you can simply deploy the template as a regular stack instead.

  • Navigate to the AWS Console and log in to your AWS Organization Management Account.
    • Switch to the region where you want to deploy the StackSet.
  • Go to the CloudFormation section of the AWS Console and select StackSets.
  • Click Create StackSet.
  • Select Upload a template file, click Choose file, and select sg-restricted-read-only.json. Click Next.
  • Enter the StackSet name, for instance StratusGrid-IAM-ReadOnly. Click Next.
  • Scroll to the bottom of the page. Check the box to acknowledge that IAM role resources are being created, then click Submit.
  • Enter the AWS Organization Root ID. The resource being created is an IAM role, and IAM is a global service; however, a region must still be specified. Select the region where you are creating the StackSet, then click Next.
  • Scroll to the bottom of the page, then click Submit.
  • The StackSet will then deploy.

Write Permissions

Repeat the CloudFormation StackSet creation process for the template sg-restricted-power-user.json.
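The same deployment, for either template, can be driven from the AWS CLI in the management account instead of the console. The script below is an added example written for this article; it is not StratusGrid's own tooling, and the template filename, StackSet name, region and the placeholder root ID r-examp are assumptions you replace with your own values. It keeps the console steps in the same order (create the StackSet with the IAM acknowledgement, target the organization root, then check the stack instances) and refuses to deploy if the value given as the root ID does not look like one, so an OU or account ID pasted by mistake cannot silently become the deployment target. With DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not StratusGrid's own tooling): the StackSet deployment steps
# from the article, expressed as AWS CLI calls run from the organization
# management account. TEMPLATE, STACKSET_NAME, ORG_ROOT_ID and REGION are
# assumptions; the default root ID "r-examp" is a placeholder, not a real ID.
# DRY_RUN=1 (the default) prints each command instead of calling AWS.
set -u

TEMPLATE="${TEMPLATE:-sg-restricted-read-only.json}"
STACKSET_NAME="${STACKSET_NAME:-StratusGrid-IAM-ReadOnly}"
ORG_ROOT_ID="${ORG_ROOT_ID:-r-examp}"   # placeholder root ID
REGION="${REGION:-us-east-1}"            # IAM is global, but a StackSet still needs a region
DRY_RUN="${DRY_RUN:-1}"

# Organization root IDs have the form r- followed by 4 to 32 lowercase
# alphanumerics. Reject anything else (an OU ID, an account ID) before a
# deployment is pointed at the whole organization with the wrong value.
valid_root_id() {
  printf '%s' "$1" | grep -Eq '^r-[a-z0-9]{4,32}$'
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create the StackSet from the template. CAPABILITY_NAMED_IAM is the
# CLI equivalent of the console checkbox acknowledging that IAM resources
# (here a role) will be created. SERVICE_MANAGED permissions let
# CloudFormation deploy into member accounts through AWS Organizations.
create_stackset() {
  run aws cloudformation create-stack-set \
    --stack-set-name "$STACKSET_NAME" \
    --template-body "file://$TEMPLATE" \
    --capabilities CAPABILITY_NAMED_IAM \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --region "$REGION"
}

# Step 2: deploy stack instances to every account under the organization root.
# Passing an OU ID instead of the root ID limits the deployment to that OU.
deploy_instances() {
  valid_root_id "$ORG_ROOT_ID" || {
    echo "refusing to deploy: '$ORG_ROOT_ID' is not an organization root ID" >&2
    return 1
  }
  run aws cloudformation create-stack-set-instances \
    --stack-set-name "$STACKSET_NAME" \
    --deployment-targets "OrganizationalUnitIds=$ORG_ROOT_ID" \
    --regions "$REGION" \
    --region "$REGION"
}

# Step 3: list the stack instances to see which accounts received the role
# and whether any instance ended in a failed status.
list_instances() {
  run aws cloudformation list-stack-instances \
    --stack-set-name "$STACKSET_NAME" \
    --region "$REGION"
}

# Run the three steps in order.
main() {
  create_stackset && deploy_instances && list_instances
}
main
```

Run it once per template: the defaults cover sg-restricted-read-only.json, and setting TEMPLATE=sg-restricted-power-user.json with a matching STACKSET_NAME covers the write-permission role. Before switching DRY_RUN off, review the trust policy inside the template so you know exactly which principal will be allowed to assume the role in every member account; once the StackSet is in place, the list-stack-instances output is the quickest way to confirm the role exists only in the accounts you intended.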
