StratusGrid Knowledge Base | Your Source for AWS Cloud Expertise

Cost Optimization AWS Permissions for StratusGrid Engineers

Written by Trevor Sullivan | Jul 14, 2025 4:42:29 PM

During StratusGrid's success-based cost optimization projects, StratusGrid engineers required AWS read-only permissions for the assessment phase. After the assessment and customer approval of a remediation plan, additional AWS write permissions will be required by engineers.

CloudFormation templates for StackSet deployment.

The CloudFormation templates may be deployed to standalone AWS accounts, or to AWS accounts that belong to either an organization or a specific organizational unit (OU).

When deployed in an organization, the CloudFormation templates must be deployed in the management account of an AWS organization. These create resources in all AWS accounts that belong to either an organization or a specific organizational unit (OU).

  • sg-restricted-read-only.json: this CloudFormation template creates an IAM role with restricted read-only permissions for the assessment phase of cost optimization projects.

  • sg-restricted-power-user.json: this CloudFormation template creates an IAM role with restricted power-user permissions for the remediation phase of cost optimization projects.

AWS Cloudformation StackSet creation instructions

The below instructions are for deploying the Stackset in a management account. For individual accounts, you can simply deploy the template as an individual stack.

  • Navigate to the AWS Console and log in to your AWS Organization Management Account.
    • Switch to the region where you want to deploy the StackSet.
  • Go to the CloudFormation section of the AWS Console and select StackSets.
  • Click Create StackSet
  • Select Upload a template file, click Choose file, and select sg-restricted-read-only.json. Click Next 
  • Enter the StackSet name, for instance, StratusGrid-IAM-ReadOnly. Click Next.
  • Scroll to the bottom of the page. Check to acknowledge that IAM role resources are being created, then click Submit
  • Enter the AWS Organization Root ID. The resource being created is an IAM role, and IAM is a global service; however, a region must be specified. Select the region where you are creating the StackSet, then click Next.
  • Scroll to the bottom of the page, then click Submit.
  • The StackSet will then deploy!

Write Permissions

Repeat the CloudFormation stackset creation process for template sg-restricted-power-user.json
View full post