Security

Security Details & IAM Permissions Required

North connects to your AWS account on a read-only IAM permission basis, supporting maximum security.

North CAN NOT:

  • Read sensitive data

  • View or edit network rules

  • Create, change, alter, stop or pause instances or machines

  • Change or copy any development, test or production data

North's read-only baseline IAM permission and details are listed below. Baseline permissions allow basic functionality of our app and management system in order to fully benefit from the best savings posture. However, additional permissions may be required for some products. See product pages for more details.

Note to the community: It has come to our attention that various third-party services frequently grant themselves excessive permissions. We urge you to exercise caution and thoroughly review these permissions before implementation. For instance, a broad permission like "ec2:Describe*" permits third-party services to access your security groups. Such access is not required for cloud cost optimization and poses an increased security risk to your servers. Please ensure that permissions are appropriately limited to maintain optimal security and functionality.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NorthCostAndUsageReadOnlyPolicyID",
            "Effect": "Allow",
            "Action": [
                "ce:Get*",
                "ce:Describe*",
                "ce:List*",
                "ce:Start*",
                "account:GetAccountInformation",
                "billing:Get*",
                "payments:List*",
                "payments:Get*",
                "tax:List*",
                "tax:Get*",
                "consolidatedbilling:Get*",
                "consolidatedbilling:List*",
                "invoicing:List*",
                "invoicing:Get*",
                "cur:Get*",
                "cur:Validate*",
                "freetier:Get*",
                "ec2:DescribeCapacity*",
                "ec2:DescribeReservedInstances*",
                "ec2:DescribeSpot*",
                "rds:DescribeReserved*",
                "rds:DescribeDBRecommendations",
                "rds:DescribeAccountAttributes",
                "ecs:DescribeCapacityProviders",
                "es:DescribeReserved*"
            ],
            "Resource": "*"
        }
    ]
}

The last two actions cover Fargate capacity providers (ecs:DescribeCapacityProviders) and OpenSearch/Elasticsearch reservations (es:DescribeReserved*). IAM policy documents are plain JSON and do not accept inline comments, so those notes are kept outside the document.
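The note above makes a concrete claim: a grant such as "ec2:Describe*" reaches security-group data, while the baseline policy does not. The check below is an added example, not North's tooling: it expands IAM action wildcards the way IAM does (case-insensitive, "*" and "?") and reports which actions from a constructed checklist a policy's Allow statements would match. The checklist and the broad comparison policy are constructed for the example; the first policy is the baseline published above. The check looks only at Allow statements with an Action element and ignores Deny, NotAction, resource scoping and conditions, so it is a first-pass review aid rather than a full policy evaluator.

```python
import json
import re

# Baseline read-only policy as published on this page.
NORTH_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NorthCostAndUsageReadOnlyPolicyID",
            "Effect": "Allow",
            "Action": [
                "ce:Get*", "ce:Describe*", "ce:List*", "ce:Start*",
                "account:GetAccountInformation", "billing:Get*",
                "payments:List*", "payments:Get*", "tax:List*", "tax:Get*",
                "consolidatedbilling:Get*", "consolidatedbilling:List*",
                "invoicing:List*", "invoicing:Get*", "cur:Get*", "cur:Validate*",
                "freetier:Get*", "ec2:DescribeCapacity*",
                "ec2:DescribeReservedInstances*", "ec2:DescribeSpot*",
                "rds:DescribeReserved*", "rds:DescribeDBRecommendations",
                "rds:DescribeAccountAttributes", "ecs:DescribeCapacityProviders",
                "es:DescribeReserved*"
            ],
            "Resource": "*"
        }
    ]
}
""")

# Constructed comparison: the broad grant the note above warns about.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
    ],
}

# Constructed checklist of actions a cost-optimisation integration has no
# need for. Not exhaustive; extend it with whatever your account treats as sensitive.
SENSITIVE_ACTIONS = [
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeInstances",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:StopInstances",
    "rds:DescribeDBInstances",
    "s3:GetObject",
]


def iam_action_matches(pattern, action):
    """True if an IAM action pattern (with * and ? wildcards) covers `action`.

    IAM compares action names case-insensitively, so the regex is built that way.
    """
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def allowed_actions(policy, candidates):
    """Return the sorted subset of `candidates` matched by any Allow statement.

    Only Allow statements with an Action element are considered; Deny,
    NotAction, Resource and Condition are deliberately out of scope here.
    """
    matched = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            for action in candidates:
                if iam_action_matches(pattern, action):
                    matched.add(action)
    return sorted(matched)


if __name__ == "__main__":
    for name, policy in (("baseline", NORTH_POLICY), ("ec2:Describe*", BROAD_POLICY)):
        hits = allowed_actions(policy, SENSITIVE_ACTIONS)
        print(f"{name}: {hits or 'no sensitive actions reachable'}")
```

Running it reports nothing reachable for the baseline policy, while the "ec2:Describe*" grant reaches both ec2:DescribeSecurityGroups and ec2:DescribeInstances, which is the distinction the note draws. To review a third-party policy, paste its JSON in place of BROAD_POLICY and grow the checklist to match your own account's sensitive actions.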

IAM Permission Roles & Least Privilege

North uses limited IAM roles whenever possible to ensure that we cannot view critical machine data, edit machines, create/pause/stop instances or make any networking changes. We regularly hire third-party SecOps consulting to audit our risk exposure and ensure client security.

Connecting to North's Subscription Based Discounts

North offers two ways to connect to our subscription based discounts:

SAVINGS PODS [Direct Billing With AWS]

Savings Pods are AWS member accounts with right-sized Savings Plans or Reserved Instances based on your spend. These accounts are managed by North and delivered to your AWS Organization via invitation. These accounts allow you to benefit from discounting without the hassle of long-term commitments. This allows you to continue your billing with AWS with no interruption. Savings Pods are available to customers with EDPs. More on Savings Pods.

AUTOPILOT [Consolidated Billing With North]

Autopilot offers reservationless savings delivered via AWS Consolidated Billing. This service allows customers to benefit from a more flexible savings posture. Savings Plans and Reserved Instances are spread throughout our member accounts. This service requires users to join our organization and not be locked into an EDP. More on Fully Managed.

North only uses organizational invitation for consolidated billing, meaning we won't be able to centrally apply the advanced management features. You can view which features the organization has enabled by visiting the AWS Organizations console.

Service control policy documentation: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html?icmpid=docs_orgs_email&ref_=pe_2547550_191713980

What are AWS organizations & management accounts? https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html?icmpid=docs_orgs_email&ref_=pe_2547550_191713980
