Doc · 5 min read · Apr 2, 2026

Managed Discounts Connection Process — AWS

Purpose

To enable secure access to billing, usage, and optimization services in your AWS environment.

Who Needs to Attend

  • A team member with AdministratorAccess or equivalent permissions in the AWS Management Account.
  • A team member with permissions to deploy CloudFormation templates and StackSets.

Capabilities Required

  • Ability to create IAM roles and policies.
  • Ability to grant cross-account access.
  • Ability to create or approve linked accounts if required.

Process Summary

1. CloudFormation Template Deployment

You will deploy one CloudFormation stack in your AWS Management Account. This stack creates a role that grants our platform the necessary permissions to access billing data and associated resource metadata securely.

2. CloudFormation StackSet Deployment

You will also deploy a CloudFormation StackSet across all linked accounts in your AWS Organization. This creates roles in each account, allowing us to collect usage and resource metadata centrally.

Permissions Required

Read-only — billing, usage, and resource visibility

  • Includes access to billing and usage data
  • Includes access to resource metadata (tags, configurations)

Write (optional) — resource tagging

  • Tag write access is configurable and limited to automation workflows

Purchase-only — discount instruments (RIs, SPs)

  • Limited to purchasing Reserved Instances and Savings Plans; does not include modify or delete rights

Create-only — linked accounts

  • Limited to creating new linked accounts used solely for housing discount instruments

No permissions to create, modify, or delete other workloads, configurations, or customer-managed resources.

Detailed Permission List

Read-only permissions

ce:Get*
cur:Describe*
cur:Get*
organizations:Describe*
organizations:List*
savingsplans:Describe*
ec2:Describe*
rds:Describe*
redshift:Describe*
elasticache:Describe*
dynamodb:Describe*
lambda:List*
lambda:Get*
tag:Get*
tag:GetResources
tag:GetTagKeys
tag:GetTagValues

Discount purchase permissions (purchase-only)

ec2:PurchaseReservedInstancesOffering
rds:PurchaseReservedDBInstancesOffering
redshift:PurchaseReservedNodeOffering
elasticache:PurchaseReservedCacheNodesOffering
dynamodb:PurchaseReservedCapacityOfferings
savingsplans:CreateSavingsPlan

Linked account creation (create-only)

organizations:CreateAccount

Security Notes

  • You retain full control over the roles and permissions.
  • You can revoke access at any time.
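
One way to confirm that the roles the stacks create stay within the Detailed Permission List, as an added example that is not part of the original page or the vendor's template: it flags any Allow action outside the documented patterns. The names `audit_policy` and `extra_allowed` and the sample policy are assumptions; the page does not name the optional tag-write actions, so pass the ones you approve through `extra_allowed`.

```python
from fnmatch import fnmatchcase

# Patterns from the page's Detailed Permission List (tag:Get* covers the named tag:Get actions).
DOCUMENTED = [
    "ce:Get*", "cur:Describe*", "cur:Get*", "organizations:Describe*",
    "organizations:List*", "savingsplans:Describe*", "ec2:Describe*",
    "rds:Describe*", "redshift:Describe*", "elasticache:Describe*",
    "dynamodb:Describe*", "lambda:List*", "lambda:Get*", "tag:Get*",
    "ec2:PurchaseReservedInstancesOffering",
    "rds:PurchaseReservedDBInstancesOffering",
    "redshift:PurchaseReservedNodeOffering",
    "elasticache:PurchaseReservedCacheNodesOffering",
    "dynamodb:PurchaseReservedCapacityOfferings",
    "savingsplans:CreateSavingsPlan", "organizations:CreateAccount",
]

def as_list(value):
    """IAM allows a single string or a list for Action and Statement."""
    return value if isinstance(value, list) else [value]

def covered(action, allowed):
    # The policy's pattern is compared as a literal string, so "ec2:*" does not
    # pass as "ec2:Describe*". IAM action names are case-insensitive.
    return any(fnmatchcase(action.lower(), pat.lower()) for pat in allowed)

def audit_policy(policy, extra_allowed=()):
    """Return findings for Allow statements that exceed the documented list."""
    allowed = DOCUMENTED + list(extra_allowed)
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append(f"statement {i}: Allow with NotAction")
        for action in as_list(stmt.get("Action", [])):
            if not covered(action, allowed):
                findings.append(f"statement {i}: undocumented action {action}")
    return findings

# Constructed sample policy (not the vendor's template).
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ce:GetCostAndUsage", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:*", "rds:ModifyDBInstance"], "Resource": "*"},
    {"Effect": "Allow", "Action": "savingsplans:CreateSavingsPlan", "Resource": "*"},
]}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE):
        print(finding)
```

Run it against each policy document attached to the deployed roles, after the initial deployment and again after any template update.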
