# What IAM Permissions Does the Production Deployment Require?

## Overview

The following is a detailed breakdown of the additional permissions in the least-privileged IAM credential required to enable the Production deployment of our AWS Platform Integration. This credential enables all the features of our full automation platform and receives all updates for new services.

As with our trial credential, these additional "write" permissions do not allow us to read anything beyond the bare minimum usage and cost metadata. They let you automate all commitment management tasks (purchase, exchange, resell, renewal, etc.) without granting any ability to access or impact the underlying infrastructure in your AWS accounts.

## Key Technical Differences from Trial Credential

### 1. Wildcard Permissions

The wildcard (`*`) added to the requested list keeps Archera working as AWS introduces new metadata endpoints, without requiring you to manually update the role each time.

### 2. Write Permissions for Commitment Management

The following "write" permissions allow Archera to automate the purchase and management of commitments on your behalf:

```
ec2:ModifyReservedInstances
ec2:PurchaseReservedInstancesOffering
ec2:AcceptReservedInstancesExchangeQuote
ec2:CreateReservedInstancesListing
ec2:CancelReservedInstancesListing
ec2:PurchaseScheduledInstances
ec2:RunScheduledInstances
ec2:ModifyCapacityReservation
ec2:ModifyInstanceCapacityReservationAttributes
ec2:CreateCapacityReservation
ec2:CancelCapacityReservation
ec2:PurchaseHostReservation
ec2:RequestSpotFleet
ec2:RequestSpotInstances
ec2:CancelSpotFleetRequests
ec2:CancelSpotInstanceRequests
rds:PurchaseReservedDbInstancesOffering
redshift:GetReservedNodeExchangeOfferings
redshift:PurchaseReservedNodeOffering
redshift:AcceptReservedNodeExchange
elasticache:PurchaseReservedCacheNodesOffering
es:PurchaseReservedElasticsearchInstance
es:PurchaseReservedElasticsearchInstanceOffering
memorydb:PurchaseReservedNodesOffering
servicequotas:RequestServiceQuotaIncrease
savingsplans:CreateSavingsPlan
savingsplans:DeleteQueuedSavingsPlan
savingsplans:ReturnSavingsPlan
```

### 3. Organization Management Permissions (Optional)

The following optional "write" permissions allow Archera to automate AWS Organizations management of sub-accounts that contain only commitments:

```
organizations:InviteAccountToOrganization
organizations:RemoveAccountFromOrganization
organizations:CreateAccount
```
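The two action lists above are what a reviewer should compare a vendor role template against before attaching it. The following Python script is an added example, not Archera's own tooling: it assembles the documented actions into an IAM policy document (with the optional Organizations statement switched on or off) and audits any candidate policy against that documented set, reporting actions that are not on the list and, separately, actions that fall under a constructed deny-list of identity, data and workload prefixes. The `Resource: "*"` scope, the `RISKY_PREFIXES` deny-list and the `DRIFTED_POLICY` sample are assumptions made for this example; the page itself does not specify them.

```python
"""Assemble the documented Archera write policy and audit a candidate policy
against it (added example, not Archera's own tooling)."""
import json

# Copied from this page's "Write Permissions for Commitment Management" list.
COMMITMENT_ACTIONS = [
    "ec2:ModifyReservedInstances", "ec2:PurchaseReservedInstancesOffering",
    "ec2:AcceptReservedInstancesExchangeQuote", "ec2:CreateReservedInstancesListing",
    "ec2:CancelReservedInstancesListing", "ec2:PurchaseScheduledInstances",
    "ec2:RunScheduledInstances", "ec2:ModifyCapacityReservation",
    "ec2:ModifyInstanceCapacityReservationAttributes", "ec2:CreateCapacityReservation",
    "ec2:CancelCapacityReservation", "ec2:PurchaseHostReservation",
    "ec2:RequestSpotFleet", "ec2:RequestSpotInstances",
    "ec2:CancelSpotFleetRequests", "ec2:CancelSpotInstanceRequests",
    "rds:PurchaseReservedDbInstancesOffering",
    "redshift:GetReservedNodeExchangeOfferings", "redshift:PurchaseReservedNodeOffering",
    "redshift:AcceptReservedNodeExchange",
    "elasticache:PurchaseReservedCacheNodesOffering",
    "es:PurchaseReservedElasticsearchInstance",
    "es:PurchaseReservedElasticsearchInstanceOffering",
    "memorydb:PurchaseReservedNodesOffering",
    "servicequotas:RequestServiceQuotaIncrease",
    "savingsplans:CreateSavingsPlan", "savingsplans:DeleteQueuedSavingsPlan",
    "savingsplans:ReturnSavingsPlan",
]

# Copied from the page's optional "Organization Management Permissions" list.
ORG_ACTIONS = [
    "organizations:InviteAccountToOrganization",
    "organizations:RemoveAccountFromOrganization",
    "organizations:CreateAccount",
]

# Constructed deny-list (an assumption for this example, not from the page):
# prefixes that reach identity, data or running workloads and so never belong
# in a commitment-management role.
RISKY_PREFIXES = (
    "iam:", "sts:", "s3:", "kms:", "secretsmanager:", "ssm:", "lambda:",
    "ec2:RunInstances", "ec2:TerminateInstances", "ec2:AuthorizeSecurityGroup",
)


def build_policy(include_org: bool = False) -> dict:
    """Return an IAM policy document holding the documented write actions.
    Resource "*" is an assumption; scope it down if your account allows."""
    statements = [{"Sid": "CommitmentManagement", "Effect": "Allow",
                   "Action": COMMITMENT_ACTIONS, "Resource": "*"}]
    if include_org:
        statements.append({"Sid": "OrganizationManagement", "Effect": "Allow",
                           "Action": ORG_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _allowed_actions(policy: dict):
    """Yield every action granted by an Allow statement; IAM lets both
    Statement and Action be a single value or a list."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def audit_policy(policy: dict, documented) -> tuple:
    """Return (unexpected, risky): allowed actions missing from the documented
    set, and allowed actions that are a bare "*" or match a risky prefix.
    Both lists empty means the candidate grants exactly what this page lists."""
    documented = set(documented)
    unexpected, risky = set(), set()
    for action in _allowed_actions(policy):
        if action not in documented:
            unexpected.add(action)
        if action == "*" or action.startswith(RISKY_PREFIXES):
            risky.add(action)
    return sorted(unexpected), sorted(risky)


# Constructed sample: a role template that drifted from the documented list.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": COMMITMENT_ACTIONS, "Resource": "*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:TerminateInstances", "iam:PassRole", "ec2:DescribeVolumes"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_policy(include_org=True), indent=2))
    # Expected: (['ec2:DescribeVolumes', 'ec2:TerminateInstances', 'iam:PassRole'],
    #            ['ec2:TerminateInstances', 'iam:PassRole'])
    print(audit_policy(DRIFTED_POLICY, COMMITMENT_ACTIONS + ORG_ACTIONS))
```

To audit the role that is actually deployed, feed `audit_policy` the `PolicyDocument` returned by `aws iam get-role-policy` (or `get-policy-version` for a managed policy) in place of `DRIFTED_POLICY`; a non-empty `unexpected` list means the attached policy has diverged from this page and deserves a second look before the role is trusted.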

## Related Resources

* [What IAM permissions does the Archera AWS trial deployment require?](https://docs.archera.ai/help-center/aws-onboarding/iam-permissions-trial)
* [How Does Archera Access my AWS Environment?](https://docs.archera.ai/help-center/security/aws-access)
* [What is the Archera AWS account ID?](https://docs.archera.ai/help-center/aws-onboarding/aws-account-id)
