# How Does Archera Access my AWS Environment? ## Is my AWS Environment and Data securely accessed? We are an AWS Select technology partner and have had our stack and solution audited by AWS to be in line with their "well-architected" best practices. ## How does Archera access my account? Our system connects to your AWS master billing account using the Amazon Managed IAM System and the official vendor Assume Role process with External ID — the best practice recommended by AWS for providing access to an AWS account owned by a 3rd party. ## What permissions does Archera request? The IAM policy we request follows a **"Least Privileged"** approach, granting the minimal access required to deliver our savings analysis and automation. We ask for access to read your billing and usage metadata from AWS, which is no more permissive than what standard monitoring tools like Datadog or Grafana ask for. This lets us see aggregate costs, machines up/down, and resource utilization — but never gives us access to read data from or make changes to running infrastructure. ## How is access audited? By using only Amazon managed APIs to access your account, all operations taken by Archera can be audited by your team in CloudTrail. We have also implemented SOC2-defined controls for managing customer data, including enforcement that all customer data is encrypted at rest as well as in transit, and regular internal audits on all access to user data. ## Related Resources * [What IAM permissions does the Archera AWS trial deployment require?](/help-center/aws-onboarding/iam-permissions-trial.md) * [What IAM permissions does the Archera AWS production deployment require?](/help-center/aws-onboarding/iam-permissions-production.md) * [What is the Archera AWS account ID?](/help-center/aws-onboarding/aws-account-id.md) * [Can I test Archera in an AWS Sub-Account?](/help-center/aws-onboarding/test-in-subaccount.md) * [Do I Need to Grant Archera Access to my GovCloud Account?](/help-center/security/govcloud-access.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.archera.ai/help-center/security/aws-access.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.