AWS Permissions for Waste Detection
Two Levels of Monitoring
Scamallteoir monitors your AWS account at two levels:
1. Cost Monitoring (works now)
Using ce:GetCostAndUsage and ce:GetCostForecast, we track daily spending, detect anomalies, and send digest reports.
2. Waste Detection (requires EC2 describe permissions)
With additional EC2 read-only permissions, we auto-discover all regions and scan for:
- Unattached EBS volumes — volumes in "available" state with no attached instance
- Unassociated Elastic IPs — allocated IPs not bound to any resource ($3.65/mo each since Feb 2024)
Updated IAM Policy
Add these actions to your existing Scamallteoir IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ec2:DescribeRegions",
        "ec2:DescribeVolumes",
        "ec2:DescribeAddresses"
      ],
      "Resource": "*"
    }
  ]
}
How It Works
- We call ec2:DescribeRegions to auto-discover all opted-in regions
- For each region, we scan for unattached EBS volumes and unassociated Elastic IPs
- Results appear on the Cost Bleed page with estimated monthly waste
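The three-step scan above, as an added example that is not Scamallteoir's own code: it runs over constructed DescribeRegions, DescribeVolumes and DescribeAddresses responses shaped like boto3's return values, so it works offline; the per-GB EBS rate is an assumed placeholder, while the Elastic IP charge is the $3.65/mo figure from this page.

```python
# Added example, not Scamallteoir's own code: the three-step scan described above,
# run over constructed DescribeRegions/DescribeVolumes/DescribeAddresses responses
# shaped like boto3 return values so it runs offline. In a real session the dicts
# come from ec2.describe_regions(), describe_volumes() and describe_addresses().

EIP_MONTHLY_USD = 3.65   # from the page: charge per unassociated Elastic IP since Feb 2024
EBS_GB_MONTH_USD = 0.08  # ASSUMED placeholder per-GB-month rate; use your region's price list

def opted_in_regions(describe_regions_response):
    """Regions the account can use: opted-in or not requiring opt-in."""
    return [r["RegionName"] for r in describe_regions_response.get("Regions", [])
            if r.get("OptInStatus") != "not-opted-in"]

def unattached_volumes(describe_volumes_response):
    """Volumes in 'available' state with no attachment (what the scan reports)."""
    return [v for v in describe_volumes_response.get("Volumes", [])
            if v.get("State") == "available" and not v.get("Attachments")]

def unassociated_addresses(describe_addresses_response):
    """Allocated Elastic IPs with no AssociationId, i.e. bound to nothing."""
    return [a for a in describe_addresses_response.get("Addresses", [])
            if not a.get("AssociationId")]

def scan_region(vol_resp, addr_resp):
    """Per-region findings plus the estimated monthly waste they represent."""
    vols = unattached_volumes(vol_resp)
    eips = unassociated_addresses(addr_resp)
    waste = sum(v.get("Size", 0) for v in vols) * EBS_GB_MONTH_USD + len(eips) * EIP_MONTHLY_USD
    return {"volumes": [v["VolumeId"] for v in vols],
            "addresses": [a["PublicIp"] for a in eips],
            "monthly_waste_usd": round(waste, 2)}

# Constructed sample responses (one region's worth of data).
SAMPLE_REGIONS = {"Regions": [{"RegionName": "eu-west-1", "OptInStatus": "opt-in-not-required"},
                              {"RegionName": "me-south-1", "OptInStatus": "not-opted-in"}]}
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "State": "available", "Size": 100, "Attachments": []},
    {"VolumeId": "vol-0bbb", "State": "in-use", "Size": 50,
     "Attachments": [{"InstanceId": "i-0ccc", "State": "attached"}]}]}
SAMPLE_ADDRESSES = {"Addresses": [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0111"},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0222", "AssociationId": "eipassoc-0333"}]}

if __name__ == "__main__":
    for region in opted_in_regions(SAMPLE_REGIONS):
        print(region, scan_region(SAMPLE_VOLUMES, SAMPLE_ADDRESSES))
```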
Security Note
All three EC2 actions are read-only — they cannot modify, create, or delete any resources. EC2 Describe* actions do not support resource-level permissions, which is why the policy uses "Resource": "*" for them. The scan runs during your normal sync cycle.
What Works Without EC2 Permissions
All cost monitoring features work with just Cost Explorer permissions:
- Daily cost reports and anomaly detection
- Service-level cost breakdown
- Email and Slack notifications
The waste detection scan is non-fatal — if the permissions are missing, cost monitoring continues normally.
Need more help? Contact us at support@scamallteoir.app