When installing CloudFix templates in your AWS target accounts, you notice that CloudFix creates certain Groups/Roles and grants itself write permissions through 'core' inline-policy. You want to know if these write permissions can be removed and without them, would CloudFix be able to generate at least the recommendations.
- For generating the recommendations, most permissions are Read/List/Describe/Get/Retrieve types. Almost all of them are passive and read-only permissions. They don't make any write changes to any resource or service. They help gather information about the resource so CloudFix can generate meaningful recommendations.
Hence, it's not advisable to manually remove those write permissions even if CloudFix is at the stage of generating recommendations because there are complex inter-dependencies that when broken can prevent workflows from executing normally. We haven't tested the product to see what features will not work if we selective remove certain permissions.
If we exclude ALL write permissions, including that of resources that were created as part of the install, the system won't work at all.
Minimal write permission set is needed, for example on Usage & Reports, Athena, Cloudwatch Logs, SNS, setup AWS Config Recorder, etc. to store usage reports, query those reports, generate log actions, create notifications etc. Therefore, its not advisable to to remove any write permissions.
- Be rest assured that no changes to the core services (like EC2, Volumes, S3), where there is cost savings opportunity are done unless a Change Template is approved by you. When changes need to be made, they are are queued as part of Change Requests after you approve Change Templates. Also, changes to the resources/services will be done by a role on your account which is created by CloudFix but can not be assumed/accessed by CloudFix.