FinOps Pack

Security model

Read-only AWS access, designed for fast review and easy removal.

FinOps Pack cannot modify, stop, start, delete, deploy, or reconfigure AWS resources. It only reads billing, inventory, and optimization metadata required to generate the review.

Your AWS account (read-only role) → FinOps Pack Scanner → AWS Savings Review

Allowed

Read billing, inventory, and optimization metadata.

Not allowed

Modify, delete, deploy, stop, start, or access application data.

What FinOps Pack can read

  • AWS account and organization inventory metadata when permitted
  • EC2, EBS, RDS, ECS, Lambda, S3, and NAT gateway inventory metadata where applicable
  • Cost Explorer spend baseline
  • Resource-level Cost Explorer data if enabled and permitted
  • Cost Optimization Hub recommendation data

What FinOps Pack cannot do

  • Cannot modify infrastructure
  • Cannot stop, start, or delete resources
  • Cannot deploy resources
  • Cannot access application data or AWS passwords
  • Cannot log into the AWS console or create long-term access keys

External ID

Why the External ID exists

External ID is AWS's confused-deputy safeguard for cross-account roles. The trust policy on your role lets the FinOps Pack principal assume it only when the AssumeRole call carries the matching sts:ExternalId; without that condition, anyone who learned your role ARN could submit it in their own review form and have FinOps Pack read your account on their behalf. FinOps Pack generates one value per review. The value in your trust policy and the value submitted in the review form must match exactly (IAM evaluates the condition with StringEquals, which is case-sensitive). The External ID is not a secret on its own: it is effective only in combination with the trust policy restricting the principal to FinOps Pack's account, so keep both in place.

Remove access

Delete access whenever you want.

If you used CloudFormation, delete the finops-pack-readonly stack, which removes the role and its policy together. If you created the role manually, detach and delete the policy first and then delete the IAM role; IAM refuses to delete a role that still has policies attached.

aws cloudformation delete-stack --stack-name finops-pack-readonly
aws cloudformation wait stack-delete-complete --stack-name finops-pack-readonly

Default permissions

Exact read-only permissions used by the default policy

{}
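A pre-flight lint you can run on the role's two policy documents before sharing the ARN, added here as an example; it is not FinOps Pack's code and not the pack's default policy. It checks the trust policy for the principal restriction and the External ID condition described above, and checks the permissions policy for anything beyond read-level actions, including read verbs such as s3:GetObject that return application data rather than inventory metadata. The vendor account ID (AWS's documentation example 123456789012), the External ID value, the read-only verb list, the data-action list, and all three sample policies are constructed placeholders.

```python
"""Pre-flight lint for a vendor's read-only cross-account role (added example, not FinOps Pack code).

Checks the two IAM documents that define the role before the ARN is shared:
  1. the trust policy lets only the vendor account assume the role and requires the
     per-review External ID (AWS's confused-deputy safeguard);
  2. the permissions policy grants read-level actions only, and none that read application data.
All policies, the account ID, and the External ID below are constructed placeholders.
"""
import fnmatch
import json

VENDOR_ACCOUNT = "123456789012"        # AWS documentation example account, not FinOps Pack's
EXTERNAL_ID = "review-a1b2c3-example"  # placeholder for the per-review value from the form

# Action verbs treated as read-level; anything else (Put, Create, Delete, Start, Stop, Modify, "*") fails.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Lookup", "View", "Search", "BatchGet")

# Read-level verbs that still return application data or secrets, which the role must never see.
# Listed explicitly because the prefix test alone would let them through (constructed, not exhaustive).
DATA_READ_ACTIONS = {
    "s3:GetObject", "secretsmanager:GetSecretValue", "ssm:GetParameter", "ssm:GetParameters",
    "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "lambda:GetFunction",
}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, vendor_account, external_id):
    """Return findings for the trust policy; an empty list means it passes."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in principals:  # only the vendor account root, or a principal inside it, may assume the role
            if not p.startswith(f"arn:aws:iam::{vendor_account}:"):
                findings.append(f"unexpected principal {p!r}")
        # IAM evaluates sts:ExternalId with StringEquals: the value must match character for character.
        if stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or does not match the review form")
    return findings


def check_permissions_policy(doc):
    """Return every allowed action that is not read-level or that covers a data-reading action."""
    offenders = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            offenders.append("NotAction (allows everything not listed)")
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if not verb.startswith(READ_ONLY_PREFIXES):  # catches "*", "ec2:*", "ec2:StopInstances"
                offenders.append(action)
                continue
            # A read-level wildcard can still cover a data action, e.g. "s3:Get*" includes s3:GetObject.
            for data_action in sorted(DATA_READ_ACTIONS):
                if fnmatch.fnmatchcase(data_action.lower(), action.lower()):
                    offenders.append(f"{action} (covers data action {data_action})")
    return offenders


def lint_role(trust_json, permissions_json, vendor_account, external_id):
    """Lint the raw JSON documents as returned by `aws iam get-role` and `aws iam get-policy-version`."""
    return {
        "trust": check_trust_policy(json.loads(trust_json), vendor_account, external_id),
        "permissions": check_permissions_policy(json.loads(permissions_json)),
    }


# Constructed sample: the shape a reviewer should expect the trust policy to take.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
}]}

# Constructed sample of the weak form: same principal, External ID condition omitted.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
}]}

# Constructed sample permissions policy, NOT the pack's default policy: read-level actions for the
# sources the page lists, plus one write action slipped in so the lint has something to catch.
SAMPLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "rds:Describe*", "ecs:List*", "ecs:Describe*", "lambda:List*",
        "s3:ListAllMyBuckets", "s3:GetBucketLocation", "ce:GetCostAndUsage",
        "cost-optimization-hub:ListRecommendations",
        "organizations:DescribeOrganization", "organizations:ListAccounts",
    ]},
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:StopInstances"},
]}
```

Run it against the live documents by passing the JSON from aws iam get-role (the AssumeRolePolicyDocument field) and aws iam get-policy-version to lint_role with the account ID and External ID from your review form; the role is ready to hand over only when both lists come back empty. The verb-prefix test is a heuristic: any action it waves through that you do not recognise as pure inventory or billing metadata still deserves a manual look, which is why the data-action list exists at all.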

Data handling

  • Report artifacts may contain account IDs, resource IDs, regions, recommendations, and contact information.
  • Hosted reports are retained for the configured number of days, default 7.
  • Anyone with the hosted report link can access it until expiration or deletion.
  • Request deletion by replying to a report email or booking a savings triage call.

Unsupported regions

GovCloud and China are not included in public v1.

The public review flow covers commercial AWS regions. GovCloud and China are separate AWS partitions (aws-us-gov and aws-cn), and a role in one partition cannot trust a principal from another, so they need a separate deployment and trust model.

Next step

Ready to review your AWS account?