Before on-boarding AWS account to CoreStack Governance you should have the following access provided in your AWS account.

ec2 – Full Access

ecs – Full Access

cloudtrail – Full Access


Get – Full Access

List – Full Access

Create – Bucket

Head – Bucket


  • Object
  • BucketTagging
  • BucketPolicy
  • ObjectTagging
  • EncryptionConfiguration
  • BucketAcl


  • Object
  • Bucket


Describe – Full Access

Get – Full Access

List – Full Access

Put – MetricAlarm

Delete – Alarms



  • Role
  • RolePolicy
  • AccessKeyLastUsed
  • CredentialReport


  • AssumeRolePolicy
  • RoleDescription
  • Role

Pass – Role


  • Roles
  • RolePolicies
  • GroupsForUser
  • AttachedUserPolicies
  • Users
  • AccessKeys


  • Role
  • User
  • AccessKey
  • LoginProfile


  • Role
  • AccessKey
  • RolePolicy
  • User
  • LoginProfile

Put – RolePolicy

Generate – CredentialReport

Attach – UserPolicy

Remove – UserFromGroup

Add – UserToGroup

Detach – UserPolicy

To have Cost Usage Report you should have the following access in your AWS account.

  • You should be a “Root User
  • You should have enabled Reports (through Services -> Billing -> Enable Reports) and time unit should be ‘hourly’.
  • Cost allocation tags should be Active
  • S3 bucket name should be provided


Step 1:

Select Cost Allocation Tags

Step 2:

Choose Activate button.


Step 1:

Step 2:

Step 3:

Step 4:

Step 5:


Other Requirements

1. S3 Bucket for CUR Reports: CoreStack requires the name of the S3 Bucket in which the CUR Reports are placed. This is required to be able to fetch the usage info from your AWS Account and provide Cost Analytics and Governance. This is required only for Master (Payer) Accounts.

2. Cloud Trail in all Regions: While onboarding the account, CoreStack automatically creates cloud trails for all AWS regions to be able to track even any inadvertent usage in any of the regions. CoreStack does not overwrite or reuse any existing trails. It will create a new trail with webhook configured to push the activities to CoreStack. These trails will be automatically removed if you decide to remove the account from CoreStack later.

a. S3 Bucket in all Regions: As part of the Cloud Trail configurations, S3 buckets are also created in all AWS regions to collect the logs. These buckets will also be automatically removed if you decide to remove the account from CoreStack later.