I've generated a custom IAM policy that grants me the permissions I need but won't allow me to alter anything. It permits me to:
- see your billing information (but not payment methods),
- list descriptions and metadata about all of your AWS resources, and
- view metrics on these resources from Amazon CloudWatch.
Note that, because of IAM character limits, the policy will need to be added to a group rather than to a specific user.
The Short Version
The Step By Step Version
To create this user, follow these steps:
- Visit https://console.aws.amazon.com/iam/home#/users.
- Select 'Users' from the left menu and click 'Add user'.
- Name the user something appropriate ('quinnadvisory' works). Be sure to select both checkboxes on this page, permitting programmatic access (via API calls, which much of my tooling requires) and console access (handy for edge cases that are difficult to work with via the API), then click Next.
- Click 'Attach existing policies directly', then 'Create policy'. This opens a new tab or window. Select 'Create Your Own Policy', name the policy ('quinnadvisory-readonly' works as a default), paste in the Policy Document I've built, and click Create Policy. Go back to the tab or window AWS pulled you away from.
- Attach the policy created in the previous step (you may have to click the refresh button or search for the policy by name), then click Next.
- Review the user. It should have a managed policy attached. If you're satisfied, click 'Create user'.
- Add a calendar reminder for yourself to deactivate or delete the user, group, and policy in a month.
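Before handing the user over, it is worth checking that the policy document really is read-only. The following added example is not the author's policy or tooling: it audits a constructed sample policy offline, flagging Allow actions outside the Describe/List/Get/View families, wildcard actions, and the billing payment-method actions the page says must stay off-limits, and it reports the policy's non-whitespace size against the IAM inline-user (2,048) and managed-policy (6,144) character quotas behind the note above.

```python
import json
import re

# Constructed sample in the spirit of the page's read-only policy. It is NOT the
# author's actual Policy Document, which this page does not reproduce.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:ListAllMyBuckets",
                    "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"]},
        {"Effect": "Allow", "Resource": "*", "Action": "aws-portal:ViewBilling"},
        # A slip a reviewer should catch: a write action hiding among Describe*.
        {"Effect": "Allow", "Resource": "*",
         "Action": ["rds:Describe*", "rds:ModifyDBInstance"]},
    ],
}

READ_ONLY_VERBS = re.compile(r"^(Describe|List|Get|View)")
# Billing actions that would expose or change what the page says stays off-limits.
FORBIDDEN = {"aws-portal:ViewPaymentMethods", "aws-portal:ModifyBilling",
             "aws-portal:ModifyPaymentMethods"}
# IAM quotas, counted without whitespace: inline user policy and managed policy.
INLINE_USER_LIMIT, MANAGED_LIMIT = 2048, 6144


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings for a policy document: suspicious actions and size checks."""
    findings = {"not_read_only": [], "forbidden": [], "wildcards": []}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt:
            findings["wildcards"].append("NotAction")  # grants everything else
        for action in _as_list(stmt.get("Action", [])):
            _, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings["wildcards"].append(action)
            elif action in FORBIDDEN:  # checked before the verb prefix: View* would pass
                findings["forbidden"].append(action)
            elif not READ_ONLY_VERBS.match(verb):
                findings["not_read_only"].append(action)
    size = len(re.sub(r"\s", "", json.dumps(policy)))
    findings.update(size=size, fits_inline_user=size <= INLINE_USER_LIMIT,
                    fits_managed=size <= MANAGED_LIMIT)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Run it against your own policy JSON (load it with `json.load` in place of `SAMPLE_POLICY`); a clean result has empty `not_read_only`, `forbidden` and `wildcards` lists.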