If you are concerned about unwittingly giving access to your AWS account, this article should clarify exactly which permissions are granted to Billgist.
When you integrate your AWS account, a CloudFormation stack is created from this Billgist template. Feel free to click on the template and read through it.
If you inspect the template, you will see that it creates an IAM role that grants the Billgist application only AWS Cost Explorer permissions (that's the "ce:*" reference in the template).
You can see the role created by Billgist, and the policy attached to it, under IAM roles in the AWS console.
You can also see the created resources in the Resources tab of the CloudFormation console once you have started the integration process.
By now you may be wondering how to validate all of this yourself. AWS provides an interface that displays the role, its trust relationships and the policies attached to it.
You can follow the steps below to see how.
- Navigate to AWS roles and search for the role whose name starts with "billgist*", or see the previous screenshot to get the actual name of the role. Once you have found the role, click on it to see the details.
- The "Permissions" tab is selected by default; here you can see the attached policies. Click on the policy and verify which service(s) the role has been granted access to.
- In the "Trust relationship" tab you can verify the trusted entities for the role. Make sure the trusted entity is "825617374672", which is the Billgist AWS account.
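The same two checks can be scripted over the role's policy documents. The following is an added example, not Billgist's code or its template: the function names and the sample documents are constructed for illustration, and 111122223333 is a placeholder account ID.

```python
BILLGIST_ACCOUNT = "825617374672"  # trusted account ID given in the article
ALLOWED_PREFIX = "ce:"             # Cost Explorer action namespace ("ce:*")

def as_list(value):
    """IAM JSON allows a single value or a list in most fields."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def account_of(principal):
    """Account ID from 'arn:aws:iam::<id>:root' or from a bare ID."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def audit_permissions(policy):
    """Flag every allowed action that is not a Cost Explorer action."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("Allow + NotAction grants all other actions")
        for action in as_list(stmt.get("Action")):
            if not action.lower().startswith(ALLOWED_PREFIX):
                findings.append(f"action outside Cost Explorer: {action}")
    return findings

def audit_trust(trust):
    """Flag every trusted entity that is not the Billgist account."""
    findings = []
    for stmt in as_list(trust.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        entries = [("*", "*")] if principal == "*" else [
            (kind, v) for kind, vals in principal.items() for v in as_list(vals)]
        for kind, value in entries:
            if kind != "AWS" or account_of(value) != BILLGIST_ACCOUNT:
                findings.append(f"unexpected trusted entity: {kind}={value}")
    return findings

# Constructed sample documents (not copied from the Billgist template).
GOOD_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ce:*", "Resource": "*"}]}
GOOD_TRUST = {"Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                            "Principal": {"AWS": "arn:aws:iam::825617374672:root"}}}
BAD_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["ce:GetCostAndUsage", "s3:*"]}]}
BAD_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ["825617374672", "111122223333"]}}]}

if __name__ == "__main__":
    for name, found in [("permissions", audit_permissions(BAD_POLICY)), ("trust", audit_trust(BAD_TRUST))]:
        print(name, found or "OK")
```

To run it against the real role, export the trust policy with `aws iam get-role` (the `AssumeRolePolicyDocument` field) and the permissions policy with `aws iam get-role-policy` or `aws iam get-policy-version`, then pass the parsed JSON to the two functions.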
Conclusion:
Billgist does not require any permissions except the read-only Cost Explorer API. We recommend that you do not modify this policy and role yourself.
If you want to revoke these permissions, remove the integration from Billgist, then delete the policy and the role.