Creating a ReadOnlyAccess Role (ARN Role) in the AWS Console


***Information Regarding Creating the ReadOnlyAccess Role for Billing*** 

If this role is set for all linked accounts that purchase RIs, the SES billing process delivers the reduction benefit of the RI rates to the end customer.  If the ARN role is not setup, and the AWS account has purchases an RI, then the benefits (price reduction) may not be properly applied to the customer's billing data.******************  



AWS credentials are needed for each AWS account to ensure SES captures usage and RI inventory data. The Amazon Resource Name (ARN) specifies the role.  For SES, the AWS 'readonly' permission policy is used.  

Creating the access rights to an account is typically done during the linking process.


From the SES Management Console 

  • Select your customer
  • Click on an AWS Account Number
  • Click [Role ARN]



We recommend you use two browsers so you can toggle between the AWS console and the SES platform.
The instructions below are also provided in SES under the Cloud Account window.


From the AWS Console complete the following steps:


1.            Login to your Amazon IAM console

2.            Select "Roles" from the menu list

3.            Click "Create Role"

4.            Click "Another AWS Account"

5.            Enter the following:


       Account ID: 328676173091

       External ID: CA****** (This ID number is unique to each AWS account)


Note: Leave the "Require MFA" field blank - MFA for third-party access is not supported at this time and accounts used for access have MFA enabled.


5b. Check mark "Options" to enter the "Require external ID (Best practice when a third party will assume this role)"



6. Click "Next: Permissions"


7. In the policy list, search for "ReadOnlyAccess" policy and check the box on the left.


***Optional:  To add the policy for the Security and Compliance Report, in the policy list, search for  AWSSupportAccess and check the box on the left.  (Again, this is optional, but highly recommended.  For more information, please read the knowledge Base article: AWS Security and Compliance Report)


8. Add tags are optional – Skip Tags and click “Next: Review”


9. Enter a Role Name 

Please note: The Role Name cannot contain spaces. Use alphanumeric and '+=,.@-_' characters. Maximum 64 characters.


10. Enter a Role Description

Please note: Maximum 1000 characters. Use alphanumeric and '+=,.@-_' characters.


11. Click "Create Role"




12.  On the next page, click on the Role name to access Summary Screen

13. Click on the Role Name to access Summary Screen


14. Click the “Copy to Clipboard” icon located on the right of the Role ARN value, to copy the value.


15. Back to SES, at the bottom of the Create IAM Role dialog box, paste the value in the AWS Role ARN field.   


16. Click the “Not Checked/Check Now” action function button to confirm the role validates in the platform. Once you see the green Verified status appears, click “Save”. If a red “No Access” message appears, please recheck the Role ARN value.  Make sure the role is correct and there are no spaces in front or behind the value when pasted. If the ARN Value is still not validating once corrected, please contact the account Admin or Owner to confirm the ReadOnlyAccess policy added.


17. Enter the Role description (optional)


18. Save





Reminder:  Information Regarding Creating the Read-only Role for Billing.  


If this role is set for all linked accounts that purchase RIs, the SES billing process delivers the reduction benefit of the RI rates to the end customer. If the ARN role is not setup, and the AWS account has purchases an RI, then the benefits (price reduction) may not be properly applied to the customer's billing data.  


If you have questions on how the platform calculates RI charges, please contact us by opening a support ticket in the SES portal.