Connections Overview
A Connection is the link between frugally.app and a single AWS account. It lets frugally.app discover resources, run start/stop executions, and — optionally — read cost and audit data.
Under the hood, every Connection works the same way: frugally.app assumes a cross-account IAM role in your AWS account using an External ID for security. No long-lived credentials are stored.
How it works
┌──────────────┐ STS AssumeRole ┌──────────────────┐
│ frugally.app │ ──────────────────────────────► │ Your AWS Account│
│ │ (IAM Role + External ID) │ │
│ │ ◄────────────────────────────── │ IAM Role: │
│ │ Temporary credentials │ FrugallyAccess │
└──────────────┘ └──────────────────┘
- You create an IAM role in your AWS account with a trust policy that allows the frugally.app AWS account to assume it.
- The trust policy includes an External ID — a unique token generated by frugally.app — to prevent confused-deputy attacks.
- When frugally.app needs to interact with your account, it calls
sts:AssumeRolewith the External ID to obtain temporary credentials. - Those temporary credentials are used for the specific operation and are never persisted.
Two setup paths
frugally.app supports two ways to create Connections depending on how your AWS accounts are structured.
AWS Organisation setup (recommended for multi-account)
Use the Organisation Setup Wizard if you manage multiple AWS accounts under a single AWS Organisation.
The wizard:
- Connects to your management account first
- Discovers all member accounts automatically
- Lets you select which accounts to onboard
- Generates the exact IAM policies you need for each account
- Supports exporting policies as JSON, CloudFormation, or Terraform
Each member account becomes a separate Connection (scope: Member) linked to the Organisation.
Read the full Organisation setup guide →
Standalone setup
Use a Standalone Connection if you have a single AWS account, or if you want to connect an account that is not part of an AWS Organisation.
You create one IAM role and one Connection manually. No wizard required — just fill in the form.
Read the full Standalone setup guide →
Which should I choose?
| Scenario | Recommended path |
|---|---|
| Multiple accounts under one AWS Organisation | Organisation setup |
| Single AWS account | Standalone |
| Account is in an org but you only want to connect one account | Standalone |
| You want consolidated Cost Explorer billing from the management account | Organisation setup |
| Testing frugally.app for the first time | Standalone (simpler to start) |
Optional features
Every Connection (or Organisation) can enable additional features beyond the core resource scheduling:
| Feature | What it does |
|---|---|
| Cost Explorer | Queries the AWS Cost Explorer API to show spend data, forecasts, and savings. AWS charges $0.01 per API call. |
| CloudTrail | Reads CloudTrail audit logs to track who changed what in your account. |
| Cost and Usage Reports (CUR) | Reads detailed billing data from S3 for granular cost analysis. |
Features are toggled on or off per Connection (or at the Organisation level for member accounts). Each feature requires additional IAM permissions.
Read the full features guide →
Connection health
After a Connection is created, frugally.app verifies it by assuming the IAM role and testing each enabled feature. The result is a health status:
| Status | Meaning |
|---|---|
| Connected | IAM role works and all enabled features are verified. |
| Degraded | IAM role works but one or more enabled features could not be verified. |
| Missing Permissions | frugally.app cannot assume the IAM role, or required permissions are missing. |
| Disabled | Connection has been deactivated (manually or due to plan limits). |
| Unknown | Not yet verified. |
Read the full account health guide →
Key terminology
| Term | Definition |
|---|---|
| Connection | A link between frugally.app and one AWS account via an IAM role. |
| Organisation | A link to an AWS Organisation management account that groups member Connections. |
| IAM Role | The AWS role frugally.app assumes in your account. Default name: FrugallyAccessRole (standalone) or FrugallyOrganizationRole (management account). |
| External ID | A unique identifier (ULID) generated by frugally.app and embedded in the IAM trust policy for security. |
| Trust Policy | The IAM policy that controls who can assume the role. It specifies the frugally.app AWS account and the External ID. |
| Execution Policy | The IAM policy that defines what actions frugally.app can perform once it assumes the role. |
| Scope | Whether a Connection is Standalone (independent) or a Member (belongs to an Organisation). |
| Environment | A label you assign to a Connection: Production or Non-Production. Used for access control via Scopes. |
| Tier | An optional sub-label for non-production environments: Dev, Staging, Test, or Sandbox. |
Prerequisites
Before creating any Connection you need:
- A frugally.app account — sign in
- An AWS account (12-digit account ID)
- IAM permissions in that AWS account to create roles and policies
- For Organisation setup: access to the AWS Organisation management account