Standalone Setup
A Standalone Connection links frugally.app to a single AWS account. No Organisation or wizard required — you create one IAM role in AWS and fill in one form in frugally.app.
Open the Add Connection form →
When to use standalone
- You have a single AWS account (not part of an AWS Organisation)
- You want to connect one specific account without onboarding your entire organisation
- You are evaluating frugally.app and want the simplest setup path
If you have multiple accounts under an AWS Organisation, consider the Organisation setup instead — it automates discovery and policy generation.
Prerequisites
- A frugally.app account — sign in
- Your 12-digit AWS account ID
- IAM permissions to create roles and policies in that account
Step 1 — Create the IAM policy in AWS
Sign in to the AWS IAM console for the account you want to connect.
Create a new IAM policy with the permissions frugally.app needs. The connection form in the dashboard shows the exact policy based on the services and features you select. A minimal example for EC2-only scheduling:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FrugallyResourceDiscovery",
"Effect": "Allow",
"Action": [
"tag:GetResources",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeTags"
],
"Resource": "*"
},
{
"Sid": "FrugallyEC2Actions",
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:ModifyInstanceAttribute"
],
"Resource": "*"
}
]
}
For the full policy covering all supported services (EC2, RDS, Lambda, ECS, NAT Gateway, VPC Endpoint) and optional features (Cost Explorer, CloudTrail, CUR), see the IAM policy reference.
The dashboard connection form generates the exact policy you need based on your selections. Use that instead of copying the minimal example above.
Step 2 — Create the IAM role in AWS
- In the IAM Roles console, click Create role.
- Select Another AWS account as the trusted entity type.
- Enter the frugally.app account ID:
829513654501. - Check Require external ID and paste the External ID shown in the frugally.app connection form.
- Click Next and attach the policy you created in Step 1.
- Name the role (default:
FrugallyAccessRole). The name must match what you enter in the frugally.app form. - Click Create role.
[SCREENSHOT: aws-account-create-role.png — AWS console create role screen]
The External ID is a unique token (ULID) auto-generated by frugally.app. It is included in the IAM trust policy to prevent confused-deputy attacks. Only frugally.app knows this value, so only frugally.app can assume the role.
The trust policy attached to the role will look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::829513654501:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "YOUR_EXTERNAL_ID"
}
}
}
]
}
Step 3 — Fill in the connection form
Back in frugally.app, fill in the connection form:
| Field | Description |
|---|---|
| Connection Name | A friendly label (e.g. Production, Dev Account, Staging US-East). |
| AWS Account ID | Your 12-digit AWS account ID. |
| Role Name | The IAM role name you created in Step 2. Default: FrugallyAccessRole. |
| External ID | Auto-generated. Must match the External ID in your IAM trust policy. |
| Environment | Production or Non-Production. Used for access control via Scopes. |
| Tier | (Non-production only) Optional sub-label: Dev, Staging, Test, or Sandbox. |
Optional features
Toggle any features you want to enable for this Connection:
| Feature | What it adds |
|---|---|
| CloudTrail | Read access to CloudTrail audit logs. |
| Cost Explorer | Read access to AWS Cost Explorer spend data. AWS charges $0.01 per API call — frugally.app enforces daily and monthly caps. |
| CUR | Read access to Cost and Usage Reports stored in S3. |
Each feature requires additional IAM permissions on the role. See Features for details and IAM policy reference for the exact permissions.
[SCREENSHOT: standalone-connection-form.png — add connection form with all fields]
Step 4 — Verify
Click Save. frugally.app immediately verifies the Connection by assuming the IAM role and testing each enabled feature.
| Result | What it means |
|---|---|
| Connected | Everything works. |
| Degraded | Role assumption works, but one or more features failed detection. |
| Missing Permissions | Role assumption failed. Check the role name, External ID, and trust policy. |
If verification fails, see the account health troubleshooting guide.
[SCREENSHOT: connections-list.png — connections list with verified connection showing green status]
After setup
Once your Standalone Connection is verified:
- Create Targets — Group resources by service, region, and tags. See Creating Targets.
- Run an Execution — Test with a manual action. See Running an Execution.
- Create a Schedule — Automate recurring start/stop actions. See Creating a Schedule.
Converting to an Organisation later
If you later set up an AWS Organisation and want to bring standalone Connections under it, you can run the Organisation Setup Wizard. Existing standalone Connections are not automatically migrated — you would create new member Connections through the wizard and then remove the standalone ones.