If you are concerned about unwittingly giving access to your AWS account then hopefully this article will help clarify your doubts about what permissions are being granted to Billgist.
If you inspected the template you would see that it creates an IAM role with only AWS Cost Explorer permissions (that's the "ce:*" reference in the template) to the Billgist application.
You can see the role created by the Billgist and the policy attached to the role in the AWS IAM roles in the AWS console.
By this time you must be wondering how can I validate all this by myself. AWS provides an interface to display the role, trusted relationships and the policies attached to the role.
You can follow the steps below to see how.
Navigate to AWS roles and search for the role start with "billgist*" or see the previous screenshot to get actual name of the role. Once you searched for the role click on it to see the details.
Billgist does not require any permissions except the read only Cost Explorer API. We recommended that you do not modify this policy and role by yourself.
If you want to revoke these permissions, remove the integration from Billgist and delete policy and role respectively.