diff --git a/.github/workflows/bench_ec2_all.yml b/.github/workflows/bench_ec2_all.yml
index 61bb325fd..1138f9b29 100644
--- a/.github/workflows/bench_ec2_all.yml
+++ b/.github/workflows/bench_ec2_all.yml
@@ -6,12 +6,10 @@ on:
 pull_request:
 branches: ["main"]
 types: [ "labeled" ]
+permissions: write-all
 jobs:
 bench-gv2:
 name: Graviton2
- permissions:
- contents: 'read'
- id-token: 'write'
 uses: ./.github/workflows/bench_ec2_reusable.yml
 if: github.repository_owner == 'pq-code-package' && (github.event.label.name == 'benchmark' || github.ref == 'refs/heads/main')
 with:
@@ -22,9 +20,6 @@ jobs:
 secrets: inherit
 bench-gv3:
 name: Graviton3
- permissions:
- contents: 'read'
- id-token: 'write'
 uses: ./.github/workflows/bench_ec2_reusable.yml
 if: github.repository_owner == 'pq-code-package' && (github.event.label.name == 'benchmark' || github.ref == 'refs/heads/main')
 with:
diff --git a/.github/workflows/bench_ec2_reusable.yml b/.github/workflows/bench_ec2_reusable.yml
index ee40bce3b..0926e4710 100644
--- a/.github/workflows/bench_ec2_reusable.yml
+++ b/.github/workflows/bench_ec2_reusable.yml
@@ -18,15 +18,13 @@ on:
 type: string
 description: Custom ARCH flags for compilation
 default: -march=armv8.2-a
+permissions: write-all
 env:
 AWS_ROLE: arn:aws:iam::559050233797:role/mlkem-c-aarch64-gh-action
 AWS_REGION: us-east-1
 jobs:
 start-ec2-runner:
 name: Start ${{ github.event.inputs.ec2_instance_type }} instance
- permissions:
- contents: 'read'
- id-token: 'write'
 runs-on: ubuntu-latest
 outputs:
 label: ${{ steps.start-ec2-runner.outputs.label }}
@@ -80,9 +78,6 @@ jobs:
 cat output.json
 stop-ec2-runner:
 name: Stop ${{ inputs.ec2_instance_type }} instance
- permissions:
- contents: 'read'
- id-token: 'write'
 needs:
 - start-ec2-runner
 - bench # required to wait when the main job is done
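Review bot: The added top-level `permissions: write-all` gives the GITHUB_TOKEN write access to every scope for both `bench-gv2` and `bench-gv3`, where the job-level blocks removed in this hunk and the next granted only `contents: 'read'` and `id-token: 'write'`. Both jobs pass `secrets: inherit` into a reusable workflow that a `labeled` pull request can trigger, so a least-privilege grant matters here. I would keep a single workflow-level mapping instead, `permissions:` with `contents: read` and `id-token: write`, and add by name only the extra scope the benchmark actually needs; the commit does not show which scope motivated the change. A one-line comment above the mapping saying why each scope is granted would help the next reviewer.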
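Review bot: In the reusable workflow the workflow-level `permissions: write-all` applies to every job, so `id-token: write`, previously declared only on `start-ec2-runner` and (in the next hunk) `stop-ec2-runner`, now also reaches the `bench` job named under `needs`, whose body is outside these hunks. If `bench` builds and runs pull-request code on the EC2 runner, that code would presumably hold a write-scoped GITHUB_TOKEN and be able to request an OIDC token for `AWS_ROLE`; whether the role's trust policy would accept it is not visible here. I would set the workflow default to `permissions:` with `contents: read` and keep `id-token: write` on the two runner-management jobs only. A called workflow can only narrow the caller's grant, never widen it, so the caller still has to pass `id-token: write`.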