Parsivex connects to your AWS account through a read-only IAM role. We only request the minimum permissions needed to find waste and estimate savings. This article explains exactly what we can see, what we cannot see, and what we can never do.
Summary
| Can see | AWS billing data, resource inventory metadata, CloudWatch metrics |
| Cannot see | Application data, secrets, S3 object contents, environment variables |
| Cannot do | Create, modify, or delete any AWS resource |
For the exact IAM policy attached to the role you create, see our Security & Trust page.
Billing data
Parsivex reads Cost Explorer data to understand where your money goes. This includes:
- Service-level and account-level cost totals
- Usage patterns over time (daily and monthly aggregates)
- Reservation and Savings Plans utilization signals
We use billing data to contextualize findings — for example, showing that an idle EC2 instance represents a meaningful share of your monthly spend. We do not store raw billing line items beyond what is needed for your scan report.
Resource inventory metadata
Parsivex inventories AWS resources to detect waste. We read metadata only — configuration, status, and sizing — never the contents inside those resources.
| Service | What we read | Example use |
|---|---|---|
| EC2 | Instance type, state, launch time, attached volumes | Idle instance detection |
| EBS | Volume size, attachment status, snapshot relationships | Orphaned volume detection |
| RDS | Instance class, storage, multi-AZ config | Oversized database detection |
| Lambda | Memory, timeout, concurrency settings | Right-sizing recommendations |
| Elastic Load Balancing | Load balancer type, target health, age | Unused load balancer detection |
| DynamoDB | Table names, capacity mode, item count estimates | Inventory context |
| S3 | Bucket names, location, lifecycle rules, multipart upload metadata | Storage class and lifecycle findings |
For S3, we can see that a bucket exists, how large it is, and whether lifecycle rules are configured. We cannot read, list, or download the objects inside your buckets.
CloudWatch metrics
Parsivex reads CloudWatch metrics to determine whether resources are actually being used:
- EC2 CPU and network utilization
- RDS connection counts and CPU
- Lambda invocation counts
- Load balancer request counts
Metrics help distinguish a resource that is intentionally idle (for example, a standby instance) from one that has been forgotten. All metric reads use GetMetricStatistics and ListMetrics — read-only operations.
What Parsivex cannot see
The IAM policy explicitly excludes access to application data and secrets:
- S3 object contents — we see bucket metadata, not files
- Database contents — we see RDS instance configuration, not table data
- Secrets Manager, SSM Parameter Store, KMS — not included in the policy
- Environment variables on Lambda or EC2 — not accessible
- IAM credentials — we never read access keys or user passwords
If a permission is not listed in the IAM policy on our security page, Parsivex cannot use it.
What Parsivex cannot do
Every action in the IAM policy is read-only (Describe*, Get*, List*). Parsivex has no write permissions — we cannot:
- Start, stop, or terminate instances
- Delete volumes, snapshots, or buckets
- Change security groups, IAM policies, or billing settings
- Make purchases or modify reservations
Remediation scripts are generated for you to run in your own terminal. Parsivex never executes changes on your behalf.
How access is protected
Parsivex uses AWS cross-account role assumption with an External ID — a secret token unique to your account. Even if someone knows the Parsivex AWS account ID, they cannot assume your role without your External ID. This prevents confused-deputy attacks.
You can revoke access at any time by deleting the IAM role. Access ends immediately.
Related articles
- Security FAQ — common security questions, data retention, and account deletion
- Revoking Parsivex access — how to disconnect and what happens to your data