Security & Trust

Parsivex needs read-only access to your AWS account to scan for waste. Here's exactly what that means — and what it doesn't.

Security help center

Expanded guides on data access, revocation, and common security questions live in our help center. The IAM policy JSON below remains the canonical reference.

Browse all AWS access articles in the help center.

What Parsivex can — and cannot — do

Can see
AWS billing data, resource inventory, CloudWatch metrics
Cannot see
Application data, secrets, S3 object contents, environment variables
Cannot do
Create, modify, or delete any AWS resource

Read-only IAM role with External ID protection

  • You create a read-only IAM role in your account and grant Parsivex permission to assume it
  • The role is locked to the minimum permissions required — no write access, ever
  • We use an External ID (a secret token unique to your account) to prevent confused deputy attacks — even if someone knows our AWS account ID, they cannot assume your role without the External ID
  • You can revoke access instantly by deleting the IAM role — we lose all access immediately

IAM policy

This is the exact read-only policy attached to the role you create:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ParsivexReadOnly",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "elasticloadbalancing:Describe*",
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "lambda:ListFunctions",
        "lambda:GetFunctionConcurrency",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "*"
    }
  ]
}

FAQ

Common questions are answered in our Security FAQ help article, including data retention, where data is stored, and account deletion scope. Quick answers:

Can Parsivex see my application data or secrets?
No. The IAM policy does not grant access to S3 object contents, Secrets Manager, SSM Parameter Store, or any service that stores application data. See full data access breakdown →
Can Parsivex make changes to my infrastructure?
No. All actions in the policy are read-only (Describe*, Get*, List*). There are no write permissions.
How do I revoke access?
Delete the IAM role from your AWS console. Access is revoked immediately. Revocation guide →

Contact

Questions? Email us at hello@parsivex.com — we're happy to walk through the access model on a call.