Connect your AWS account to Parsivex in about 10 minutes. This guide walks you through creating a secure, read-only IAM role that lets us analyze your cloud spending.
Why we need access
Parsivex needs read-only access to your AWS account to identify cost-saving opportunities. Here is exactly what we can and cannot do:
What we can see
| Data type | Why we need it |
|---|---|
| Cost and billing data | To identify spending patterns and waste |
| Resource inventory | To find unused or oversized EC2, RDS, Lambda, and S3 resources |
| CloudWatch metrics | To detect idle or underutilized resources |
| Tags and metadata | To provide context in your reports |
What we cannot do
- Create, modify, or delete any resources
- Access your application data (database contents, S3 file contents, etc.)
- Make purchases or change your billing settings
- Access IAM credentials or secrets
The role you create uses AWS's standard cross-account access pattern with an External ID — the same security mechanism used by thousands of SaaS tools that integrate with AWS. See External ID explained for how this protects your account.
Prerequisites
Before you start, make sure you have:
- Administrator access to your AWS account (or IAM permissions to create roles and policies)
- 10 minutes of uninterrupted time
- Your Parsivex External ID (shown in the onboarding wizard when you add an AWS account, or in Integrations → AWS connections)
Don't have admin access? Forward this guide to someone on your team who does.
Step-by-step setup
Step 1: Open the IAM console
- Sign in to your AWS Management Console
- In the search bar at the top, type IAM and select IAM from the results
- You should now see the IAM Dashboard
Step 2: Create a new role
- In the left sidebar, click Roles
- Click the Create role button (top right)
Step 3: Select trusted entity type
- Under Trusted entity type, select AWS account
- Under An AWS account, select Another AWS account
- Enter the Parsivex AWS Account ID shown in your Parsivex dashboard or onboarding wizard
- Check the box for Require external ID
- Enter your External ID from Parsivex (format:
parsivex-xxxxxxxxxxxx) - Click Next
Your unique External ID appears in the onboarding wizard after you save your AWS account ID, and in Integrations → AWS connections. See External ID explained for what it does and why it matters.
Step 4: Attach the read-only policy
- In the search box, type ReadOnlyAccess
- Find and check the box next to ReadOnlyAccess (the AWS managed policy)
- Click Next
This AWS-managed policy grants read-only access across all AWS services. It cannot create, modify, or delete any resources. AWS maintains this policy and it is used by thousands of organizations for audit and monitoring tools.
For a tighter permission set, use the Parsivex minimal policy instead — see Use a more restrictive policy below.
Step 5: Name and create the role
- For Role name, enter:
ParsivexReadOnly - Optionally, add a description:
Read-only access for Parsivex AWS cost optimization - Scroll down and click Create role
- You should see a green success banner: "Role ParsivexReadOnly created"
Step 6: Copy your role ARN
- Click on the role name ParsivexReadOnly to open it
- At the top of the role summary, copy the ARN (Amazon Resource Name). It looks like:
arn:aws:iam::YOUR-ACCOUNT-ID:role/ParsivexReadOnly
- Paste this ARN into the Parsivex onboarding wizard or Integrations → AWS connections when prompted
Verify your connection
After entering your Role ARN in Parsivex:
- Click Test connection in the onboarding wizard (or Verify in Integrations)
- Wait 10–15 seconds for the verification to complete
- You should see a green checkmark with "Connection successful"
If the test fails, see Troubleshooting below or the dedicated Connection troubleshooting article.
Security FAQ
Is this safe?
Yes. The role you created is read-only — it cannot make any changes to your AWS account. This is the same security pattern used by AWS's own partner integrations and tools like Datadog, CloudHealth, and AWS Trusted Advisor.
What is an External ID and why do I need it?
The External ID is a secret shared between you and Parsivex. It prevents a security issue called the "confused deputy problem" where a malicious third party could trick Parsivex into accessing the wrong account. AWS recommends External IDs for all cross-account access.
Read External ID explained for a plain-English walkthrough, or AWS documentation on External IDs.
Can Parsivex access my data (database contents, files, etc.)?
No. The read-only policy only allows reading metadata and metrics — not the contents of your databases, S3 objects, or application data. We see that you have a file, not what is in it.
Use a more restrictive policy
Yes — you can use the Parsivex minimal custom policy instead of the broad AWS-managed ReadOnlyAccess. Our policy includes only the specific permissions Parsivex needs:
| Service | Actions | Purpose |
|---|---|---|
| Cost Explorer | ce:Get*, ce:Describe* | Cost and usage analysis |
| CloudWatch | cloudwatch:Get*, cloudwatch:Describe*, cloudwatch:List* | Resource metrics |
| EC2 | ec2:Describe* | Instance and EBS inventory |
| RDS | rds:Describe* | Database inventory |
| Lambda | lambda:Get*, lambda:List* | Function inventory |
| S3 | s3:GetBucket*, s3:List* | Bucket metadata only |
Automated deployment (recommended)
Use our Infrastructure-as-Code templates for one-click deployment — see Deploy with CloudFormation or Terraform for required parameters and CLI examples.
- CloudFormation — Use the Deploy with CloudFormation button in the onboarding wizard, or download the template from the security page
- Terraform — Download the Terraform module from the security page
Manual setup
If you prefer manual setup, copy the policy JSON from our security page and attach it to your role:
- In IAM, go to Policies → Create policy
- Click the JSON tab and paste the policy from /security
- Name it
ParsivexReadOnlyPolicy - When creating the role, attach this policy instead of ReadOnlyAccess
The trust policy on /security also shows the exact Principal and External ID condition Parsivex expects.
How do I revoke access?
To disconnect Parsivex from your AWS account:
- Go to IAM → Roles in the AWS Console
- Search for ParsivexReadOnly
- Select the role and click Delete
- Confirm the deletion
Access is revoked immediately. No further scans will be possible until you create a new role.
Do you store my AWS credentials?
No. We store only the Role ARN and External ID. When we need to access your account, we use AWS's AssumeRole API to get temporary credentials that expire after one hour. We never have or store long-term credentials for your account.
Troubleshooting
"Access Denied" or "Not authorized to perform sts:AssumeRole"
Cause: The trust relationship is not configured correctly.
Fix:
- Go to IAM → Roles → ParsivexReadOnly
- Click the Trust relationships tab
- Click Edit trust policy
- Verify it matches the trust policy on our security page
Make sure:
- The Account ID matches the Parsivex Account ID from your dashboard
- The External ID matches exactly (case-sensitive, no extra spaces)
"Invalid External ID"
Cause: The External ID in AWS does not match what Parsivex is sending.
Fix:
- Copy the External ID from your Parsivex dashboard again
- Go to IAM → Roles → ParsivexReadOnly → Trust relationships
- Update the External ID to match exactly
See External ID explained for more context.
"Role does not exist" or "Invalid ARN"
Cause: The Role ARN was entered incorrectly in Parsivex.
Fix:
- Go to IAM → Roles → ParsivexReadOnly
- Copy the full ARN (starts with
arn:aws:iam::) - Paste it in Parsivex, making sure there are no extra spaces
"Insufficient permissions" during scan
Cause: The role is missing required permissions.
Fix:
- Verify the ReadOnlyAccess policy (or Parsivex minimal policy) is attached to the role
- Go to IAM → Roles → ParsivexReadOnly → Permissions
- If the policy is not listed, click Add permissions → Attach policies and attach it
Connection was working but stopped
Cause: The role may have been modified or deleted.
Fix:
- Check that the role still exists in IAM → Roles
- Verify the trust policy still references the correct Parsivex Account ID
- Confirm the read-only policy is still attached
Still having trouble?
Contact us at support@parsivex.com with:
- Your AWS Account ID (visible in the top-right of AWS Console)
- The error message you are seeing
- A screenshot of your role's Trust relationships tab
We typically respond within a few hours on business days.
Next steps
Once connected, Parsivex will:
- Run an initial scan (takes 2–5 minutes)
- Generate your first report with identified savings
- Email you when the report is ready
You can also view your report anytime in the Parsivex dashboard. See Your first scan for a full walkthrough.