What data can Parsivex see?

A detailed breakdown of the AWS data Parsivex reads during a scan — and what we never access.

Last updated July 3, 2026

Parsivex connects to your AWS account through a read-only IAM role. We only request the minimum permissions needed to find waste and estimate savings. This article explains exactly what we can see, what we cannot see, and what we can never do.

Summary

Can seeAWS billing data, resource inventory metadata, CloudWatch metrics
Cannot seeApplication data, secrets, S3 object contents, environment variables
Cannot doCreate, modify, or delete any AWS resource

For the exact IAM policy attached to the role you create, see our Security & Trust page.

Billing data

Parsivex reads Cost Explorer data to understand where your money goes. This includes:

  • Service-level and account-level cost totals
  • Usage patterns over time (daily and monthly aggregates)
  • Reservation and Savings Plans utilization signals

We use billing data to contextualize findings — for example, showing that an idle EC2 instance represents a meaningful share of your monthly spend. We do not store raw billing line items beyond what is needed for your scan report.

Resource inventory metadata

Parsivex inventories AWS resources to detect waste. We read metadata only — configuration, status, and sizing — never the contents inside those resources.

ServiceWhat we readExample use
EC2Instance type, state, launch time, attached volumesIdle instance detection
EBSVolume size, attachment status, snapshot relationshipsOrphaned volume detection
RDSInstance class, storage, multi-AZ configOversized database detection
LambdaMemory, timeout, concurrency settingsRight-sizing recommendations
Elastic Load BalancingLoad balancer type, target health, ageUnused load balancer detection
DynamoDBTable names, capacity mode, item count estimatesInventory context
S3Bucket names, location, lifecycle rules, multipart upload metadataStorage class and lifecycle findings

CloudWatch metrics

Parsivex reads CloudWatch metrics to determine whether resources are actually being used:

  • EC2 CPU and network utilization
  • RDS connection counts and CPU
  • Lambda invocation counts
  • Load balancer request counts

Metrics help distinguish a resource that is intentionally idle (for example, a standby instance) from one that has been forgotten. All metric reads use GetMetricStatistics and ListMetrics — read-only operations.

What Parsivex cannot see

The IAM policy explicitly excludes access to application data and secrets:

  • S3 object contents — we see bucket metadata, not files
  • Database contents — we see RDS instance configuration, not table data
  • Secrets Manager, SSM Parameter Store, KMS — not included in the policy
  • Environment variables on Lambda or EC2 — not accessible
  • IAM credentials — we never read access keys or user passwords

If a permission is not listed in the IAM policy on our security page, Parsivex cannot use it.

What Parsivex cannot do

Every action in the IAM policy is read-only (Describe*, Get*, List*). Parsivex has no write permissions — we cannot:

  • Start, stop, or terminate instances
  • Delete volumes, snapshots, or buckets
  • Change security groups, IAM policies, or billing settings
  • Make purchases or modify reservations

Remediation scripts are generated for you to run in your own terminal. Parsivex never executes changes on your behalf.

How access is protected

Parsivex uses AWS cross-account role assumption with an External ID — a secret token unique to your account. Even if someone knows the Parsivex AWS account ID, they cannot assume your role without your External ID. This prevents confused-deputy attacks.

You can revoke access at any time by deleting the IAM role. Access ends immediately.

Related articles