Security & Permissions

What data does CostSage access?

We ask for the minimum permissions needed. Here's exactly what we read, what we write, and what we never touch.

🤖 ISO 42001 AI Certified
🛡️ ISO 27001 Secured
✅ ISO 9001 Quality
☁️ AWS Partner

AWS Permissions

CostSage connects to AWS using an IAM role with read-only permissions for analysis, and scoped write permissions for approved execution actions only.

Read-Only Analysis Always

Required to understand your cloud costs and identify savings opportunities.

sts:AssumeRole
ce:GetCostAndUsage
ec2:Describe*
cloudwatch:GetMetricData
rds:DescribeDB*
s3:ListAllMyBuckets

Scoped Write Execution Approval Only

Only used after you explicitly approve a recommendation. Actions are scoped to specific resources.

ec2:StopInstances
ec2:ModifyInstanceAttribute
ec2:TerminateInstances
rds:ModifyDBInstance
s3:DeleteObject

Every action logged: All execution actions are logged to CloudTrail for complete auditability. You maintain full visibility and control.
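As an added check, not part of this page or CostSage's own tooling, the Python script below lints a candidate IAM permissions policy and the role's trust policy against the two action lists above before the role is created: every Allow action must be one of the documented read or write actions (a broader wildcard such as ec2:* is reported), and every documented write action must be pinned to specific resource ARNs or a Condition rather than "*". The policy documents, account IDs and ExternalId value are constructed placeholders; the named-principal and sts:ExternalId checks on the trust policy are the standard AWS recommendations for third-party cross-account roles and are assumed here rather than stated on the page.

```python
"""Lint a candidate IAM permissions policy and trust policy against the documented action lists."""
import fnmatch

# Action lists exactly as documented above: read-only (always) and scoped write (approval only).
DOCUMENTED_READ = {
    "sts:AssumeRole", "ce:GetCostAndUsage", "ec2:Describe*",
    "cloudwatch:GetMetricData", "rds:DescribeDB*", "s3:ListAllMyBuckets",
}
DOCUMENTED_WRITE = {
    "ec2:StopInstances", "ec2:ModifyInstanceAttribute", "ec2:TerminateInstances",
    "rds:ModifyDBInstance", "s3:DeleteObject",
}


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _documented(action, documented):
    """True if the action equals a documented action or falls under a documented wildcard.
    A broader wildcard such as ec2:* or * matches nothing and is therefore reported."""
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in documented)


def lint_permissions_policy(policy):
    """Return findings as strings; an empty list means every Allow stays inside the documented
    scope and every write action is bound to specific resources or a Condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource inverts the allowlist")
            continue
        unscoped = "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt
        for action in _as_list(stmt.get("Action")):
            if _documented(action, DOCUMENTED_WRITE):
                if unscoped:
                    findings.append(f"statement {i}: write action {action} allowed on '*' without a Condition")
            elif not _documented(action, DOCUMENTED_READ):
                findings.append(f"statement {i}: undocumented action {action}")
    return findings


def lint_trust_policy(trust):
    """Check who may call sts:AssumeRole on the role: a named AWS principal rather than '*', and an
    sts:ExternalId condition (assumed best practice for vendor roles, not a claim made on the page)."""
    findings = []
    for i, stmt in enumerate(_as_list(trust.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append(f"statement {i}: any AWS account may assume the role")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


# Constructed sample documents, not CostSage's real policies; account IDs and the ExternalId are placeholders.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ce:GetCostAndUsage", "ec2:Describe*", "cloudwatch:GetMetricData",
                    "rds:DescribeDB*", "s3:ListAllMyBuckets"]},
        {"Effect": "Allow",
         "Action": ["ec2:StopInstances", "ec2:ModifyInstanceAttribute", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/costsage-approved": "true"}}},
    ],
}
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:DeleteObject"], "Resource": "*"}],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
                   "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}}}],
}

if __name__ == "__main__":
    for name, doc in [("scoped", SCOPED_POLICY), ("overbroad", OVERBROAD_POLICY)]:
        print(name, lint_permissions_policy(doc) or "ok")
    print("trust", lint_trust_policy(TRUST_POLICY) or "ok")
```

Run it against the policy JSON you are asked to attach during setup; the scoped sample passes cleanly, while the overbroad sample is reported for an undocumented ec2:* and for s3:DeleteObject granted on every resource.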

Azure Permissions

CostSage integrates with Azure using RBAC (Role-Based Access Control) with Reader role for analysis and scoped Contributor permissions for approved actions.

RBAC Reader Role Always

Read-only access to understand your Azure subscriptions and identify waste.

Microsoft.Authorization/read
Microsoft.Compute/read
Microsoft.CostManagement/read
Microsoft.Storage/read
Microsoft.Sql/read

Scoped Contributor Approval Only

Limited to specific resource groups you designate for execution-approved actions.

Microsoft.Compute/write
Microsoft.Storage/write
Microsoft.Sql/write
(Scoped to approved RG)

Granular control: You choose which resource groups CostSage can modify. No access to other subscriptions unless explicitly granted.
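As an added check in the same spirit, and again not CostSage's own code, this Python script inspects an Azure custom role definition (in the JSON shape accepted by `az role definition create`) and a list of role assignments (as emitted by `az role assignment list`). It reports control-plane actions outside the documented lists, any DataActions (data-plane access to blob or row contents, which the page rules out), and assignable or assignment scopes for the write role that are wider than, or outside, the resource groups you approved. The subscription ID, resource group names and role name are constructed placeholders, and the operation strings are used exactly as the page lists them.

```python
"""Check an Azure custom role definition and its assignments against the documented scoping."""
import fnmatch
import re

# Operation strings as listed above: Reader role (always) and scoped Contributor (approval only).
DOCUMENTED_READ = {
    "Microsoft.Authorization/read", "Microsoft.Compute/read", "Microsoft.CostManagement/read",
    "Microsoft.Storage/read", "Microsoft.Sql/read",
}
DOCUMENTED_WRITE = {"Microsoft.Compute/write", "Microsoft.Storage/write", "Microsoft.Sql/write"}

# A resource-group scope or any scope beneath one; group 1 is the resource group name.
_RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/([^/]+)(?:/.*)?$", re.IGNORECASE)


def resource_group_of(scope):
    """Resource group a scope sits in (lower-cased, since Azure compares names case-insensitively),
    or None for subscription- and management-group-level scopes."""
    m = _RG_SCOPE.match(scope or "")
    return m.group(1).lower() if m else None


def lint_role_definition(role, approved_rgs):
    """Findings for a custom role definition: actions outside the documented lists, any DataActions,
    and, for a role carrying write actions, assignable scopes wider than the approved resource groups."""
    approved = {rg.lower() for rg in approved_rgs}
    actions = role.get("Actions", [])
    findings = []
    for action in actions:
        if not any(fnmatch.fnmatchcase(action, p) for p in DOCUMENTED_READ | DOCUMENTED_WRITE):
            findings.append(f"undocumented action {action}")
    if role.get("DataActions"):
        findings.append("DataActions grant data-plane access (blob/row contents), which the page rules out")
    if any(a in DOCUMENTED_WRITE for a in actions):
        for scope in role.get("AssignableScopes", []):
            rg = resource_group_of(scope)
            if rg is None:
                findings.append(f"write role assignable at {scope}, wider than a resource group")
            elif rg not in approved:
                findings.append(f"write role assignable in unapproved resource group {rg}")
    return findings


def lint_role_assignments(assignments, write_role_name, approved_rgs):
    """Findings for assignments of the write role whose scope is outside the approved resource groups."""
    approved = {rg.lower() for rg in approved_rgs}
    findings = []
    for assignment in assignments:
        if assignment.get("roleDefinitionName") != write_role_name:
            continue
        if resource_group_of(assignment.get("scope")) not in approved:
            findings.append(f"{write_role_name} assigned at {assignment.get('scope')} outside approved groups")
    return findings


# Constructed samples, not CostSage's real role definitions; subscription ID and names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APPROVED_RGS = ["rg-costsage-approved"]
SCOPED_WRITER = {
    "Name": "CostSage Scoped Writer", "IsCustom": True,
    "Actions": sorted(DOCUMENTED_WRITE), "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": [f"{SUB}/resourceGroups/rg-costsage-approved"],
}
OVERBROAD_WRITER = {
    "Name": "CostSage Scoped Writer", "IsCustom": True,
    "Actions": ["Microsoft.Compute/write", "Microsoft.Sql/*"],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "AssignableScopes": [SUB],  # whole subscription, not a resource group
}
ASSIGNMENTS = [
    {"roleDefinitionName": "CostSage Scoped Writer", "scope": f"{SUB}/resourceGroups/RG-CostSage-Approved"},
    {"roleDefinitionName": "CostSage Scoped Writer", "scope": f"{SUB}/resourceGroups/rg-production"},
    {"roleDefinitionName": "Reader", "scope": SUB},  # subscription-wide read is the documented baseline
]

if __name__ == "__main__":
    print("scoped:", lint_role_definition(SCOPED_WRITER, APPROVED_RGS) or "ok")
    print("overbroad:", lint_role_definition(OVERBROAD_WRITER, APPROVED_RGS))
    print("assignments:", lint_role_assignments(ASSIGNMENTS, "CostSage Scoped Writer", APPROVED_RGS))
```

The scope check deliberately accepts scopes beneath an approved resource group (an individual VM, for instance), since those are narrower than the group itself, and rejects subscription or management-group scopes for any role that carries a write action.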

What We NEVER Access

These are strictly off-limits, regardless of permissions granted.

🚫 Forbidden Data

✗ Source code: No access to CodeCommit, GitHub, or container registries
✗ Application secrets: AWS Secrets Manager, Key Vault stay private
✗ Database contents: We read size/performance metrics only, never data
✗ Customer PII: No access to user data, customer records, or sensitive logs
✗ S3 object contents: Bucket metadata only; object data is never read
✗ Private networking configs: VPC internals, security groups, NACLs stay hidden

Data Storage & Retention

How we protect your data and how long we keep it.

๐Ÿ” Encryption

At rest: AES-256 encryption for all stored cost and usage data.

In transit: TLS 1.3 for all API communications with AWS and Azure.

📅 Retention & Compliance

Default retention: 90 days. You can request shorter retention periods.

GDPR compliant: Full data portability and deletion on request. ISO 27001 certified.

Permission Request Flow

Here's exactly what happens when you connect CostSage to your cloud account.

4-Step Connection Process

1. Connect: Enter AWS or Azure credentials via OAuth/SAML
2. Grant Read-Only: IAM role or RBAC Reader role
3. Review Analysis: See savings opportunities
4. Approve & Execute: Scoped write role for actions

Frequently Asked Questions

Can CostSage delete my resources?
Only if you explicitly approve an action. CostSage never deletes resources autonomously. You review and confirm each recommendation before any write action occurs. All deletions are logged to CloudTrail for full auditability.

What if I want to revoke access?
You can revoke access instantly by deleting the CostSage IAM role (AWS) or removing the app registration (Azure). Your cost data is never retained after revocation. We recommend periodic review of granted permissions in your cloud provider's access management console.

Do you store my AWS or Azure credentials?
Never. We use OAuth 2.0 for AWS and SAML/OAuth for Azure, which means we never handle your passwords or long-lived credentials. You maintain full control of your access tokens through your cloud provider's security settings.

Is data shared between customers?
Absolutely not. Your cloud cost data, recommendations, and execution history are completely isolated. We never share data between customers, use it for competitive analysis, or train models on your data. Each account is entirely separate.

Start Your Free Trial

See exactly what permissions we request

During setup, you'll see every permission CostSage asks for and can review it before granting access.

Free 14-day trial · No credit card · 60-sec setup