Privacy & Access
This page explains exactly what StackSage reads from AWS, what ends up in your outputs, and what is opt-in. StackSage is privacy-first by default: it runs inside your GitHub Actions runner and does not ingest AWS credentials into a hosted SaaS.
Data flow (high level)
- Run the StackSage workflow (or run locally).
- Assume a customer-controlled read-only role (STS AssumeRole).
- Read resource metadata and (optional) aggregate metrics / spend totals.
- Produce local artifacts (HTML report + JSON/CSV findings) as workflow artifacts under your control.
Privacy guardrails
- No application payloads are accessed.
- No S3 object contents or object keys are accessed.
- CloudWatch utilization (when enabled) uses aggregate statistics only (e.g., Average over a lookback window) with a bounded query budget.
- Cost Explorer (when enabled) uses spend totals only (grouped by service and region).
Opt-ins (explicit)
- Cost Explorer (historical spend) — requires ce:GetCostAndUsage.
- AWS Pricing API (public catalog metadata) — requires pricing:GetProducts.
- Tagging compliance checks — may surface tag values; keep this opt-in to reduce noise.
What we output (and what we avoid)
Outputs typically include resource identifiers needed for actionability (instance IDs, volume IDs, etc.), regions/AZs, estimated monthly cost and savings, and evidence/provenance (for example: whether CloudWatch/Cost Explorer were enabled, and per-metric status like measured/no data/access denied/skipped).
We avoid collecting secrets/credentials, S3 object names/keys or contents, and CloudWatch Logs event payloads.
Permissions matrix (by feature)
This is a representative set of read-only APIs used for common checks. Exact usage can vary by enabled features.
Core inventory (default)
| Feature | AWS API(s) | What we read | What appears in outputs |
|---|---|---|---|
| Region discovery | ec2:DescribeRegions | Enabled regions list | Regions scanned |
| EC2 inventory | ec2:DescribeInstances | Instance metadata (type/state/tags if present) | Instance IDs + type/state + region in findings |
| EBS inventory | ec2:DescribeVolumes | Volume metadata (size/type/attachments/tags) | Volume IDs + size/type/region in findings |
| Snapshot inventory | ec2:DescribeSnapshots | Snapshot metadata (size/start time/tags) | Snapshot IDs + age/size/region in findings |
| S3 inventory (minimal) | s3:ListAllMyBuckets, s3:GetBucketLocation | Bucket list + region | Bucket names + region in findings |
| RDS inventory | rds:DescribeDBInstances | DB metadata (class/engine/status/VPC) | DB identifier/class/region in findings |
CloudWatch utilization (opt-in)
| Feature | AWS API(s) | What we read | What appears in outputs |
|---|---|---|---|
| Utilization metrics | cloudwatch:GetMetricStatistics | Aggregate datapoints (Average) | Aggregates + status; provenance + budget counters |
Cost Explorer (opt-in)
| Feature | AWS API(s) | What we read | What appears in outputs |
|---|---|---|---|
| Spend totals | ce:GetCostAndUsage | Service/region totals for a time window | Total spend + top services/regions tables |
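As an added example (not StackSage's own policy document), the permissions matrix above can be expressed as a least-privilege IAM permissions policy for the read-only role that the workflow assumes: the first statement covers the default core inventory, each opt-in feature gets its own statement so it can be deleted when the feature is off, and a final explicit Deny enforces the "what we avoid" list at the IAM layer regardless of tool behaviour. The Sid names and the Deny action list are assumptions; the Allow actions are exactly those in the matrix and the opt-in list.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StackSageCoreInventoryDefault",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "StackSageCloudWatchUtilizationOptIn",
      "Effect": "Allow",
      "Action": "cloudwatch:GetMetricStatistics",
      "Resource": "*"
    },
    {
      "Sid": "StackSageCostExplorerOptIn",
      "Effect": "Allow",
      "Action": "ce:GetCostAndUsage",
      "Resource": "*"
    },
    {
      "Sid": "StackSagePricingOptIn",
      "Effect": "Allow",
      "Action": "pricing:GetProducts",
      "Resource": "*"
    },
    {
      "Sid": "NeverReadPayloadsOrObjectKeys",
      "Effect": "Deny",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "logs:StartQuery"
      ],
      "Resource": "*"
    }
  ]
}
```

Remove the opt-in statements for features you have not enabled; the Deny is redundant with this minimal Allow list but keeps S3 object keys/contents and CloudWatch Logs payloads unreadable even if the Allow list is widened later.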
Questions? Email hello@stacksageai.com.