You shouldn't have to hand over the keys to your kingdom to get a better cloud strategy. With tools like AWS IAM, Google Cloud IAM or Azure Active Directory, you should never have to.
It all starts with read-only, programmatic permissions to just a few services (find out how to set up an IAM credential for Sunshower.io). For AWS, our currently supported cloud, those permissions look like this:
We recommend you follow the AWS docs on creating a user with programmatic access to your system.
First, we need "Describe" permissions to autoscaling and EC2 -- this helps us learn what instances you have running. It doesn't give us any information about what's running on them, just things like the instance type, the instance ID, whether it's on or off, and more. (Check out the AWS documents on EC2 or autoscaling for more.) All we get is metadata, no application data or application access.
After we have that, we need information from CloudWatch. We can't crunch numbers for metrics we don't have access to, so if you don't have CloudWatch running or don't have the CloudWatch memory agent installed, you won't get the full benefit of our optimization. But still -- we get no access to your system, only knowledge of the resource utilization of your workloads.
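Before handing a credential like this to any third party, you can check the attached policy document yourself. The following is an added example, not Sunshower.io's code or its actual policy: it flags every Allow that goes beyond "Describe" on EC2 and autoscaling or beyond read calls on CloudWatch. The `ALLOWED` table, the function names and both sample policies are assumptions made for illustration.

```python
# Added example: audit an IAM policy for anything beyond read-only metadata access.
ALLOWED = {  # assumption: the services named in the text, with read-style verb prefixes
    "ec2": ("describe",),
    "autoscaling": ("describe",),
    "cloudwatch": ("describe", "get", "list"),
}

def _as_list(value):
    """IAM accepts a single item or a list for both Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy):
    """Return (statement index, action, reason) for each over-broad Allow."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny can only narrow access
        if "NotAction" in stmt:
            findings.append((i, "NotAction", "allows all actions except those listed"))
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.lower().partition(":")  # action names are case-insensitive
            if service not in ALLOWED:
                findings.append((i, action, "service not needed"))
            elif not verb.startswith(ALLOWED[service]):
                findings.append((i, action, "not a read-only action"))
    return findings

# Constructed sample policies (not the vendor's actual policy document).
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "autoscaling:Describe*",
        "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"]},
]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:Describe*", "ec2:RunInstances"]},
    {"Effect": "Allow", "Resource": "*", "Action": "s3:GetObject"},
    {"Effect": "Allow", "Resource": "*", "Action": "cloudwatch:*"},
]}

if __name__ == "__main__":
    for name, pol in (("read-only", READ_ONLY_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(pol) or "OK")
```

`ec2:Describe*` also covers `DescribeInstanceAttribute`, which can return instance user data, so keep secrets out of user data when granting it.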