Aqua CSPM (formerly "CloudSploit") performs read-only API calls to the control plane of the IaaS account. 

For example, in AWS, we make calls to list EC2 instances, S3 buckets, RDS instances, etc. 

CloudSploit never gets visibility into the contents of those resources, only the configuration metadata of how they are deployed. This access level allows us to generate security reports that highlight misconfigurations in your IaaS accounts.