Finder-Fixer Lifecycle

CloudFix uses a secure four-step lifecycle to analyze and optimize your AWS infrastructure. At every stage, you maintain full control over your data and changes.

1. Connect via CloudFormation StackSet

You connect your AWS account to CloudFix through a CloudFormation StackSet provided by CloudFix. This creates carefully scoped IAM roles with only the permissions needed for analysis and approved optimizations.

2. Metadata Collection (Read-Only)

The Finder role collects resource metadata using standard AWS tools: AWS Cost and Usage Reports (CUR), CloudWatch metrics, and read-only resource metadata (for example, instance descriptions). Only control-plane Describe, List, and Get actions are performed; no application data or object content is read.

3. Optimization Recommendations

75+ automated finders analyze the collected metadata to identify cost savings opportunities. Recommendations appear in your CloudFix dashboard with estimated savings, effort, and risk for each finding.

4. Approved Execution via SSM Automation

When you approve a fix, CloudFix executes it through central automation runbooks in AWS SSM Automation. No change to core services (EC2 instances, EBS volumes, S3) is made until you have explicitly approved the runbook.

The changes are executed by a fixer role in your account. CloudFix creates that role through the template but cannot itself assume or access it, so you retain full control over what runs and when.

IAM Role Architecture

CloudFix creates a set of minimally-scoped IAM roles in your AWS account. Each role follows the principle of least privilege and is limited to specific service areas.

Core Functionality Roles

cloudfix-athena-query-execution-role — Queries AWS Cost and Usage Reports via Amazon Athena. Manages AWS Organizations data and CloudFormation stack operations. This role processes billing data, not infrastructure data.

Finder Role (Read-Only)

cloudfix-finder-role — Discovers optimization opportunities across your AWS services. This role is strictly read-only and limited to Describe, List, and Get actions across the following services:

EC2, S3, RDS, CloudWatch, CloudTrail, DynamoDB, Lambda, ECS, EKS, ElastiCache, Aurora, Redshift, OpenSearch, EBS, EFS, Kinesis, SageMaker, Bedrock, CloudFront, VPC, ELB, EMR, Neptune, MemoryDB, MSK, MQ, DMS, Kendra, QuickSight, Transfer Family, AWS Backup

Fixer Roles (Require Approval)

Fixer roles are created for executing approved optimizations. Critical security property: these roles are created by CloudFix in your account, but CloudFix cannot assume or access them. All fixer actions require explicit approval of central automation runbooks in AWS SSM Automation.

Helper & Cleanup Roles

Auxiliary roles support housekeeping functions such as resource cleanup after completed operations. These roles also follow least-privilege principles: permissions are scoped to the account and, where the service supports resource-level permissions, to specific resources.

CloudFormation Templates

All CloudFix infrastructure is deployed via CloudFormation. You can review the exact templates before deployment:

Template                 Purpose                                                                 Link
Onboarding Stack         Main org stack; deploys all resources and roles required by CloudFix    cloudfix-onboarding.yaml
CUR Stack                Sets up the Cost and Usage Report, Glue Crawler and Athena workspace    cloudfix-cur.yaml
CUR Role                 IAM role for CUR and Athena query execution                             cloudfix-cur-role.yaml
Resource Account Roles   Finder and fixer IAM roles deployed to resource accounts via StackSets  cloudfix-resource-account-roles.yaml

Templates are also available at cloudfix-templates.s3.amazonaws.com — these are the same templates used during onboarding.
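Because the templates are published for review, the two properties claimed above, that the finder role is limited to Describe/List/Get metadata reads and that the fixer roles cannot be assumed by CloudFix, can be checked mechanically before the StackSet is deployed. The script below is an added example written for this page, not CloudFix code: it walks every AWS::IAM::Role in a CloudFormation template (JSON form; YAML templates with short-form tags such as !Sub need converting first), flags actions that are not Describe/List/Get as well as wildcards like s3:Get* that would also cover data-plane reads such as s3:GetObject, and lists which trust policies admit a principal outside your account and whether that trust requires an sts:ExternalId. The embedded SAMPLE_TEMPLATE, its role names, the account IDs and the data-plane denylist are all constructed for illustration and say nothing about the contents of the real templates.

```python
"""Offline audit of the IAM roles in a CloudFormation template (added example,
not CloudFix code). Flags non-Describe/List/Get actions and data-plane reads
such as s3:GetObject in roles sold as read-only, and lists which roles an
outside account may assume and whether that trust carries sts:ExternalId."""
import fnmatch
import json

READ_ONLY_VERBS = ("Describe", "List", "Get")
# Read-only verb but returns content, not metadata. Constructed, non-exhaustive.
DATA_PLANE_READS = {"s3:GetObject", "s3:GetObjectVersion", "dynamodb:GetItem",
                    "dynamodb:BatchGetItem", "kinesis:GetRecords", "ssm:GetParameter",
                    "ssm:GetParameters", "ssm:GetParametersByPath", "secretsmanager:GetSecretValue"}

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _resolve(value, account):
    """Resolve Fn::Sub of ${AWS::AccountId}, the intrinsic usual in trust policies."""
    if isinstance(value, dict) and isinstance(value.get("Fn::Sub"), str):
        return value["Fn::Sub"].replace("${AWS::AccountId}", account)
    return value if isinstance(value, str) else json.dumps(value, sort_keys=True)

def iam_roles(template):
    """{logical_id: Properties} for every AWS::IAM::Role in the template."""
    return {lid: res.get("Properties", {})
            for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::IAM::Role"}

def allowed_actions(role_props):
    """Actions granted by Allow statements; NotAction grants everything else, so '*'."""
    actions = set()
    for policy in role_props.get("Policies", []):
        for stmt in _as_list(policy["PolicyDocument"].get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            if "NotAction" in stmt:
                actions.add("*")
            actions.update(_as_list(stmt.get("Action")))
    return actions

def non_readonly_actions(actions):
    """Actions that are not Describe/List/Get metadata reads. Wildcards pass on prefix
    ('ec2:Describe*') but fail if they cover a data-plane read ('s3:Get*' -> s3:GetObject)."""
    flagged = set()
    for action in actions:
        if action == "*" or ":" not in action:
            flagged.add(action)
            continue
        covers_data = any(fnmatch.fnmatchcase(d.lower(), action.lower()) for d in DATA_PLANE_READS)
        if not action.split(":", 1)[1].startswith(READ_ONLY_VERBS) or covers_data:
            flagged.add(action)
    return flagged

def foreign_principals(role_props, own_account):
    """Trust-policy principals outside own_account -> has sts:ExternalId condition.
    Service principals (e.g. ssm.amazonaws.com) are not outside accounts and are skipped."""
    found = {}
    for stmt in _as_list(role_props.get("AssumeRolePolicyDocument", {}).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        has_ext_id = "sts:ExternalId" in json.dumps(stmt.get("Condition", {}))
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):          # bare "*" means anyone may assume
            principal = {"AWS": principal}
        for kind, values in principal.items():
            for value in (_resolve(v, own_account) for v in _as_list(values)):
                if kind == "Service" or (kind == "AWS" and (value == own_account or f":{own_account}:" in value)):
                    continue
                found[f"{kind}:{value}"] = has_ext_id
    return found

def audit(template, own_account):
    """Per-role findings; the reviewer decides which roles must be read-only."""
    return {lid: {"non_readonly": non_readonly_actions(allowed_actions(props)),
                  "foreign": foreign_principals(props, own_account)}
            for lid, props in iam_roles(template).items()}

def _role(principal, actions, condition=None):
    """Minimal AWS::IAM::Role resource; helper for the constructed sample only."""
    trust = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        trust["Condition"] = condition
    return {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [trust]},
        "Policies": [{"PolicyName": "inline", "PolicyDocument": {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}}]}}

# Constructed sample (names and account 111111111111 are made up): a vendor account
# assumes the finder under an ExternalId, the fixer trusts only SSM Automation, and
# the finder's "s3:Get*" is deliberately too broad so the check has something to flag.
SAMPLE_TEMPLATE = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "FinderRole": _role({"AWS": "arn:aws:iam::111111111111:root"},
                        ["ec2:Describe*", "rds:Describe*", "cloudwatch:GetMetricData",
                         "s3:ListAllMyBuckets", "s3:Get*"],
                        {"StringEquals": {"sts:ExternalId": "example-external-id"}}),
    "FixerRole": _role({"Service": "ssm.amazonaws.com"}, ["ec2:DescribeVolumes", "ec2:ModifyVolume"]),
    "HelperRole": _role({"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
                        ["cloudformation:DescribeStacks", "cloudformation:DeleteStack"]),
}}

if __name__ == "__main__":   # swap SAMPLE_TEMPLATE for json.load() of a downloaded template
    for role, findings in audit(SAMPLE_TEMPLATE, "123456789012").items():
        print(role, {k: sorted(v) if isinstance(v, set) else v for k, v in findings.items()})
```

Run it unchanged to see the constructed findings, then point it at the downloaded templates. For a role the page describes as read-only, anything in non_readonly needs a justification or a rejection; for the fixer roles, the property the page claims (not assumable by CloudFix) corresponds to an empty foreign list; for a role the vendor does assume, the expected shape is a single outside account whose trust statement carries an sts:ExternalId condition, the standard guard against confused-deputy abuse of cross-account roles.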

Infrastructure Security

  • CloudFix runs on AWS infrastructure with VPC isolation and security groups
  • No public endpoints for data processing
  • Customer onboarding via CloudFormation StackSet — fully auditable IaC
  • All fixes implemented via AWS SSM Automation with explicit customer approval of central automation runbooks
  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256)

Application Security

  • SOC 2 Type 2 attestation (independent auditor report)
  • Regular security assessments and penetration testing
  • HTTPS enforced on all endpoints
  • Session management with secure cookies
  • Role-based access control (RBAC) for multi-account setups
  • SSO/SAML available on Scale+ plans

Access Control

  • Principle of least privilege — every IAM role is scoped to only the actions it needs
  • Customer data isolation — each customer's data is kept separate from every other customer's
  • Audit logging — all fix operations are logged and auditable
  • No credential storage — CloudFix uses AWS IAM role assumption, not stored credentials

Incident Response

  • Documented incident response plan
  • Customer notification within 24 hours for security incidents
  • Post-incident review and remediation
  • Security contact: use the contact form below

Have security questions?

Contact our security team or request detailed documentation.
