CloudFix Permission Model

CloudFix is the best cloud cost optimization platform. It scans and analyzes your AWS accounts for cost saving opportunities. When you approve those cost saving opportunities, CloudFix automatically executes those in your AWS accounts.


Think of a Finder as a read-only process that scans and analyzes your AWS accounts for cost saving opportunities. A Fixer is the process that actually executes your cost saving opportunities.

Note: Be aware that the finder has IAM permissions to tag resources. It always uses "cloudfix:" prefix. The changes are non-destructive but might be construed as write permissions. 

Every CloudFix finder always has a corresponding fixer because we do not believe in throwing unactionable recommendations at you.

In order to run Finders to generate cost saving opportunities and to run Fixers to execute on those opportunities, CloudFix needs permissions to perform certain actions on your AWS accounts. This article discusses the Permission Model to help you understand what permissions CloudFix obtains and when/how it obtains those permissions. The guiding principles are:

  • Finders use a combination of AWS Config snapshots, cost & usage reports (CUR) and API calls to CloudWatch and other services to get the necessary usage metrics and metadata that is not in the Config snapshot
    • The Config snapshots & CUR are stored in your account. CloudFix creates a role that can access that data
  • CloudFix uses AWS Change manager to execute fixers. 
    • Thus, fixers can only be run by the AWS Systems manager running in your account once you approve the change template (more on this below). 
    • CloudFix itself has no permissions to write to your account. It can only create change templates and change requests based on approved change templates

Finder-Fixer Lifecycle:


  • You can connect multiple AWS accounts with CloudFix
  • You connect your AWS account with CloudFix by creating a CloudFix specific CloudFormation stack in your AWS account. CloudFix provides this CloudFormation template so that you can create the stack with just one-click approval. This CloudFormation template defines different permissions that CloudFix will use to run Finders and Fixers.
  • When you connect your AWS account with CloudFix, it only gets 'read' permissions so that it can collect metadata to analyze your account and find cost-saving opportunities.
  • Metadata is collected in your own AWS account using AWS standard tools such as AWS Config and AWS Cost & Usage Report (CUR).
  • CloudFix Finders then access this metadata to analyze resources in your account and to recommend cost-saving opportunities. These recommendations are then presented to you on your CloudFix dashboard.
  • This is where CloudFix stops unless you decide to run Fixers and explicitly approve Change Manager templates for each Fixer type.


  • CloudFix uses the AWS Change Manager for performing optimizations in the AWS environments. The AWS Change Manager enables us to establish strict boundaries to perform the fixes in your environment.
  • In order for CloudFix to execute Fixers (via AWS Change Manager Requests), you need to approve the fixer template for each fixer type in each of your AWS accounts (you will do this in your AWS console) - that's how much control you have over what CloudFix can execute in your account.
  • Once the fixer template is approved, CloudFix will initiate Fixer execution via the AWS Change Request which in turn runs SSM runbooks in your account. CloudFix never executes fixers via direct API calls. It always executes fixers through the AWS Change Manager.

Permissions & IAM roles:

CloudFix works through three different IAM roles that are created in your AWS account. However, those still follow the minimal, on-demand permission model that gives you complete control over what gets executed in your AWS account. Here is a high-level overview of what those IAM roles do.


  • Finder role, which follows the approach of 'minimal permissions' is the only role that CloudFix directly uses
  • There are two Fixer roles that get created but CloudFix cannot use those IAM roles unless you approve Change Manager templates in your AWS account (via AWS Console)

CloudFix is completely transparent. When you connect an AWS account with CloudFix, you will be able to inspect the CloudFormation template and when you approve each Change Manager template, you will be able to inspect the template and associated SSM runbooks before approving those templates.

CloudFix is the most secure cloud cost optimization platform. Keep saving with confidence.


Here is a discussion on CloudFix's Permission Model:

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request