CloudFix Permission Model

CloudFix provides an automated solution for identifying and implementing cost-saving opportunities within your AWS accounts. It uses AWS services and AWS best practices to analyze your cloud infrastructure and suggest optimizations. Once you approve an optimization, CloudFix can apply it on your behalf.

CloudFix-Finder-Fixer.png

Key Components

  • Finder: Identifies potential cost-saving opportunities by analyzing your AWS accounts. It reads account data and writes only "cloudfix:"-prefixed tags (see Finder Permissions below); it does not otherwise change resources.
  • Fixer: Optional. Applies a recommended optimization, and only after you have approved it.

Permissions and Operations

Finder Permissions

  • The Finder role is granted IAM permission to tag resources, using tag keys with a "cloudfix:" prefix. Tagging is a write to resource metadata, so the Finder is not strictly read-only; apart from writing these tags, however, it does not modify or delete resources, and the operation is non-destructive. When you review the StackSet template, check that the tagging permission is scoped to that prefix rather than to arbitrary tag keys.

Operation Model

  • Not every Finder recommendation has a corresponding Fixer, and you choose which of the recommended optimizations to apply.

Permission Model

CloudFix's approach to accessing and analyzing your AWS environment includes:

  • Data Analysis: Uses Amazon CloudWatch, AWS Cost and Usage Reports, and other AWS services to gather the metrics and metadata the Finders need.
  • Data Access: An IAM role that CloudFix's template creates within your AWS account provides access to that data.
  • Execution Mechanism: Where a Fixer exists, it runs through AWS Systems Manager Change Manager, which executes the change from a template you have approved, inside your own account and under the permissions you granted it.

Finder-Fixer Lifecycle:

  • Connection to AWS Account: You connect your AWS account to CloudFix by deploying a CloudFormation StackSet that CloudFix provides; its template declares the IAM roles and permissions CloudFix needs.
  • Metadata Collection: CloudFix collects the necessary data with standard AWS tools such as AWS Cost and Usage Reports and CloudWatch.
  • Optimization Recommendations: Finders analyze the collected data to identify potential cost savings, which are presented in the CloudFix dashboard.
  • Execution of Optimizations: Where a Fixer exists, it runs only after you have explicitly approved its template in AWS Systems Manager Change Manager.

CloudFix-minimal-ondemand-permission-model.png

Using AWS Systems Manager Change Manager

CloudFix uses AWS Systems Manager Change Manager to execute optimizations, so that changes run in a controlled environment inside your account. You approve the Fixer template for each optimization type in your own AWS console, which gives you control over the actions CloudFix can execute: a Fixer whose template you have not approved cannot run.


IAM Roles and Permissions

CloudFix follows the principle of least privilege by using distinct IAM roles with only the permissions each needs:

  • Finder Role: Holds the minimal permissions needed to identify cost-saving opportunities (read access plus "cloudfix:"-prefixed tagging).
  • Fixer Roles: Created to execute optimizations, but usable only after you have explicitly approved the corresponding Change Manager template.
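The StackSet template is what actually grants these roles their permissions, so it is worth auditing before you deploy it. The following is an added example, not CloudFix's code and not its real policy documents: a small Python audit that checks a Finder-style identity policy against the model described here (read-only actions, plus tagging restricted to "cloudfix:"-prefixed keys via the aws:TagKeys condition) and checks a Fixer role's trust policy. The policy documents, the account ID and the expectation that a Fixer role is assumed only by the Systems Manager service principal are assumptions constructed for illustration; it covers the Finder Permissions section above as well as this one.

```python
"""Audit IAM documents for a read-plus-tagging Finder role and a Fixer role.

Added example. The policy documents below are CONSTRUCTED for illustration
and are not CloudFix's actual StackSet policies.
"""
import json

# Operation-name prefixes treated as read-only.
READ_PREFIXES = ("Describe", "Get", "List", "Lookup", "Search", "Query")
# Explicit tag-mutating operations (an explicit set avoids false matches
# such as "CreateStage").
TAG_OPS = {"CreateTags", "DeleteTags", "TagResource", "UntagResource",
           "AddTagsToResource", "RemoveTagsFromResource", "TagResources",
           "UntagResources", "PutBucketTagging", "DeleteBucketTagging"}
TAG_PREFIX = "cloudfix:"   # tag-key prefix stated in the article


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def classify_action(action):
    """Return 'wildcard', 'read', 'tag' or 'write' for one IAM action."""
    if action == "*" or action.endswith(":*"):
        return "wildcard"
    _, _, op = action.partition(":")
    if op.startswith(READ_PREFIXES):
        return "read"
    if op in TAG_OPS:
        return "tag"
    return "write"


def _tag_keys_restricted(statement):
    """True if every aws:TagKeys pattern in a ForAllValues:StringLike
    condition starts with TAG_PREFIX (e.g. "cloudfix:*")."""
    cond = statement.get("Condition", {})
    patterns = cond.get("ForAllValues:StringLike", {}).get("aws:TagKeys")
    if patterns is None:
        return False
    return all(p.startswith(TAG_PREFIX) for p in _as_list(patterns))


def audit_finder_policy(policy):
    """Findings for a policy that should be read-only plus scoped tagging."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        for a in actions:
            kind = classify_action(a)
            if kind == "wildcard":
                findings.append(f"statement {i}: wildcard action {a}")
            elif kind == "write":
                findings.append(f"statement {i}: non-read, non-tag action {a}")
        if any(classify_action(a) == "tag" for a in actions) \
                and not _tag_keys_restricted(st):
            findings.append(f"statement {i}: tagging allowed without "
                            f"aws:TagKeys restricted to {TAG_PREFIX}*")
    return findings


def audit_fixer_trust_policy(trust, allowed_services=("ssm.amazonaws.com",)):
    """Findings for a Fixer role trust policy.  ASSUMPTION for this example:
    the role should be assumable only by the Systems Manager service
    principal (which runs Change Manager runbooks); any direct AWS-account
    trust is listed for review."""
    findings = []
    for i, st in enumerate(_as_list(trust["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict)
                                and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: trust policy open to any principal")
            continue
        for svc in _as_list(principal.get("Service", [])):
            if svc not in allowed_services:
                findings.append(f"statement {i}: unexpected service principal {svc}")
        for acct in _as_list(principal.get("AWS", [])):
            findings.append(f"statement {i}: direct cross-account trust for {acct}")
    return findings


# Constructed sample documents (not CloudFix's real ones).
FINDER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "cloudwatch:GetMetricData",
                "ce:GetCostAndUsage", "s3:GetObject"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
     "Condition": {"ForAllValues:StringLike": {"aws:TagKeys": ["cloudfix:*"]}}},
    {"Effect": "Allow", "Resource": "*", "Action": "rds:AddTagsToResource"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:ModifyInstanceAttribute", "lambda:*"]},
]}
FIXER_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "ssm.amazonaws.com"}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},  # made-up account
]}

if __name__ == "__main__":
    print(json.dumps({"finder": audit_finder_policy(FINDER_POLICY),
                      "fixer_trust": audit_fixer_trust_policy(FIXER_TRUST)},
                     indent=2))
```

Run against the real StackSet template, the finder audit should come back empty except for the tagging statement, and that statement should carry an aws:TagKeys condition limiting keys to the "cloudfix:" prefix. Note that ForAllValues conditions also match a request that carries no tag keys at all, so this check constrains which keys may be written rather than forcing a tag to be present; the same template review should confirm the Fixer roles are granted nothing beyond what their approved Change Manager templates need.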

CloudFix-permissions-IAM-roles.png

CloudFix is designed with transparency and security in mind. Before you approve any action, you can inspect both the AWS CloudFormation template (which defines the roles and the permissions they hold) and the AWS Systems Manager Change Manager templates (which define what each Fixer does), so you know exactly what CloudFix proposes to do in your AWS environment. This model gives you a controlled, auditable approach to cloud cost optimization.

