You want to know if CloudFix makes changes/updates directly to your AWS accounts.
CloudFix itself does NOT have any permissions to write to your AWS accounts. It can only create change templates and change requests based on approved change templates.
The changes that CloudFix makes using the Fixers are done using the AWS Change Manager. These Fixers can only be run by the AWS Systems manager running in your account after you approve the change template for that Fixer.