Skip to main content
CloudArq
cloudarq · eu-north-1 · operational

See every misconfiguration and wasted dollar in your AWS — with the exact fix.

Mission control for your cloud account. Agentless, read-only, specific down to the resource ARN.

176
checks
6
pillars
0
agents
§ 01 · the problem

Your AWS bill went up. Nobody's sure why.

The console has 300+ services and no single answer. Spreadsheets go stale the moment you close them. The risk and the waste are both real — just scattered across regions, accounts, and tabs.

findingsillustrative example
Public S3 bucket (read)
arn:aws:s3:::example-org-assets
Critical
Unattached EBS volume, billing monthly
vol-0example · 500 GB gp3 · —/mo
High
RDS instance without Multi-AZ
db-example-orders
High
IAM key, no MFA, 400+ days old
AKIA… · admin
Medium
§ 02 · see a fix

Not just “you have a problem.” The exact way to fix it.

Pick a finding. Get the fix in your tool of choice — copy, paste, done.

CriticalSecurityillustrative example

S3 bucket allows public read

arn:aws:s3:::example-org-assets

The bucket policy grants s3:GetObject to Principal "*". Any anonymous user on the internet can list and download every object.

1. S3 → example-org-assets → Permissions
2. Block public access (bucket settings) → Edit
3. Enable "Block all public access" → Save
4. Remove the "Principal": "*" statement from the
   bucket policy.
§ 03 · how it works

Three steps. No agents to install.

  1. 01

    Connect a read-only role

    Launch one CloudFormation stack. We assume a read-only IAM role with an ExternalId — no keys, no agents, no write access.

  2. 02

    180 checks across 6 pillars

    The orbital scan runs every pillar against your account in parallel — security, cost, reliability, performance, operations, sustainability.

  3. 03

    Prioritized report with fixes

    Findings ranked by severity and dollar impact, each with a copy-paste fix for Console, CLI, Terraform or CloudFormation.

§ 04 · six pillars

One scan, six lenses on the same account.

Because they run together, cross-cutting issues surface that a single-purpose tool misses — e.g. exposed Bedrock keys show up as both a cost anomaly and a security breach (LLMjacking).

Security50 checks
Public S3 buckets & ACLs
IAM keys without MFA
Security groups open to 0.0.0.0/0
CIEM over-privileged roles
Cost34 checks
Idle EC2 / RDS instances
Unattached EBS & idle EIPs
gp2 → gp3 migration
Savings Plan coverage
Reliability31 checks
Backups configured
Multi-AZ databases
Deletion protection
Cross-AZ failover
Performance22 checks
Throttled APIs
Undersized instances
Missing caching
Hot partitions
Operations25 checks
CloudTrail enabled
Tagging coverage
Config drift
Log retention
Sustainability18 checks
Idle resource waste
Oversized volumes
Region efficiency
Graviton candidates

50 + 34 + 31 + 22 + 25 + 18 = 180 checks — the total is exact; the per-pillar split is illustrative.

§ 05 · trust & security

Read-only by design. Nothing leaves without you.

Verify the exact role policy yourself →
AES-256-GCM
All stored findings encrypted at rest.
Read-only IAM
The role grants describe/list only — never write.
ExternalId
Every role assumption is scoped with your unique ExternalId.
EU-hosted
Findings stored in Helsinki (Finland), in the EU.
GDPR export
Export or delete your data on demand.

CloudArq the product scans against 8 compliance frameworks. The business holds no certifications — those are two separate facts and we never blur them.

§ 06 · pricing

Start free. Scale when it pays for itself.

Starter
$0/mo
core checks · 1 connection
1 AWS connection
On-demand scans
Severity-ranked report
Email summary
Start free scan
Recommended
Pro
$79/mo
4 frameworks · 108 checks
Scheduled scans
Copy-paste fixes (all formats)
Cost + reliability pillars
Slack alerts
Start free trial
Max
$199/mo
8 frameworks · all 180 checks
All six pillars
Sustainability + CIEM
AI remediation
Trend history
Start free trial
Organization
Custom
8 frameworks · pooled accounts
SSO / SAML
Pooled multi-account
Audit log & RBAC
Dedicated support
Talk to us

Frameworks tier-gated: Pro = 4, Max / Org = 8. The shipped pricing page is the source of truth.

§ 07 · inside the app

Every workspace you sign in to.

A preview of the client workspace — score, waste, posture trend and severity-ranked findings at a glance. The shipped app wires it to your account's live scan.

Dashboard
last scan · just now · eu-north-1
product preview · illustrative
Security score
82/100
▲ 6 vs last scan
Open findings
37
3 critical · 9 high
Monthly waste
$1,240/mo
across 14 resources
Connections
3
all healthy
Posture trend12 scans
Trending up as fixes land.
Top findingsseverity-ranked
Public S3 bucket (read)Critical
IAM key, no MFA, 400+ daysHigh
RDS without Multi-AZHigh
Unattached EBS volumeMedium
gp2 volume — migrate to gp3Low

Representative layout — the shipped app wires every tile, chart, and finding to your account's live scan data.

Run your first scan today.

Free, no card. Read-only access, results in minutes.

Start free scan