vehiclecloudarq

regionhelsinki

statusoperational

live · operating · 171 checks · 6 pillars

Mission control
for the cloud you
didn't know you owned.

CloudArq runs 171 checks across security, cost, reliability, performance, operations, and sustainability on your AWS account — in a single scan. Read-only IAM. No agents.

133

checks across 6 pillars

pillars · security to sustainability

agents · sidecars · dependencies

FIG.01 ─ ORBITAL SCAN

171 CHECKS · 6 PILLARS

§ 01 · the problem

Your AWS bill went up. Nobody's sure why.

Forgotten EBS volumes. NAT Gateways routing cross-AZ chatter. An S3 bucket with public list permissions that someone enabled at 11 pm in 2023. The cloud doesn't hide these things — but nobody's looking.

Cost Intelligence traces where your AWS spend — including AI / Bedrock usage — actually goes, ranks the quick wins by savings, and flags spend spikes and possible LLMjacking, each with the fix. On Pro and up; the free tier shows the headline number.

Below: an illustrative scan output. Real scans return findings shaped like these against your own account — counts and resources vary.

example · what a first scan findsillustrative

S3 bucket allows public READ

bucket-policy + ACL grants principal:* read access

EXPOSURE

EBS volume unattached for 47+ days

500 GB gp2 · billing without compute

WASTE

IAM user without MFA

legacy automation account · console password enabled

POLICY

RDS automated backups disabled

prod-tier database · 0-day retention

RELIABILITY

§ 02 · how it works

From credentials to remediation plan in three steps.

step 01

Connect via IAM role

Read-only role with ExternalId. One CloudFormation template — copy, deploy, paste the ARN back. No agents to install. No keys to share.

step 02

171 checks · 6 pillars

Security, cost, reliability, performance, operations, sustainability. Every check maps to CIS where applicable. AWS Well-Architected vocabulary throughout.

step 03

Prioritized report

Findings sorted by severity, blast radius, and remediation cost. AI-enriched fixes when ANTHROPIC_API_KEY is set; static remediation otherwise.

§ 03 · pricing

Pay per account. Cancel any time.

One subscription = one AWS connection. No seat math, no “contact us” for self-serve tiers. Tiers gate scan frequency, retention, and integrations.

Starter

$0forever

1 connection · 44 checks · monthly manual scan · cost headline only · 30-day retention

recommended

Pro

$79mo / connection

107 checks · weekly scans · 500 resources/connection · Cost Intelligence (AWS + AI/Bedrock spend, ranked quick wins) · Slack + email alerts

Max

$199mo / connection

171 checks · daily scans · 2000 resources/connection · real-time AI spend-spike alerts + org rollup · API + webhooks + PagerDuty

Organization

custompooled · per contract

Multi-account rollups · SSO (SAML) · pooled resources · signable DPA

AES-GCM credential encryption

Read-only IAM role

ExternalId enforced on every assume-role

GDPR data-export endpoint

Subprocessor list published

sample · redacted

Every scan emits an event stream.

What you see below are the kinds of events CloudArq emits during a typical workday — redacted for tenant privacy. Same vocabulary, no customer attribution.

event stream · redacted for privacytenant identifiers stripped

17:11:57scan.complete████ · ████-region · ██ findings · ██.█s

17:11:57finding.news3.public-read · critical · ████ bucket

17:11:57scan.start████ · ██-region · 171 probes deploying

17:11:57webhook.delivPOST hooks.slack.com/services/██… → 200 · ██ms

17:11:57audit.exportaud_██████ → pdf · █.█ MB · ████ tenant

vehiclecloudarq

phaseready

ignitionon your signal

§ 04 · run

Run your first scan today. Free, no card.

One IAM role. One ARN paste. The scan returns before your coffee finishes brewing.

Mission controlfor the cloud youdidn't know you owned.