The Cost of Manual Cloud Operations

Cloud operations teams spend countless hours on routine maintenance tasks: security audits, cost reviews, compliance checks, and resource cleanup. These tasks are critical but predictable, and they consume 40-60% of engineering capacity without delivering strategic value.

Traditional approach challenges:
  • Repetitive manual work: Weekly security audits take 4-6 hours per account, scaling to 60+ hours for enterprises with 15+ accounts
  • Inconsistency across environments: Different engineers interpret guidelines differently; compliance gaps appear when expertise concentrates in individuals
  • Reactive firefighting: Issues surface during crisis moments (compliance audit, cost spike, security breach) rather than being caught proactively
  • False positives everywhere: Manual scripts flag legitimate backup resources as orphaned, or miss context-aware risks entirely
CloudKeepers solves this by establishing continuous, autonomous guardrails that run 24/7 across your entire cloud estate, catching issues before they become incidents.

What Are CloudKeepers?

CloudKeepers are autonomous pilots that enforce guardrails for cost, security, and operational health. They continuously scan your cloud infrastructure on a schedule you define, identify drift and misconfigurations, and surface intelligent recommendations with step-by-step remediation playbooks.

Two specialized pilots:
  • CostOps: Identify unused resources, right-sizing opportunities, and cost anomalies with context-aware analysis
  • SecurityOps: Detect IAM misconfigurations, exposed resources, encryption gaps, and compliance risks
Unlike periodic assessments, CloudKeepers are designed for daily operations—they catch problems early before they escalate.

The CloudKeepers Workflow

1. Configure CloudKeepers pilots

Open CloudKeepers and select Configure CloudKeepers. Enable the CostOps and SecurityOps pilots.

CloudKeepers landing page with pilot configuration

2. Set execution schedules

Define cron-style schedules for automated scans (e.g., daily at 15:30 UTC, weekly on Fridays at 08:00). You can also trigger manual scans on demand.

Set scan schedules for CostOps and SecurityOps pilots

3. Configure alerting thresholds

Choose notification channels (Email, Slack, In-App) and set minimum severity levels per channel to avoid alert fatigue.

Configure notifications by channel and severity

4. Review findings

Monitor the Findings dashboard showing trend charts, total count, critical/high items, and potential savings. Review Recent Findings organized by pillar.

Findings dashboard with savings and severity breakdown

5. Drill into recommendations

Open any finding to see impact analysis, estimated cost/security impact, effort level, and step-by-step implementation guidelines.

Detailed recommendation with impact analysis

6. Take action

From the Actions modal, choose how to proceed:
  • Run Impact Analytics for deeper cost/risk analysis
  • Generate Guidelines to create shareable runbooks for your team
  • Ask Custom Question to explore edge cases with the AI agent
  • Save to Plan to move findings into your governance workflow

Action options for each finding


Use Case 1: Proactive Cost Optimization with CostOps

Scenario: Your infrastructure has grown organically over 18 months. You’re aware costs are climbing, but pinpointing what’s actually unused (vs. reserved for disaster recovery or testing) requires deep investigation. Your CostOps team lacks the bandwidth to do monthly audits.

CostOps pilot discovers:
  • Underutilized compute instances: 8 EC2 instances running at 5-15% average CPU (ideal candidates for right-sizing or shutdown)
  • Orphaned storage: 12 unattached EBS volumes and snapshots accumulating $2,400/month
  • Reserved capacity misalignment: Reserved instances for a deprecated service tier, losing $8,500/month in discounts
  • NAT gateway inefficiency: Multi-AZ NAT setup processing minimal traffic, could consolidate to single gateway
CloudKeepers advantage: CostOps agents understand that a volume tagged “daily-backup” from yesterday serves a real purpose, while “test-old” from 18 months ago is genuinely orphaned. It distinguishes instances with intentional low CPU (burst-capable) from those over-provisioned.

Cost optimization recommendations with savings analysis

Workflow:
  1. Schedule runs: CostOps scan runs every Wednesday at 10:00 UTC
  2. Review findings: Your FinOps team reviews the dashboard each Thursday morning, seeing $14,200/month in identified savings
  3. Assess impact: For the EC2 right-sizing recommendation, generate impact guidelines and share with engineering to validate performance assumptions
  4. Save to Plan: Move high-confidence items (orphaned volumes, NAT consolidation) to Plan for approval and scheduling
  5. Execute and track: Plan workflows handle approvals, scheduling, and execution with full audit trails
Time savings: From 6-8 hours monthly on spreadsheets and console navigation → 30 minutes weekly to review findings and make governance decisions

Use Case 2: Continuous Security Posture Monitoring with SecurityOps

Scenario: Your organization maintains 12 AWS accounts across dev, staging, and production. Security compliance requires monthly audits, but inconsistent findings (different engineers miss different issues) and no standardized remediation create gaps. A recent audit found IAM policies that hadn’t been reviewed in 8 months.

SecurityOps pilot discovers:
  • IAM configuration drift: 23 IAM users/roles with overly broad permissions (Developer policy attached when ReadOnlyAccess would suffice)
  • Exposed resources: 2 S3 buckets with public read access (not intentional); 1 RDS database with public accessibility enabled
  • Encryption gaps: 15 EBS volumes without encryption; 3 S3 buckets lacking default encryption
  • Access anomalies: Root account used for day-to-day operations; unused service accounts never cleaned up
  • Network exposure: 4 security groups allowing 0.0.0.0/0 SSH access (high-risk for compute; acceptable for ALBs)
CloudKeepers advantage: SecurityOps agents understand operational context. They know HTTP/HTTPS from 0.0.0.0/0 is standard for load balancers but dangerous for databases. They prioritize actual exploitability: a root account access key is critical; a read-only service account is low-risk.

Security audit recommendations with remediation steps
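
The context rule described above (public HTTP/HTTPS is normal on a load balancer, world-open SSH is high-risk on compute, public ingress is dangerous on a database), written out as an added Python example. It is not CloudKeepers code: the rule dictionaries follow the EC2 DescribeSecurityGroups IpPermissions shape, while the attached_to label, the severity table and the sample groups are assumptions constructed for illustration.

```python
# Added example, not CloudKeepers code. Rules use the EC2 DescribeSecurityGroups
# "IpPermissions" shape; "attached_to" and the severity table are assumptions.
WORLD = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}
ADMIN_PORTS = {22, 3389}
RANK = {"ok": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def world_open_ports(perm):
    """Ports a rule opens to the whole internet; None means every port."""
    cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    if not cidrs & WORLD or perm["IpProtocol"] not in ("tcp", "udp", "-1"):
        return set()
    if perm["IpProtocol"] == "-1":      # all protocols, no port fields present
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))

def rate(kind, ports):
    """Severity for one world-open rule, given what the group protects."""
    if ports is None:
        return "critical", "all ports open to the world"
    if kind == "database":
        return "critical", "database reachable from the internet"
    if kind == "compute" and ports & ADMIN_PORTS:
        return "high", "SSH/RDP on compute open to the world"
    if ports <= WEB_PORTS:
        return ("ok" if kind == "load_balancer" else "low"), "public HTTP/HTTPS"
    return "medium", "non-web port open to the world"

def classify(group):
    """Worst (severity, reason) across all ingress rules of one group."""
    findings = [("ok", "no world-open ingress")]
    for perm in group["IpPermissions"]:
        ports = world_open_ports(perm)
        if ports is None or ports:      # skip rules that are not world-open
            findings.append(rate(group["attached_to"], ports))
    return max(findings, key=lambda f: RANK[f[0]])

def rule(port, cidr):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": [{"CidrIp": cidr}]}

SAMPLE_GROUPS = [  # constructed sample data, not real resources
    {"GroupId": "sg-alb", "attached_to": "load_balancer", "IpPermissions": [rule(443, "0.0.0.0/0")]},
    {"GroupId": "sg-app", "attached_to": "compute", "IpPermissions": [rule(22, "0.0.0.0/0")]},
    {"GroupId": "sg-db", "attached_to": "database", "IpPermissions": [rule(5432, "0.0.0.0/0")]},
    {"GroupId": "sg-int", "attached_to": "compute", "IpPermissions": [rule(22, "10.0.0.0/8")]},
]
if __name__ == "__main__":
    print({g["GroupId"]: classify(g) for g in SAMPLE_GROUPS})
```

The same port and CIDR produce different severities depending on what the group is attached to, which is why a flat "flag every 0.0.0.0/0 rule" script generates noise.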

Workflow:
  1. Schedule runs: SecurityOps scan runs every Friday at 14:00 UTC (before your Monday compliance standup)
  2. Alert on critical findings: Your security team receives Slack notifications immediately for high-severity items (exposed database, root account in use)
  3. Review full report: Monday morning, your security team reviews the findings dashboard—23 medium-risk IAM findings, 2 critical exposure risks
  4. Generate playbooks: For the S3 bucket fix, generate implementation guidelines with AWS CLI commands; distribute to the owning team
  5. Save to Plan: Move findings requiring multi-team coordination (e.g., “remove root account access key”) to Plan for assignment, approval, and tracking
  6. Close findings: After remediation, mark findings as resolved or ignored to tune future alerts
Time savings: From 4-6 hours weekly on manual IAM reviews, S3 audits, and cross-account checks → 20 minutes to triage alerts and assign remediation tasks

Integration with Plan for Governance

CloudKeepers findings begin as drafts in your infrastructure view. When you’re ready to act, you save them to Plan, where they become work items with:
  • Full audit trails: Every finding, its status, and remediation steps are documented automatically
  • Approvals and assignment: Route findings to the right teams (security, FinOps, platform engineering) for review and sign-off
  • Execution tracking: Plan tracks status (pending, approved, in progress, completed) with timestamps and ownership
  • Compliance evidence: For audits, Plan provides timestamped records of when issues were identified and how they were resolved
This transforms CloudKeepers from an alerting system into a complete governance platform where findings are tracked through remediation with full accountability.

Why CloudKeepers Beat Manual Processes

| Dimension | Manual Audits | CloudKeepers |
|---|---|---|
| Execution frequency | Monthly (if lucky) | Daily/weekly (continuous guardrails) |
| Time investment | 4-8 hours per session | 2-5 min setup; 15-30 min weekly review |
| Consistency | Varies by engineer | Identical analysis every run |
| Context understanding | Relies on engineer judgment | Domain expertise baked into agents |
| Scaling with accounts | Linear growth (4-6 hrs per account) | Constant time regardless of scale |
| False positives | High (scripts miss context) | 95% reduction via intelligent filtering |
| Issue detection time | Weeks to discovery | Hours to detection |
| Knowledge transfer | Lost when experts leave | Persistent in agent behavior |
| Audit evidence | Manual documentation | Automatic comprehensive logs |

Getting Started

  1. Open CloudKeepers in your workspace
  2. Configure pilots: Enable CostOps and SecurityOps with your preferred schedules
  3. Set notifications: Choose channels and severity thresholds
  4. Run your first scan: Manually trigger a scan to see findings immediately
  5. Review and save: Save high-impact findings to Plan for team review and remediation tracking

CloudKeeper scheduler setup interface

Your cloud infrastructure can now maintain continuous guardrails autonomously, freeing your team to focus on strategic initiatives instead of operational toil. Learn more: CloudKeepers Documentation