
The Cost of Manual Cloud Operations

Cloud operations teams spend countless hours on routine maintenance tasks: security audits, cost reviews, compliance checks, and resource cleanup. These tasks are critical but predictable—and they consume 40-60% of engineering capacity without delivering strategic value.

Traditional approach challenges:
  • Repetitive manual work: Weekly security audits take 4-6 hours per account, scaling to 60+ hours for enterprises with 15+ accounts
  • Inconsistency across environments: Different engineers interpret guidelines differently; compliance gaps appear when expertise concentrates in individuals
  • Reactive firefighting: Issues surface during crisis moments (compliance audit, cost spike, security breach) rather than being caught proactively
  • False positives everywhere: Manual scripts flag legitimate backup resources as orphaned, or miss context-aware risks entirely
CloudKeepers solves this by establishing continuous, autonomous guardrails that run 24/7 across your entire cloud estate, catching issues before they become incidents.

What Are CloudKeepers?

CloudKeepers are autonomous pilots that enforce guardrails for cost, security, and operational health. They continuously scan your cloud infrastructure on a schedule you define, identify drift and misconfigurations, and surface intelligent recommendations with step-by-step remediation playbooks.

Two specialized pilots:
  • CostOps: Identify unused resources, right-sizing opportunities, and cost anomalies with context-aware analysis
  • SecurityOps: Detect IAM misconfigurations, exposed resources, encryption gaps, and compliance risks
Unlike periodic assessments, CloudKeepers are designed for daily operations—they catch problems early before they escalate.

The CloudKeepers Workflow

1. Enable keepers

Open CloudKeepers and click Enable Your First Keepers. Select keepers by provider and pillar, then review detection rules and autonomy levels.

CloudKeepers onboarding page

2. Configure keepers and schedules

The two-step wizard lets you select keepers, then fine-tune detection rules per keeper. Set autonomy levels (Suggest, Approve, or Autonomous) and configure cron schedules in the Settings tab.

Select keepers and review detection rules

3. Review the dashboard

Each keeper’s Dashboard tab shows stat cards for open findings, critical/high count, potential savings, and this week’s detections, along with a findings-over-time trend chart.

Keeper dashboard with savings and severity breakdown

4. Triage findings

Switch to the Findings tab to see a Kanban board with columns for Pending, In Progress, Implemented, and Ignored. Each card shows estimated savings, effort, and risk severity.

Findings Kanban board for triage

5. Review detection runs

The Runs tab shows every detection run with status, summary, duration, and findings created. This is the audit trail you use to verify that keepers are running on schedule.

Detection run history

6. Configure detection rules

In the Settings tab, set the cron schedule and toggle individual detection rules on or off. Each rule describes what it detects and supports per-rule autonomy and threshold configuration.

Schedule and detection rule configuration


Use Case 1: Proactive Cost Optimization with CostOps

Scenario: Your infrastructure has grown organically over 18 months. You’re aware costs are climbing, but pinpointing what’s actually unused (vs. reserved for disaster recovery or testing) requires deep investigation. Your CostOps team lacks the bandwidth to do monthly audits.

CostOps pilot discovers:
  • Underutilized compute instances: 8 EC2 instances running at 5-15% average CPU (ideal candidates for right-sizing or shutdown)
  • Orphaned storage: 12 unattached EBS volumes and snapshots accumulating $2,400/month
  • Reserved capacity misalignment: Reserved instances for a deprecated service tier, losing $8,500/month in discounts
  • NAT gateway inefficiency: Multi-AZ NAT setup processing minimal traffic, could consolidate to single gateway
CloudKeepers advantage: CostOps agents understand that a volume tagged “daily-backup” from yesterday serves a real purpose, while “test-old” from 18 months ago is genuinely orphaned. They distinguish instances with intentionally low CPU (burst-capable) from those that are over-provisioned.

Cost optimization recommendations with savings analysis

Workflow:
  1. Schedule runs: CostOps scan runs every Wednesday at 10:00 UTC
  2. Review findings: Your FinOps team reviews the dashboard each Thursday morning, seeing $14,200/month in identified savings
  3. Assess impact: For the EC2 right-sizing recommendation, generate impact guidelines and share with engineering to validate performance assumptions
  4. Save to Plan: Move high-confidence items (orphaned volumes, NAT consolidation) to Plan for approval and scheduling
  5. Execute and track: Plan workflows handle approvals, scheduling, and execution with full audit trails
Time savings: From 6-8 hours monthly on spreadsheets and console navigation → 30 minutes weekly to review findings and make governance decisions

Use Case 2: Continuous Security Posture Monitoring with SecurityOps

Scenario: Your organization maintains 12 AWS accounts across dev, staging, and production. Security compliance requires monthly audits, but inconsistent findings (different engineers miss different issues) and the lack of standardized remediation create gaps. A recent audit found IAM policies that hadn’t been reviewed in 8 months.

SecurityOps pilot discovers:
  • IAM configuration drift: 23 IAM users/roles with overly-broad permissions (Developer policy attached when ReadOnlyAccess would suffice)
  • Exposed resources: 2 S3 buckets with public read access (not intentional); 1 RDS database with public accessibility enabled
  • Encryption gaps: 15 EBS volumes without encryption; 3 S3 buckets lacking default encryption
  • Access anomalies: Root account used for day-to-day operations; detected unused service accounts not cleaned up
  • Network exposure: 4 security groups allowing 0.0.0.0/0 SSH access (high-risk for compute; acceptable for ALBs)
CloudKeepers advantage: SecurityOps agents understand operational context. They know HTTP/HTTPS from 0.0.0.0/0 is standard for load balancers but dangerous for databases. They prioritize actual exploitability: a root account access key is critical; a read-only service account is low-risk.

Security audit recommendations with remediation steps
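The context-aware triage described above (the same world-open rule is routine on a load balancer and critical on a database) can be sketched as follows. This is an added example, not CloudKeepers' own detection logic: the input mirrors the `IpPermissions` shape of EC2 DescribeSecurityGroups output, while the group IDs, the attachment labels, the port lists and the severity names are assumptions made for illustration.

```python
import ipaddress

WEB_PORTS = {80, 443}                    # expected to be public on a load balancer
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # assumption: remote-admin ports are sensitive

def world_open(perm):
    """True if the rule admits every IPv4 or IPv6 source (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def ports_of(perm):
    """Port range covered by a rule; protocol "-1" means all traffic."""
    if perm["IpProtocol"] == "-1":
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)

def triage(group, attached_to):
    """Rate each world-open ingress rule by what the group protects (hypothetical labels)."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not world_open(perm):
            continue                     # rules scoped to private ranges are not flagged
        ports = ports_of(perm)
        admin = [name for port, name in ADMIN_PORTS.items() if port in ports]
        if attached_to == "database":
            findings.append(("critical", "database reachable from any address"))
        elif admin:
            findings.append(("high", "/".join(admin) + " open to any address"))
        elif attached_to == "load_balancer" and all(p in WEB_PORTS for p in ports):
            findings.append(("info", "public HTTP/HTTPS on a load balancer"))
        else:
            findings.append(("medium", "non-web port open to any address"))
    return findings

# Constructed sample data; group IDs and attachment labels are made up.
def rule(port, cidr):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

SAMPLE = {
    "sg-alb-example": ("load_balancer", [rule(443, "0.0.0.0/0")]),
    "sg-app-example": ("compute", [rule(22, "0.0.0.0/0")]),
    "sg-db-example": ("database", [rule(443, "0.0.0.0/0"), rule(5432, "10.0.0.0/16")]),
}

def triage_all(sample=SAMPLE):
    return {gid: triage({"IpPermissions": perms}, kind)
            for gid, (kind, perms) in sample.items()}
```

In practice the attachment label would come from resolving which network interfaces use each group, which this sketch leaves out.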

Workflow:
  1. Schedule runs: SecurityOps scan runs every Friday at 14:00 UTC (before your Monday compliance standup)
  2. Alert on critical findings: Your security team receives Slack notifications immediately for high-severity items (exposed database, root account in use)
  3. Review full report: Monday morning, your security team reviews the findings dashboard—23 medium-risk IAM findings, 2 critical exposure risks
  4. Generate playbooks: For the S3 bucket fix, generate implementation guidelines with AWS CLI commands; distribute to the owning team
  5. Save to Plan: Move findings requiring multi-team coordination (e.g., “remove root account access key”) to Plan for assignment, approval, and tracking
  6. Close findings: After remediation, mark findings as resolved or ignored to tune future alerts
Time savings: From 4-6 hours weekly on manual IAM reviews, S3 audits, and cross-account checks → 20 minutes to triage alerts and assign remediation tasks

Integration with Plan for Governance

CloudKeepers findings begin as drafts in your infrastructure view. When you’re ready to act, you save them to Plan, where they become work items with:
  • Full audit trails: Every finding, its status, and remediation steps are documented automatically
  • Approvals and assignment: Route findings to the right teams (security, FinOps, platform engineering) for review and sign-off
  • Execution tracking: Plan tracks status (pending, approved, in progress, completed) with timestamps and ownership
  • Compliance evidence: For audits, Plan provides timestamped records of when issues were identified and how they were resolved
This transforms CloudKeepers from an alerting system into a complete governance platform where findings are tracked through remediation with full accountability.

Why CloudKeepers Beat Manual Processes

| Dimension | Manual Audits | CloudKeepers |
|---|---|---|
| Execution frequency | Monthly (if lucky) | Daily/weekly—continuous guardrails |
| Time investment | 4-8 hours per session | 2-5 min setup; 15-30 min weekly review |
| Consistency | Varies by engineer | Identical analysis every run |
| Context understanding | Relies on engineer judgment | Domain expertise baked into agents |
| Scaling with accounts | Linear growth (4-6 hrs per account) | Constant time regardless of scale |
| False positives | High (scripts miss context) | 95% reduction via intelligent filtering |
| Issue detection time | Weeks to discovery | Hours to detection |
| Knowledge transfer | Lost when experts leave | Persistent in agent behavior |
| Audit evidence | Manual documentation | Automatic comprehensive logs |

Getting Started

  1. Open CloudKeepers in your workspace
  2. Configure pilots: Enable CostOps and SecurityOps with your preferred schedules
  3. Set notifications: Choose channels and severity thresholds
  4. Run your first scan: Manually trigger a scan to see findings immediately
  5. Review and save: Save high-impact findings to Plan for team review and remediation tracking

CloudKeeper scheduler setup interface

Your cloud infrastructure can now maintain continuous guardrails autonomously, freeing your team to focus on strategic initiatives instead of operational toil.

What’s Next

CloudKeepers Reference

Full CloudKeepers documentation — configuration, scheduling, and pilot types

Cost Optimization

AI-generated cost recommendations with effort, risk, and savings estimates

Security Assessment

Run a Well-Architected assessment across all 6 pillars with actionable findings

Notifications

Configure how and where CloudKeeper alerts are delivered