Free · ~10 minutes · No sales call

Find 15–30% of waste hiding in your AWS bill.

A read-only scan of your account produces a specific, actionable cost report — idle resources, storage mismatches, Savings Plan gaps — in about ten minutes.

A real AWS cost report. Not a checklist.

We analyze your actual EC2, RDS, S3, EBS, ElastiCache, and Savings Plan coverage against 30 days of CloudWatch data — then tell you exactly where the money is going.

Ten minutes. One Docker command.

Run our scanner in your own account, receive a line-item breakdown of every saving we find. No agents, no IAM role for us, no follow-up call.

Read-only APIs Runs in your account Encrypted client-side No IAM role for us
01
You run a Docker container
~5 min
02
We analyze encrypted data
~2 min
03
Report lands in your inbox
PDF + web
01 — The Report

What the report tells you, specifically.

Each finding is priced against your on-demand rates and actual usage over the last 30 days — not a generic checklist.

Idle EC2 & RDS
EC2 · RDS
Instances with <5% avg CPU and <1 MB/s network for 14+ days.
$400–$2k/mo
Unattached EBS
EBS
Orphaned volumes and unused snapshots older than 90 days.
$80–$600/mo
GP2 → GP3
EBS
Volumes where GP3 is both cheaper and faster at the same IOPS.
~20% of EBS
Savings Plan gaps
Billing
Uncovered steady-state compute where a 1-yr SP pays back fast.
up to 30%
S3 lifecycle
S3
Hot buckets with cold access — IA, Glacier, Deep Archive candidates.
40–70% on tier
NAT Gateway drag
VPC
High-egress paths that should be VPC endpoints instead.
$150–$3k/mo
RI / SP utilization
Billing
Flag commitments running under 80% — with right-sizes.
recover 5–15%
LBs & Elastic IPs
ELB · EIP
Idle load balancers with 0 targets and unassociated EIPs.
$20–$200/mo
02 — How it runs

What you'll actually do.

One terminal command, using credentials you already have. Nothing installed, no roles granted to us, no agents left behind.

your terminal 
# Export read-only AWS credentials (dedicated role, user, or SSO session)
export AWS_ACCESS_KEY_ID=... AWS_SECRET_ACCESS_KEY=...

# We email you a personalised one-liner with UPLOAD_URL / TOKEN / SCAN_ID
docker run --rm \
  -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY \
  -e AWS_SESSION_TOKEN \
  -e UPLOAD_URL -e UPLOAD_TOKEN -e SCAN_ID \
  public.ecr.aws/f6g2d1g7/cloudhero/scan:latest

# → Reads inventory + CloudWatch + Cost Explorer
# → Encrypts findings locally (AES-256-GCM + RSA-4096)
# → Uploads encrypted payload, then exits
  • Docker installedAny recent version. Pin a hash if you want to audit the image.
  • Read-only AWS credentialsExported as environment variables — use a dedicated IAM role (recommended), a dedicated user, or your existing SSO session. We never read your ~/.aws.
  • ~5 minutes of runtimeLonger only if you have thousands of resources.
Exact IAM permissions arn:aws:iam::aws:policy/ReadOnlyAccess

Our scanner asks for AWS-managed ReadOnlyAccess, plus Cost Explorer read. If you prefer least-privilege, here it is:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:Describe*", "rds:Describe*",
      "s3:ListAllMyBuckets", "s3:GetBucketLocation",
      "s3:GetBucketLifecycleConfiguration", "s3:GetBucketTagging",
      "elasticache:Describe*", "elasticfilesystem:Describe*",
      "eks:List*", "eks:Describe*",
      "es:List*", "es:Describe*",
      "elasticloadbalancing:Describe*",
      "cloudfront:ListDistributions", "cloudfront:GetDistribution",
      "cloudwatch:GetMetricStatistics",
      "logs:DescribeLogGroups",
      "ce:Get*", "savingsplans:Describe*",
      "sts:GetCallerIdentity"
    ],
    "Resource": "*"
  }]
}

No iam:*, no *:GetObject, no mutating actions. IAM policies, secrets, and object contents are out of reach.

03 — Data

What we see. What we don't.

Payload is AES-256-GCM encrypted on your machine with a fresh key wrapped in our RSA-OAEP public key. Plaintext never leaves your network.

What we collect

  • Resource inventory — EC2, RDS, S3 metadata, EBS, ElastiCache, LBs, NAT GWs
  • CloudWatch metrics — CPU, network, cache hit rates (30 days)
  • Cost Explorer — per-service costs, SP & RI utilization
  • Tags — to group findings by team / environment

What we never touch

  • Application data or database contents
  • Secrets, credentials, or encryption keys
  • IAM users, roles, or policy documents
  • S3 object contents or log contents
  • Flow logs, CloudTrail events, packet data
Category
What specifically
Collected?
Inventory
Instance types, sizes, regions, ages, tags
YES
Metrics
CloudWatch aggregates (30 days, 1h granularity)
YES
Billing
Cost Explorer rollups, SP / RI utilization
YES
Object data
S3 file contents, DB rows, logs, secrets
NEVER
IAM
Users, roles, policies, keys, credentials
NEVER
Traffic
Flow logs, CloudTrail events, packet data
NEVER
Inventory CloudWatch Cost Explorer Tags
Object data Secrets IAM DB rows Flow logs
04 — Trust

Teams running this.

"
We ran it between stand-ups. It flagged $2,340/month in oversized RDS and seven orphaned snapshots we'd lost track of after a team rotation. The per-instance rationale with actual PeakCPU and freeable-memory numbers, not a generic checklist, made the case for us. Finance signed off same week.
JK
James K., Platform Engineering Lead at a B2B SaaS company
18%
Median monthly savings found per account
9min
Average scan duration end-to-end
0
IAM roles granted to CloudHero
05 — Honest answers

Questions people actually ask.

Why is it free?+
It's how we introduce engineering teams to CloudHero's ongoing optimization service. Useful? You talk to us. Not useful? You don't hear from us again.
Who runs the scan?+
You do, on your machine, with your own AWS credentials. We never receive a role, a key, or a session. The Docker image is public — pin a hash if you want to audit it.
What happens to my data after?+
Encrypted payload sits in S3 long enough for one Lambda to decrypt and generate the report. The encrypted input and report files are deleted on a 90-day S3 lifecycle; the download link in your email is valid for 7 days. Request earlier deletion anytime by replying to the email.
Can I audit what's sent?+
The scanner logs every AWS API call to stdout as it runs — you see each Describe*, List*, and Get* call before the encrypted payload is uploaded. Pin the image digest instead of :latest to audit the exact binary running in your account.
Multiple accounts?+
Run once per account with credentials exported for that account. For an AWS Organization, use aws sts assume-role to export temporary credentials into your shell for each member account, then run the container. The scan UI issues one upload URL per submission.
What if security says no?+
Point them at the IAM policy above and the encryption flow. Responsible disclosure: security@cloudhero.io.

Ten minutes to a number that'll surprise your CFO.

No call to schedule, no NDA, no agent installed. Just a report.

Start the assessment

Verify your email

We sent a 6-digit code to .

You're set.

Run this when you're ready — takes about 5 minutes. We've emailed the full instructions to .

one-liner
docker run --rm \
  -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY \
  -e AWS_SESSION_TOKEN \
  -e UPLOAD_URL -e UPLOAD_TOKEN -e SCAN_ID \
  public.ecr.aws/f6g2d1g7/cloudhero/scan:latest

Reply to the email with questions — a human answers in hours, not days.