Free · ~10 minutes · No sales call

Find 15–30% of waste hiding in your AWS bill.

A read-only scan of your account produces a specific, actionable cost report — idle resources, storage mismatches, Savings Plan gaps — in about ten minutes.

A real AWS cost report. Not a checklist.

We analyze your actual EC2, RDS, S3, EBS, ElastiCache, and Savings Plan coverage against 30 days of CloudWatch data — then tell you exactly where the money is going.

Ten minutes. One Docker command.

Run our scanner in your own account and receive a line-item breakdown of every saving we find. No agents, no IAM role for us, no follow-up call.

Read-only APIs · Runs in your account · Encrypted client-side · No IAM role for us

01 · You run a Docker container · ~5 min
02 · We analyze encrypted data · ~2 min
03 · Report lands in your inbox · PDF + web

01 — The Report

What the report tells you, specifically.

Each finding is priced against your on-demand rates and actual usage over the last 30 days — not a generic checklist.

  • Idle EC2 & RDS (EC2 · RDS): Instances with <5% avg CPU and <1 MB/s network for 14+ days. $400–$2k/mo
  • Unattached EBS (EBS): Orphaned volumes and unused snapshots older than 90 days. $80–$600/mo
  • GP2 → GP3 (EBS): Volumes where GP3 is both cheaper and faster at the same IOPS. ~20% of EBS
  • Savings Plan gaps (Billing): Uncovered steady-state compute where a 1-yr SP pays back fast. up to 30%
  • S3 lifecycle (S3): Hot buckets with cold access — IA, Glacier, Deep Archive candidates. 40–70% on tier
  • NAT Gateway drag (VPC): High-egress paths that should be VPC endpoints instead. $150–$3k/mo
  • RI / SP utilization (Billing): Flag commitments running under 80% — with right-sizes. recover 5–15%
  • LBs & Elastic IPs (ELB · EIP): Idle load balancers with 0 targets and unassociated EIPs. $20–$200/mo

02 — How it runs

What you'll actually do.

One terminal command, using credentials you already have. Nothing installed, no roles granted to us, no agents left behind.

your terminal
# Use the AWS profile you already have configured
docker run --rm \
  -e AWS_PROFILE="$AWS_PROFILE" \
  -v ~/.aws:/root/.aws:ro \
  cloudhero/assess:latest \
  --scan-id YOUR_SCAN_ID

# → Reads inventory + CloudWatch + Cost Explorer
# → Encrypts findings locally (AES-256-GCM)
# → Uploads encrypted payload, then exits

  • Docker installed: Any recent version. Pin a hash if you want to audit the image.
  • An AWS CLI profile: With the permissions below. We use ~/.aws, mounted read-only.
  • ~5 minutes of runtime: Longer only if you have thousands of resources.

Exact IAM permissions: arn:aws:iam::aws:policy/ReadOnlyAccess

Our scanner asks for AWS-managed ReadOnlyAccess, plus Cost Explorer read. If you prefer least-privilege, here it is:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:Describe*",   "rds:Describe*",
      "s3:List*",       "s3:GetBucketLocation",
      "ebs:Describe*",  "elasticache:Describe*",
      "elasticloadbalancing:Describe*",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:ListMetrics",
      "ce:GetCostAndUsage",
      "ce:GetSavingsPlansUtilization",
      "ce:GetReservationUtilization"
    ],
    "Resource": "*"
  }]
}

The policy above contains no iam:*, no *:GetObject, and no mutating actions, so IAM policies, secrets, and object contents are out of reach.
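
One way to check that claim before handing the policy to a security review, as an added example that is not CloudHero's code. It audits the Action patterns from the policy above and, for contrast, a constructed broad grant; the read-verb list and the MUST_NOT_MATCH actions are assumptions chosen for this sketch.

```python
import json
from fnmatch import fnmatchcase

# Action list copied from the least-privilege policy on this page.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
  "ec2:Describe*", "rds:Describe*", "s3:List*", "s3:GetBucketLocation",
  "ebs:Describe*", "elasticache:Describe*", "elasticloadbalancing:Describe*",
  "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
  "ce:GetCostAndUsage", "ce:GetSavingsPlansUtilization",
  "ce:GetReservationUtilization"], "Resource": "*"}]}
""")

# Constructed broad grant, for contrast only (not from the page).
BROAD_POLICY = {"Statement": {"Effect": "Allow", "Resource": "*",
                              "Action": ["s3:Get*", "iam:Get*", "ec2:*"]}}

READ_VERBS = ("describe", "list", "get")  # assumption: verbs accepted as read-only
# Assumption: representative actions for the data the page says is out of reach.
MUST_NOT_MATCH = ["s3:GetObject", "s3:PutObject", "iam:GetPolicyVersion",
                  "secretsmanager:GetSecretValue", "ssm:GetParameter",
                  "kms:Decrypt", "ec2:TerminateInstances", "rds:DeleteDBInstance"]

def allow_patterns(policy):
    """Return every Action pattern found in Allow statements."""
    statements = policy["Statement"]
    if isinstance(statements, dict):      # a lone statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:           # Allow + NotAction grants everything else
            raise ValueError("Allow with NotAction cannot be audited by pattern")
        actions = stmt["Action"]
        patterns += [actions] if isinstance(actions, str) else actions
    return patterns

def audit(policy):
    findings = []
    for pattern in allow_patterns(policy):
        service, _, verb = pattern.partition(":")
        if "*" in service or not verb.lower().startswith(READ_VERBS):
            findings.append(f"{pattern}: not restricted to a read verb")
        # IAM matches action names case-insensitively, so compare lowercased.
        for action in MUST_NOT_MATCH:
            if fnmatchcase(action.lower(), pattern.lower()):
                findings.append(f"{pattern}: matches {action}")
    return findings

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("broad grant", BROAD_POLICY)):
        print(name, audit(pol) or "no findings")
```

A read verb alone is not proof of safety, which is why the explicit MUST_NOT_MATCH list is checked as well; extend it with whatever your own review treats as off-limits.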

03 — Data

What we see. What we don't.

Payload is AES-256-GCM encrypted on your machine with a fresh key wrapped in our RSA-OAEP public key. Plaintext never leaves your network.

What we collect

  • Resource inventory — EC2, RDS, S3 metadata, EBS, ElastiCache, LBs, NAT GWs
  • CloudWatch metrics — CPU, network, cache hit rates (30 days)
  • Cost Explorer — per-service costs, SP & RI utilization
  • Tags — to group findings by team / environment

What we never touch

  • Application data or database contents
  • Secrets, credentials, or encryption keys
  • IAM users, roles, or policy documents
  • S3 object contents or log contents
  • Flow logs, CloudTrail events, packet data

Category | What specifically | Collected?
Inventory | Instance types, sizes, regions, ages, tags | YES
Metrics | CloudWatch aggregates (30 days, 1h granularity) | YES
Billing | Cost Explorer rollups, SP / RI utilization | YES
Object data | S3 file contents, DB rows, logs, secrets | NEVER
IAM | Users, roles, policies, keys, credentials | NEVER
Traffic | Flow logs, CloudTrail events, packet data | NEVER

04 — Trust

Teams running this.

"The report found $4,200/month in idle RDS and NAT egress we'd stopped looking at. We had the first fix in production the same afternoon."
Maya R. — Staff SRE · Fintech series B [placeholder]

  • 18%: Median monthly savings found per account
  • 9 min: Average scan duration end-to-end
  • 0: IAM roles granted to CloudHero

05 — Honest answers

Questions people actually ask.

Why is it free?
It's how we introduce engineering teams to CloudHero's ongoing optimization service. Useful? You talk to us. Not useful? You don't hear from us again.

Who runs the scan?
You do, on your machine, with your own AWS credentials. We never receive a role, a key, or a session. The Docker image is public — pin a hash if you want to audit it.

What happens to my data after?
Encrypted payload sits in S3 long enough for one Lambda to decrypt and generate the report. Payload deleted after 90 days; report after 7. Request deletion anytime by replying to the email.

Can I audit what's sent?
Yes — run with --dry-run --output findings.json to write the payload locally. Diff it, review it, then re-run without the flag.

Multiple accounts?
Run once per account with the matching AWS profile. For an Organization, run from a member account or use --assume-role.

What if security says no?
Point them at the IAM policy above and the encryption flow. Responsible disclosure: security@cloudhero.io.

Ten minutes to a number that'll surprise your CFO.

No call to schedule, no NDA, no agent installed. Just a report.
