A read-only scan of your account produces a specific, actionable cost report — idle resources, storage mismatches, Savings Plan gaps — in about ten minutes.
We analyze your actual EC2, RDS, S3, EBS, ElastiCache, and Savings Plan coverage against 30 days of CloudWatch data — then tell you exactly where the money is going.
Run our scanner in your own account, receive a line-item breakdown of every saving we find. No agents, no IAM role for us, no follow-up call.
Each finding is priced against your on-demand rates and actual usage over the last 30 days — not a generic checklist.
One terminal command, using credentials you already have. Nothing installed, no roles granted to us, no agents left behind.
# Use the AWS profile you already have configured
docker run --rm \
  -e AWS_PROFILE=$AWS_PROFILE \
  -v ~/.aws:/root/.aws:ro \
  cloudhero/assess:latest \
  --scan-id YOUR_SCAN_ID
# → Reads inventory + CloudWatch + Cost Explorer
# → Encrypts findings locally (AES-256-GCM)
# → Uploads encrypted payload, then exits
~/.aws, mounted read-only.
arn:aws:iam::aws:policy/ReadOnlyAccess
Our scanner asks for AWS-managed ReadOnlyAccess, plus Cost Explorer read. If you prefer least-privilege, here it is:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:Describe*", "rds:Describe*",
      "s3:List*", "s3:GetBucketLocation",
      "ebs:Describe*", "elasticache:Describe*",
      "elasticloadbalancing:Describe*",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:ListMetrics",
      "ce:GetCostAndUsage",
      "ce:GetSavingsPlansUtilization",
      "ce:GetReservationUtilization"
    ],
    "Resource": "*"
  }]
}
No iam:*, no *:GetObject, no mutating actions. IAM policies, secrets, and object contents are out of reach.
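The claim above can be checked mechanically before the policy is attached. The following is an added example, not the vendor's code: it flags any allowed action pattern that is not limited to a read verb or whose wildcard could reach a sensitive action. The `READ_VERBS` and `SENSITIVE` lists and the function name are assumptions chosen for this sketch.

```python
import json
from fnmatch import fnmatchcase

# Constructed copy of the least-privilege policy shown above.
POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
  "ec2:Describe*", "rds:Describe*", "s3:List*", "s3:GetBucketLocation",
  "ebs:Describe*", "elasticache:Describe*", "elasticloadbalancing:Describe*",
  "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
  "ce:GetCostAndUsage", "ce:GetSavingsPlansUtilization",
  "ce:GetReservationUtilization"], "Resource": "*"}]}"""

READ_VERBS = ("describe", "list", "get")  # verb prefixes treated as non-mutating

# Probe actions picked for this example (an assumption, extend as needed):
# data or secrets that must stay out of reach even though some start with "Get".
SENSITIVE = ["iam:GetPolicyVersion", "iam:PassRole", "s3:GetObject",
             "secretsmanager:GetSecretValue", "ssm:GetParameter", "kms:Decrypt"]

def audit_policy(policy_text):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    statements = json.loads(policy_text)["Statement"]
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction: allows everything except the listed actions")
        actions = stmt.get("Action", [])
        for pattern in [actions] if isinstance(actions, str) else actions:
            p = pattern.lower()  # IAM action names are case-insensitive
            name = p.partition(":")[2]
            if not name.startswith(READ_VERBS):
                findings.append(f"{pattern}: not restricted to a read verb")
            for probe in SENSITIVE:
                if fnmatchcase(probe.lower(), p):  # could the wildcard reach it?
                    findings.append(f"{pattern}: grants {probe}")
    return findings

if __name__ == "__main__":
    for line in audit_policy(POLICY) or ["no findings"]:
        print(line)
```

The check only reasons about action names; resource scoping and conditions are outside what it inspects.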
Payload is AES-256-GCM encrypted on your machine with a fresh key wrapped in our RSA-OAEP public key. Plaintext never leaves your network.
--dry-run --output findings.json to write the payload locally. Diff it, review it, then re-run without the flag.
--assume-role.
security@cloudhero.io.
No call to schedule, no NDA, no agent installed. Just a report.
Run this when you're ready — takes about 5 minutes. We've emailed the full instructions to .
docker run --rm -e AWS_PROFILE=$AWS_PROFILE \
  -v ~/.aws:/root/.aws:ro cloudhero/assess:latest \
  --scan-id abc123
Reply to the email with questions — a human answers in hours, not days.