Find AWS risks, waste, and operational drift before they become bigger problems.
Cloud Savant gives AWS admins prioritized security, cost, and Well-Architected findings directly in the app — using read-only AWS access and clear next steps that show what to fix first.
Who this is for
Cloud Savant is built for teams that need AWS findings organized into practical next steps, not another platform to operate.
Built for
- AWS admins managing one or more accounts
- Small teams without a dedicated cloud governance platform
- Consultants and MSPs reviewing client AWS environments
- Teams that want prioritized findings without building custom dashboards
Not built for
- Teams looking for automated resource remediation
- Teams that need a full SIEM, CSPM, or enterprise CNAPP
- Non-AWS cloud environments today
Why AWS account reviews stall
AWS already gives teams plenty of signals, but they are scattered across services, accounts, regions, and consoles. Cost, security, reliability, and Well-Architected issues often sit in different places, making it hard to know what changed, what matters, and what to fix first.
Too many consoles
Cost, security, reliability, and Well-Architected signals live across different AWS services. That makes routine account reviews slower than they should be.
Too little prioritization
AWS surfaces valuable data, but teams still have to decide what matters most, which account is affected, and which findings deserve attention first.
Not enough fix guidance
A finding is only useful if someone knows what to do next. Cloud Savant helps turn cloud signals into clear, actionable next steps.
From visibility to prioritized next steps
Cloud Savant combines AWS security posture, cost signals, usage optimization, reliability checks, and Well-Architected health into findings you can act on quickly.
Connect read-only AWS access
Connect AWS accounts or AWS Organizations through a read-only CloudFormation role and let Cloud Savant collect cost, security, and operational signals.
Review prioritized findings
Get continuously updated visibility into spend trends, forecasts, spend drivers, and Well-Architected health — all framed as clear next steps.
Act before small issues grow
Use explainable findings for rightsizing, savings coverage, risky configurations, and reliability improvements before small issues become expensive problems.
Built on AWS-native signals
Start with read-only access, connect the environments you actually run, and let Cloud Savant organize cost, security, and reliability findings into decisions.
Built for AWS Organizations
Designed for single AWS accounts and AWS Organizations with a least-privilege, read-only setup.
AWS-native signal sources
Uses Cost Explorer, savings plan and reserved capacity coverage/utilization, Compute Optimizer findings, and security/reliability findings.
Why not just use AWS native tools?
AWS already provides powerful signals, but they are spread across services and accounts. Cloud Savant does not replace AWS-native tools — it organizes their signals into a mobile-first view with prioritized findings and clear next steps.
Example findings Cloud Savant surfaces
Cloud Savant turns scattered AWS signals into prioritized findings across cost, security, reliability, and operations.
Cost Optimization
- Unattached EBS volumes
- Old EBS snapshots
- Unassociated Elastic IPs
- NAT gateway cost signals
- Underutilized EC2 or EBS findings
- Savings Plan / Reserved Instance coverage gaps
Security
- IAM users without MFA
- Old or unused access keys
- S3 public access posture
- CloudTrail coverage gaps
- GuardDuty and Security Hub findings
Reliability / Operations
- Load balancers with no healthy targets
- Backup visibility gaps
- Well-Architected pillar score changes
- Account-level risk and severity trends
Each finding shows what changed, why it matters, and what to do next.
How it works
Connect read-only AWS access, review prioritized findings, and start with the next best action instead of digging through disconnected dashboards.
Connect your account or Organization
Deploy a read-only CloudFormation role so Cloud Savant can analyze cost, usage, security, and reliability signals without changing resources.
See what changed
Review spend trends, forecasts, usage optimization opportunities, risky configurations, and Well-Architected health in one mobile-first view.
Start with the next best action
Prioritized findings explain what matters, why it matters, and what to do next across cost, security, and reliability.
AWS onboarding from your phone
Watch the account connection flow: start in Cloud Savant, launch the AWS setup path, and return with your read-only role ready for forecasting, usage optimization, and prioritized findings.
App screenshots
A quick look at Health, Security, and FinOps views — designed for clarity, forecasting, and next-step prioritization in dark mode.
Health
Well-Architected trends and pillar scoring framed as next steps.
Security
Risky configurations and drift organized by severity and impact.
FinOps
Spend drivers, forecasts, savings coverage, and usage optimization signals.
FinOps on iPad
A wider layout for forecasting, spend drivers, and deeper FinOps drill-downs.
Security-first, read-only by default
Start with collection and analysis, not mutation. Keep control while getting high-signal findings on cost, security, and reliability.
Read-only onboarding
Use a CloudFormation stack to create a role that Cloud Savant can assume for analysis without write access.
Least-privilege mindset
Permissions are scoped to what is required for AWS cost visibility, usage optimization, security, and reliability signals.
Operational clarity
Every finding is paired with what changed, why it matters, and a practical next step.
Read-only IAM policy
The AWS role created during onboarding grants read-only discovery, cost, security, and organization visibility. Review the exact permissions before connecting an account.
Cloud Savant analysis permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:GetCallerIdentity",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetCostCategories",
        "ce:GetReservationCoverage",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "budgets:ViewBudget",
        "budgets:DescribeBudgetAction",
        "budgets:DescribeBudgetActionHistories",
        "budgets:DescribeBudgetActionsForAccount",
        "budgets:DescribeBudgetActionsForBudget",
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetEC2InstanceRecommendations",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:GetAutoScalingGroupRecommendations",
        "compute-optimizer:GetECSServiceRecommendations",
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:DescribeAddresses",
        "ec2:DescribeImages",
        "ec2:DescribeRegions",
        "ec2:DescribeNatGateways",
        "ssm:DescribeInstanceInformation",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers",
        "iam:ListMFADevices",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed",
        "iam:ListAttachedUserPolicies",
        "iam:ListRoles",
        "iam:ListAttachedRolePolicies",
        "iam:GetRole",
        "iam:ListRoleTags",
        "s3:ListAllMyBuckets",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketVersioning",
        "s3:GetBucketLogging",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetLifecycleConfiguration",
        "s3:GetAccountPublicAccessBlock",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "elasticfilesystem:DescribeFileSystems",
        "backup:ListBackupPlans",
        "guardduty:ListDetectors",
        "guardduty:GetDetector",
        "guardduty:ListFindings",
        "guardduty:GetFindings",
        "securityhub:DescribeHub",
        "securityhub:GetFindings",
        "pricing:GetProducts",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeTags",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:GetMetricStatistics",
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListParents",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAccountsForParent",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganizationalUnit",
        "cur:DescribeReportDefinitions",
        "glue:GetDatabases"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
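One way to review the permissions above before connecting an account, written as an added example and not Cloud Savant's own code: the script flags any allowed action that is a wildcard, is not a read-style verb, or reads stored content instead of metadata. The prefix list, the `DATA_READS` set and the names `audit_policy`, `PAGE_EXCERPT` and `CONSTRUCTED_BAD` are assumptions of this example; the verb check is a naming heuristic, not an AWS access-level classification.

```python
import json
import sys

# Verb prefixes treated as read-style (heuristic chosen for this example).
READ_PREFIXES = ("get", "list", "describe", "view")
# Read-style names that return stored content rather than configuration.
DATA_READS = {"s3:getobject", "secretsmanager:getsecretvalue", "ssm:getparameter"}

def as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy):
    """Return sorted (reason, detail) findings for every Allow statement."""
    findings = set()
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.add(("not-action", json.dumps(stmt["NotAction"])))
        for action in as_list(stmt.get("Action")):
            name = action.lower()  # IAM action names are case-insensitive
            if "*" in name or "?" in name:
                findings.add(("wildcard", action))
            elif name in DATA_READS:
                findings.add(("data-read", action))
            elif not name.split(":", 1)[-1].startswith(READ_PREFIXES):
                findings.add(("non-read", action))
    return sorted(findings)

# Excerpt of the policy shown on this page (actions copied from it).
PAGE_EXCERPT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["sts:GetCallerIdentity", "budgets:ViewBudget", "iam:ListMFADevices",
               "s3:GetBucketPublicAccessBlock", "guardduty:GetFindings",
               "ec2:DescribeNatGateways"]}]}

# Constructed counter-example: what a role that is not read-only looks like.
CONSTRUCTED_BAD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances",
               "s3:GetObject", "iam:*"]}}

if __name__ == "__main__":
    # With a file argument, audit the full policy JSON saved from the page.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else CONSTRUCTED_BAD
    for reason, detail in audit_policy(doc):
        print(f"{reason:10} {detail}")
```

Run it against the policy embedded in the CloudFormation template you are about to deploy as well, since that template is what actually creates the role.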
Ready to see what is risky, wasteful, or drifting in your AWS accounts?
Connect a single account or AWS Organization with a read-only CloudFormation role, then review prioritized findings across security, cost, reliability, and Well-Architected health — with clear next steps showing what to fix first.
Start with one AWS account free.
Upgrade when you want to monitor additional accounts or connect broader AWS Organizations coverage.
FAQ
Common questions teams ask before onboarding.
Do I have to give Cloud Savant write access to my AWS accounts?
No. Cloud Savant uses a read-only role deployed through CloudFormation so it can analyze your environment without making changes.
Is this just another cost dashboard?
No. The focus is on prioritized next steps — what changed, why it matters, and what to do next across cost, security, and reliability.
Will this work if we manage multiple AWS accounts?
Yes. Cloud Savant supports both single accounts and AWS Organizations, so you get consistent visibility across the environments you actually run.
Can I use it on the go?
Yes. Cloud Savant is designed for phone visibility, with a readable, dark-mode-friendly experience that makes it easy to check findings anywhere.
How does onboarding work?
You deploy a read-only CloudFormation stack in your AWS account. This creates an IAM role Cloud Savant can assume to begin analysis. Single-account setup takes only a few minutes.
What platforms does Cloud Savant support?
Cloud Savant is currently available as an iOS app on iPhone and iPad and as an Android app, with support for AWS environments of any size.
Is my AWS data stored by Cloud Savant?
Cloud Savant collects summarized signals and findings, not raw resource data. Analysis results are stored securely and used only to power your dashboard.
What AWS cost signals does Cloud Savant use?
Cloud Savant uses AWS-native signals such as Cost Explorer, forecasting data, savings plan and reserved capacity coverage/utilization, Compute Optimizer findings, and spend driver trends.