Delivering Safe and Secure Savings Assessments on AWS with CloudFix

By Sindhu Jambunathan and Jayaprakash Boreddy, Solutions Architects – AWS
By Badri Varadarajan, Executive VP, Technical Product Management – Aurea
By Ravi Duddukuru, Chief Product Officer – Aurea
By Miguel Bracchini, SVP of Solution Architecture – Aurea

For years, the Aurea team managed and maintained 120+ AWS-hosted software-as-a-service (SaaS) products across hundreds of AWS accounts. With escalating costs, they needed a way to identify cost savings across their accounts and applications in a safe and scalable way.

The team responded to this challenge by developing CloudFix, a scalable solution for finding and fixing cost-saving opportunities in your Amazon Web Services (AWS) environment. After launching commercially in 2021, including in AWS Marketplace, CloudFix has helped cut costs by approximately 15% for most customers, thus allowing organizations to re-invest the savings in modernization.

But how does CloudFix get permission to “go into” customers’ AWS accounts? The team worked closely with AWS and implemented best practices to focus on a minimal set of resources and usage data, maintaining the utmost security of customers’ data and environments.

CloudFix implemented the AWS-recommend approaches of:

• Least privilege model.
• AWS-native tooling with no third-party agents to install.
• Tightly bound permissions with AWS Identity and Access Management (IAM) roles.

Following the AWS-recommended approach, CloudFix ensured customers were always in control of their AWS environment with the security and policies already established.

Finally, “fixes” had to remain in developers’ control with a logged change management system with administrator controls. The CloudFix team turned to AWS Change Manager, a capability of AWS Systems Manager and enterprise change management framework for requesting, approving, implementing, and reporting on operational changes to your application configuration and infrastructure.

In this post, we will discuss how CloudFix built a tool to connect to any AWS account to deliver a savings assessment using safe and secure AWS services. CloudFix is developed by Aurea, a sister company of DevFactory, an AWS Partner. It’s an AWS cost optimization tool that helps customers adopt and use AWS services efficiently, with AWS recommended best practices and enterprise-grade deployment standards.

Safely Connecting to Your AWS Account

The CloudFix team knew that commercializing their tool for outside organizations meant ensuring data stored within AWS environments could never be accessed by CloudFix itself. The team elected to use an IAM role, combined with AWS CloudFormation, to provision the CloudFix stack securely and transparently.

CloudFix’s connection to AWS accounts uses the following process:

• CloudFix creates an IAM role to launch a CloudFormation stack in the account where your browser is logged in.
• The CloudFormation stack sets up basic data resources needed for the savings assessment.
• CloudFix accesses and analyzes the following services to deliver savings recommendations:
  • AWS Cost and Usage Report
  • AWS CloudWatch Metrics

Connecting your account to CloudFix creates a stack in your environment based on the CloudFix CloudFormation template, which defines permissions that CloudFix–or any other application–will gain after provisioning the stack. With the CloudFormation template, a read-only IAM role is created to enable CloudFix to access your AWS account using the principle of least privilege.

Figure 1 – Sequence diagram for connecting accounts to CloudFix.

Using CloudFormation also allows users to review the exact permissions that CloudFix is requesting. Developers like this because they can incorporate code reviews and revision controls to manage every stack.

After provisioning a stack, users can organize and manage stacks within the CloudFormation console. The CloudFix stack can easily be deleted within the CloudFormation console for simple deprovisioning and cleanup.

Finally, the CloudFix team needed a scalable solution to onboard more accounts. One account at a time would take too long for most organizations with dozens of AWS accounts. Luckily, with AWS Organizations, many AWS customers have already consolidated these accounts under one master account to administer those accounts as a single unit.

Using AWS Organizations, CloudFix is able to query a list of all the accounts under one master account. That list is returned to the user to install the CloudFix stacksets where users can decide to target one or many organizations for analysis.

Figure 2 – Example onboarding of multiple accounts under one master account.

Delivering Savings Assessments Without Reading Tenant Data

The CloudFix team knew that customers would prefer they did not have access to internal data. Using the least-privilege model, CloudFix is designed to utilize the fewest parameters possible to analyze usage and make recommendations. This data is available via the AWS Cost and Usage Report.

In order to make recommendations, the CloudFix team needed a way to easily query Cost and Usage Report data without building out the infrastructure required for a rapid querying service. They found that Amazon Athena provided a great solution to power the querying behind their recommendation engine. The CloudFix team further streamlined their application by pairing Athena with AWS Glue to power serverless data integration.

Amazon CloudWatch metrics are another important data source for the CloudFix application. With CloudWatch, CloudFix is able to verify each savings opportunity by monitoring your resources. Once verified, the CloudFix system creates the recommendation and places them in the CloudFix dashboard for review.

Conclusion

CloudFix architected its “finders” using the AWS-recommended approach and best practices of a least-privilege model in addition to AWS-native tooling with no third-party agents to install and tightly-bound permissions with IAM roles. This ensures cloud practitioners remain in control of their environment with the security and policies already in place.

CloudFix is available in AWS Marketplace. With one click, you can provision CloudFix’s CloudFormation template in your environment to start receiving cost-saving recommendations.

For further information on the “fixer” side of the tool, read this AWS blog post on how CloudFix uses AWS Change Manager to deliver cost savings.