Overview

Product video
Get control of your cloud access by removing excessive permissions and unused services. The Cloud Permissions Firewall transforms your cloud into a platform-wide state of least privilege and maintains that state as cloud usage expands across teams and cloud providers. The solution drives DevOps velocity with easy access to required permissions and sensitive services without introducing unnecessary risk. With the Cloud Permissions Firewall, you will significantly reduce the opportunity for attackers to steal sensitive data, disrupt business or hijack your cloud once they get in.
How does it work?
The Cloud Permissions Firewall is built on detailed permission usage intelligence that understands how your users and machines work and what they need access to.
Everything that is unused is removed with a sweeping global default deny policy. Excessive permissions are restricted, unused services are locked down, and dormant zombie identities are quarantined off.
When new access needs arise, a frictionless permissions on-demand workflow sends a request directly to a relevant approver so any role or employee gets what they need, quickly. Your global deny policy is automatically updated allowing this new exemption.
The Cloud Permissions Firewall allows you to secure with confidence, accelerate productivity, and save time not manually managing policies.
After achieving multi-cloud least privilege, it is time to shut down remaining attack paths. The Sonrai Cloud Infrastructure and Entitlements Management (CIEM+) solution reveals how permissions and policies compound together to create unintended access. Use manual or automated remediation options to eliminate risk.
Note: If you are an AWS customer and looking at Cloud Permissions Firewall, you must use AWS Organizations in your cloud.
Highlights
- Instant Risk Reduction: After your teams deploy the global policies in one-click, your attack surface is immediately reduced with quarantined zombie identities, restricted excessive permissions, and disabled unused services and regions.
- Global Default Deny Without Disruption: Receive large-scale protection without restricting anything your identities actually need. As new identities appear in your cloud, the deny policy applies by default making least privilege continuous and sustainable.
- ChatOps and ITSM Integration: No need to learn new tools or change your pre-existing workflows. The Cloud Permissions Firewall integrates with Slack, Google Teams, Email, Jira, ServiceNow, and more.
Details
Unlock automation with AI agent solutions

Features and programs
Financing for AWS Marketplace purchases
Pricing
Free trial
Dimension | Description | Cost/12 months | Overage cost |
---|---|---|---|
Sonrai Cloud Permissions Firewall - Enterprise Annual [Standard Support] | Enterprise Edition Standard Support - 25 Account Bundle | $37,500.00 | |
Sonrai Cloud Permissions Firewall - Enterprise Annual [Premium Support] | Enterprise Edition Premium Support - 25 Account Bundle | $45,000.00 | |
Sonrai Cloud Permissions Firewall - Starter Annual [Basic Support] | Starter Edition - 10 Account Bundle | $10,690.00 |
The following dimensions are not included in the contract terms, which will be charged based on your usage.
Dimension | Description | Cost/unit |
---|---|---|
Sonrai Cloud Permissions Firewall | Sonrai Cloud Permissions Firewall - Enterprise Monthly Overage | $200.00 |
Vendor refund policy
All fees are non-cancellable and non-refundable except as required by law.
Custom pricing options
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Support
Vendor support
The Sonrai Cloud Permissions Firewall - Starter Edition Support
Sonrai shall provide customer support to Company by email and the Sonrai support portal. Email: support@sonraisecurity.com Sonrai support is available during the hours of 9am-5pm ET, Monday through Friday and excluding public holidays. Customer response time is up to one (1) business day.
The Sonrai Cloud Permissions Firewall - Enterprise Edition Support
Standard Support for Enterprise (included) Sonrai shall provide customer support to Company by email, phone, chat, and the Sonrai support portal. Email: support@sonraisecurity.com Sonrai support is available during the hours of 9am-5pm ET, Monday through Friday and excluding public holidays. Customer response time varies from (1) hour to (1) business day depending on severity of ticket.
Premium Support for Enterprise (additional fee) Sonrai shall provide 24x7 customer support to Company by email, phone, chat, and the Sonrai support portal. Email: support@sonraisecurity.com . Sonrai support is available 24/7, 365 days per year through Jira Service Desk and Slack(when enabled). Normal response time to tickets is within four (4) hours during business hours (9am-5pm ET), 12 hours on evenings, 24 hours on weekends. Severity 1 issues are prioritized 24/7 and are escalated immediately when reported.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

Standard contract
Customer reviews
A fix for untamed privileges in AWS
It’s real cloud PAM—not a bolt-on or a siloed tool. It helps our team address identity risks in AWS at scale without slowing down developers. It’s fast, clean, and flexible.
AWS IAM Controls made Easy
The Setup was clear and well thought out, can deploy a top to bottom protection in a few hours.
The Customer Service was always top notch and would quickly evaluate the issue with a zoom call within a quick SLA.
Deploying changes took a long time, would have to iterate the whole stack versus the one item you were updating, but I believe that was already on a release branch.
Cloud PAM That Actually Works
We also appreciate the flexibility Sonrai offers—it can be deployed broadly or targeted precisely where needed, thanks to its granular controls and customizable enforcement levels. Integration with Teams makes it easy for users and approvers to manage access in real time, while detailed session summaries give us visibility into activities we previously missed.
IAM simplified
Here’s what sticks out:
Effortless Least Privilege via Cloud Permissions Firewall: One click and it quarantines zombie roles, disables unused services and regions, and tightens permissions across the entire cloud estate—without breaking anything.
Third-party Tracking and Management: In a single screen, I can track every ISV with access to my cloud, understand if their roles use best practice protections, and disable them with a single click for later cleanup. Better is that I can prevent unapproved new access by setting the default action to block.
Super-simple Permissions-on-Demand — When someone needs access, it’s a seamless ChatOps workflow that grants just what is required, only when it’s needed. No more standing permissions, no Jira tickets for role increase, and a simple audit trail of yes/no approvals with time constraints sent easily directly to the people who need to approve.
Just-in-Time (JIT) Access with AI-powered summaries: This is the next level. Pulling temporary elevated access only when needed, policy-enforced, and fully auditable. With integration into Amazon Bedrock, each privileged session generates a concise, human-readable summary. For businesses in regulated industries, it's the perfect auditing solution for user access.
Genuine usability and visibility: G2 users say it best: “Sonrai gave us unparalleled visibility and control over identity governance and cloud permissions,” and “the solution is very easy to use and implementation was also quick.”
In short, what I appreciate most is how Sonrai simplifies complex security challenges (and how I never have to write another SCP!). It’s powerful and intelligent, but never heavy. It just works.
To accomplish the same thing of just the cleanup would have been somewhere between monumental and insurmountable, but not only have i solved the cleanup issue, its ongoing protection without my team having to worry about writing AWS SCPs and potentially breaking production.