
Identify and Delete Unused AWS Security Groups

Overview

Clean up unused security groups to reduce attack surface, simplify network management, and keep your AWS environment tidy. The plan guides you through discovering all in-scope security groups, mapping where they are used, identifying those that are truly unused, and then safely deleting only the groups you explicitly approve. It finishes with a validation step to confirm that all intended security groups have been removed and to highlight any discrepancies that may need follow-up.


Execution Details

Assessment

In the Assessment phase, you build a complete, accurate picture of all security groups and how they are used:

  • Inventory all in-scope security groups
    Enumerate security groups in all chosen regions and VPCs, capturing key metadata such as IDs, names, descriptions, VPC IDs, owning account, and, where available, creation times. All inbound and outbound rules are recorded, including protocols, ports, sources/destinations, and rule descriptions. Default VPC security groups are explicitly identified as non-deletable. Tags (such as environment, application, and owner) are included where present to make later review easier, and the full inventory is stored in a structured format for reuse.

  • Map security groups to all referencing resources
    For each security group, identify every place it is used. This includes ENIs and their attached resources (EC2 instances, managed services, etc.), load balancers, RDS and other database or managed services, VPC endpoints, and any other services that can associate security groups. The assessment also finds any security group rules that reference other groups as sources or destinations. The result is a consolidated mapping per group that shows all attachments and references, saved alongside the initial inventory.

  • Identify security groups with no attachments or references
    Using the inventory and mapping, each security group is evaluated to determine whether it is in use. Groups that have any ENI or service attachments, or that are referenced by other security groups, are marked as in use. Default VPC security groups are excluded from cleanup even if unused. Any group with no attachments, no references, and not a default group is marked as a candidate for deletion, along with details such as ID, name, VPC, and tags. Groups that appear unused but look reserved (for example, by name or tag patterns like “template” or “do-not-delete”) are specially flagged. A final candidate list of unused groups is prepared for your review.

  • User: Approve unused security groups for deletion
    You are presented with the candidate unused security groups, including their core details, tags, and any special flags. The plan guides you through reviewing them and assigning a status to each: approved for deletion, to be retained, or needing further investigation. Any group not approved for deletion is excluded from cleanup, optionally with a documented reason. The result is a final, user-approved list of security groups to delete, captured in a format suitable for the deletion step.


Configuration

In the Configuration phase, the plan carefully deletes only the security groups you have approved:

  • Delete user-approved unused security groups
    The most recent approved deletion list is retrieved and treated as the authoritative source. Before each deletion, a final safety check confirms that the security group is still unused—no new ENI attachments, service associations, or references from other groups have appeared since the assessment. Any group that has become referenced or attached is skipped and recorded with an explanation. All other groups are deleted, and each attempt’s outcome (success or failure, with error details if needed) is logged. A summary is produced listing which groups were successfully deleted and which were not, to support validation and follow-up.
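As an added illustration (not code from the plan itself), the following Python shows the core logic of the Assessment mapping and candidate steps together with the pre-deletion "still unused" check from the Configuration step, run over constructed data shaped like boto3's `describe_security_groups` and `describe_network_interfaces` responses. The group and ENI IDs, the VPC ID and the reserved-name regex are assumptions, and a real run would page through those API calls per region and add load balancer, RDS and VPC endpoint associations, which these structures omit.

```python
"""Assessment/safety-check logic over constructed EC2-shaped data (all IDs hypothetical)."""
import re

RESERVED = re.compile(r"template|do-not-delete", re.IGNORECASE)  # assumed reserved patterns

def sg(gid, name, refs=(), tags=()):
    """Build a minimal describe_security_groups entry; refs = group IDs named in its rules."""
    perm = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "UserIdGroupPairs": [{"GroupId": r} for r in refs]}
    return {"GroupId": gid, "GroupName": name, "VpcId": "vpc-0example",
            "Tags": [{"Key": k, "Value": v} for k, v in tags],
            "IpPermissions": [perm] if refs else [], "IpPermissionsEgress": []}

SECURITY_GROUPS = [                                  # constructed sample inventory
    sg("sg-0a1", "default"),                         # default group: never deletable
    sg("sg-0b2", "web"),                             # attached to the ENI below
    sg("sg-0c3", "db", refs=["sg-0b2"]),             # references web, but nothing references db
    sg("sg-0d4", "app-template"),                    # unused, name looks reserved
    sg("sg-0e5", "old-test", tags=[("Name", "do-not-delete")]),  # unused, tag looks reserved
    sg("sg-0f6", "bastion-old"),                     # kept alive by sg-0g7's rule
    sg("sg-0g7", "jump", refs=["sg-0f6"]),           # unused itself
]
NETWORK_INTERFACES = [{"NetworkInterfaceId": "eni-0example", "Groups": [{"GroupId": "sg-0b2"}]}]

def map_references(groups, enis):
    """Assessment step 2: per group, the ENIs attached to it and the groups whose rules name it."""
    refs = {g["GroupId"]: set() for g in groups}
    for eni in enis:
        for g in eni["Groups"]:
            refs.setdefault(g["GroupId"], set()).add(eni["NetworkInterfaceId"])
    for g in groups:
        for perm in g["IpPermissions"] + g["IpPermissionsEgress"]:
            for pair in perm.get("UserIdGroupPairs", []):
                # a self-reference is counted too: that rule must go before the group can be deleted
                refs.setdefault(pair["GroupId"], set()).add(g["GroupId"])
    return refs

def find_candidates(groups, enis):
    """Assessment step 3: unused, non-default groups; reserved-looking names/tags are flagged."""
    refs = map_references(groups, enis)
    out = []
    for g in groups:
        if g["GroupName"] == "default" or refs[g["GroupId"]]:
            continue
        haystack = " ".join([g["GroupName"]] + [t["Value"] for t in g["Tags"]])
        out.append({"GroupId": g["GroupId"], "GroupName": g["GroupName"], "VpcId": g["VpcId"],
                    "Tags": g["Tags"], "Flagged": bool(RESERVED.search(haystack))})
    return out

def still_unused(group_id, groups, enis):
    """Configuration-phase safety check: re-map right before deleting; skip if anything appeared."""
    return not map_references(groups, enis).get(group_id)
```

Feeding fresh API output into `still_unused` just before each delete call is what turns a stale candidate list into a safe one.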

Validation

In the Validation phase, the plan confirms that cleanup completed as expected:

  • Confirm deleted security groups are removed
    Using the list of security groups reported as successfully deleted, the plan re-queries the current security group state in each relevant region and VPC to ensure those IDs no longer exist. Any security group that still appears despite being marked as deleted is flagged for investigation, and the inconsistency is documented. A final validation report summarizes which groups have been fully removed and highlights any discrepancies that may require separate operational follow-up.