CloudAgent gives you AI agents that manage your cloud infrastructure. They handle tasks like security compliance, cost optimization, deployments, and monitoring. You remain in control as agents show you their plans, wait for your approval, then execute. Think of it as having a cloud operations team that works 24/7 without needing to hire an army of cloud experts.

How can AI agents be trusted with production cloud infrastructure?

You stay in control through approval workflows where every infrastructure change can require human approval before execution, custom security controls with granular access rules, complete audit trails of every action, self-hosted deployment options, and progressive trust models starting with read-only access.

How does it actually reduce costs?

CloudAgent agents delete unused resources, schedule non-production shutdowns, right-size infrastructure based on usage patterns, and recommend architectural optimizations. Early customers report 15-40% cost reduction within 90 days. Unlike dashboards, CloudAgent actually fixes the problems.

1. Assessment

Collect current root user credential and usage information
Review recent root user activity from logs
User: Define acceptable root usage scenarios and exceptions
User: Define monitoring and alerting requirements for root user activity

2. Configuration

User: Disable and remove any existing root user access keys
User: Ensure root activity is logged and monitored according to requirements

3. Validation

Confirm root user has no active access keys
Validate logging and monitoring of root user activity

1 Credits

Secure and Monitor AWS Root User Usage

Overview

Ensure the AWS root user is not used for daily operations, that any root access keys are disabled and removed, and that all root activity is visibly monitored. The plan walks through assessing current root usage, defining acceptable exceptions and monitoring requirements, applying configuration changes to eliminate programmatic root access, and finally validating that controls are working as intended.

The approach covers:

Discovering where and how the root user is currently used.
Establishing clear rules for when root use is acceptable and how it must be monitored.
Disabling and deleting root access keys across accounts.
Ensuring all root activity is logged, detected, and alerted on.
Verifying that programmatic root access is removed and monitoring is effective.

Execution Details

Assessment

Collect current root user credential and usage information

Review all in-scope AWS accounts to understand current root user posture. This phase:

Identifies and documents which accounts are in scope for root usage review.
Determines whether root access keys exist in each account and whether they are enabled or disabled.
Retrieves the last root console sign-in time where available.
Generates and reviews an account-level credential summary (such as an IAM credential report) to confirm root credential details, including key existence, last-used timestamps (if present), and console/password status.
Records any evidence of recent or ongoing root activity (for example, recent logins or access key use with approximate dates and services).
Stores all root credential and usage details in a structured format for analysis and later validation.

Review recent root user activity from logs

Analyze logging data to understand how the root user has been used recently. This phase:

Identifies which log sources capture management activity in each account (for example, centralized audit logs).
Filters those logs for root user activity within a defined recent time window (such as the last 30–90 days, depending on retention).
Captures key information for each root event (time, region, service, action, and whether it came from console or programmatic access).
Distinguishes routine, operational use of root from rare, exceptional or account-setup-level actions.
Produces a concise usage narrative for each account (for example, no recent activity, only rare exceptional use, or frequent operational activity).
Stores these summaries alongside credential status information to support later decisions on key disabling and monitoring.

Define acceptable root usage scenarios and exceptions

Guide stakeholders through defining how root may be used in a controlled way. This phase:

Presents the compiled credential state and activity summaries for review.
Confirms the overarching policy that root is not to be used for daily operations and is reserved only for exceptional account-level tasks.
Helps the user enumerate specific, legitimate scenarios where root use is still required (for example, selected billing, support, or account configuration actions), documenting these as approved exception cases.
Captures who is permitted to perform these root actions and what approvals or change management steps are required before use.
Reinforces that typical administrative tasks must be handled via IAM roles or users instead of the root user.
Produces a structured document listing acceptable root usage scenarios, explicit exceptions, and process controls for later reference.

Define monitoring and alerting requirements for root user activity

Clarify how root actions must be detected and escalated. This phase:

Reviews current logging and monitoring capabilities for tracking root actions across all in-scope accounts.
Guides the user in specifying which kinds of root events must generate alerts (for example, any root console login, any root key use, or specific configuration changes).
Captures desired alerting channels (such as security operations mailboxes or incident systems), recognizing that some endpoints may be external to AWS.
Allows the user to define severity levels for different events (for example, critical alerts for any login, lower-severity notifications for specific changes).
Confirms coverage expectations across accounts and regions.
Records all monitoring and alerting requirements in a structured format to drive later configuration and validation.

Configuration

Disable and remove any existing root user access keys

Apply changes to eliminate programmatic use of the root user. This phase:

Retrieves the current inventory of root access keys per account and compares it to previously collected credential data.
Reviews last-used timestamps and identified dependencies for each enabled root key to confirm nothing critical relies on it.
Disables all enabled root access keys so they can no longer be used.
Permanently deletes disabled keys where organizational policy permits, fully removing programmatic root access.
Documents any root keys that must be temporarily retained (kept disabled where possible), including identifiers, justification, and target decommission date.
Regenerates credential summaries (or equivalent checks) to verify that no root keys remain active.
Produces a concise summary for each account describing the initial key state, changes made (disabled/deleted), any remaining disabled keys with justification, and confirmation that no active root keys are left.

Ensure root activity is logged and monitored according to requirements

Configure logging, detection, and alerting to match the previously defined requirements. This phase:

Confirms that root-related management events are being captured to durable logging destinations with appropriate retention in each account.
Identifies and closes any logging gaps, such as missing regions or services, so root actions across all relevant contexts are recorded.
Configures log-based detections or equivalent mechanisms to identify key root events (for example, root console sign-ins or API calls using root credentials).
Connects these detections to alerting constructs so that defined events generate timely notifications to the appropriate recipients.
Tunes detection rules to reflect defined severity levels, differentiating critical from informational events where required.
Performs basic checks to ensure that each detection rule is valid, correctly targeted to the intended log or metric sources, and enabled.
Records a configuration summary for each account describing how root activity is logged, which detection rules exist, and what notification paths are in place.

Validation

Confirm root user has no active access keys

Verify that programmatic root access has been effectively removed. This phase:

Obtains a current credential summary (or equivalent listing) for the root user in every in-scope account.
Confirms that no root access keys are in an enabled state.
Checks any intentionally retained root keys to ensure they remain disabled and align with the documented exception list.
Flags any unexpected findings, such as newly created or re-enabled root keys, for urgent remediation.
Produces a validation record for each account summarizing the final state of root access keys and confirming the elimination of active programmatic root access.

Validate logging and monitoring of root user activity

Ensure that root actions are captured and alerted on according to the agreed requirements. This phase:

Retrieves the defined monitoring and alerting requirements as a reference baseline.
Reviews logging configurations in each account to confirm that root-related management events are captured from all required regions and services.
Inspects root-specific detections (such as filters for root console logins or root API calls) to verify they are present, enabled, and pointed at the correct sources.
Reviews alerting configurations to ensure notifications are delivered to the intended targets with the correct severity.
Where safe and appropriate, triggers or simulates a benign root event in a controlled environment to confirm that it is logged and, if configured, generates an alert; documents test outcomes.
Records any gaps in logging, detection, or alerting, along with proposed remediation steps.
Produces a final validation summary indicating, for each account, whether root activity is logged and monitored in line with requirements and highlighting any remaining issues that need follow-up.