CloudAgent gives you AI agents that manage your cloud infrastructure. They handle tasks like security compliance, cost optimization, deployments, and monitoring. You remain in control as agents show you their plans, wait for your approval, then execute. Think of it as having a cloud operations team that works 24/7 without needing to hire an army of cloud experts.

How can AI agents be trusted with production cloud infrastructure?

You stay in control through approval workflows where every infrastructure change can require human approval before execution, custom security controls with granular access rules, complete audit trails of every action, self-hosted deployment options, and progressive trust models starting with read-only access.

How does it actually reduce costs?

CloudAgent agents delete unused resources, schedule non-production shutdowns, right-size infrastructure based on usage patterns, and recommend architectural optimizations. Early customers report 15-40% cost reduction within 90 days. Unlike dashboards, CloudAgent actually fixes the problems.

1. Assessment

Inventory Network Firewall rule groups and their policy/firewall references
Determine Network Firewall rule groups not referenced by any policy or firewall
User: Review unused Network Firewall rule groups and confirm deletions

2. Configuration

Delete user-approved unused Network Firewall rule groups

3. Validation

Validate only approved unused Network Firewall rule groups were removed

1 Credits

Identify and Delete Unused AWS Network Firewall Rule Groups

Overview

Delete unused AWS Network Firewall rule groups across your accounts while keeping full control and auditability. The plan first inventories all rule groups and how they are used, then identifies which are unused, guides you through review and deletion decisions, performs the deletions you approve, and finally validates that only the intended rule groups were removed and that no firewalls or policies are impacted.

Execution Details

Assessment Phase

Inventory Network Firewall rule groups and their references

Build a complete, structured inventory of Network Firewall rule groups and how they are connected across your environment. This phase:

Clarifies which AWS accounts and regions are in scope for cleanup.
Enumerates all Network Firewall rule groups per in-scope account and region.
Captures key attributes for each rule group, such as:
- Name, ARN, ID (if available)
- Type (stateless or stateful), capacity, description, region
- Current lifecycle state (for example, ACTIVE, DELETING)
Enumerates all firewall policies and records which stateless and stateful rule groups they reference.
Enumerates all firewalls and links each firewall to its policy and, indirectly, to the rule groups it depends on.
Compiles, for each rule group, a summary of:
- How many firewall policies reference it
- Which policies and firewalls depend on it
Records any available tags (for example, Environment, Application, Owner, CostCenter) to support later review and prioritization.
Stores the full inventory in a structured format for subsequent analysis.

Determine Network Firewall rule groups not referenced by any policy or firewall

Analyze the inventory to isolate rule groups that appear unused. This phase:

Retrieves the structured inventory of rule groups and their reference information.
Evaluates reference counts from firewall policies (and thus indirectly from firewalls).
Classifies rule groups with zero policy references as unused candidates.
Classifies rule groups with any references as in-use and excludes them from the unused list.
Compiles key metadata for each unused candidate to support review, including:
- Name, ARN, type, capacity, description, region, current state, and tags.
Highlights any rule groups in non-active or transient states (for example, CREATING, DELETING) for extra caution.
Produces a consolidated, structured list of unused rule groups ready to present for deletion decisions.

User: Review unused Network Firewall rule groups and confirm deletions

Guide you through reviewing the unused candidates and deciding what should actually be deleted. This phase:

Presents the consolidated list of unused rule groups with rich context:
- Name, ARN, account, region, type, capacity, state, description, reference counts, and tags.
Helps you examine each rule group’s apparent purpose (for example, by naming, tags, or documentation) to determine whether it is truly unused or intentionally kept (for example, templates or future use).
Enables you to assign a decision for each rule group:
- “Approved for deletion”
- “Retain”
- “Needs further investigation”
Encourages documenting reasons for retention or investigation (for example, reserved for upcoming projects or awaiting confirmation from security owners).
Prompts you to consider any external configuration sources (for example, infrastructure-as-code, configuration repositories, or runbooks) that might still depend on these rule groups.
Produces a structured, user-approved decision record, capturing:
- Account, region, name, ARN, decision (delete, retain, investigate), and any notes.
Stores this decision record for use in the configuration and validation phases.

Configuration Phase

Delete user-approved unused Network Firewall rule groups

Carry out deletion of only those rule groups you explicitly approved, with safeguards against changes that occurred after review. This phase:

Retrieves the user-approved decision record and filters for rule groups marked for deletion.
Immediately revalidates each rule group before deletion to ensure:
- It still exists.
- It is in a deletable state (for example, not already deleting or deleted).
- It remains unreferenced by any firewall policy or firewall.
Removes from the deletion set any rule groups that have acquired new references or entered non-deletable states, and documents these updated conditions for follow-up.
Executes delete operations for each remaining rule group in the deletion set, per account and region.
Logs any deletion failures, including identifiers and detailed error information, to support troubleshooting.
Re-enumerates Network Firewall rule groups in affected accounts and regions to verify that successfully deleted rule groups no longer appear.
Produces a configuration summary listing:
- Rule groups successfully deleted.
- Rule groups that could not be deleted, with reasons.
- Rule groups skipped due to changed references or states.
Confirms that only user-approved, unused rule groups were targeted.

Validation Phase

Validate only approved unused Network Firewall rule groups were removed

Confirm that deletions match your decisions and that your firewall posture remains consistent. This phase:

Retrieves both the final decision record (delete/retain/investigate) and the configuration summary from the deletion phase.
Re-enumerates the current set of Network Firewall rule groups across all in-scope accounts and regions.
Verifies, for each rule group approved for deletion, that it no longer appears in the inventory.
Confirms, for each rule group marked “retain” or “investigate,” that it still exists with expected attributes.
Re-enumerates firewall policies and firewalls and checks their rule group references to ensure:
- No policy or firewall references a rule group that was deleted.
Documents any discrepancies, such as:
- Rule groups approved for deletion that still exist.
- Rule groups deleted despite a “retain” decision.
- Policies or firewalls referencing non-existent rule groups.
Produces a structured validation report summarizing, per account and region:
- How many rule groups were deleted as intended.
- How many were retained as planned.
- Any issues requiring remediation or further investigation.
Provides an auditable record of the cleanup and its outcome.