Overview
Clean up AWS WAF Classic Web ACLs so that only the ACLs you actually need remain, and any unused or redundant ones are safely removed. The plan helps you:
- Inventory all in-scope WAF Classic Web ACLs and their resource associations.
- Decide which Web ACLs are required and which can be removed.
- Identify unused, redundant, or misassociated Web ACLs.
- Disassociate and delete Web ACLs that are no longer needed.
- Validate that required resources remain protected and that unused Web ACLs have been removed.
This approach reduces configuration sprawl, clarifies which ACLs protect which resources, and ensures you don’t accidentally leave critical endpoints without WAF protection.
Execution Details
Assessment
Inventory WAF Classic Web ACLs and associations
First, all relevant WAF Classic Web ACLs are discovered and documented across the in-scope WAF scopes and Regions (for example, global/CloudFront and any Regional endpoints). The plan:
- Defines which scopes and Regions are included.
- Lists all WAF Classic Web ACLs in those scopes/Regions.
- Records for each Web ACL its ID, name/description, scope, Region, metric or logging identifiers, and any helpful tags (such as environment or owner).
- Captures all current resource associations (such as CloudFront distributions or Application Load Balancers), including the specific resource identifiers.
- Summarizes how many resources (zero, one, or many) are associated with each Web ACL.
- Stores this full inventory in a structured format (such as a table or JSON) for later steps.
User: Identify required Web ACLs and intended targets
Next, you are guided through deciding which Web ACLs you truly need and which can be removed. The plan:
- Presents you with the full inventory of Web ACLs, including metadata and current associations.
- For each Web ACL, asks you to indicate whether it is required (retain) or is a candidate for removal, independent of its current usage.
- For Web ACLs you mark as required, prompts you to define which resources they are intended to protect, even if they are not yet associated.
- For Web ACLs you mark as removable, confirms there is no future planned use or dependency.
- Captures any notes about consolidation (for example, multiple resources planned to share a single Web ACL).
- Produces and stores:
  - A list of required Web ACLs with their intended target resources.
  - A list of Web ACLs marked as removable.
Identify unused or redundant WAF Classic Web ACLs
Using the inventory and your decisions, the plan identifies what can be cleaned up. It:
- Flags Web ACLs that currently have no associated resources.
- Applies your “retain/remove” decisions to classify:
  - Unused Web ACLs: no associations and marked removable.
  - Misassociated Web ACLs: marked removable but still associated with one or more resources.
  - Orphan-intended Web ACLs: marked required but with no associations and no defined targets (flagged for follow-up, not deletion).
- Produces a candidate list of unused or redundant Web ACLs that should be disassociated and deleted, keeping their IDs, names, scopes, Regions, tags, and current associations.
- Stores this candidate list for the configuration phase.
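The classification above, as an added example that is not part of the plan: it applies the three classes to an inventory plus the retain/remove decisions. The inventory and decision shapes are constructed assumptions; in practice the inventory is built from the `waf` (global) and `waf-regional` APIs, and Web ACLs with no recorded decision default to "retain" so nothing is deleted without an explicit choice.

```python
# Added example (not part of the plan): classify WAF Classic Web ACLs from an
# inventory plus the retain/remove decisions. The record shape is a constructed
# assumption; in practice it is built from the waf (global) and waf-regional APIs.
from typing import Dict, List

# Constructed sample inventory: one record per Web ACL, with its associations.
INVENTORY: List[Dict] = [
    {"id": "acl-global-1", "name": "prod-cf", "scope": "CLOUDFRONT", "region": "global",
     "associations": ["arn:aws:cloudfront::111122223333:distribution/EXAMPLE1"]},
    {"id": "acl-reg-1", "name": "legacy-alb", "scope": "REGIONAL", "region": "us-east-1",
     "associations": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/legacy/abc"]},
    {"id": "acl-reg-2", "name": "old-test", "scope": "REGIONAL", "region": "us-east-1",
     "associations": []},
    {"id": "acl-reg-3", "name": "new-api", "scope": "REGIONAL", "region": "eu-west-1",
     "associations": []},
]

# Constructed decisions: retain flag plus the resources each retained ACL should protect.
DECISIONS: Dict[str, Dict] = {
    "acl-global-1": {"retain": True, "targets": ["arn:aws:cloudfront::111122223333:distribution/EXAMPLE1"]},
    "acl-reg-1": {"retain": False, "targets": []},   # removable but still attached
    "acl-reg-2": {"retain": False, "targets": []},   # removable and unattached
    "acl-reg-3": {"retain": True, "targets": []},    # required, but nothing attached or planned
}


def classify_web_acls(inventory: List[Dict], decisions: Dict[str, Dict]) -> Dict[str, List[Dict]]:
    """Apply the plan's three classes; keep the full record so IDs, scope and
    Region travel with each candidate into the configuration phase."""
    result = {"unused": [], "misassociated": [], "orphan_intended": [], "candidates": []}
    for acl in inventory:
        # No recorded decision means keep it: deletion requires an explicit choice.
        decision = decisions.get(acl["id"], {"retain": True, "targets": []})
        attached = bool(acl["associations"])
        if not decision["retain"] and not attached:
            result["unused"].append(acl)
            result["candidates"].append(acl)
        elif not decision["retain"] and attached:
            result["misassociated"].append(acl)
            result["candidates"].append(acl)
        elif decision["retain"] and not attached and not decision["targets"]:
            result["orphan_intended"].append(acl)  # follow up with the owner, never delete
    return result
```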
Configuration
Disassociate and delete unused WAF Classic Web ACLs
The plan then performs the cleanup for Web ACLs identified as unused or redundant. It:
- Retrieves the candidate list of Web ACLs to be removed.
- Reconfirms that each candidate is still marked as removable, in case your decisions changed.
- Refreshes the list of current associations just before making changes to ensure they are up to date.
- Disassociates each candidate Web ACL from any still-associated resources, while checking that this won’t contradict your intended protection mappings (assuming any necessary re-association to other Web ACLs has been or will be handled separately).
- Verifies that each candidate Web ACL has no remaining associations.
- Attempts to delete each disassociated, removable Web ACL in its respective scope and Region.
- Records the outcome of each deletion, including any errors and reasons for failure (such as lingering associations).
- Confirms that successfully deleted Web ACLs no longer appear in the WAF Classic configuration.
- Produces a summary of all Web ACLs that were successfully disassociated and deleted, and lists any that could not be removed along with the required follow-up actions.
Validation
Validate Web ACL associations for required resources
After cleanup, the plan verifies that resources you identified as requiring protection are still appropriately covered. It:
- Retrieves the current list of WAF Classic Web ACLs and their associations in all relevant scopes and Regions.
- Uses your mapping of required Web ACLs to intended resources to check that those resources are still protected by some Web ACL (not necessarily enforcing a specific ACL unless you requested it).
- Confirms, where you specified a particular Web ACL for a resource, whether the current association matches your intent.
- Identifies resources you flagged as requiring protection that now have no WAF association.
- Identifies resources still associated with Web ACLs you marked as removable, indicating incomplete cleanup.
- Documents any mismatches between intended and actual associations and suggests remediation steps (for example, re-associating to the correct Web ACL).
- Produces a validation summary showing, for each required Web ACL and protected resource, whether the current state matches your expectations.
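The validation checks above, as an added example that is not part of the plan: given the post-cleanup associations re-read from the service, the intended protection mapping and the set of Web ACLs marked removable, it returns the three mismatch classes the plan documents. The state and mapping values are constructed assumptions.

```python
# Added example (not part of the plan): validate post-cleanup state against the
# intended protection mapping. CURRENT (Web ACL id -> attached resource ARNs) is
# a constructed assumption; in practice it is re-read from the waf / waf-regional
# APIs after the cleanup, never reused from the pre-cleanup inventory.
from typing import Dict, List, Optional, Set

# Constructed post-cleanup state: the legacy ALB was moved to acl-reg-4, one
# CloudFront distribution lost its ACL, and a removable ACL still has a resource.
CURRENT: Dict[str, List[str]] = {
    "acl-global-1": [],
    "acl-reg-4": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/legacy/abc"],
    "acl-reg-5": ["arn:aws:apigateway:us-east-1::/restapis/abc123/stages/prod"],
}

# Constructed intent: resource -> required Web ACL id, or None for "any Web ACL is fine".
REQUIRED: Dict[str, Optional[str]] = {
    "arn:aws:cloudfront::111122223333:distribution/EXAMPLE1": "acl-global-1",
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/legacy/abc": "acl-reg-4",
    "arn:aws:apigateway:us-east-1::/restapis/abc123/stages/prod": None,
}
REMOVABLE: Set[str] = {"acl-reg-5"}   # marked removable, so anything attached is incomplete cleanup


def validate_protection(current: Dict[str, List[str]], required: Dict[str, Optional[str]],
                        removable: Set[str]) -> Dict[str, List]:
    """Return unprotected required resources, intent mismatches, and resources
    still attached to removable Web ACLs."""
    # Invert to resource -> ACL ids. WAF Classic allows one ACL per resource, but a
    # set tolerates stale or duplicated records without hiding them.
    protected_by: Dict[str, Set[str]] = {}
    for acl_id, resources in current.items():
        for arn in resources:
            protected_by.setdefault(arn, set()).add(acl_id)
    findings = {"unprotected": [], "mismatched": [], "on_removable": []}
    for arn, wanted in required.items():
        actual = protected_by.get(arn, set())
        if not actual:
            findings["unprotected"].append(arn)
        elif wanted is not None and wanted not in actual:
            findings["mismatched"].append((arn, wanted, sorted(actual)))
    for acl_id in sorted(removable):
        for arn in current.get(acl_id, []):
            findings["on_removable"].append((acl_id, arn))
    return findings
```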
Confirm unused WAF Classic Web ACLs have been removed
Finally, the plan confirms that the cleanup of unused or redundant Web ACLs is complete. It:
- Retrieves the current list of WAF Classic Web ACLs for all scopes and Regions covered by the cleanup.
- For each Web ACL that was classified as unused or redundant and targeted for deletion, checks that it no longer exists.
- For any Web ACL that remains, determines whether it was intentionally exempted or whether a deletion error occurred.
- Cross-references the recorded outcomes from the configuration phase with the current state to clarify exactly what happened.
- Documents any Web ACLs that were intended to be removed but are still present, including reasons (such as remaining associations or service issues) and next steps.
- Produces a final report summarizing which unused Web ACLs were successfully removed and which require additional remediation.