AI-POWERED AWS COST INTELLIGENCE

Find what AWS is
silently charging you

CloudReview scans your AWS account across 21 services, identifies waste with AI precision, and tells you exactly what to fix — in under 60 seconds. No agents. No broad permissions.

START FREE SCAN → SEE HOW IT WORKS
Read-only IAM role
No agents to install
Scan completes in ~60s
Logged in CloudTrail
cloudreview — scan complete — account 123456789012 — us-east-1
$ cloudreview scan --account 123456789012 --region us-east-1
Assumed role CloudReviewReadOnly (external-id: cr-a7f3c91d)
Scanned 21 services across 2 regions in 58s
AI analysis complete (Claude Haiku + Sonnet) — 26 findings
SERVICE          FINDING                                 SAVING/MO
CRITICAL · EC2 · i-0abc123def456 — stopped 47d, 3×EBS still accruing
$340/mo
HIGH    · RDS · prod-replica — 2.1% avg CPU, zero connections in 30d
$218/mo
HIGH    · EBS · vol-09f8a7b3c2 — 420 GB unattached, 12 days
$50/mo
MEDIUM  · S3 · data-lake-prod — 847 incomplete multipart uploads
$34/mo
MEDIUM  · ElastiCache · redis-cache-01 — 0 connections, 18 days idle
$82/mo
26 findings · 22 AI-enriched · scan: 58s · cost: $0.13 $2,847/mo identified
21
AWS SERVICES SCANNED
~60s
AVERAGE SCAN TIME
$2,400
AVG SAVINGS / FIRST SCAN
0
WRITE PERMISSIONS NEEDED
// HOW IT WORKS

From zero to savings
in three steps

No installation. No agent deployment. No long-term credentials. Just a read-only IAM role deployed in 60 seconds.

01 / CONNECT

One-click IAM role

Click a pre-filled CloudFormation link. A read-only IAM role deploys in your AWS account in about 60 seconds. No credentials leave your account — CloudReview assumes the role on each scan.

⏱ ~60 seconds
02 / SCAN

21 services analysed

CloudReview calls AWS read-only APIs across EC2, EBS, RDS, S3, Lambda, ElastiCache, and 15 more. Each finding is enriched by Claude AI with a plain-English explanation and fix instructions.

⏱ ~60 seconds
03 / FIX

Fix with one click

Many findings are auto-fixable. CloudReview shows you a dry-run preview — the exact AWS API calls it will make — before executing. Rollback instructions included for every automated fix.

⏱ minutes per fix
// 21 SERVICES COVERED

Every major source of AWS waste

Built from real AWS cost audits. Each service has multiple detection rules targeting waste patterns that AWS doesn't surface in Cost Explorer.

EC2
Stopped instances, oversized, old generation
AUTO-FIX
EBS
Unattached volumes, gp2→gp3 upgrade
AUTO-FIX
Snapshots
Orphaned, duplicate, over-retained
AUTO-FIX
S3
Incomplete multipart, missing lifecycle
AUTO-FIX
RDS
Idle instances, oversized, idle replicas
AUTO-FIX
ElastiCache
Idle clusters, oversized nodes
AUTO-FIX
Lambda
Unused functions, over-provisioned memory
AUTO-FIX
SQS
Empty queues, DLQ accumulation
AUTO-FIX
CloudWatch
Redundant dashboards, old log groups
AUTO-FIX
NAT Gateway
Idle gateways, cross-AZ traffic
Elastic IPs
Unattached addresses
AUTO-FIX
DynamoDB
Provisioned vs on-demand mismatch
OpenSearch
Undersized storage, idle domains
Redshift
Paused clusters, storage waste
Kinesis
Over-provisioned shards
AUTO-FIX
CloudFront
Unused distributions
DocumentDB
Idle clusters, instance sizing
Data Transfer
Cross-AZ, internet egress anomalies
Savings Plans
Coverage gaps, purchase recommendations
Anomaly Detection
Unexpected spend spikes, AI investigation
// WHAT IT FINDS

Real findings. Real numbers.

Not vague recommendations. Specific resources, specific costs, specific fix instructions.

● CRITICAL · EC2
Stopped instance with 3 attached EBS volumes
i-0a1b2c3d4e — stopped 47 days ago. Three EBS volumes totalling 860 GB continue to accrue charges at full rate while the instance is unused.
MONTHLY SAVING
$340/mo
● HIGH · RDS
Read replica with 2.1% average CPU utilisation
prod-db-replica-2 has received zero connections in 30 days and maintains 2.1% average CPU. Running a db.r5.xlarge at $0.48/hr for no measurable benefit.
MONTHLY SAVING
$218/mo
● HIGH · EBS
420 GB volume unattached for 12 days
vol-09f8a7b3c2 was detached from a terminated instance and never cleaned up. General Purpose SSD (gp2) charges continue at $0.10/GB-month.
MONTHLY SAVING
$50/mo
● MEDIUM · Lambda
14 functions with zero invocations in 90 days
Leftover from a migration project. Combined storage, provisioned concurrency, and CloudWatch log retention add up to a quietly growing cost with no business value.
MONTHLY SAVING
$28/mo
● MEDIUM · Savings Plans
Compute coverage at 31% — 69% on-demand
Your workload is stable enough for a Compute Savings Plan. Purchasing a 1-year no-upfront plan at current run rate would reduce EC2 costs by approximately 26%.
MONTHLY SAVING
$480/mo
● MEDIUM · S3
847 incomplete multipart uploads accumulating
data-lake-prod has no lifecycle rule for incomplete multipart uploads. 847 incomplete uploads totalling 340 GB are billed at standard S3 rates indefinitely.
MONTHLY SAVING
$34/mo
// SECURITY MODEL

Read-only by design.
Not by policy.

Security-conscious teams should scrutinise any tool that touches AWS. Here's exactly what CloudReview can and cannot do.

ReadOnlyAccess + Cost APIs only

The IAM role uses AWS managed ReadOnlyAccess plus Cost Explorer and CloudWatch metrics. No iam:*, no ec2:Modify*, no write actions of any kind.

Cross-account assume-role with ExternalId

CloudReview assumes your role using a unique ExternalId per organisation — preventing confused deputy attacks where a third party tricks CloudReview into accessing your account.

No stored credentials

STS temporary credentials are used per scan and never persisted. Your long-term IAM keys never leave your account.

Every call in your CloudTrail

Because CloudReview uses assume-role, every API call appears in your CloudTrail logs attributed to the CloudReview role. Full audit trail, your account.

IAM ROLE TRUST POLICY (deployed in your account)
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::CLOUDREVIEW:root"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "cr-a7f3c91d..."
      }
    }
  }]
}

// Permissions policy: ReadOnlyAccess (AWS managed)
// + ce:Get* (Cost Explorer)
// + cloudwatch:GetMetricData
// No write permissions of any kind.
// PRICING

Pay for value found,
not seats or usage

Fixed monthly fee. Unlimited value. Cancel anytime.

Starter
For solo engineers and small teams exploring cloud cost.
$60/mo
  • 10 scans per month
  • 1 AWS accounts
  • 21 service collectors
  • AI plain-English explanations
  • Manual fix guidance
  • Email support
GET STARTED FREE →
MOST POPULAR
Growth
For growing engineering teams managing multiple accounts.
$120/mo
  • 50 scans per month
  • upto 3 AWS accounts
  • Everything in Starter
  • Automated one-click fixes
  • Scheduled scans
  • Executive PDF reports
  • Team member access
  • Slack notifications
START FREE SCAN →
Pro
For FinOps teams and companies with significant AWS spend.
Custom Pricing
  • Unlimited scans
  • Unlimited AWS accounts
  • Everything in Growth
  • Batch automated fixing
  • Multi-account org scanning
  • Custom detection rules
  • API access
  • Priority support + SLA
GET STARTED →
All plans include a free first scan. No credit card required to start.
// FREQUENTLY ASKED

Questions engineers ask

What permissions does CloudReview need?
AWS managed ReadOnlyAccess policy plus Cost Explorer read APIs (ce:Get*) and CloudWatch metrics (cloudwatch:GetMetricData). No write, modify, delete, or IAM management permissions of any kind. The full policy is open-source and visible before you deploy.
Is my AWS data stored on CloudReview's servers?
Scan results (resource IDs, cost estimates, findings) are stored per organisation in CloudReview's database to power the dashboard and history. Resource contents — your S3 objects, EC2 user data, RDS data — are never accessed or stored. We only read AWS metadata and metrics.
How is this different from AWS Cost Explorer?
Cost Explorer shows you historical spend aggregated by service. CloudReview identifies the specific resources driving that spend and tells you exactly what to do. Where Cost Explorer says "EC2 costs increased 23%", CloudReview says "these 4 stopped instances are costing you $680/month — here's how to fix them in 5 minutes."
What happens to my data if I cancel?
Your data is retained for 30 days after cancellation so you can export it, then permanently deleted. You can also request immediate deletion at any time. The IAM role in your AWS account is not automatically removed — you delete it yourself via CloudFormation when you're ready.
Does CloudReview work with AWS Organizations?
Yes. The Pro plan supports multi-account org scanning. You deploy the IAM role to each member account (or use an org-wide StackSet), and CloudReview aggregates findings across all accounts into a single consolidated view with org-level reporting.
How accurate are the savings estimates?
Estimates are calculated from actual AWS pricing APIs for your region and instance type. They're conservative — we flag resources with consistent idle signals over multiple days, not temporary dips. For anomaly detection findings, estimates are ranges based on historical spend patterns.
Can CloudReview break anything in my account?
No. Scans are read-only by design — the IAM role has no write permissions. Automated fixes require explicit confirmation through the dashboard, show a dry-run preview of every API call before execution, and include a rollback plan. You are always in control of what changes are made.
FREE FIRST SCAN · NO CREDIT CARD

Your AWS bill is higher
than it needs to be

Connect your account in 60 seconds. Most customers find their first savings before the coffee is done.

START FREE SCAN → TALK TO US