AWS Cloud Health Check

Find out what's actually wrong with your AWS environment.

SCAI's free Cloud Health Check reads your AWS account configuration — not your data — and produces a report showing security gaps, reliability risks, and where your cloud spend is leaking. Takes under 60 minutes. Nothing is changed. You stay in control.

Prefer a guided setup? Book a 20-minute walkthrough →

Former Amazon Principal Architect · 8 years · 56 countries. No sales pitch — just a straight read on your AWS setup.

What You Get

Three domains. One report. Plain English findings.

Security and Access Posture

We check whether your root account is protected, who has what access, whether threat detection is running, and whether your data is encrypted at rest.

Cloud Spend Analysis

We identify idle resources, right-sizing opportunities, pricing commitment gaps, and whether your tagging is good enough to allocate costs accurately.

Reliability and Backup

We check whether your databases have backups, whether your infrastructure has single points of failure, and whether you have monitoring in place before your customers know something's wrong.

How It Works

Three steps. Under 60 minutes.

01. Deploy a read-only role

We give you a CloudFormation template. One click in your AWS console creates a read-only IAM role. The template is public — review every line before deploying.

02. We run the audit

Our engine checks ~30 configuration signals across 8 domains. No data leaves your account — only configuration state is read. Typically completes in 30–60 minutes.

03. Read your report

You receive an interactive web report and a PDF by email. Findings are grouped by severity and domain, with plain English explanations of what each issue means for your business.


Alternative Paths

Not ready to deploy a role yet? No problem.

The self-serve path works for most teams. If your environment or security policy requires a different approach, two alternatives are available.

1. Guided Setup Call (Free · 20 minutes)

“Our security team requires approval before creating IAM roles.”

That's a reasonable policy and a common one. Book a 20-minute call and we'll walk through the CloudFormation template line by line together — every permission explained before anything is deployed.

  • You review the template with us before deploying anything
  • You deploy the role yourself — we never touch your console
  • Audit runs immediately after you confirm the role is live
  • Not billable — this is a setup walkthrough, not a paid session

2. Run It Locally (Open source · No cross-account access)

“I can't give cross-account access to an external party.”

Run our open-source CLI tool in your own environment using your own AWS credentials. No external role assumption required — the tool never leaves your machine.

  • Runs locally with your own IAM credentials — no cross-account role needed
  • Checks 7 domains: IAM, networking, compute, storage, security, cost, monitoring
  • Outputs a self-contained HTML report you can open in any browser
  • Python + boto3 — inspect every line of source before running

# Install and run
pip install boto3
python aws_analyzer.py --profile <your-profile>

Upload your CLI output

Security and Data Handling

Your data stays where it is.

The audit role reads AWS configuration metadata — not your files, not your databases, not your application data. It cannot create, modify, or delete anything. Review the full template before deploying. Delete the role as soon as your report is ready.

What the audit role can see

Configuration checks only

  • Whether your S3 buckets are publicly accessible — not the contents of your S3 buckets
  • Whether your IAM users have MFA enabled — not your IAM users' passwords or credentials
  • Whether your RDS instances have encryption enabled — not the data inside your databases
  • Your AWS cost and usage totals from Cost Explorer — not itemized transaction data or business records
  • Whether GuardDuty, CloudTrail, and Config are enabled — not the contents of your log files
  • EC2 instance types, sizes, and states — not what your applications are doing or what data they process

What it cannot do

  • Create, modify, or delete any resource
  • Access the contents of any S3 object
  • Read any database, application data, or secrets
  • Make API calls that change your configuration
  • Assume any other role in your account

The CloudFormation template is publicly accessible — every permission is listed there. If a permission is not in the template, the role does not have it.

How the audit role works

When you deploy the CloudFormation template, it creates a read-only IAM role in your AWS account. That role includes a trust condition: it can only be assumed by SCAI's audit system, and only when the system presents a specific External ID — a unique code generated at the moment you started your audit.

Think of the External ID as a one-time combination lock. Your role says: "I will only open for SCAI's system, and only if it presents the exact code I was given." This prevents a confused deputy attack — a situation where a third party tricks a system into using your role without your knowledge. Because the code is unique to your session and never reused, no one else can present it. This is a standard AWS security pattern used by AWS partner tools and managed services worldwide.
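
The trust condition described above can be checked before the role is deployed. The following is an added example, not SCAI's template or tool code: it reviews a role trust policy of the shape the page describes and reports any statement that trusts an unexpected principal or omits the External ID. The account ID 111122223333, the External ID value and the function names are placeholders chosen for illustration.

```python
import json

# Constructed sample of the trust policy shape described above. The account ID
# and External ID are placeholders, not SCAI's real values.
SAMPLE_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}""")


def as_list(value):
    """IAM policy fields accept either a single value or a list."""
    return value if isinstance(value, list) else [value]


def review_trust_policy(policy, expected_account, expected_external_id):
    """Return the problems found in a role trust policy (empty list = OK)."""
    problems = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            problems.append(f"statement {i}: principal is not limited to AWS accounts")
            continue
        for who in as_list(principal["AWS"]):
            # A principal is either a full ARN or a bare 12-digit account ID.
            parts = who.split(":")
            account = parts[4] if len(parts) > 4 else who
            if account != expected_account:
                problems.append(f"statement {i}: unexpected principal {who}")
        # Condition key names are not case-sensitive; require an exact match.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if ext is None:
            problems.append(f"statement {i}: no sts:ExternalId condition")
        elif as_list(ext) != [expected_external_id]:
            problems.append(f"statement {i}: External ID does not match")
    return problems


if __name__ == "__main__":
    print(review_trust_policy(SAMPLE_TRUST, "111122223333", "EXAMPLE-EXTERNAL-ID"))
```

An empty result means every Allow statement names only the expected account and requires the exact External ID issued for the audit session.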

What happens to your data

During the audit

SCAI's Lambda function assumes your role, runs read-only API calls, and processes the responses in memory. Raw API responses are not stored. Only processed findings — configuration state, not data contents — are written to a private S3 bucket in Sydney (ap-southeast-2).

After the audit

  • Your findings report is stored in SCAI's private S3 bucket for 90 days, then automatically deleted.
  • Your email address and company name are stored to allow us to send your report and follow-up communications.
  • No findings data or account configuration data is shared with third parties.

Your rights under the Privacy Act 1988 (Cth): You may request deletion of your data at any time by emailing privacy@scaitechnologies.com. SCAI will confirm deletion within 30 days.

How to delete the role

We recommend deleting the role immediately after you have reviewed your report. Deleting the role does not affect your access to your report — the findings are stored on our end.

Option 1 — CloudFormation (recommended)

  1. Go to the AWS CloudFormation console in your account
  2. Find the stack named SCAI-CloudHealthCheck
  3. Select the stack and click Delete

Option 2 — IAM console: search for SCAI-CloudHealthCheck-ReadOnly and delete the role directly.

Quick reference

Common security questions answered plainly.

Can SCAI change anything in my account?

No. The role is read-only. It cannot create, modify, or delete resources.

Can SCAI see my data — databases, files, secrets?

No. The role reads configuration state, not data contents. Your application data, database contents, and S3 object contents are never accessed.

Can SCAI access my account after the audit is done?

No. The External ID is unique to your session and single-use. Once the audit completes, the code is no longer valid. Delete the role and the access is fully revoked.

Where is my data stored?

Sydney (ap-southeast-2), private S3, encrypted at rest. 90-day retention, then automatically deleted.

Who can see my findings?

Only SCAI's authorised staff and the automated audit system. Findings are not shared with any third party.

What if I don't want to give cross-account access?

Run our open-source CLI tool locally in your environment using your own credentials. No cross-account access is required. Upload the output on this page and we'll generate the same report.

Is this Privacy Act compliant?

Yes. Data is stored in Australia, retained for 90 days, and deletable on request under the Privacy Act 1988 (Cth). Email privacy@scaitechnologies.com to request deletion.

Common Questions

Questions?

Can you change anything in my AWS account?

No. The IAM role is strictly read-only. It cannot create, modify, or delete any resource. You can verify this in the CloudFormation template before you deploy anything.

What if I have a multi-account AWS Organization?

The self-serve tool currently supports single-account audits. For Organizations, we offer a guided setup — book a 30-minute call and we'll walk through the process together.

Do I have to pay anything?

The health check report is free. We offer paid follow-up services — a Cloud Clarity Deep Dive, a Remediation Sprint, and a Managed Optimization Retainer — but only if you want them.

How is this different from AWS Trusted Advisor?

Trusted Advisor covers some of the same ground but focuses on a narrower set of checks and doesn't combine security posture with cost analysis in a single readable report. We also give you business-impact context for each finding, not just a technical flag.

I don't want to give an external party IAM access.

That's a fair position. Run our open-source CLI tool locally in your environment using your own credentials. No cross-account access is required. Upload the output here and we'll generate the same report.