AWS - CloudThinker

Connect your AWS accounts to enable CloudThinker agents to analyze costs, optimize resources, audit security, and manage infrastructure.

Setup Methods

CloudThinker supports two authentication methods. Role-Based authentication is strongly recommended.

Role-Based (Recommended)
Access Keys (Alternative)

IAM Role with AssumeRole

This method creates an IAM role that CloudThinker assumes to access your resources. Benefits:

No long-term credentials shared or stored
Uses AWS STS for temporary, auto-rotated credentials
External ID protects against confused deputy attacks
Easy to audit and revoke access

Quick Setup via CloudShell

Open AWS CloudShell

Run Setup Script

In CloudThinker’s connection dialog, click Copy Script and paste into CloudShell. The script will:

Validate CloudThinkerAccessRole doesn’t exist
Create the IAM role with read-only permissions
Attach trust policy with your External ID

Copy Role ARN

Copy the Role ARN from output:

arn:aws:iam::123456789012:role/CloudThinkerAccessRole

Complete Connection

Paste Role ARN into CloudThinker and select your region

Expected Output

Starting CloudThinker IAM Role setup...
✅ Role does not exist, proceeding...
✅ Role created successfully
✅ Policy attached successfully
==========================================
✅ Setup Complete!
==========================================
Copy this Role ARN:
arn:aws:iam::123456789012:role/CloudThinkerAccessRole

Manual Role Creation

If you prefer manual setup:Trust Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::CLOUDTHINKER_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}

Permission Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "s3:GetBucket*",
        "s3:List*",
        "cloudwatch:GetMetric*",
        "cloudwatch:List*",
        "ce:GetCost*",
        "ce:GetReservation*",
        "iam:GetRole",
        "iam:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}

IAM User with Access Keys

Use this only when AssumeRole is not feasible.

AWS recommends IAM roles over long-term access keys. Rotate keys regularly if using this method.

Create IAM User

Go to IAM Console → Users → Create userName: cloudthinker-readonly

Attach Policies

Choose Attach policies directly and add:

ReadOnlyAccess (comprehensive), or
Specific policies like AmazonEC2ReadOnlyAccess, AmazonS3ReadOnlyAccess

Create Access Key

Select user → Security credentials → Create access keyChoose Third-party service as use case

Save Credentials

Copy and securely store:

Access Key ID
Secret Access Key

Required Permissions

Minimum (Read-Only Analysis)

ec2:Describe*
rds:Describe*
s3:GetBucket*, s3:List*
cloudwatch:GetMetric*, cloudwatch:List*
ce:GetCost*, ce:GetReservation*
iam:GetRole, iam:ListRoles

Recommended (Full Analysis)

# All minimum permissions, plus:
elasticloadbalancing:Describe*
autoscaling:Describe*
lambda:List*, lambda:GetFunction*
ecs:Describe*, ecs:List*
eks:Describe*, eks:List*
securityhub:Get*, securityhub:List*
guardduty:Get*, guardduty:List*
config:Describe*, config:Get*
cloudtrail:Describe*, cloudtrail:Get*

Agent Capabilities

Once connected, agents can:

Agent	AWS Capabilities
Alex	Cost analysis, EC2 right-sizing, Reserved Instance recommendations, resource optimization
Oliver	Security Hub findings, IAM audits, compliance checks, vulnerability assessment
Tony	RDS performance analysis, Aurora optimization, DynamoDB tuning
Kai	EKS cluster management, Fargate optimization, container analysis

Multi-Account Setup

For organizations with multiple AWS accounts:

Create Role in Each Account

Deploy the IAM role using CloudFormation StackSets

Use AWS Organizations

Connect management account for organization-wide visibility

Add Each Account

Add account connections individually in CloudThinker

Multi-Account Guide

Detailed guide for managing multiple AWS accounts

Troubleshooting

Access Denied errors

Verify IAM role has required permissions - Check trust policy includes CloudThinker’s account - Confirm External ID matches exactly - Ensure role ARN is correct

Missing cost data

Enable Cost Explorer in AWS Console (takes 24h to activate) - Verify ce:GetCost* permissions are granted - Check billing preferences allow programmatic access

Missing metrics

Verify CloudWatch metrics are being collected - Check region selection includes all relevant regions - Confirm services are running and generating data

Connection timeout

Check network connectivity to AWS APIs - Verify no VPC endpoints blocking access - Try connecting from a different region

Security Best Practices

Use Role-Based auth - Avoid long-term access keys
Minimal permissions - Grant only what’s needed
Enable CloudTrail - Audit all API calls
Regular review - Audit permissions quarterly
External ID - Always use for cross-account roles

Alex Agent

AWS-focused cloud optimization agent

Multi-Account Setup

Managing multiple AWS accounts

Bring Your Own Key (BYOK)

Use your own AWS Bedrock credentials for unlimited LLM usage

​Setup Methods

​IAM Role with AssumeRole

​Quick Setup via CloudShell

​Expected Output

​Manual Role Creation

​IAM User with Access Keys

​Required Permissions

​Minimum (Read-Only Analysis)

​Recommended (Full Analysis)

​Agent Capabilities

​Multi-Account Setup

Multi-Account Guide

​Troubleshooting

​Security Best Practices

​Related

Alex Agent

Multi-Account Setup

Bring Your Own Key (BYOK)

Setup Methods

IAM Role with AssumeRole

Quick Setup via CloudShell

Expected Output

Manual Role Creation

IAM User with Access Keys

Required Permissions

Minimum (Read-Only Analysis)

Recommended (Full Analysis)

Agent Capabilities

Multi-Account Setup

Troubleshooting

Security Best Practices

Related