Cloud Operations
Cloud Operations is Calabi's unified layer for cloud visibility, compliance, cost management, and security posture. It is cloud-agnostic by design: the same query engine, compliance benchmarks, and cost analytics are built to work across AWS, Azure, and Google Cloud. Examples in this documentation use AWS (the currently supported provider); Azure and GCP support is on the roadmap.
From a single module you can query live cloud resource inventory with SQL, run CIS and NIST benchmark checks, analyse month-over-month spend, and monitor every Calabi service in real time — all without leaving the platform.
Currently supported: AWS (full coverage across 15+ services). Coming soon: Azure and Google Cloud. The architecture is provider-agnostic — adding a new cloud provider requires only a new connector configuration, not a change to any queries, benchmarks, or dashboards.
Architecture
Module Summary
| Module | What it does | Key use case |
|---|---|---|
| Query Resources | Run SQL against live AWS resource inventory | Find all unencrypted S3 buckets in us-east-1 |
| Age Reports | Surface stale snapshots, objects, and volumes | Identify EC2 snapshots older than 90 days |
| Compliance | CIS, NIST, and AWS security benchmark dashboards | Prove CIS Level 2 compliance to auditors |
| Cost Analytics | Spend breakdowns, rightsizing, and anomaly detection | Reduce monthly EC2 spend by 30% |
| Security Posture | IAM, S3, encryption, and network exposure checks | Find open security groups and overly permissive IAM policies |
| Monitoring | Real-time metrics, logs, and alerts for Calabi services | Alert on-call when error rate exceeds 5% |
| Configure | Connect cloud accounts and manage notification channels | Onboard a Cloud Organization with a single IAM role |
Sub-Module Descriptions
Query Resources
Query Resources gives you a SQL editor backed by a live inventory of your cloud resources. Every table reflects the real-time state of your account — no ETL, no stale cache. Use it to explore EC2 instances, S3 bucket policies, IAM users, Lambda functions, and dozens of other resource types using familiar SQL. Results can be exported to CSV or scheduled as recurring reports.
Age Reports
Age Reports surfaces resources that are past their useful life: EBS snapshots that were never cleaned up, S3 objects that have aged beyond your retention policy, or RDS automated backups accumulating silently. Pre-built report types cover the most common aging categories, and configurable thresholds (30 / 60 / 90 / 180 days) let you tune the sensitivity to match your organization's data lifecycle policy.
Compliance
The Compliance module runs your cloud account against three industry-standard benchmarks: the CIS AWS Foundations Benchmark, NIST 800-53, and Cloud Foundational Security Best Practices. Each benchmark is broken into individual controls with a clear pass or fail status, a severity rating, and remediation guidance linked directly to AWS documentation. Results can be scheduled and exported as PDF or CSV for auditors.
Cost Analytics
Cost Analytics connects to Cloud Cost Explorer to give you a multi-dimensional breakdown of your cloud spend: by service, region, account, resource tag, and time period. Rightsizing recommendations flag underutilised EC2 instances, idle RDS clusters, and oversized EBS volumes. Anomaly detection highlights unexpected spend spikes within hours of their occurrence. Savings Plans and Reserved Instance coverage analysis helps you identify where on-demand pricing can be replaced with commitment-based discounts.
Security Posture
Security Posture runs a continuous set of checks across the highest-risk areas of your cloud environment: IAM misconfigurations (root account MFA, unused credentials, overly permissive policies), publicly exposed S3 buckets, missing encryption at rest and in transit, and security groups with unrestricted inbound rules. Every finding is ranked by severity and links to a remediation playbook.
Monitoring
The Monitoring sub-module surfaces real-time metrics, logs, and alerts for all Calabi platform services via Calabi Monitoring. Platform health, per-service CPU and memory usage, HTTP error rates, pipeline failure counts, and pod restart events are all available in pre-built dashboards. Alert rules can be routed to Slack, PagerDuty, or email with configurable thresholds.
Configure
Configure is the central control panel for Cloud Operations. Here you connect cloud accounts (single-account or Cloud Organizations), supply the IAM role ARN Calabi should assume, set query timeouts and cache TTLs, and manage notification channels for alerts generated by other sub-modules.
Prerequisites
Before using any Cloud Operations feature, ensure the following are in place:
| Prerequisite | Where to set it up |
|---|---|
| At least one cloud account connected | Configure |
| Calabi Cloud Operations IAM role deployed | Configure — IAM Role |
| IAM role has the required read-only permissions | Configure — IAM Policy |
| For Monitoring: Calabi pods emitting metrics | Enabled by default on Starter and above |
If you manage multiple cloud accounts through Cloud Organizations, a single IAM role in the management account is sufficient. See Configure for the delegated-access setup.
What's Next
- Query Resources — SQL queries against live AWS inventory
- Age Reports — Identify stale snapshots, objects, and volumes
- Compliance — CIS, NIST, and AWS security benchmark dashboards
- Cost Analytics — Cloud spend breakdown and rightsizing recommendations
- Security Posture — IAM, S3, encryption, and network risk checks
- Monitoring — Real-time metrics, logs, and alerts
- Configure — Connect accounts and manage notification settings