CloudAgencyOps

The operating system for cloud consultancies.

Per-client AWS cost attribution, retainer burn, white-label client reports — in one operator dashboard.

Read-only AWS access. We never store your customers' credentials.

dashboard · 3 clients

Total MTD: $15,100.00
Avg retainer used: 64%
Clients on track: 2 / 3
Last 8 weeks: avg $14.2k / wk

Acme Robotics · acct 000000001234 · $4,200.00 · +8.2% vs LM
Northwind Logistics · acct 000000005678 · $7,800.00 · +2.4% vs LM
Globex Industrial · acct 000000009012 · $3,100.00 · -12.1% vs LM

Sample data · last sync 2 min ago · Healthy

Running production at InfraForge — the founder's own AWS DevOps agency.

Read the story →

The problem

Stop spreadsheeting AWS across eight client accounts.

The first ninety minutes of every month: export Cost Explorer CSVs per client, reconcile tags that no client tagged consistently, build a per-client PDF in Google Docs, and still not know which retainer you've burned through by the 20th. Repeat at five to ten clients.

Vantage and CloudHealth monitor your own infra cost. HaloPSA and ConnectWise serve traditional MSPs. AWS Billing Transfer (GA November 2025) helps with centralized payment responsibility. CloudAgencyOps focuses on a different layer: agency-client reporting, retainer burn, and white-label operational workflows. The agency operating loop sits between these adjacent tools.

CloudAgencyOps is the productized version of the spreadsheet ritual every cloud / DevOps consultancy ends up trying to build themselves — per-client cost attribution, retainer burn, white-label client reports, access governance, runbooks, and a public changelog you can show your CFO.

Product

One operator dashboard for every client AWS account.

Dashboard figures, client names (Acme, Northwind, Globex), and account IDs shown on this page are illustrative sample data, not a real customer's data.

Cost attribution

Per-client AWS cost attribution

Cost Explorer aggregation across every linked account, attributed per client × per service. No manual CSV exports + spreadsheet reconciliation. The dashboard surfaces month-to-date spend, last-month delta, and projected end-of-month at-current-pace for each client.

Cost figures are estimates derived from AWS billing APIs and customer configuration. They may exclude or differently reflect credits, taxes, refunds, support charges, private pricing, timing adjustments, and untagged usage. Verify against AWS billing records before invoicing clients.

Cost by service · current month

  • Amazon EC2: $8,420.50
  • Amazon RDS: $3,180.00
  • Amazon S3: $1,240.75
  • Other (12 services): $2,059.75
Total: $14,901.00

Retainer tracking

Retainer burn, surfaced before you bill

Per-client retainer cap + month-to-date spend in a single bar. Amber when a client crosses 75%, destructive when the projected end-of-month exceeds the cap. Flag unbilled work before you ship the invoice.

Retainer-burn and projected end-of-month figures are informational estimates, not invoices or billing-authoritative statements. AWS invoices control; validate before billing clients.

Acme Robotics: $4,200 / $5,000
Northwind: $6,800 / $10,000
Globex: $3,100 / $7,500

White-label PDF

Monthly client reports — your brand, not ours

One click renders a PDF with your logo + your brand color in the header. Exec summary, detailed, or audit-trail templates. CloudAgencyOps chrome never appears in the artifact your client receives.

The agency's brand carries the report, because that is the point.

Cost figures in reports are operational estimates, not invoices or billing-authoritative statements. The agency reviews and approves each report before sending it; every report carries an informational-only disclaimer near the totals. AWS billing records control.

YOUR AGENCY LOGO · May 2026

Acme Robotics · May 2026 cost report

$14,901.00

EC2 $8.4k · RDS $3.2k · Other $3.3k

Your brand. Not ours.

Access governance

Who can touch which client AWS account

IAM Identity Center, IAM users, federated SSO, and assumed-role principals collapsed into one governance view across every connected client account. Recent CloudTrail activity per principal. Stale-principal heuristic flags accounts that haven't been touched in 30 days.

Recent access · last 7 days

  • role/CAO-ReadOnly · AssumeRole · 2h ago
  • user/alice@acme · ConsoleLogin · yesterday
  • role/AcmeOps · ListBuckets · 3 days ago
  • user/legacy-cron · GetObject · 31 days ago

1 stale principal > 30 days

Runbook library

The runbook that solved last quarter's incident

Markdown runbooks per client or agency-wide. Mermaid diagrams + syntax-highlighted code blocks. Version history per edit. Onboarding new engineers stops being a Notion-archaeology exercise.

# Acme Robotics · DB failover

## Symptoms

- RDS replica lag > 30s

- CloudWatch alarm: DBReplicationLag

## Resolution

1. aws rds reboot-db-instance

2. Verify lag < 1s

3. Page on-call: @alice

Mermaid + syntax highlighting · per-client or agency-wide

Founder is customer

Built to run my own agency.

CloudAgencyOps is the productized version of the operating system running inside InfraForge — a small AWS DevOps agency. It was built because the alternative was another Notion page and another tab of Cost Explorer at 11pm on the 1st of the month.

“The ritual was: open Cost Explorer, pick a client's linked account, export the CSV, reshape it in Excel, paste a screenshot into Google Docs, write a paragraph of context, send it. Eight times. Every month. It was the part of running the agency I dreaded most. Now it's one tab.”

Every feature ships here first because InfraForge needs it first. That's the strongest design partnership available at this stage — and the one we don't plan to outgrow.

How it connects

Read-only cross-account access.

CloudAgencyOps (SaaS account) → AssumeRole · 1h → Client AWS account (read-only role) → Cost Explorer · CloudTrail · Organizations

We never store your customers' AWS credentials at rest. Each sync calls sts:AssumeRole and gets short-lived (1h default) credentials scoped to a single client.

Pricing

One price. Every client.

$299

/ month

Flat per agency. Cancel anytime.

  • Unlimited clients
  • Unlimited connected AWS accounts
  • Unlimited runbooks
  • White-label PDF client reports
  • Per-client retainer burn tracking
  • Multi-account access governance
  • Slack alerts (per-client overrides)
  • Public changelog + RSS
Start your 14-day trial

No credit card required for the 14-day trial. The trial does not convert into a paid subscription unless you separately start a paid plan through Polar checkout.

Flat per agency, not per seat. We'll never charge you per client.

FAQ

The questions every cloud-agency owner asks first.

Do you store our AWS credentials?
No. CloudAgencyOps reads each client account via an IAM cross-account read-only role with an agency-scoped ExternalId. When we sync, our IAM principal calls sts:AssumeRole and gets short-lived (1h default) credentials. Nothing is stored at rest. The full architecture lives at /security with the exact policy JSON you can paste into your security review.
What permissions does the IAM role need?
ce:GetCostAndUsage (Cost Explorer), cloudtrail:LookupEvents (CloudTrail), and organizations:ListAccounts (Organizations). The full policy is published at /security as a copy-pasteable JSON block. We do not need write permissions to any service.
What happens when a client offboards?
You revoke the IAM role on your end (delete the CloudFormation stack or remove the trust relationship); CloudAgencyOps detects the failed AssumeRole and flips the account to a 'disconnected' state. Historical cost snapshots remain in your dashboard by default so you can still generate retroactive reports, and you can delete a client's accounts, cost snapshots, access-event metadata, and generated reports from the dashboard whenever you choose (subject to documented backup retention). The client side has nothing to delete because nothing was ever installed there.
Can PDF reports be fully white-labeled?
Yes — that's the v1.0 deliverable. Each agency uploads their logo and picks their primary brand color in the Branding settings page; PDF reports render with the agency's brand and never carry CloudAgencyOps chrome. Your client receives a PDF that looks like you made it, because you did. Cost figures in the report are operational estimates, not invoices or billing-authoritative statements; you are responsible for reviewing and approving each report before sending it to a client. Every report carries an informational-only disclaimer near the totals.
What does v1.5 add?
A native Slack app (deep links to specific clients + interactive cost-alert cards), AWS IAM Identity Center SSO for the dashboard, and Mermaid diagram support inside the runbook editor. AWS Marketplace listing is on the roadmap once 3+ paying agencies have referenceable case studies. Public changelog at /changelog tracks every release.
When will you be on AWS Marketplace?
Deferred until 3+ paying agencies are on CloudAgencyOps with consent to be referenced. The marketplace gate requires an internal security-control evidence pack (policies, access controls, sub-processor register) plus reference customers. We are building that evidence pack incrementally and have not yet completed a SOC 2 examination. We'd rather launch with real customers than chase the badge.
Who built this?
Muhammad Hassaan Javed — running InfraForge, a small AWS DevOps consultancy. CloudAgencyOps is the productized version of the operating system InfraForge runs internally. Design partner #1 is the agency that built it. Read more at /about.
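
Added example (not CloudAgencyOps' published policy or code): a reviewer-side check of the cross-account role described in the FAQ above. It confirms that the trust policy pins one principal and an sts:ExternalId, and that the permissions stay within the three read actions the FAQ lists. The vendor principal ARN and ExternalId values are constructed placeholders.

```python
# Added example, not CloudAgencyOps' published policy. The principal ARN and
# ExternalId below are constructed placeholders for illustration.
ALLOWED = {"ce:getcostandusage", "cloudtrail:lookupevents", "organizations:listaccounts"}
VENDOR = "arn:aws:iam::111122223333:role/example-sync"   # constructed
EXTERNAL_ID = "agency-EXAMPLE-0001"                       # constructed

def _list(v):
    return v if isinstance(v, list) else [v]

def audit_trust(policy, principal=VENDOR, external_id=EXTERNAL_ID):
    """Findings for the role's trust policy (who may call sts:AssumeRole)."""
    out = []
    for st in _list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal", {})
        aws = _list(p.get("AWS", [])) if isinstance(p, dict) else [p]
        if not aws or any(a != principal for a in aws):
            out.append("principal not limited to the expected vendor principal")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            out.append("no sts:ExternalId condition")
        elif _list(ext) != [external_id]:
            out.append("sts:ExternalId is not the agency-scoped value")
    return out

def audit_permissions(policy):
    """Findings for the permissions policy: anything beyond the three reads."""
    out = []
    for st in _list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            out.append("NotAction in an Allow statement")
        for action in _list(st.get("Action", [])):
            if action.lower() not in ALLOWED:   # IAM action names are case-insensitive
                out.append(f"unexpected action {action}")
    return out

GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": VENDOR}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": VENDOR}, "Action": "sts:AssumeRole"}]}
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ce:GetCostAndUsage", "cloudtrail:LookupEvents", "organizations:ListAccounts"]}]}
BROAD_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": ["ce:GetCostAndUsage", "s3:*"]}]}
```

Run both functions against the role's actual trust and permissions documents during onboarding review; an empty list from each means the role matches what the FAQ describes.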

Stop spreadsheeting AWS.

Connect your first client account in under five minutes. Read-only, cross-account, credentials never stored.