Cloud change governance

Catch the AWS change before it breaks prod.

You found out when it was already on fire.

CBX Guard catches the infrastructure change that exposes production — in the PR before it ships, and on the live cloud the moment it lands.

One read-only IAM role · No AWS Config, no billing impact · Slack alert within minutes

Your mental model says "all change goes through a PR." Your CloudTrail says otherwise.

A 30-engineer company running AWS has dozens of ways a dangerous change can land outside Terraform — and outside any review. You own the blast radius of every single one of them.

Console edits during incidents
Someone opens a security group directly in the AWS console to unblock an incident. No PR. No review. No record in your change tracking. You find out when the next incident is already on fire.
CI jobs with cloud credentials
Your deployment pipeline opens a security group inline — it is in a shell script, not a Terraform plan, so your PR linter never sees it. The change is real. The review never happened.
The diff that hides its effect
A one-line module version bump. Looks harmless in the diff. Resolved against your live account and org topology, it opens SSH on 12 instances to the internet. The reviewer approved what they could see.
AI agents calling the API directly
Coding agents author and apply infra change faster than one person can review. The agent has your repo context. It does not have your account context. That gap is exactly where production breaks.
Production outages from unreviewed infra changes don't arrive gradually. You find out when the page arrives — and spend the next hour reconstructing what happened. Every platform owner has that scar. CBX Guard is built against it.

One danger engine. Two doorways. The narrowness is the strategy.

CBX Guard does one thing with high precision: it catches the security group change that just exposed production to the internet — before that change hurts you. On the live cloud the moment it lands. On the PR before it applies. Same engine, same verdict, two surfaces.

01 Observe: every change, every path
02 Warn: alert on what is dangerous
03 Recommend: tell you what to do
04 Gate: hold risky changes
05 Act: remediate automatically

CBX Guard lands on Observe and Warn. The right side of the sequence is the expansion path — enabled per account, as the product earns it.

Live cloud · ships now
Catches the change the moment it lands on the live cloud
CBX Guard polls your existing CloudTrail and sweeps live AWS state on a short polling cycle. No new AWS resources, no billing impact. The moment a security group transitions from safe to exposed on prod — console click, CI script, CLI call — you get a Slack alert naming the resource, the actor, and the full resolved effect. Within minutes.
PR review · ships now
Surfaces the danger the diff is hiding — before apply
The same detection engine runs on every pull request touching infrastructure. It resolves the Terraform plan against your live account state — not just the diff text — so a change that looks harmless in the diff but opens SSH to the internet shows up as exactly that in the PR. Inline comment on the exact changed line. The required status check never hangs pending, never blocks merge on its own.
What counts as "dangerous"
A tier-one alert fires only when all conditions hold at once: a real transition from not-exposed to exposed, a broad internet CIDR (not your office VPN), a sensitive port, a reachable resource, a production account — and not something already baselined as intended. We hold tier-one alerts to a single danger class and a strict set of conditions, because the second time we waste your attention, you mute us. Precision is the product.
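The tier-one conditions above, written out as a checkable verdict. This is an added illustration, not CBX Guard's engine; the sensitive-port set, the production account id, the "broad internet" prefix threshold and the before/after security-group rules are all constructed assumptions.

```python
from ipaddress import ip_network

# Constructed inputs and thresholds (assumptions, not CBX Guard's real tuning):
SENSITIVE_PORTS = {22, 3389, 3306, 5432}   # SSH, RDP, MySQL, Postgres
PROD_ACCOUNTS = {"111111111111"}           # account ids tagged as production
BROAD_MAX_PREFIX = 16                      # a public /16 or wider counts as "the internet"

def is_broad_internet(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or a wide public range; False for an office /24 or a /32."""
    net = ip_network(cidr, strict=False)
    return net.prefixlen == 0 or (net.is_global and net.prefixlen <= BROAD_MAX_PREFIX)

def port_range(rule: dict) -> tuple:
    """Normalise a rule: protocol -1 (all traffic) means every port."""
    if rule.get("protocol") == "-1":
        return 0, 65535
    return rule["from_port"], rule["to_port"]

def exposed_sensitive_ports(rules: list) -> set:
    """Sensitive ports that the inbound rules open to a broad internet CIDR."""
    exposed = set()
    for rule in rules:
        if not is_broad_internet(rule["cidr"]):
            continue
        lo, hi = port_range(rule)
        exposed |= {p for p in SENSITIVE_PORTS if lo <= p <= hi}
    return exposed

def tier_one_verdict(sg_id, before, after, account, attached_resources, baseline) -> set:
    """Return the (sg_id, port) exposures that satisfy every tier-one condition at once.

    Conditions: a real not-exposed -> exposed transition, a broad internet CIDR, a sensitive
    port, a reachable resource (the SG is actually attached), a production account, and not
    already baselined as intended. An empty set means no tier-one alert.
    """
    if account not in PROD_ACCOUNTS or not attached_resources:
        return set()
    newly_exposed = exposed_sensitive_ports(after) - exposed_sensitive_ports(before)
    return {(sg_id, port) for port in newly_exposed} - set(baseline)

# Constructed sample: the office VPN /24 already had SSH; the change adds SSH from anywhere.
OFFICE_SSH = {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"}
WORLD_SSH = {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}
BEFORE = [OFFICE_SSH]
AFTER = [OFFICE_SSH, WORLD_SSH]

if __name__ == "__main__":
    print(tier_one_verdict("sg-0abc", BEFORE, AFTER, "111111111111", ["i-0123"], set()))
```

Removing any one condition (non-prod account, no attached resource, a baselined pair, or an unchanged rule set) drops the verdict to an empty set, which is the "precision floor" the page describes.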

A PR linter is blind to most of your change surface.

Most dangerous infra changes in a real company do not go through Terraform and a pull request. CBX Guard watches the full lifecycle with one engine.

| | CBX Guard | PR linter (tfsec, Checkov) | CSPM (Wiz, etc.) |
|---|---|---|---|
| Detects dangerous SG change on live cloud | Yes (delta, not posture) | No | Periodic scan, not real-time |
| Catches out-of-band SG changes (console, CLI, CI) | Yes | No | Periodic scan |
| Reviews pull requests inline | Yes | Yes | No |
| Resolves plan against live account | Yes (context is the verdict) | No (diff in isolation) | No |
| Alerts on the change, not the snapshot | Yes (delta, not posture) | No | No (backlog of findings) |
| Primary buyer | Overloaded platform owner | Developer / PR author | Security team |
| Pricing model | Per AWS account, not seats | Free / per seat | Enterprise contract |

Priced per AWS account, not per seat.

One platform owner. No seats. The free tier is real — not a trial, not a crippled version. Connect your prod account and see your first-run exposure scan in minutes.


Free

$0

1 AWS account, forever. Prove it catches something real on prod before you spend a cent.

  • Live change detection (1 account)
  • Slack alerts — Critical tier only
  • PR review on connected repos
  • First-run landscape map
  • 30-day history
  Not included in Free: per-tier Slack routing, invite teammates, multi-account.

Team

$249 /mo

Save $600/yr — billed $2,988

Up to 5 accounts. The standard prod + staging + dev org, with room. True discretionary spend — no procurement conversation needed.

  • Everything in Free
  • Up to 5 accounts
  • Per-tier Slack routing (Critical → on-call, Watch → digest)
  • Invite teammates (shared access)
  • 12-month history
  • Email support (2-day SLA)
  Not included in Team: SSO, org-wide account discovery.

Org

$649 /mo

Save $1,800/yr — billed $7,788

Up to 15 accounts. The full multi-account org with SSO, org-wide discovery, and a coverage view that tells you what CBX Guard could and couldn't assess.

  • Everything in Team
  • Up to 15 accounts
  • Org-wide account discovery (AWS Organizations)
  • SSO
  • Coverage & health view
  • AWS Marketplace billing
  • Priority support (next-day SLA)

Scale

Custom

Unlimited accounts, partner-assisted onboarding, and the security review package your procurement team will ask for.

  • Everything in Org
  • Unlimited accounts
  • TIDORA-assisted onboarding available
  • Custom data retention
  • Security review & trust package
  • Dedicated Slack channel
  • SLA with teeth

All plans include the same detection engine and the same precision floor. No plan gets a noisier alert feed.

Read-only. We create nothing in your account.

The first question every platform owner asks is "why would I let a vendor read my cloud?" Here is exactly what CBX Guard accesses, and exactly what it never touches.

One IAM role, read-only
A single CloudFormation stack creates one cross-account read role. No write permissions of any kind. CBX Guard is not billed to your account and creates no AWS resources.
Your existing CloudTrail
CBX Guard reads your existing CloudTrail trail. We do not create a new one and we do not use AWS Config. Nothing is added, modified, or charged in your account.
Control is earned, never assumed
CBX Guard is advisory by design. It sees, it warns, it tells you what to do — and it never touches your infrastructure without explicit permission. The trust sequence exists for a reason: Gate and Act come after the product has proven it is right in your specific account.
CBX Guard read-only IAM policy (published at cloudbooster.io/iam-policy), shown here as a complete policy document:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "cloudtrail:LookupEvents", "cloudtrail:GetTrailStatus",
          "ec2:Describe*", "iam:Get*", "iam:List*",
          "organizations:Describe*", "organizations:List*"
        ],
        "Resource": "*",
        "Condition": { "Bool": { "aws:SecureTransport": "true" } }
      }]
    }

No s3:Put*, no ec2:Authorize*, no write permissions of any kind.
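A check a platform owner can run on the policy before launching the CloudFormation stack, to confirm the "no write permissions" claim holds for the document actually being deployed. This is an added example, not CloudBooster's tooling; the read-only action patterns are an assumption for this check (AWS publishes no single read-only pattern list), and the drifted variant is constructed.

```python
import json
from fnmatch import fnmatchcase

# Assumption: actions matching these patterns are treated as read-only for this check.
READ_ONLY_PATTERNS = ("*:Describe*", "*:Get*", "*:List*", "cloudtrail:LookupEvents")

def _statements(policy: dict) -> list:
    """IAM allows a single statement object or a list; normalise to a list."""
    stmts = policy["Statement"]
    return [stmts] if isinstance(stmts, dict) else list(stmts)

def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])

def write_actions(policy: dict) -> list:
    """Every action in an Allow statement that no read-only pattern covers (a bare '*' included)."""
    flagged = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if not any(fnmatchcase(action, pat) for pat in READ_ONLY_PATTERNS):
                flagged.append(action)
    return flagged

def requires_tls(policy: dict) -> bool:
    """True when every Allow statement carries the aws:SecureTransport = true condition."""
    return all(
        str(s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")).lower() == "true"
        for s in _statements(policy) if s.get("Effect") == "Allow"
    )

# The policy as published on the page.
PUBLISHED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudtrail:LookupEvents", "cloudtrail:GetTrailStatus",
               "ec2:Describe*", "iam:Get*", "iam:List*",
               "organizations:Describe*", "organizations:List*"],
    "Resource": "*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}
  }]
}""")

# Constructed drifted variant: someone added write actions to the same statement.
DRIFTED_POLICY = json.loads(json.dumps(PUBLISHED_POLICY))
DRIFTED_POLICY["Statement"][0]["Action"] += ["ec2:AuthorizeSecurityGroupIngress", "s3:PutObject"]

if __name__ == "__main__":
    print(write_actions(PUBLISHED_POLICY), write_actions(DRIFTED_POLICY), requires_tls(PUBLISHED_POLICY))
```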

The questions every platform owner asks first.

Does CBX Guard need write access to my AWS account?
No. CBX Guard uses a single read-only IAM role and creates no AWS resources. It reads your existing CloudTrail trail and live state via describe-* calls. It does not use AWS Config and has no write permissions of any kind.
How is this different from a PR linter like tfsec or Checkov?
A PR linter only reads the diff text in a pull request, and is blind to any change that does not go through Terraform — console edits, CLI calls, CI scripts. CBX Guard runs the same detection engine on both the pull request and the live cloud, and resolves the proposed change against your actual account state rather than reading the diff in isolation. Context is the verdict.
Will CBX Guard block my deployments?
No. CBX Guard is advisory by design. It observes and warns, and its pull-request status check never hangs pending or blocks a merge on its own. The ability to gate or revert changes is enabled per account only after the product has proven it is right in that account.
How long does setup take?
About five minutes. You launch a CloudFormation stack that creates one read-only cross-account role, and CBX Guard begins watching — no agents to install, no CLI, no code changes.
Is the free tier a trial?
No. The free tier covers one AWS account forever, with the same detection engine and precision as the paid plans. It is the funnel, not a time-limited trial.

Built by people who've run production AWS for a decade.

CBX Guard is built by CloudBooster, founded by the team behind TIDORA, an AWS Advanced Tier Services Partner. We've spent a decade as the cloud-engineering function for teams running real, brownfield AWS — CBX Guard is that experience, productized.

Connect your first account in five minutes.

No credit card. No AWS Config. No agents. One read-only IAM role and you are watching.