Connect AWS and run your first investigation
This guide walks you from a new account to a live FinOps investigation. The agent reads your AWS cost and inventory data, surfaces findings, and starts building a daily investigation loop — all in under ten minutes.
Before you start
You will need:
- A ZephMatrix account — sign up free at zephmatrix.ai.
- AWS console access with permission to create IAM roles and policies.
- AWS Cost Explorer enabled on the account you want to connect (activation takes 24 hours if it is not already enabled).
1. Create the cross-account IAM role
ZephMatrix connects to your AWS account through a scoped cross-account IAM role. The role grants read access to cost, inventory, tags, metrics, and optimization signals — nothing broader.
From the ZephMatrix dashboard, open Cloud Connections → Connect AWS account. The setup wizard generates a CloudFormation template that creates the role in your account automatically. Paste the generated ARN back into ZephMatrix to complete the connection.
Alternatively, you can create the IAM role manually using the policy document shown in the wizard. The role requires no write permissions at this stage.
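If you create the role manually, you can check the policy document for write actions before applying it. The Python check below is an added example, not part of ZephMatrix or the wizard output; the sample policy and the list of read-only verb prefixes are constructed assumptions.

```python
import json

# Verb prefixes treated as read-only (an assumption for this example; adjust to your standard).
READ_PREFIXES = ("get", "list", "describe", "view", "search", "lookup", "batchget")

# Constructed sample policy for illustration, NOT the document the wizard generates.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ce:GetCostAndUsage", "ec2:Describe*", "tag:GetResources",
                "cloudwatch:GetMetricData", "compute-optimizer:Get*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:DeleteVolume", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}
  ]
}
""")

def as_list(value):
    """IAM allows a single item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """True only if every action the pattern can match starts with a read verb."""
    if ":" not in action:
        return False  # bare "*" or malformed entry
    name = action.split(":", 1)[1].lower()  # IAM action names are case-insensitive
    literal = name.split("*", 1)[0].split("?", 1)[0]  # text before the first wildcard
    return literal.startswith(READ_PREFIXES)

def non_read_actions(policy):
    """Return every allowed action (or construct) that is not provably read-only."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant write access
        if "NotAction" in stmt:
            findings.append("NotAction in Allow statement")  # allows everything not listed
            continue
        findings += [a for a in as_list(stmt.get("Action", [])) if not is_read_only(a)]
    return findings

if __name__ == "__main__":
    print(non_read_actions(SAMPLE_POLICY))
```

A read-style verb is not automatically harmless: actions such as s3:GetObject or secretsmanager:GetSecretValue return data, so review the allowed actions as well as the flagged ones.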
2. Run the Hidden Cost Report
Once the connection is verified, ZephMatrix immediately runs a Hidden Cost Report across nine AWS cost signal categories: idle waste, rightsizing gaps, Savings Plans coverage, billing anomalies, data transfer hotspots, CloudWatch observability cost, managed service spend, container platform cost, and commitment utilization.
The report takes 2–5 minutes for a typical account. Findings are ranked by estimated monthly savings and grouped by category and service. Each finding includes the resource ID, region, utilization evidence, and a recommended action.
3. Review findings and approve actions
Open a finding to start an investigation. The agent adds owner context (from tags and usage patterns), classifies the resource as safe-to-act, needs-review, or production-protected, and proposes a specific remediation action.
Approved actions — deleting orphaned EBS volumes, releasing unused Elastic IPs, stopping idle EC2 instances — execute immediately against your AWS account and report the verified outcome.
4. Enable the daily agent loop
Turn on the daily investigation loop from Settings → Agent Schedule. The agent runs every morning, refreshes cost signals, compares against prior state, and surfaces new findings in your dashboard. Cost anomaly alerts trigger outside the schedule when spend spikes are detected.
For a full list of supported AWS services and execution actions, see Platform Capabilities. For integration with Slack, Jira, or custom webhooks, see Integration Guides.