Configure the FinOps agent
The ZephMatrix agent runs with a defined scope, guardrails, and approval policy. This page explains what each configuration surface controls and how the platform enforces it.
On this page
- Investigation scope and cost signal categories
- Guardrails and resource classification
- Approval policy and execution permissions
- Audit trail and governance
Investigation scope
By default, the agent investigates all nine cost signal categories across every connected AWS account. You can narrow the scope from Settings → Agent Scope:
- Enable or disable individual cost categories (e.g. disable rightsizing while a migration is in flight)
- Restrict investigation to specific AWS accounts or regions
- Set tag-based exclusions to skip resources owned by a specific team or environment
Resource classification and guardrails
Before proposing any action, the agent classifies every resource against a set of guardrail rules. Classifications:
- Safe to act — resource shows no production traffic, no active ASG membership, no IaC state file reference.
- Needs review — ambiguous signals; action is proposed but routes to the approval queue.
- Protected — production tag, active traffic, or IaC-managed; agent will not propose action on this resource.
Guardrail rules are configurable from Settings → Guardrails. You can add tag-based protection patterns (e.g. env=prod), require two-person approval for specific action types, or block entire action categories outright.
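The classification rules above, as an added Python example (not ZephMatrix code): it assumes a Resource record whose fields stand in for the traffic, ASG, IaC and tag signals the agent collects, and a hypothetical default list of tag protection patterns in the env=prod style; the inventory at the bottom is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
import fnmatch


class Classification(Enum):
    SAFE_TO_ACT = "safe_to_act"
    NEEDS_REVIEW = "needs_review"
    PROTECTED = "protected"


@dataclass
class Resource:
    # Hypothetical fields standing in for the signals the page names.
    resource_id: str
    tags: dict = field(default_factory=dict)
    has_production_traffic: bool = False    # non-zero traffic in the lookback window
    in_active_asg: bool = False             # member of an active Auto Scaling group
    iac_managed: bool = False               # referenced by an IaC state file
    traffic_signal_ambiguous: bool = False  # metrics missing or lookback too short


# Assumed default protection patterns, matched against "key=value" tag pairs.
PROTECTION_PATTERNS = ["env=prod", "env=production", "Environment=prod*"]


def matches_protection_pattern(tags: dict, patterns=PROTECTION_PATTERNS) -> bool:
    pairs = [f"{k}={v}" for k, v in tags.items()]
    return any(fnmatch.fnmatchcase(p, pat) for p in pairs for pat in patterns)


def classify(res: Resource, patterns=PROTECTION_PATTERNS) -> Classification:
    """Protected wins over every other signal; ambiguity routes to review; else safe."""
    if (matches_protection_pattern(res.tags, patterns)
            or res.has_production_traffic or res.iac_managed):
        return Classification.PROTECTED
    if res.in_active_asg or res.traffic_signal_ambiguous:
        return Classification.NEEDS_REVIEW
    return Classification.SAFE_TO_ACT


def classify_inventory(resources) -> dict:
    """Map resource id to classification, so 'protected' ids are never proposed."""
    return {r.resource_id: classify(r) for r in resources}


SAMPLE_INVENTORY = [  # constructed sample data
    Resource("i-0a1", tags={"env": "prod"}),
    Resource("vol-0b2", tags={"env": "dev"}),
    Resource("i-0c3", tags={"env": "dev"}, in_active_asg=True),
]
```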
Approval policy
Every proposed AWS action goes through the approval workflow before execution. The default policy requires explicit human approval for all actions. You can configure:
- Which action types require approval vs. can auto-execute under defined conditions
- Who receives approval requests (by team, tag owner, or Slack channel)
- Approval expiry windows (approval granted today does not carry over to tomorrow)
Approval decisions are logged with timestamp, approver identity, and the resource state at time of approval.
Execution permissions
Execution actions run against your AWS account only after explicit approval. Every action is recorded with the approver identity, resource state at time of approval, and verified outcome. Actions are grouped by category:
Compute
- EC2 instance stop and start (idle instances, dev/staging environments)
- EC2 instance type change — stop, resize to recommended type, restart (rightsizing)
- ECS and EKS task CPU/memory limit adjustment (container rightsizing)
- Lambda function memory configuration update (rightsizing to p50 utilization)
Storage & snapshots
- EBS volume deletion (unattached, confirmed no recent mount activity)
- EBS snapshot deletion (orphaned snapshots with no associated volume or AMI)
- EBS volume type upgrade — gp2 to gp3 (lower cost, higher baseline performance)
- AMI deregistration and backing snapshot cleanup
- S3 Intelligent-Tiering enablement and lifecycle rule application
- S3 bucket deletion (empty, untagged, confirmed no recent access)
Networking
- Elastic Load Balancer deletion (zero active targets, no recent traffic)
- Elastic IP release (unassociated, no DNS record pointing to address)
- NAT Gateway deletion (no route table dependencies, confirmed idle)
Database & managed services
- RDS instance stop (dev/staging instances with no recent connections)
- RDS instance class change (rightsizing based on CPU and connection metrics)
- ElastiCache node type change (rightsizing based on memory utilization)
- OpenSearch domain configuration update (rightsizing data and master node types)
Observability & logging
- CloudWatch Logs retention policy enforcement (set retention on log groups with no policy)
- CloudWatch custom metrics cleanup (archive unused metric streams)
Commitment & reservation management
- Savings Plans purchase recommendation routing (agent drafts the purchase case; finance approves)
- Reserved Instance modification (scope changes, AZ to regional conversion)
- Unused Reserved Instance listing on the AWS Marketplace
Each action category can be enabled or disabled independently from Settings → Execution Permissions. All actions require the corresponding write permission in the cross-account IAM role — the setup wizard generates the minimum required policy for your selected action set.
For compliance audit exports and governance controls, see Security & Governance. For webhook and Jira integration, see Integration Guides.