--- title: CloudAgent Documentation description: Consolidated documentation for CloudAgent, optimized for LLM consumption. generated_at: 2025-12-05T22:11:03.658Z --- # CloudAgent Documentation This is a consolidated version of the CloudAgent documentation. It includes the User Guide, Cookbooks, and other resources. --- # Home # CloudAgent Documentation Welcome to the official CloudAgent documentation. This site is designed to help you get the most out of the platform, whether you are a first-time user or an advanced operator.
### [User Guide](/guide) **Objective**: Explore the CloudAgent interface and learn how to manage your cloud workforce with our screenshot-driven guide.
### [Cookbooks](/cookbooks) **Objective**: Find step-by-step recipes and how-to guides for specific tasks and configurations.
### [LLM Docs](/llms.txt) **Objective**: A single-file documentation optimized for AI agents and LLMs.
> **Note:** Start with the **User Guide** for a comprehensive tour, or jump to **Cookbooks** if you have a specific task in mind. # User Guide # Introduction # CloudAgent User Guide Welcome to the User Guide. Here you'll find screenshot-driven tours of the CloudAgent interface. Select a topic from the sidebar to get started, or [return to the main documentation](/). > **Note:** Looking for specific recipes? Check out our [Cookbooks](/cookbooks). # Getting Started # Getting Started ## Objective Get up and running with CloudAgent to start managing and securing your cloud infrastructure. ## Overview CloudAgent is your AI-powered partner for cloud operations. By the end of this guide, you will be able to access the platform and understand the core prerequisites for connecting your cloud environments. ## Accessing the Platform 1. Navigate to [cloudagent.io/login](https://cloudagent.io/login). 2. Enter your **Username** and **Password**, or click **Sign in with Google** to use your Google credentials. 3. Click the **Log in** button (if using username/password). > **Note:** If you don't have an account, you can request an invitation by clicking "Sign up". ## Next Steps Now that you are logged in, the next step is to connect your cloud environment. **[Go to Account Onboarding](/guide/onboarding)** to connect your AWS account and unlock the dashboard features. # Account Onboarding # Account Onboarding ## Objective Connect your AWS accounts to CloudAgent to enable monitoring, management, and automated actions. > **Note:** **Important**: You must onboard at least one cloud account to see any data in the Dashboard, receive recommendations, or use the Blueprint Builder. CloudAgent makes it easy to connect your cloud environments and start managing your workloads. ## Adding a Cloud Environment 1. Navigate to **Cloud Setup & Workloads** in the sidebar. 2. Click on **Add Cloud Environment**. 3. **Step 1: Gather Details**: Enter your AWS Account ID and select the desired permission level (e.g., Read-Only, Limited Write, Full Admin). ![Onboarding Step 1](/images/onboarding_step1.png) 4. **Step 2: Deploy**: Choose your preferred deployment method. You can launch the CloudFormation stack directly or download the template to deploy manually. ![Onboarding Step 2](/images/onboarding_step2.png) 5. **Step 3: Validate**: Once deployed, validate the IAM role connection and give your environment a name. ![Onboarding Step 3](/images/onboarding_step3.png) # Dashboard Overview # Dashboard Overview ## Objective Gain a comprehensive view of your cloud resources, security posture, and agent activities. Once logged in, you will see the **Dashboard Overview**. This is your central hub for managing your cloud workforce. > **Note:** **Prerequisite**: The dashboard will appear empty until you connect a cloud account. Please complete the [Account Onboarding](/guide/onboarding) step first. ![Dashboard Overview](/images/dashboard_overview.png) ## Key Features ### 1. Stats Overview At the top of the dashboard, you'll find a quick summary of your environment: - **Activity**: Total count of active agents, workflows, and generated reports. - **Environments & Workloads**: Number of connected AWS accounts and managed workloads. - **Recommendations**: Active recommendations categorized by priority (Critical, High, Medium, Low). ### 2. Smart Recommendations The dashboard automatically categorizes findings into actionable groups: - **Critical Security**: High-priority security issues that need immediate attention. - **Cost Savings**: Opportunities to reduce your cloud spend. - **Resource Cleanup**: Identification of unused or idle resources. - **Compliance**: Audit items mapped to frameworks like SOC 2 and HIPAA. - **Platform Insights**: Suggestions to maximize the value of CloudAgent. ![Platform Insights Recommendation](/images/platform_insights.png) ### 3. Scheduled Workflows View and manage your automated tasks: - **Active**: Workflows currently running on a schedule (e.g., daily backups). - **Paused**: Scheduled tasks that have been temporarily disabled. - **All Activities**: A complete list of all scheduled operations. ### 4. Latest Activity A real-time feed of what your agents are doing: - **Agents**: Status updates from individual agents. - **Workflows**: Progress of complex, multi-step workflows. - **Waiting on User**: Tasks that require your approval to proceed. - **Done**: Completed actions and their results. ### 5. Reports CloudAgent creates detailed security reports for your cloud account, including **cost** and **compliance** reports (such as **SOC 2** and **HIPAA**). > Get the full list of available reports at [cloudagent.io/libraries/all-reports](https://cloudagent.io/libraries/all-reports). ![CloudAgent Report Example](/images/cloudagent-report.gif) ## Key Sections * **Overview**: A summary of your cloud resources and agent activity. * **Cloud Setup & Workloads**: Manage your cloud infrastructure connections. * **Recommendations**: AI-driven suggestions for optimizing your cloud environment. * **My Workflows**: View and manage your automated workflows. * **Blueprints & Agents**: Create and manage infrastructure blueprints. * **Reports**: Generate and view compliance reports. * **My Account**: Manage your profile and settings. # Managing Workloads # Managing Workloads ## Objective View, manage, and optimize your deployed applications and infrastructure stacks. The **Cloud Setup & Workloads** section allows you to view and manage your cloud infrastructure and applications. ## Viewing Workloads To view your workloads: 1. Navigate to **Cloud Setup & Workloads** in the sidebar. 2. You will see a list of all connected cloud environments and deployed workloads. ![Workload List](/images/workload_list.png) ## Workload Details Click on any workload in the list to view its details. The details view provides comprehensive information about the workload's status, resources, and configuration. ![Workload Details](/images/workload_details.png) ### Key Tabs * **Overview**: General information about the workload, including the Diagram Preview. * **Tracked Resources**: A list of all cloud resources (e.g., S3 buckets, IAM roles, CloudFormation stacks) associated with this workload. * **Deployment Settings**: Configuration options for how the workload is deployed. * **Governance**: Policies and rules applied to the workload. * **Architecture Preferences**: Settings related to the architectural design of the workload. * **Security Rules**: Security configurations and firewall rules. ### Diagram Preview The **Diagram Preview** panel provides a visual representation of your workload's architecture. It displays all the AWS resources and their relationships in an easy-to-understand diagram. - **Auto-Generated**: The diagram is automatically generated based on tracked resources. - **Expandable View**: Click the **Expand** button to open a full-screen view for detailed inspection. - **Resource Icons**: Each AWS service (Lambda, S3, DynamoDB, etc.) is represented with its official icon. - **Timestamps**: Shows when the diagram was last generated. > **Tip**: Use the expanded diagram view during architecture reviews or when onboarding new team members to quickly understand the infrastructure layout. ### Recommendations and Reports The workload details page also includes: * **Top 5 Environment Recommendations**: Priority-ranked suggestions specific to this workload's environment. * **Reports**: Compliance reports (PCI DSS, CIS Benchmarks) with status indicators and quick access to view details. # Recommendations # Recommendations ## Objective Review and act on AI-powered recommendations to improve security, reduce costs, and optimize your cloud infrastructure. The **Recommendations** page provides a centralized view of all findings and suggestions across your connected cloud environments. ## Accessing Recommendations 1. Navigate to **Recommendations** in the sidebar. 2. You will see a comprehensive list of all recommendations organized by category and priority. ![Recommendations Page](/images/recommendations.png) > **Note:** **Quick Access**: You can also access category-specific recommendations directly from the Dashboard's Smart Recommendations widget. ## Recommendation Categories CloudAgent organizes recommendations into actionable categories: ### Critical Security High-priority security issues that require immediate attention: - Public S3 buckets - Overly permissive IAM policies - Unencrypted data stores - Security group misconfigurations ### Cost Savings Opportunities to reduce your cloud spend: - Idle or underutilized resources - Reserved instance recommendations - Right-sizing suggestions - Orphaned resources (unattached EBS volumes, unused Elastic IPs) ### Resource Cleanup Identification of resources that can be removed: - Unused security groups - Stale snapshots - Abandoned load balancers - Empty S3 buckets ### Compliance Audit items mapped to industry frameworks: - SOC 2 requirements - HIPAA controls - CIS Benchmark findings - PCI DSS compliance gaps ### Platform Insights Suggestions to maximize your use of CloudAgent: - Incomplete workload configurations - Untracked resources - Missing environment labels ## Recommendation Details Each recommendation includes: | Field | Description | |-------|-------------| | **Priority** | Severity level (Critical, High, Medium, Low) | | **Resources** | Number of affected resources | | **Environment** | Which cloud environment contains the finding | | **Updated** | When the recommendation was last refreshed | ## Taking Action For each recommendation, you can: 1. **View Details**: Click to see the specific resources affected. 2. **Remediate**: Generate a blueprint to fix the issue automatically. 3. **Dismiss**: Mark as acknowledged if the finding is a known exception. 4. **Create Workflow**: Set up automated remediation for recurring issues. > **Note:** **Tip**: Address Critical and High priority recommendations within 24-48 hours to maintain a strong security posture. ## Filtering and Search Use the filtering options to focus on specific findings: - **By Priority**: Show only Critical, High, Medium, or Low items - **By Category**: Filter by Security, Cost, Cleanup, or Compliance - **By Environment**: Focus on a specific AWS account - **By Workload**: View recommendations for a particular workload # My Workflows # My Workflows ## Objective Create, manage, and monitor automated workflows that execute recurring cloud operations. **My Workflows** allows you to automate repetitive tasks, schedule operations, and create multi-step processes that run without manual intervention. ## Accessing Workflows Navigate to **My Workflows** in the sidebar to view and manage your automated tasks. ![My Workflows Page](/images/workflows.png) ## Understanding Workflows A workflow is an automated sequence of actions that can: - Run on a schedule (daily, weekly, monthly) - Execute multiple steps in order - Pause for human approval when needed - Notify you of results ## Workflow Types ### Manual Workflows Triggered on-demand when you need them: - One-time cleanup operations - Ad-hoc security scans - On-demand backups ### Scheduled Workflows Run automatically at specified intervals: - Daily backup verification - Weekly compliance checks - Monthly cost reports ### Event-Driven Workflows Triggered by specific conditions: - New resource detection - Security finding alerts - Threshold breaches ## Creating a Workflow 1. Navigate to **My Workflows**. 2. Click **+ Create Workflow**. 3. Choose a template or start from scratch. 4. Configure the workflow steps: - **Action**: What the workflow should do - **Target**: Which resources or environments - **Schedule**: When it should run - **Notifications**: Who to alert 5. Click **Save** to create the workflow. > **Note:** **Templates**: CloudAgent provides pre-built workflow templates for common operations like backup verification, security scanning, and cost optimization. ## Workflow Status | Status | Description | |--------|-------------| | **Active** | Workflow is running on schedule | | **Paused** | Temporarily disabled | | **Waiting on User** | Requires your approval to continue | | **Completed** | Finished execution successfully | | **Failed** | Encountered an error | | **Running** | Currently executing | ## Managing Workflows ### Pause a Workflow Click the **Pause** button to temporarily stop a scheduled workflow without deleting it. ### Resume a Workflow Click **Resume** to reactivate a paused workflow. ### Edit a Workflow Click on the workflow name to modify its configuration, schedule, or steps. ### Delete a Workflow Remove workflows you no longer need from the workflow list. ## Workflow Actions Common actions available in workflows: ### Infrastructure Operations - **Configure AWS Backup**: Set up backup policies for DynamoDB tables - **Enable S3 Versioning**: Turn on versioning for S3 buckets - **Update Security Groups**: Modify firewall rules ### Compliance and Security - **Run CIS Benchmarks Report**: Generate compliance assessment - **Scan for Public Access**: Check for publicly exposed resources - **Audit IAM Permissions**: Review access policies ### Cost Management - **Run Unused Resources Report**: Find idle resources - **Check Reserved Instance Coverage**: Optimize RI utilization - **Generate Cost Report**: Create spending analysis ## Human-in-the-Loop For sensitive operations, workflows can pause and wait for approval: 1. Workflow reaches an approval step. 2. You receive a notification. 3. Review the proposed action in the dashboard. 4. Click **Continue** to proceed or **Cancel** to stop. > **Note:** **Tip**: Enable approval steps for any workflow that modifies production resources. ## Viewing Workflow History Click on any workflow to see: - **Execution History**: Past runs with timestamps - **Step Details**: What happened at each step - **Logs**: Detailed output from each action - **Errors**: Any issues encountered during execution ## Integration with Blueprints Workflows can execute blueprints as part of their steps: 1. Create a blueprint for the desired infrastructure change. 2. Add a "Run Blueprint" step to your workflow. 3. The blueprint deploys automatically when the workflow runs. # Blueprints & Agents # Blueprints and Agents ## Objective Design, visualize, and deploy standardized infrastructure templates across your environments. The **Blueprint Builder** allows you to design and deploy infrastructure templates. ## AI-Assisted Builder The Blueprint Builder uses an AI agent to help you design infrastructure templates. Instead of writing complex code from scratch, you describe what you want in plain English. ### How it Works 1. **Define Objective**: Start by describing your goal (e.g., "Create a highly available ECS cluster with an Application Load Balancer"). 2. **Generate Skeleton**: The AI analyzes your request and proposes a "Skeleton Plan" broken down into phases: * **Assessment**: Checks prerequisites and current state. * **Configuration**: Defines the resources and settings. * **Validation**: Ensures the design meets best practices. 3. **Refine and Customize**: Use the **Plan Builder Assistant** chat to refine tasks, add notes, or change deployment methods (CloudFormation or CLI). 4. **Finalize**: Once satisfied, the builder generates the executable blueprint. ### Key Capabilities - **Chat Interface**: Interact with the AI to iterate on your design. - **Phased Approach**: Structured plans ensure no steps are missed. - **Permission Calculation**: Automatically identifies the IAM permissions required to deploy the blueprint. - **Deployment Options**: Support for standard CloudFormation stacks or CLI-based deployments. To access it: 1. Click on **Blueprints & Agents** in the left sidebar. 2. Click **Create Blueprint** to start a new design. ![Blueprint Builder](/images/blueprint_builder.png) ## Running a Blueprint To execute an existing blueprint: 1. Navigate to **Blueprints & Agents** > **My Blueprints**. 2. Find the blueprint you want to run. 3. Click **Run Blueprint**. 4. Select the target environment. 5. Review the execution plan. 6. Click **Execute** to deploy. > **Note:** **Tip**: You can also run blueprints directly from recommendations by clicking the "Remediate" button. ## Agent History The **Agent History** tab shows the status and results of all blueprint executions and agent activities. ### Viewing Agent History 1. Navigate to **Blueprints & Agents**. 2. Click on the **Agent History** tab. 3. View all past and current agent executions. ### Agent Status Each agent execution displays: | Status | Description | |--------|-------------| | **Completed** | Successfully finished all steps | | **Running** | Currently executing | | **Waiting on user input** | Paused, awaiting your approval | | **Failed** | Encountered an error | ### Agent Details Click on any agent entry to view: - **Execution Timeline**: Step-by-step progress - **Logs**: Detailed output from each action - **Resources Modified**: What was created, updated, or deleted - **Errors**: Any issues encountered ### Managing Running Agents For agents that are running or waiting: - **Continue**: Resume execution after reviewing - **Mark As Complete**: Manually mark as finished - **View History**: See detailed execution logs > **Note:** **Human-in-the-Loop**: Agents will pause and request your approval before making state-changing operations in your AWS environment. ### Searching Agent History Use the search bar to find specific executions: - Search by blueprint name - Filter by status - Filter by date range # Reports # Reports ## Objective Generate and review compliance reports to assess your cloud security posture against industry frameworks. CloudAgent provides detailed security and compliance reports that help you understand your environment's adherence to best practices and regulatory requirements. ## Accessing Reports Reports can be accessed from multiple locations: 1. **Dashboard**: Quick access via the Reports widget 2. **Workload Details**: Reports specific to a workload in the Reports section 3. **Reports Page**: Navigate to **Reports** in the sidebar for the full report library ![Reports Page](/images/reports.png) ## Available Reports CloudAgent offers a comprehensive library of compliance and security reports: | Report | Category | Description | |--------|----------|-------------| | SOC2 Compliance Report | Security & Governance | Assesses environments against SOC2 categories like logical access, system operations, and confidentiality | | PCI DSS 3.2.1 Compliance Report | Security & Governance | Evaluates Payment Card Industry Data Security Standard requirements | | HIPAA Compliance Report | Security & Governance | Checks AWS configurations for HIPAA compliance across access, auditing, and encryption | | CIS AWS Foundations Benchmark v3.0 | Security & Governance | Evaluates AWS configuration against Center for Internet Security benchmarks | | NIST 800-53 v5 Compliance Report | Security & Governance | Assesses against NIST security and privacy controls | | NIST 800-171 Compliance Report | Security & Governance | Validates controlled unclassified information (CUI) protection | | NIST Cybersecurity Framework (CSF) Report | Security & Governance | Evaluates against the NIST CSF framework | | ISO 27001 Annex A Compliance Report | Security & Governance | Checks against ISO 27001 information security controls | | GDPR Compliance Report | Security & Governance | Reviews AWS practices against GDPR Articles 25, 30, and 32 | | FedRAMP Low Compliance Report | Security & Governance | Validates AWS services against FedRAMP Low controls | | FedRAMP Moderate Compliance Report | Security & Governance | Assesses environments for FedRAMP Moderate control coverage | | Canada GC Compliance Report | Security & Governance | Evaluates against Canadian Guardrail controls for access, monitoring, and encryption | | CMMC 2.0 Level 1 Compliance Report | Security & Governance | Checks basic safeguarding controls including access, authentication, and boundary protection | | CMMC 2.0 Level 2 Compliance Report | Security & Governance | Evaluates advanced CMMC Level 2 controls across identity, configuration, and secure communications | | RBI Cyber Security Framework Report | Security & Governance | Assesses against Reserve Bank of India cybersecurity guidelines | | AWS Resiliency and High Availability Report | Resilience & Backup | Checks multi-AZ deployments, delete protection, and backup configurations | | AWS Resource Backup Coverage Report | Resilience & Backup | Validates backup policies and coverage across resources | | Unused AWS Resources Report | Cost & Billing | Identifies idle or unused resources for cost optimization | | AWS Logging Status Report | Logging & Monitoring | Verifies CloudTrail, VPC Flow Logs, and other logging configurations | | AWS Public Resource Exposure Report | Security & Governance | Scans for publicly accessible resources | | AWS Encryption In-Transit Coverage Report | Security & Governance | Validates TLS/SSL configurations and encryption in transit | For the complete and up-to-date list, visit [cloudagent.io/libraries/all-reports](https://cloudagent.io/libraries/all-reports). ## Report Status Each report displays a status indicator: | Status | Meaning | |--------|---------| | **Passed** | All checks passed successfully | | **Warning** | Some non-critical findings require attention | | **Failed** | Findings that need remediation | | **Running** | Report generation in progress | ## Running a New Report 1. Navigate to the **Reports** page or workload details. 2. Click **+ Run New Report**. 3. Select the report type from the available options. 4. Choose the target environment(s). 5. Click **Generate** to start the report. > **Note:** **Processing Time**: Reports typically complete within 5-15 minutes depending on the size of your environment. ## Viewing Report Details Click **View Report** on any completed report to see: - **Executive Summary**: High-level overview of findings - **Detailed Findings**: Individual check results with pass/fail status - **Affected Resources**: Specific resources that need attention - **Remediation Steps**: Recommended actions to resolve issues - **Export Options**: Download as PDF for sharing with auditors ![Report Detail View](/images/report_detail.png) ## Scheduling Reports To run reports on a recurring schedule, create a workflow: 1. Navigate to **My Workflows**. 2. Click **+ Create Workflow**. 3. Select the report you want to schedule (e.g., "Canada GC Compliance Report"). 4. Configure the schedule (Daily, Weekly, Monthly). 5. Save the workflow. The report will run automatically at the scheduled time. > **Note:** **Notifications**: Configure email alerts in the workflow to receive reports automatically when they complete. ## Report History All generated reports are stored in your report history: - View past reports to track compliance trends - Compare results over time - Export historical data for audits # AI Assistant # CloudAgent Assistant The **CloudAgent Assistant** is an AI-powered companion designed to help you manage your cloud infrastructure using natural language. It lives in the bottom-right corner of the application and is always ready to assist. ## Overview The Assistant is capable of performing complex operations by connecting directly to your cloud environment and the CloudAgent backend. It translates your English requests into specific actions, such as running AWS CLI commands, deploying CloudFormation stacks, or managing your workloads. > **Note:** **Tip**: You can ask the Assistant to "explain" resources or errors to get context-aware answers. ## Capabilities The Assistant is equipped with a powerful set of tools that allow it to: ### 1. AWS Discovery and Inspection You can ask the Assistant to inspect your live AWS environment. It uses read-only AWS CLI commands to fetch real-time data. * **"List all EC2 instances in us-east-1."** * **"Describe the security group 'sg-12345'."** * **"Check if I have any S3 buckets with public access."** ### 2. Workload Management The Assistant can view and update your CloudAgent workloads directly. * **"List my workloads."** * **"Update the 'payments' workload to use the 'prod' environment."** * **"Add a rule to the 'portal' workload to prevent public S3 buckets."** ### 3. Infrastructure Deployment You can deploy or update infrastructure using CloudFormation. The Assistant will always ask for your approval before making changes. * **"Deploy a new S3 bucket named 'my-app-logs'."** * **"Update the 'payments-stack' to enable versioning."** * **"Create a standard VPC with 2 AZs."** (Uses built-in architecture templates) ### 4. Research and Validation The Assistant has access to the web to research best practices, validate syntax, and find solutions to errors. * **"How do I configure an ALB for gRPC?"** * **"Find the CloudFormation syntax for an ECS Fargate service."** * **"What does this error message mean?"** ## How to Use 1. Click the **CloudAgent** button in the bottom-right corner. 2. Type your request in plain English. 3. The Assistant will analyze your request and may: * Ask clarifying questions. * Run a read-only command to gather context. * Propose a plan of action (e.g., a CloudFormation template). 4. **Review and Approve**: For any action that modifies your infrastructure, the Assistant will present a plan. You must approve it before execution proceeds. ## Safety and Security * **Read-Only by Default**: The Assistant defaults to read-only actions for discovery. * **Human-in-the-Loop**: All state-changing operations (Create, Update, Delete) require explicit user confirmation. * **Guardrails**: Deployments are checked against your organization's security rules and policies. # MCP Integration # MCP Integration ## Objective Connect your IDE to CloudAgent using the Model Context Protocol (MCP) to build and deploy cloud infrastructure directly from your development environment. > **Note:** **What is MCP?** The Model Context Protocol is an open standard that allows AI-powered IDEs like Cursor to connect to external tools and services. CloudAgent's MCP server lets your AI coding assistant deploy infrastructure on your behalf, with built-in guardrails. ## Prerequisites Before setting up MCP, ensure you have: - A CloudAgent account with at least one [connected AWS environment](/guide/onboarding) - [Cursor IDE](https://cursor.com) installed (version 0.43 or later) - A workload configured with your team's security baselines and governance rules ## Step 1: Generate Your MCP Configuration 1. Log in to [CloudAgent](https://cloudagent.io). 2. Navigate to **My Account** → **Integrations**. 3. Click **Generate MCP Config**. 4. Select the **Workload** you want the IDE to deploy against. 5. Copy the generated configuration JSON. > **Note:** **Security Note**: The MCP configuration contains a secure token scoped to your selected workload. Do not share this token or commit it to version control. ## Step 2: Configure Cursor 1. Open Cursor IDE. 2. Open the Command Palette (`Cmd+Shift+P` on macOS, `Ctrl+Shift+P` on Windows/Linux). 3. Search for **"Cursor Settings: Open MCP Config"** and select it. 4. Paste your CloudAgent MCP configuration: ```json { "mcpServers": { "cloudagent": { "command": "npx", "args": ["-y", "@anthropic/cloudagent-mcp-server"], "env": { "CLOUDAGENT_API_KEY": "your-api-key-here", "CLOUDAGENT_WORKLOAD_ID": "your-workload-id" } } } } ``` 5. Save the file and restart Cursor. ## Step 3: Verify the Connection 1. Open a new chat in Cursor (Composer or Chat panel). 2. Type: **"List my CloudAgent workloads"** 3. If configured correctly, the AI will respond with your available workloads. You should see output similar to: ``` Connected to CloudAgent. Available workloads: - payments-api (prod) - user-portal (staging) - data-pipeline (dev) ``` ## Available MCP Capabilities Once connected, your IDE can perform the following operations through CloudAgent: ### Read Operations (No Approval Required) - List workloads and their configurations - View security baselines and governance rules - Check deployment status and history - Query AWS resources within workload scope ### Write Operations (Requires Approval) - Deploy infrastructure blueprints - Update workload configurations - Create or modify AWS resources > **Note:** **Guardrails Active**: All deployments are validated against your workload's security baselines before execution. If a request violates a security rule, it will be blocked with an explanation. ## Troubleshooting ### "Connection refused" or "Server not found" - Ensure your API key is valid and hasn't expired - Check that the workload ID matches an existing workload - Verify your network allows outbound HTTPS connections ### "Permission denied" on deployment - Your workload may have restrictive security baselines - Contact your security team to review the blocked rule - Check the CloudAgent dashboard for detailed error logs ### MCP server not appearing in Cursor - Restart Cursor after saving the MCP configuration - Ensure the JSON syntax is valid (no trailing commas) - Check Cursor's developer console for error messages ## Next Steps - **[Cookbook: Developing in the Corporate Cloud with Guardrails](/cookbooks/cursor-mcp)**: Learn the full workflow for teams using IDE-based cloud development. - **[Blueprints and Agents](/guide/blueprints)**: Create reusable infrastructure templates for your team. - **[Managing Workloads](/guide/workloads)**: Configure security baselines and governance rules. # FAQ # FAQ ## Objective Find answers to common questions about account management and platform usage. **Q: How do I reset my password?** A: On the login page, click the "Forgot password" link to initiate the password reset process. **Q: Where can I see my available credits?** A: Your available credits are displayed in the top navigation bar. **Q: How do I access the LLM-friendly documentation?** A: The consolidated documentation for AI agents is available at `/public/llms.txt` in the repository. # Cookbooks # Overview # Cookbooks Welcome to the CloudAgent Cookbooks! Here you will find step-by-step guides and recipes for common tasks and advanced configurations. ## Available Cookbooks * [**Developing in the Corporate Cloud with Guardrails**](/cookbooks/cursor-mcp) * Enable developers to build AWS infrastructure from Cursor IDE while security and platform teams maintain governance through CloudAgent's MCP integration. * [**Automating Remediation**](/cookbooks/remediation) * Learn how to identify security issues, remediate them with blueprints, and verify the fix in a full-circle workflow. # Automating Remediation # Automating Security Remediation from Discovery to Fix This cookbook guides you through a complete workflow: identifying a security issue, fixing it with a blueprint, and verifying the resolution. ## Objective Protect sensitive data by preventing accidental public exposure of S3 buckets. In this guide, we will use CloudAgent's recommendation engine to identify the risk and the blueprint builder to remediate it automatically. ## Step 1: Assessment Start by reviewing the **Recommendations** page to identify security findings. 1. Navigate to **Recommendations** in the sidebar. 2. Review the recommendation categories at the top (Critical Security, Cost Savings, Resource Cleanup, etc.). 3. Look for recommendations in the **Critical Security** category. 4. Locate the recommendation: **"Enable S3 Block Public Access at Account Level"**. > **Tip**: Click on a category card to filter the list by that category. ![Recommendations Page](/images/recommendation_click_guide.png) > **Note:** Public S3 buckets can expose sensitive data. Remediate this promptly unless public access is intentionally required. ## Step 2: Remediation CloudAgent allows you to generate a remediation blueprint directly from the recommendation. 1. Find the recommendation in the list. 2. Click **Run Blueprint** or **Generate Blueprint** in the Automatic Remediation column. 3. This opens the **Blueprint Builder** with a pre-configured template. 4. Review the generated CloudFormation template. 5. Click **Execute** to apply the fix. ### Example Snippet The blueprint will configure S3 Block Public Access at the account level: ```yaml Type: AWS::S3::AccountPublicAccessBlock Properties: AccountId: !Ref AWS::AccountId PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true ``` ## Step 3: Validation Once the deployment is complete, verify that the issue is resolved. 1. Go back to the **Recommendations** page. 2. Check that the recommendation status has changed or the item is no longer listed. 3. Optionally, run a compliance report to confirm the fix. > **Note:** You have successfully identified, remediated, and verified a security finding using CloudAgent. ## Next Steps - **[Recommendations](/guide/recommendations)**: Learn how to filter, prioritize, and act on all recommendation types - **[Blueprints and Agents](/guide/blueprints)**: Create custom blueprints for your organization's common remediation patterns - **[My Workflows](/guide/workflows)**: Automate recurring remediation tasks with scheduled workflows - **[Reports](/guide/reports)**: Run compliance reports to track your security posture over time # Cursor + MCP Integration # Developing in the Corporate Cloud with Guardrails ## Objective Enable developers to ship faster while maintaining security and compliance standards. This guide shows how to connect Cursor IDE to CloudAgent via MCP, allowing developers to provision AWS infrastructure using natural language while security and platform teams enforce governance automatically. ## The Challenge Modern development teams want speed. They want to provision infrastructure as fast as they can write code. But in enterprise environments, this creates tension: - **Developers** want self-service access to spin up resources quickly - **Security teams** need to enforce baselines (encryption, no public access, approved instance types) - **Platform teams** must ensure tagging, cost controls, and architectural standards The traditional approach (tickets, approval queues, and handoffs) slows everyone down. ## The Solution: IDE + CloudAgent MCP By connecting Cursor to CloudAgent via MCP (Model Context Protocol), you create a **governed self-service** model: ``` ┌─────────────────────────────────────────────────────────────────┐ │ CURSOR IDE │ │ ┌─────────────────────────────────────────────────────────┐ │ │ │ Developer: "Create an S3 bucket for user uploads" │ │ │ └─────────────────────────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ MCP Connection │ └────────────────────────────┬────────────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────────────────────┐ │ CLOUDAGENT │ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │ │ Security │ │ Platform │ │ Workload │ │ │ │ Baselines │ │ Governance │ │ Context │ │ │ │ │ │ │ │ │ │ │ │ • Encryption │ │ • Required │ │ • VPC scope │ │ │ │ • No public │ │ tags │ │ • IAM role │ │ │ │ • Approved │ │ • Naming │ │ • Region │ │ │ │ services │ │ standards │ │ │ │ │ └──────────────┘ └──────────────┘ └──────────────┘ │ │ │ │ │ ▼ │ │ Validated and Deployed to AWS │ └─────────────────────────────────────────────────────────────────┘ ``` **Result**: Developers move fast. Security and platform teams sleep well. ## Who Does What? ### Developer Workflow Developers interact with cloud infrastructure using natural language in their IDE: ``` Developer: "Create a DynamoDB table for session storage" ``` CloudAgent's MCP server: 1. Parses the request 2. Identifies the workload context 3. Generates a compliant blueprint 4. Applies security baselines and governance rules automatically 5. Returns a preview for approval 6. Deploys to AWS The developer never needs to know the specific tagging requirements, encryption settings, or VPC configurations; CloudAgent handles it. ### Security Team Workflow Security teams define **workload security baselines** in CloudAgent: | Baseline Rule | Effect | |--------------|--------| | `require-encryption-at-rest` | All S3, EBS, RDS resources must have encryption enabled | | `block-public-access` | Prevents creation of public S3 buckets or security groups with 0.0.0.0/0 | | `approved-instance-types` | Limits EC2 to approved instance families (e.g., t3, m5) | | `require-vpc` | All resources must be deployed within the designated VPC | When a developer request violates a baseline, CloudAgent blocks it and explains why: ``` Request blocked: Security baseline violation Rule: block-public-access Reason: S3 bucket 'user-uploads' cannot have public read access. Suggestion: Remove PublicReadAccess or request an exception from your security team. ``` ### Platform Team Workflow Platform teams configure **governance rules** on workloads: | Governance Rule | Example | |----------------|---------| | Required tags | `Environment`, `CostCenter`, `Owner` | | Naming conventions | `{env}-{app}-{resource}` pattern | | Region restrictions | Deploy only to `us-east-1` and `us-west-2` | | Cost controls | Maximum instance size, budget alerts | These rules are automatically applied to every deployment. If a developer forgets to specify tags, CloudAgent adds them based on the workload context. ## Step-by-Step Setup ### For Security Teams: Define Baselines 1. Navigate to **Cloud Setup & Workloads** → select your workload. 2. Go to the **Security Rules** tab. 3. Enable the baseline rules that match your organization's requirements: - Require encryption at rest - Block public access - Enforce TLS 1.2+ - Require VPC deployment 4. Click **Save**. > **Note:** **Tip**: Start with a restrictive baseline and add exceptions as needed. It's easier to relax rules than to tighten them after resources are deployed. ### For Platform Teams: Configure Governance 1. Navigate to **Cloud Setup & Workloads** → select your workload. 2. Go to the **Governance** tab. 3. Configure required tags: ```yaml required_tags: - key: Environment allowed_values: [dev, staging, prod] - key: CostCenter required: true - key: Owner default_from: workload.owner ``` 4. Set naming conventions: ```yaml naming_pattern: "{environment}-{workload_name}-{resource_type}" # Example output: prod-payments-api-bucket ``` 5. Click **Save**. ### For Developers: Connect Your IDE 1. Get your MCP configuration from CloudAgent (**My Account** → **Integrations**). 2. Open Cursor IDE → **Settings** → **MCP Config**. 3. Paste the configuration and restart Cursor. 4. Start building! > See the full setup guide: **[MCP Integration](/guide/mcp)** ## Example: Building a Feature End-to-End Let's walk through a real scenario: A developer needs to add file upload functionality to an application. ### Developer Request (in Cursor) ``` Create the infrastructure for user file uploads: - S3 bucket for storing files - Lambda function to process uploads - API Gateway endpoint for the upload API ``` ### CloudAgent Processing 1. **Context Injection**: CloudAgent identifies this is for the `user-portal` workload in `staging` 2. **Blueprint Generation**: Creates CloudFormation/Terraform with: - S3 bucket with encryption, versioning, and private access - Lambda with VPC configuration and IAM role - API Gateway with throttling 3. **Governance Applied**: Adds required tags and naming conventions 4. **Security Validation**: Checks all resources against baselines ### Preview Returned to Developer ```yaml # CloudAgent will deploy the following resources: Resources: staging-user-portal-uploads-bucket: Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true Tags: - Key: Environment Value: staging - Key: CostCenter Value: CC-1234 - Key: Owner Value: jane.developer@company.com # ... Lambda and API Gateway configs ... Security checks: All passed Governance checks: All passed Approve deployment? [Yes/No] ``` ### Developer Approves ``` Yes, deploy it. ``` ### Deployment Complete ``` Deployment successful! Created resources: - S3: staging-user-portal-uploads-bucket - Lambda: staging-user-portal-upload-processor - API Gateway: staging-user-portal-upload-api Endpoint: https://abc123.execute-api.us-east-1.amazonaws.com/uploads ``` **Total time: ~3 minutes**. No tickets. No handoffs. Full compliance. ## Handling Violations What happens when a developer tries something that violates the rules? ### Example: Attempting a Public Bucket ``` Developer: "Create a public S3 bucket for marketing assets" ``` ``` Deployment blocked Security baseline violation detected: • Rule: block-public-access • Resource: S3 bucket • Issue: Public access is not allowed for this workload Options: 1. Deploy as private bucket with CloudFront distribution (recommended) 2. Request a security exception through CloudAgent Would you like me to create a private bucket with CloudFront instead? ``` The developer can either accept the compliant alternative or escalate through proper channels, but they can't accidentally deploy a public bucket. ## Benefits Summary | Stakeholder | Before | After | |-------------|--------|-------| | **Developers** | Days waiting for infra tickets | Minutes via IDE chat | | **Security** | Manual reviews, missed violations | Automated enforcement, full coverage | | **Platform** | Chasing teams for tagging compliance | Auto-applied governance | | **Leadership** | Shadow IT and compliance risk | Full visibility and control | ## Next Steps - **[Set up MCP Integration](/guide/mcp)**: Technical guide to connect Cursor to CloudAgent - **[Managing Workloads](/guide/workloads)**: Configure security baselines and governance - **[CloudAgent Assistant](/guide/assistant)**: Use AI for cloud operations in the web UI > **Note:** **Ready to enable governed self-service for your team?** [Contact us](https://cloudagent.io/contact) for a demo of the MCP integration.