Cloud Scal3 Tools

Stop leaving MAP credits on the table. Start seeing where your network spend is actually going.

Cloud Scal3 Tools extends FinOps Center into a cross-account action platform — giving Cloud Engineers the tools to protect MAP credits across every account, satisfy Bedrock AI workload eligibility, and trace network charges back to the workloads generating them. All without touching the AWS console.

Available on AWS Marketplace · Deploys inside your AWS estate · Control Tower native

Your Cloud Engineers are executing tasks that don't require cloud engineering.

WHY DID WE BUILD IT?

Applying a MAP cost allocation tag. Purchasing a Savings Plan. Creating a Bedrock inference profile. These tasks aren't technically complex — they just require AWS console access. And since most FinOps and business teams don't have it, they end up on the Cloud Engineer's queue by default.

Cloud Scal3 Tools routes execution to the person who owns the decision. A FinOps Leader approves a Savings Plan purchase without filing a ticket. A Cloud Engineer applies MAP tags across every account from FinOps Center — not the console. The action happens at the right level, by the right person, without the handoff delay.

The result: lower total cost of AWS management. Cloud engineering time stays on work that actually requires it. CFM execution — the non-technical half of the job — gets done by the teams who own the outcome.

THE ARCHITECTURE

One cross-account role.
Three capabilities unlocked.

The IAM role Cloud Scal3 Tools deploys to member accounts via Control Tower-delegated StackSets is the infrastructure that makes all of this possible. Same governance model that manages your entire AWS organization.

The cross-account role
Deployed via Control Tower StackSets to every member account

MAP Tagging + Bedrock

Tag eligible resources. Create inference profiles. Across every account, on demand.

VPC Flow Logs

Enable Flow Log delivery from every member account to a central S3 bucket.

Savings Plans

Execute Savings Plan purchases from the payer account on approval.

Cloud Engineers act from FinOps Center. Cloud Scal3 Tools executes in the member account. Every action is logged, attributed, and auditable.

The architecture of a FinOps platform that doesn't just show you the problem — it gives your team the tools to fix it.

MAP TAGGING AUTOMATION

MAP compliance at scale is a manual problem. We automated it.

Migration Acceleration Program credits are only earned when the right resources carry the right tags. Across dozens of accounts, keeping up with new resources, tag drift, and Bedrock AI workloads is an operational burden — and every untagged resource is a credit at risk.

Nightly · How it works
  1. Scan

    Every member account in your AWS organization, every night.

  2. Identify

    Resources eligible for MAP credits but not yet tagged.

  3. Queue

    Tagging tasks created automatically in the Cloud Engineer's queue.

  4. Execute

    Single-action tagging across member accounts via cross-account role.

No console access. No account switching. No spreadsheets.

What gets tracked
Pending tagging

Resources eligible for MAP credits but not yet tagged, by contract.

Tag drift

Resources that had the correct tag and lost it.

Days pending

So nothing ages out of eligibility unnoticed.

Completion history

Engineer, timestamp, and result per task — fully auditable.

Credits at risk · made visible

The number that matters to FinOps Leaders.

The Tag Management screen surfaces a live credits-at-risk figure — the MAP credit value tied to untagged or drifted resources at any given moment. Reviewing MAP contract performance starts here.

A SPECIAL CASE · BEDROCK AI WORKLOADS

Bedrock breaks MAP. Inference profiles fix it.

Amazon Bedrock introduces a complication that catches most MAP customers off guard: foundation models cannot be tagged directly. AWS owns the model ARNs.

The problem

You can't apply map-migrated to a Bedrock foundation model the way you would an EC2 instance or RDS database. AWS owns those ARNs.

Most teams skip the tagging step, lose the credits, and lose AI workload attribution.

The fix

An Application Inference Profile — a customer-owned resource that wraps the foundation model, can be tagged, and satisfies MAP eligibility for AI workloads.

Cloud Scal3 Tools handles the multi-step process end to end.

How inference profile management works
  1. Nightly scan identifies a Bedrock AI workload that's MAP-eligible but untagged. A Bedrock task — distinct from standard MAP tagging — appears in the Cloud Engineer's queue.

  2. Cloud Engineer initiates profile creation from the Tag Management screen.

  3. bedrock:CreateInferenceProfile executed in the correct member account via the cross-account role.

  4. The map-migrated tag is applied to the resulting profile ARN automatically.

  5. Profile ARN is recorded against the workload for future drift monitoring.

Every Bedrock workload running through a properly tagged inference profile is simultaneously:

  • Eligible for MAP AI credits
  • Attributed to a specific workload in FinOps Center
  • Visible to Agent Bill as a named AI spend dimension

Teams that skip inference profile creation lose MAP credits and lose workload-level AI cost attribution. Cloud Scal3 Tools makes the correct path the easy path.

VPC FLOW LOGS · NETWORK COST VISIBILITY

See where your network charges actually come from.

Network costs are one of the most opaque line items in any AWS bill. CUR tells you how much. It doesn't tell you which workload. Flow Logs close that gap.

CUR alone tells you
  • Total data transfer spend by account and usage type
  • NAT Gateway charges by account
  • Cross-AZ and cross-region transfer costs
  • Directional breakdown — inbound vs outbound
Flow Logs add
  • Which specific EC2 instance or container is generating the traffic
  • Source and destination IP pairs — Datadog, Snowflake, S3, anywhere
  • Whether Bedrock workloads route via VPC endpoint or expensive NAT Gateway
  • Cross-AZ charges traced back to the specific workload causing them
The cost difference invisible in CUR

PrivateLink vs NAT Gateway for Bedrock.

Bedrock can be called two ways from within a VPC. CUR shows you the NAT Gateway charge. It doesn't show you that it's coming from Bedrock — or which workload is responsible.

VPC Endpoint
  • Low latency
  • No NAT Gateway cost
  • Traffic stays on AWS backbone
NAT Gateway
  • NAT Gateway data processing charge
  • Adds to every Bedrock invocation
  • Hidden in CUR

Flow Log enrichment makes the connection — attributing NAT Gateway overhead back to the specific Application Inference Profile and the Product Owner's budget.

How it works in FinOps Center

  1. Enable

    Cloud Scal3 Tools enables VPC Flow Log delivery from every member account to a central S3 bucket in the delegated admin account.

  2. Catalog

    Nightly Glue crawler updates the Athena table.

  3. Join

    Join view correlates Flow Log records with CUR 2.0 line items on resource ID.

  4. Surface

    Cost Management QuickSight topic gains new dimensions: network destination endpoint, estimated traffic cost by workload, PrivateLink vs public routing split.

  5. Ask

    Agent Bill answers questions like "Which product is generating the most NAT Gateway spend?" or "Is the DataPlatform team using PrivateLink for Bedrock?"

A VPC coverage view in the Admin screen shows which VPCs across which accounts have Flow Logs enabled — so you always know the scope of your visibility.

SAVINGS PLANS · BUY WITHOUT THE CONSOLE

The recommendation is straightforward. The execution is where most organizations stall.

A one- or three-year Compute Savings Plan can reduce eligible spend by up to 66%. But purchasing requires payer account access — which means a ticket, a review cycle, and days of delay. The business user who owns the budget has no path to act. Cloud Scal3 Tools removes that dependency entirely.

Recommendation → Approval → Execution · One workflow
  1. Recommendation surfaces

    From AWS Cost Optimization Hub — AWS's native engine analyzing your actual usage patterns and commitment coverage.

  2. Review in Savings Management screen

    Projected savings, break-even timeline, term, payment option — all visible to the FinOps Center user. No console access. No AWS credentials.

  3. Approve directly

    The user responsible for the budget approves the purchase from the same screen they reviewed it on.

  4. Workflow executes

    Purchase request flows through configured approval thresholds, then executes from the payer account using the Cloud Scal3 Tools relay role.

  5. Confirmation recorded

    AWS commitment confirmation is returned and recorded against the recommendation in FinOps Center — closing the loop.

Agent Bill
Conversational variant

Or buy through Agent Bill, in a single conversation.

A Portfolio Manager can ask Agent Bill to review pending Cost Optimization Hub recommendations, understand the projected savings and break-even timeline, and initiate the purchase — all without leaving the chat interface.

“Review the pending SP recommendations for the Operations portfolio.”
Three recommendations totaling $4,200/mo in projected savings. Best ROI: Compute SP, 1-year, no upfront — $1,840/mo savings, breakeven in 2.3 months. Want me to queue the purchase for your approval?

This is the difference between a FinOps platform that surfaces recommendations and one that closes the loop — recommendation, approval, execution, all in one place, by the person responsible for the budget.

Every purchase, fully recorded

A complete audit record on every Savings Plans purchase initiated through Cloud Scal3 Tools — available in FinOps Center, queryable by Agent Bill, reportable to finance.

  • Who initiated, and when
  • Who provided secondary approval (if required)
  • The Cost Optimization Hub recommendation it was purchased against
  • The offering selected — term, payment option, hourly commitment
  • The AWS confirmation ID returned on execution

Guardrails to match your governance

The approval threshold is configurable at install and adjustable by a FinOps Leader at any point.

Higher risk tolerance

Single approval flows most purchases through.

Stricter financial controls

Dual approval required on any commitment, regardless of size.

Guardrails live in FinOps Center — not in a spreadsheet, not in an email chain.