RightSpend

Commitment-free EC2 cost optimization. How RightSpend works, what permissions it needs, and how accounts are managed.

How RightSpend Works

RightSpend maximizes the Effective Savings Rate (ESR) of AWS EC2 Compute costs by dynamically optimizing Convertible Reserved Instances (cRIs). It achieves discounts equivalent to 3-year all-upfront Compute Savings Plans — without the commitment or upfront cash outlay.

Read-Only Monitoring

Continuously monitors EC2 usage, Savings Plans, and Reserved Instances across every account in your AWS Organization.

Dynamic cRI Optimization

Purchases, modifies, and exchanges Convertible Reserved Instances hourly to match actual compute usage. No forecasting required.

Zero Commitment

If your usage decreases, commitments scale down accordingly. No overcommitment risk, no unused reservations, no upfront payment.

What RightSpend does NOT do: We never have write access to EC2 instances or any AWS resources other than Reserved Instances and Convertible Reserved Instances in designated cRI accounts. We do not move accounts between organizations, buy or sell RIs on the marketplace, or require changes to your existing Savings Plans.

IAM Permissions

RightSpend uses three distinct IAM roles, each following the principle of least privilege. Each role is deployed only where it's needed.

1. ReadOnly Role — All Member Accounts

CloudFix-RightSpend-ReadOnly-Role — deployed to every account in your Organization.

Permissions:

  • ec2:DescribeInstances — point-in-time running instance count
  • ec2:DescribeCapacityReservations / ec2:GetCapacityReservationUsage
  • ec2:DescribeHosts — dedicated host monitoring
  • ec2:DescribeReservedInstances — existing RI inventory
  • ec2:DescribeRegions
  • savingsplans:DescribeSavingsPlans

Only Describe and List actions. No write access to any resources.

2. ReadOnly Master Role — Management Account Only

CloudFix-RightSpend-ReadOnly-Master-Role — deployed only to your AWS management (payer) account.

Permissions:

  • organizations:ListAccounts / organizations:ListRoots — enumerate all Org accounts
  • ce:GetCostAndUsage — aggregate billing data
  • ce:GetReservationCoverage / ce:GetReservationUtilization
  • ce:GetSavingsPlansCoverage / ce:GetSavingsPlansUtilization
  • ce:GetSavingsPlansPurchaseRecommendation
  • cloudformation:CreateStackInstances / cloudformation:ListStackSetOperations — auto-deploy ReadOnly role to member accounts (limited to CloudFix-RightSpend stacks only)

3. Write Role — cRI Accounts Only

CloudFix-RightSpend-Write-Role — deployed only to the designated account(s) used for managing Convertible Reserved Instances.

Permissions:

  • ec2:DescribeReservedInstances
  • ec2:AcceptReservedInstancesExchangeQuote
  • ec2:GetReservedInstancesExchangeQuote
  • ec2:PurchaseReservedInstancesOffering
  • ec2:ModifyReservedInstances
  • ec2:DescribeReservedInstancesOfferings
  • ec2:DescribeReservedInstancesModifications
  • ec2:DescribeReservedInstancesListings
  • organizations:DescribeOrganization

Limited to cRI operations only. This role cannot touch EC2 instances, S3 buckets, VPCs, databases, or any other AWS resource. It can only purchase, modify, and exchange Convertible Reserved Instances.
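
Before trusting a least-privilege claim, a reviewer can compare the policy actually attached to a role with the action lists above. The following is an added example, not CloudFix code: the function name and both sample policies are constructed for illustration, and only the ReadOnly and Write lists are encoded.

```python
# Actions this page lists for each role (copied from the lists above).
DOCUMENTED = {
    "ReadOnly": """ec2:DescribeInstances ec2:DescribeCapacityReservations
        ec2:GetCapacityReservationUsage ec2:DescribeHosts
        ec2:DescribeReservedInstances ec2:DescribeRegions
        savingsplans:DescribeSavingsPlans""",
    "Write": """ec2:DescribeReservedInstances
        ec2:AcceptReservedInstancesExchangeQuote
        ec2:GetReservedInstancesExchangeQuote
        ec2:PurchaseReservedInstancesOffering ec2:ModifyReservedInstances
        ec2:DescribeReservedInstancesOfferings
        ec2:DescribeReservedInstancesModifications
        ec2:DescribeReservedInstancesListings
        organizations:DescribeOrganization""",
}

def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def undocumented_grants(policy, role):
    """Return sorted findings for Allow entries outside the documented list."""
    # IAM action names are case-insensitive, so compare in lower case.
    allowed = {a.lower() for a in DOCUMENTED[role].split()}
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append("NotAction used in Allow statement")
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                # Wildcards cannot be expanded offline, so always flag them.
                findings.append(f"wildcard: {action}")
            elif action.lower() not in allowed:
                findings.append(f"undocumented: {action}")
    return sorted(findings)

# Constructed sample policies, not taken from the CloudFix templates.
CLEAN = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:describereservedinstances", "ec2:ModifyReservedInstances"]}]}
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(undocumented_grants(CLEAN, "Write"))
    print(undocumented_grants(BROAD, "Write"))
```

An empty result means every allowed action appears in the documented list for that role; it says nothing about Resource or Condition scoping, which still needs a manual read.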

CloudFormation Templates

All roles are deployed via CloudFormation. You can review the templates before deployment:

Template                  Deploys To            Link
ReadOnly Master           Management account    s3.amazonaws.com/.../ReadOnly-Master.yaml
ReadOnly Member           All member accounts   s3.amazonaws.com/.../ReadOnly.yaml
Write Role                cRI accounts only     s3.amazonaws.com/.../Write.yaml
Master (No Auto-Deploy)   Management account    s3.amazonaws.com/.../ReadOnly-Master-NoCreateInstances.yaml

Onboarding Process

1. Enable Hourly Granularity

In your AWS management account, enable hourly Cost Explorer data under Billing and Cost Management → Cost Management Preferences.

2. Install READ Permissions

Deploy the ReadOnly Master CloudFormation stack in your management account. This automatically deploys the ReadOnly role to all member accounts via StackSets.

3. Invite cRI Account

Send an invitation from your management account to the RightSpend cRI account. CloudFix accepts the invitation and deploys the Write role.

4. Dry-Run (Optional)

Preview the commitment allocation produced by the algorithm before activating live optimization.

Account Transfer Process

When a customer transitions to managing their own cRI accounts, the following transfer process is used:

1. Customer sends invitation from their management account to the cRI account being transferred.
2. CloudFix handles: accepts the invitation, checks tax settings (removes TRN if not inherited from master payer), and deploys the RightSpend Write role.
3. Customer updates root email (optional) — see AWS guide.

Billing & Terms

AWS Marketplace

RightSpend is available through AWS Marketplace as a SaaS subscription. Customers subscribe directly through AWS and charges appear on the AWS bill. EDP-eligible.

Pricing Model

Share of net new savings. If RightSpend doesn't save you money, you don't pay. Typical subscription rates range from 18-25% of realized savings.

API Impact

RightSpend calls ec2.DescribeInstances approximately once per hour per account. AWS rate limits for this API are 10 requests/second. RightSpend's usage represents 0.0028% of the rate limit — effectively negligible.
