Autonomous Cloud Governance · PaaS

Govern your cloud
with intelligent agents

NURATRIX's govCloud platform deploys autonomous AI agents that continuously monitor, enforce, and optimize your cloud environment — from cost to compliance — so your team never has to.

Amazon AWS

Microsoft Azure

Google GCP

| Compliant with

FedRAMP

SOC 2

HIPAA

ITAR

govCloud Platform

Cloud governance as a
managed service

govCloud is Nuratrix's Platform-as-a-Service that wraps your entire AWS estate with a layer of autonomous intelligence. Deploy in minutes. Govern continuously.

Policy Automation Cost Governance Security Posture Drift Detection Compliance Audit Multi-Account

govCloud Architecture

🧠

AI Orchestration Layer

Autonomous agents coordinated by govCloud's central intelligence engine

🔌

AI Integration Layer

Hooks into Slack, Teams, Email and other notification mechanisms

📋

Policy Engine

Declarative rules evaluated continuously against live state

🔔

Response & Alerting

Auto-remediation actions and alerts

📊

govCloud Dashboard

Unified view of posture, costs, compliance score, and agent activity

Platform metrics

Built for real-world cloud scale

Autonomous Agents

99.9%

Platform Uptime SLA

∞

AWS Accounts Supported

<60s

Violation Response Time

24/7

Continuous Monitoring

Autonomous agents

Nine domain agents. One central brain.

Each govCloud agent specializes in one domain. The Orchestrator sits above them all — routing queries, resolving conflicts, and synthesizing every finding into a single coherent picture.

🧠 Central Intelligence Layer

Orchestrator Agent

The Orchestrator is the coordination engine that sits above all nine domain agents. It routes natural-language queries to the right specialist, resolves conflicts when multiple agents flag the same resource with different severities, and synthesizes cross-domain findings into a ranked daily briefing delivered to your team.

Multi-agent Routing Conflict Resolution Daily Briefings Natural Language

⚡

Smart routing — interprets intent and dispatches each query to the best-fit agent automatically

⚖️

Conflict resolution — when Security and Compliance agents disagree on severity, the Orchestrator applies policy precedence to produce a single authoritative verdict

📊

Cross-domain synthesis — aggregates findings from all active agents into a prioritized summary so your team acts on what matters most

💬

Chat interface — ask plain-English questions about your cloud and get answers sourced from all active agents in real time

🛡️

Active

Security Sentinel Agent

Continuously scans IAM policies, S3 bucket ACLs, security groups, and encryption settings. Auto-remediates misconfigurations and opens findings in your SIEM.

IAM Analysis S3 Posture Auto-remediate CloudTrail

💰

Active

FinOps Cost Agent

Monitors spend across accounts, detects anomalies, identifies right-sizing opportunities, and terminates idle resources based on configurable policies.

Cost Explorer Right-sizing Idle Cleanup Budget Alerts

✅

Active

Compliance Auditor Agent

Maps your AWS environment to FedRAMP, SOC 2, HIPAA, CIS Benchmarks, and NIST frameworks. Generates audit-ready evidence packages on demand.

FedRAMP HIPAA CIS Benchmarks SOC 2

🔍

Active

Drift Detection Agent

Compares live infrastructure state against approved baselines (Terraform, CloudFormation). Alerts on every unauthorized change and can trigger rollback workflows.

IaC Baseline Change Detection Rollback AWS Config

🌐

Active

Network Governance Agent

Audits VPC configurations, flow logs, Transit Gateway routing, and exposed endpoints. Blocks non-compliant ingress rules and maps your network blast radius.

VPC Audit Flow Logs Exposure Map Route Tables

🚨

Active

Incident Response Agent

Automatically triages GuardDuty findings, CloudTrail anomalies, and Security Hub alerts. Correlates signals across accounts, builds incident timelines, and triggers runbooks via Slack, Teams, or ServiceNow.

GuardDuty Auto-Triage Runbooks Security Hub

📈

Active

Cost Anomaly Agent

Detects sudden spend spikes across services, linked accounts, and regions using AWS Cost Explorer. Identifies root causes and triggers escalation workflows for anomalies above configurable thresholds.

Spike Detection Root Cause Cost Explorer Escalation

🔑

Active

IAM Access Analyzer

Surfaces public resource exposures via AWS Access Analyzer, flags unused IAM roles and stale access keys, and audits users missing MFA — continuously reducing your IAM blast radius.

Access Analyzer Unused Perms MFA Audit Stale Keys

💾

Active

Backup & DR Agent

Audits AWS Backup plans, vault encryption, and recovery point freshness. Flags unprotected production resources, cross-region backup gaps, and recent job failures before they become a disaster.

Backup Plans Vault Audit RPO Checks Cross-Region

Knowledge integrations

Agents that know your context

Connect govCloud to your existing knowledge bases via AWS Bedrock. Agents retrieve your runbooks, architecture docs, compliance evidence, and incident history when making decisions — so every finding comes with relevant context from your own data.

📄 Document sources

Amazon S3

Confluence

SharePoint Online

Salesforce

Web Crawler

Custom API

ServiceNow KB

Jira / Notion

🗄️ Vector stores

Amazon OpenSearch

Elasticsearch

Pinecone

Redis Enterprise

MongoDB Atlas

Aurora (pgvector)

OpenSearch Serverless

💡

Bring your own runbooks

Point govCloud at your S3 bucket or Confluence space and agents will automatically ground their recommendations in your team's documented standards — no retraining required.

Agent bundles

Pick the agents your cloud needs

govCloud deploys autonomous AI agents directly into your AWS account via a one-click CloudFormation role. Choose the bundle that fits your priorities — then deploy in minutes.

Monthly

Annual Save 20%

FinOps Bundle

Maximize cloud spend visibility and eliminate cost waste with AI-driven anomaly detection.

^$499 / mo

Billed annually — save $1,200/yr

✦ Includes 10 AWS accounts · $99/account/mo beyond 10

3 agents deployed

✓Security Sentinel — IAM, S3, encryption posture

✓FinOps Cost Agent — spend analysis & right-sizing

✓Cost Anomaly Agent — spike detection & root cause

–Network Security Agent

–IAM Access Analyzer

–Compliance Auditor

–Backup & DR Agent

–Incident Response Agent

–Infrastructure Drift Agent

Platform

✓Slack & Teams alerts

✓Email notifications

–ServiceNow integration

–govCloud Dashboard

Beyond govCloud

Nuratrix delivers end-to-end cloud services across AWS, Azure, and GCP — from migration strategy to training and certification.

🏗️

Cloud Infrastructure Setup

Full migration using the 5R strategy: Rehost, Refactor, Revise, Rebuild, or Replace your existing infrastructure.

💾

Storage & Disaster Recovery

Critical backups, business continuity, disaster recovery plans, storage lifecycle, and archive management.

🌐

Virtual Network Solutions

Cloud and hybrid environments, traffic filtering, routing, and virtual network integration.

🛡️

Security & Compliance

End-to-end protection for cloud infrastructure, application layers, and data privacy with compliance frameworks.

🤖

AI & Cognitive Solutions

Automate repetitive tasks, engage customers intelligently, and optimize quality with AI-driven workflows.

🚀

App & API Hosting

Reliable, cost-effective hosting for static sites, web apps, and APIs at any scale.

📦

Microservices & Containers

Containerize your architecture, manage images, and orchestrate seamless deployments.

⚙️

Custom Coding & DevOps

Bespoke development in all major languages plus full DevOps pipeline support.

📊

Data Analytics & Visualization

Transform raw data into actionable insights with advanced analytics and visual dashboards.

📡

IoT & Automation

Connect IoT devices, collect data, and support preventive maintenance with custom alerts.

⚡

Serverless Computing

Serverless solutions across all three stack layers — compute, integration, and data stores.

🎓

Cloud Training & Certification

Online and classroom training to prepare your team for Azure and AWS certifications.

Get in touch

Start your govCloud
journey today

Questions about pricing, a custom enterprise plan, or want to see a live demo?
Email us directly: services@nuratrix.com

#!/bin/bash
# ─────────────────────────────────────────────────────────────────────────────
# Nuratrix govCloud — Management Account Setup Script
#
# Run this from your AWS MANAGEMENT ACCOUNT with the AWS CLI configured.
# It performs the full one-time setup to onboard govCloud:
#
#  1.  Verify this is the management account
#  2.  Get org root ID
#  3.  Create (or reuse) a dedicated OU for the governance account
#  4.  Create (or reuse) the governance account
#  5.  Wait for account creation
#  6.  Move account into the OU (skipped if already there)
#  7.  Register governance account as CloudFormation StackSets delegated admin
#         (skipped if already registered)
#  8.  Deploy the Nuratrix bootstrap stack in the governance account
#         (creates NuratrixGovCloudRole + Terraform state bucket)
#  9.  Verify role access and return to management account
#
# Safe to re-run — every step checks whether the resource already exists
# and skips creation if so. This means a failed run can be retried without
# needing to delete any AWS accounts or OU resources.
#
# When complete, copy the values in the summary back into the nuratrix.com
# onboarding form to continue with payment and deployment.
# ─────────────────────────────────────────────────────────────────────────────

set -euo pipefail

# ── CONFIGURATION — pre-filled by nuratrix.com ────────────────────────────────
ACCOUNT_EMAIL="__GOVERNANCE_EMAIL__"
ACCOUNT_NAME="governance-platform"
OU_NAME="__OU_NAME__"
CUSTOMER_NAME="__CUSTOMER_NAME__"
EXTERNAL_ID="__EXTERNAL_ID__"
ROLE_NAME="OrganizationAccountAccessRole"
NURATRIX_GITHUB_ORG="nuratrix"
NURATRIX_GITHUB_REPO="governance-platform"
BOOTSTRAP_TEMPLATE_URL="https://s3.us-east-1.amazonaws.com/nuratrix.com/cloudformation/governance_account_bootstrap.yaml"
# ──────────────────────────────────────────────────────────────────────────────

echo "════════════════════════════════════════════════════════════════════"
echo "  Nuratrix govCloud — Management Account Setup"
echo "  Customer : $CUSTOMER_NAME"
echo "════════════════════════════════════════════════════════════════════"

# ── Step 1: Verify management account ────────────────────────────────────────
echo ""
echo "▶ Step 1: Verifying management account..."
CURRENT_ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
ORG_MGMT=$(aws organizations describe-organization \
  --query 'Organization.MasterAccountId' --output text 2>/dev/null || echo "")

if [ -z "$ORG_MGMT" ]; then
  echo "   ✗ AWS Organizations is not configured in this account."
  echo "   Please set up AWS Organizations before running this script."
  exit 1
fi

if [ "$CURRENT_ACCOUNT" != "$ORG_MGMT" ]; then
  echo "   ✗ This script must be run from the management account."
  echo "   Current account    : $CURRENT_ACCOUNT"
  echo "   Management account : $ORG_MGMT"
  exit 1
fi
echo "   ✓ Running in management account ($CURRENT_ACCOUNT)"

# ── Step 2: Get root ID ───────────────────────────────────────────────────────
echo ""
echo "▶ Step 2: Getting org root ID..."
ROOT_ID=$(aws organizations list-roots \
  --query 'Roots[0].Id' \
  --output text)
echo "   Root ID: $ROOT_ID"

# ── Step 3: Create (or reuse) governance OU ──────────────────────────────────
echo ""
echo "▶ Step 3: Checking for existing OU: $OU_NAME..."
EXISTING_OU_ID=$(aws organizations list-organizational-units-for-parent \
  --parent-id "$ROOT_ID" \
  --query "OrganizationalUnits[?Name=='${OU_NAME}'].Id" \
  --output text)

if [ -n "$EXISTING_OU_ID" ]; then
  OU_ID="$EXISTING_OU_ID"
  echo "   ↩ OU already exists — reusing: $OU_ID"
else
  echo "   Creating OU: $OU_NAME..."
  OU_ID=$(aws organizations create-organizational-unit \
    --parent-id "$ROOT_ID" \
    --name "$OU_NAME" \
    --query 'OrganizationalUnit.Id' \
    --output text)
  echo "   ✓ OU created: $OU_ID"
fi

# ── Step 4: Create (or reuse) governance account ─────────────────────────────
echo ""
echo "▶ Step 4: Checking for existing account: $ACCOUNT_EMAIL..."
EXISTING_ACCOUNT_ID=$(aws organizations list-accounts \
  --query "Accounts[?Email=='${ACCOUNT_EMAIL}' && Status=='ACTIVE'].Id" \
  --output text)

if [ -n "$EXISTING_ACCOUNT_ID" ]; then
  GOVERNANCE_ACCOUNT_ID="$EXISTING_ACCOUNT_ID"
  echo "   ↩ Account already exists — reusing: $GOVERNANCE_ACCOUNT_ID"
else
  echo "   Creating governance account: $ACCOUNT_NAME ($ACCOUNT_EMAIL)..."
  REQUEST_ID=$(aws organizations create-account \
    --email "$ACCOUNT_EMAIL" \
    --account-name "$ACCOUNT_NAME" \
    --role-name "$ROLE_NAME" \
    --query 'CreateAccountStatus.Id' \
    --output text)
  echo "   Request ID: $REQUEST_ID"

# ── Step 5: Wait for account creation ──────────────────────────────────────
  echo ""
  echo "▶ Step 5: Waiting for account creation to complete..."
  while true; do
    STATUS=$(aws organizations describe-create-account-status \
      --create-account-request-id "$REQUEST_ID" \
      --query 'CreateAccountStatus.State' \
      --output text)
    echo "   Status: $STATUS"

if [ "$STATUS" == "SUCCEEDED" ]; then
      break
    elif [ "$STATUS" == "FAILED" ]; then
      REASON=$(aws organizations describe-create-account-status \
        --create-account-request-id "$REQUEST_ID" \
        --query 'CreateAccountStatus.FailureReason' \
        --output text)
      echo "   ✗ Account creation FAILED. Reason: $REASON"
      echo "   Re-run this script to retry — all completed steps will be skipped."
      exit 1
    fi

echo "   Still in progress — waiting 15 seconds..."
    sleep 15
  done

GOVERNANCE_ACCOUNT_ID=$(aws organizations describe-create-account-status \
    --create-account-request-id "$REQUEST_ID" \
    --query 'CreateAccountStatus.AccountId' \
    --output text)
  echo "   ✓ Account created: $GOVERNANCE_ACCOUNT_ID"
fi

# ── Step 6: Move account into governance OU (skip if already there) ───────────
echo ""
echo "▶ Step 6: Checking account placement..."
CURRENT_PARENT=$(aws organizations list-parents \
  --child-id "$GOVERNANCE_ACCOUNT_ID" \
  --query 'Parents[0].Id' \
  --output text)

if [ "$CURRENT_PARENT" == "$OU_ID" ]; then
  echo "   ↩ Account is already in OU $OU_ID — skipping move"
else
  echo "   Moving governance account into OU: $OU_NAME..."
  aws organizations move-account \
    --account-id "$GOVERNANCE_ACCOUNT_ID" \
    --source-parent-id "$CURRENT_PARENT" \
    --destination-parent-id "$OU_ID"
  echo "   ✓ Account moved"
fi

aws organizations list-accounts-for-parent \
  --parent-id "$OU_ID" \
  --query 'Accounts[*].{Name:Name,Id:Id,Status:Status}' \
  --output table

# ── Step 7: Register governance account as StackSets delegated administrator ──
echo ""
echo "▶ Step 7: Checking StackSets delegated admin registration..."

ALREADY_REGISTERED=$(aws organizations list-delegated-administrators \
  --service-principal stacksets.cloudformation.amazonaws.com \
  --query "DelegatedAdministrators[?Id=='${GOVERNANCE_ACCOUNT_ID}'].Id" \
  --output text 2>/dev/null || echo "")

if [ -n "$ALREADY_REGISTERED" ]; then
  echo "   ↩ Already registered as StackSets delegated admin — skipping"
else
  echo "   Activating CloudFormation Organizations access..."
  aws cloudformation activate-organizations-access 2>&1 || true

echo "   Enabling service access for StackSets delegated admin..."
  aws organizations enable-aws-service-access \
    --service-principal stacksets.cloudformation.amazonaws.com 2>&1 || true

echo "   Registering governance account as delegated admin..."
  if aws organizations register-delegated-administrator \
    --account-id "$GOVERNANCE_ACCOUNT_ID" \
    --service-principal stacksets.cloudformation.amazonaws.com 2>&1; then
    echo "   ✓ Governance account ($GOVERNANCE_ACCOUNT_ID) registered as StackSets delegated admin"
  else
    echo ""
    echo "   ⚠ Automated registration failed. Complete this step manually:"
    echo ""
    echo "   1. Open the AWS CloudFormation console (management account)"
    echo "   2. In the left nav, click StackSets"
    echo "   3. If prompted, click 'Enable trusted access'"
    echo "   4. Go to: AWS Organizations console → Services"
    echo "      → CloudFormation StackSets → Register delegated administrator"
    echo "      → Enter account ID: $GOVERNANCE_ACCOUNT_ID"
    echo ""
    echo "   The rest of this script will continue — you can complete Step 7"
    echo "   manually and re-run the script to verify (it will skip if done)."
    echo ""
  fi
fi

# ── Step 8: Deploy bootstrap stack in governance account ─────────────────────
echo ""
echo "▶ Step 8: Deploying Nuratrix bootstrap stack in governance account..."
echo "   Assuming role into governance account..."

CREDS=$(aws sts assume-role \
  --role-arn "arn:aws:iam::${GOVERNANCE_ACCOUNT_ID}:role/${ROLE_NAME}" \
  --role-session-name "nuratrix-bootstrap-$$" \
  --query 'Credentials.{A:AccessKeyId,S:SecretAccessKey,T:SessionToken}' \
  --output json)

export AWS_ACCESS_KEY_ID=$(echo "$CREDS"     | python3 -c "import sys,json; print(json.load(sys.stdin)['A'])")
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | python3 -c "import sys,json; print(json.load(sys.stdin)['S'])")
export AWS_SESSION_TOKEN=$(echo "$CREDS"     | python3 -c "import sys,json; print(json.load(sys.stdin)['T'])")

echo "   ✓ Assumed role — now operating in governance account"
aws sts get-caller-identity --query '{Account:Account,Arn:Arn}' --output table

echo "   Downloading bootstrap template..."
curl -s "$BOOTSTRAP_TEMPLATE_URL" -o /tmp/nuratrix-bootstrap.yaml

echo "   Deploying stack (takes ~2 minutes)..."
aws cloudformation deploy \
  --template-file /tmp/nuratrix-bootstrap.yaml \
  --stack-name "nuratrix-govcloud-bootstrap" \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides \
    CustomerName="$CUSTOMER_NAME" \
    ExternalId="$EXTERNAL_ID" \
    NuratrixGithubOrg="$NURATRIX_GITHUB_ORG" \
    NuratrixGithubRepo="$NURATRIX_GITHUB_REPO" \
  --no-fail-on-empty-changeset

echo "   ✓ Bootstrap stack deployed"

# Extract outputs from the stack
ROLE_ARN=$(aws cloudformation describe-stacks \
  --stack-name "nuratrix-govcloud-bootstrap" \
  --query "Stacks[0].Outputs[?OutputKey=='RoleArn'].OutputValue" \
  --output text)

STATE_BUCKET=$(aws cloudformation describe-stacks \
  --stack-name "nuratrix-govcloud-bootstrap" \
  --query "Stacks[0].Outputs[?OutputKey=='StateBucket'].OutputValue" \
  --output text)

echo "   Role ARN     : $ROLE_ARN"
echo "   State Bucket : $STATE_BUCKET"

# ── Step 9: Verify and return to management account ──────────────────────────
echo ""
echo "▶ Step 9: Returning to management account..."
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
aws sts get-caller-identity --query '{Account:Account,Arn:Arn}' --output table
echo "   ✓ Back in management account"

# ── Summary ───────────────────────────────────────────────────────────────────
echo ""
echo "════════════════════════════════════════════════════════════════════"
echo "  ✓ Setup complete! Copy these values into nuratrix.com to continue:"
echo ""
echo "  Governance Account ID : $GOVERNANCE_ACCOUNT_ID"
echo "  OU ID                 : $OU_ID"
echo "  Role ARN              : $ROLE_ARN"
echo "  State Bucket          : $STATE_BUCKET"
echo "════════════════════════════════════════════════════════════════════"

#!/bin/bash
# ─────────────────────────────────────────────────────────────────────────────
# Nuratrix govCloud — Single Account Setup Script
#
# Run this from your AWS account with the AWS CLI configured.
# Performs a one-time setup to deploy the Nuratrix govCloud platform:
#
#  1.  Verify account identity
#  2.  Deploy the Nuratrix bootstrap stack
#         (creates NuratrixGovCloudRole + Terraform state bucket)
#  3.  Print outputs to paste back into nuratrix.com
#
# Safe to re-run — CloudFormation skips unchanged resources.
# ─────────────────────────────────────────────────────────────────────────────

set -euo pipefail

# ── CONFIGURATION — pre-filled by nuratrix.com ────────────────────────────────
CUSTOMER_NAME="__CUSTOMER_NAME__"
EXTERNAL_ID="__EXTERNAL_ID__"
NURATRIX_GITHUB_ORG="nuratrix"
NURATRIX_GITHUB_REPO="governance-platform"
BOOTSTRAP_TEMPLATE_URL="https://s3.us-east-1.amazonaws.com/nuratrix.com/cloudformation/governance_account_bootstrap.yaml"
# ──────────────────────────────────────────────────────────────────────────────

echo "════════════════════════════════════════════════════════════════════"
echo "  Nuratrix govCloud — Single Account Setup"
echo "  Customer : $CUSTOMER_NAME"
echo "════════════════════════════════════════════════════════════════════"

# ── Step 1: Verify account ────────────────────────────────────────────────────
echo ""
echo "▶ Step 1: Verifying account identity..."
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
echo "   ✓ Deploying into account: $ACCOUNT_ID"
aws sts get-caller-identity --query '{Account:Account,Arn:Arn}' --output table

# ── Step 2: Deploy bootstrap stack ───────────────────────────────────────────
echo ""
echo "▶ Step 2: Deploying Nuratrix bootstrap stack..."
echo "   Downloading bootstrap template..."
curl -s "$BOOTSTRAP_TEMPLATE_URL" -o /tmp/nuratrix-bootstrap.yaml

echo "   ✓ Bootstrap stack deployed"

ROLE_ARN=$(aws cloudformation describe-stacks \
  --stack-name "nuratrix-govcloud-bootstrap" \
  --query "Stacks[0].Outputs[?OutputKey=='RoleArn'].OutputValue" \
  --output text)

STATE_BUCKET=$(aws cloudformation describe-stacks \
  --stack-name "nuratrix-govcloud-bootstrap" \
  --query "Stacks[0].Outputs[?OutputKey=='StateBucket'].OutputValue" \
  --output text)

echo "   Role ARN     : $ROLE_ARN"
echo "   State Bucket : $STATE_BUCKET"

# ── Summary ───────────────────────────────────────────────────────────────────
echo ""
echo "════════════════════════════════════════════════════════════════════"
echo "  ✓ Setup complete! Copy these values into nuratrix.com to continue:"
echo ""
echo "  Account ID   : $ACCOUNT_ID"
echo "  Role ARN     : $ROLE_ARN"
echo "  State Bucket : $STATE_BUCKET"
echo "════════════════════════════════════════════════════════════════════"

Govern your cloudwith intelligent agents

Cloud governance as amanaged service

Built for real-world cloud scale

Nine domain agents. One central brain.

Orchestrator Agent

Security Sentinel Agent

FinOps Cost Agent

Compliance Auditor Agent

Drift Detection Agent

Network Governance Agent

Incident Response Agent

Cost Anomaly Agent

IAM Access Analyzer

Backup & DR Agent

Agents that know your context

Pick the agents your cloud needs

Beyond govCloud

Cloud Infrastructure Setup

Storage & Disaster Recovery

Virtual Network Solutions

Security & Compliance

AI & Cognitive Solutions

App & API Hosting

Microservices & Containers

Custom Coding & DevOps

Data Analytics & Visualization

IoT & Automation

Serverless Computing

Cloud Training & Certification

Start your govCloudjourney today

Your deployment details

Run the setup script

Enter script outputs

Payment details

Confirm your deployment

Deployment initiated!

Govern your cloud
with intelligent agents

Cloud governance as a
managed service

Start your govCloud
journey today