BYO Cloud

Cendriix follows a Bring Your Own Cloud (BYO-Cloud) execution model: your agents run inside your AWS account, not ours. The Cendriix control plane orchestrates work, but every tool call — code checkout, build, deploy, infrastructure mutation — executes against resources you own.

Why BYO Cloud

Benefit            Detail
Data residency     Source code, secrets, and artifacts never leave your VPC
Least privilege    You define exactly which AWS services agents may touch
Audit              CloudTrail in your account records every API call agents make
Cost visibility    Agent compute appears on your AWS bill, not a third-party line item
Compliance         SOC 2, HIPAA, and GDPR controls remain under your governance

How it works

The Cendriix control plane runs in a dedicated AWS account. When an agent needs to act on your infrastructure, the platform uses an IAM cross-account relay:

Cendriix Control Plane (us-east-1)
├── Orchestrator
├── Agent Runtime (EKS)
└── DataPlane IAM Relay
        │ sts:AssumeRole
        ▼
Your AWS Account
├── Customer Cross-Account Role
├── Your GitHub / GitLab / Jira
└── Your Infrastructure (EKS, Lambda, RDS, etc.)

  1. Agent Runtime — runs on EKS in the Cendriix VPC, executing the orchestration plan.
  2. DataPlane IAM Relay — a cross-account trust relationship between the Cendriix account and your account.
  3. Customer Cross-Account Role — an IAM role in your account that the relay assumes via sts:AssumeRole.
  4. Agents use the assumed credentials to interact with your cloud resources, source control, and tooling.

Setup

BYO Cloud is configured during workspace onboarding. You can also add or update the connection later from Settings → Cloud.

Step 1 — Create the IAM role

In your AWS account, create an IAM role with a trust policy that allows the Cendriix orchestration service account to assume it. The exact trust policy JSON is displayed in the onboarding wizard.

Step 2 — Attach the Cendriix policy

Attach the Cendriix-managed IAM policy to the role. This grants the minimum permissions agents need:

Permission                           Purpose
bedrock:InvokeModel                  LLM inference for agent reasoning
dynamodb:GetItem, PutItem, Query     Agent state and run metadata
s3:GetObject, PutObject              Build artifacts, code snapshots
sts:AssumeRole                       Cross-account relay

You can further restrict these permissions by resource ARN to limit agents to specific tables, buckets, or Bedrock models.

Step 3 — Enter the role ARN

Paste the IAM role ARN into the onboarding wizard (or Settings → Cloud → Update Role ARN). Cendriix validates the role by performing a test sts:AssumeRole call; STS has no dry-run mode, so this call is a real assumption of the role and is recorded in your CloudTrail like any other. If validation succeeds, the connection is live.

Step 4 — Verify

After connection, run a test workflow to confirm agents can reach your resources. The run workspace shows a green “Cloud Connected” badge when the relay is active.
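The four setup steps as one runnable script, added here as an example; it is not Cendriix's own code and does not reproduce the wizard's exact trust policy. It builds a trust policy for the relay principal, emits a permissions policy that is scoped to specific resource ARNs (the tightening Step 2 allows), and lints the result for wildcards and undocumented actions before you attach it. Every account ID, ARN and the external ID is a constructed placeholder. Whether the relay passes an sts:ExternalId is not stated on this page, so add that condition only if the wizard's trust policy shows it; otherwise the validation call in Step 3 will fail.

```python
"""Build and sanity-check the IAM artifacts for the BYO Cloud role.

Added example; not Cendriix's own code. Every account ID, ARN and the
external ID below is a constructed placeholder. Take the real trust policy
from the onboarding wizard; use this to produce a permissions policy that is
scoped to specific resource ARNs and to catch wildcards before attaching it.
"""
import json

# Constructed placeholders (assumptions); the wizard shows the real values.
RELAY_PRINCIPAL = "arn:aws:iam::111111111111:role/cendriix-dataplane-relay"
EXTERNAL_ID = "example-workspace-external-id"

# The permission families listed for the Cendriix-managed policy on this page.
DOCUMENTED_ACTIONS = {
    "bedrock:InvokeModel",
    "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query",
    "s3:GetObject", "s3:PutObject",
    "sts:AssumeRole",
}


def build_trust_policy(relay_principal, external_id=None):
    """Allow only the relay principal to assume the role.

    The optional sts:ExternalId condition is the standard confused-deputy
    guard for cross-account roles. Add it only if the relay actually passes
    that ExternalId (check the wizard's trust policy), or AssumeRole fails.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": relay_principal},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_permissions_policy(table_arns, bucket_arns, model_arns, relay_target_arns):
    """Resource-scoped version of the four permission sets in the managed policy."""
    # s3:GetObject/PutObject act on objects, so bucket ARNs become bucket/*.
    object_arns = [f"{arn}/*" for arn in bucket_arns]
    groups = [
        ("Bedrock", ["bedrock:InvokeModel"], model_arns),
        ("AgentState", ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"], table_arns),
        ("Artifacts", ["s3:GetObject", "s3:PutObject"], object_arns),
        ("Relay", ["sts:AssumeRole"], relay_target_arns),
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": resources}
            for sid, actions, resources in groups
            if resources  # omit the statement rather than emit an empty Resource list
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings for Allow statements broader than the page describes."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action not in DOCUMENTED_ACTIONS:  # catches s3:* and unrelated services
                findings.append(f"statement {index}: action {action!r} is outside the documented set")
        if "*" in resources:
            findings.append(f"statement {index}: Resource '*' is not scoped by ARN")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(RELAY_PRINCIPAL, EXTERNAL_ID)
    perms = build_permissions_policy(
        table_arns=["arn:aws:dynamodb:us-east-1:222222222222:table/cendriix-agent-state"],
        bucket_arns=["arn:aws:s3:::example-cendriix-artifacts"],
        model_arns=["arn:aws:bedrock:us-east-1::foundation-model/example-model-id"],
        relay_target_arns=[],  # placeholder: list any further roles the relay must chain into
    )
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("findings:", audit_policy(perms) or "none")
```

Run `audit_policy` against the managed policy the wizard displays as well: any `Resource: "*"` it reports is a statement you can narrow under Step 2 before the role goes live.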

Security model

  • No standing access — the relay only assumes your role during active agent execution. Credentials are short-lived (default 1-hour STS session); the role's MaxSessionDuration setting caps the longest session the relay can request.
  • Per-tenant isolation — each workspace has its own cross-account role. One customer’s relay cannot access another’s resources.
  • Guardrails — Policies can restrict which AWS services, regions, or resource types agents may interact with.
  • Audit trail — every AssumeRole call is recorded in your CloudTrail and in the Cendriix Audit Log.
  • Revocable — delete the IAM role or remove the trust policy at any time to cut off agent access. Removing the trust policy stops new sts:AssumeRole calls but does not end sessions already issued, which stay valid until they expire (at most the session duration above); to cut those off too, detach the role's permissions policies or add an inline Deny statement conditioned on aws:TokenIssueTime.
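A review of the audit trail above, added here as an example and not Cendriix's own tooling: it reads CloudTrail AssumeRole records for the customer cross-account role and flags any assumption by a principal outside the expected relay account, any session requested beyond the documented 1-hour default, and any assumption outside a known agent run window. The two records and the run window are constructed; account IDs, role names and timestamps are placeholders, and the run windows would normally be taken from the Cendriix Audit Log.

```python
"""Review CloudTrail AssumeRole events for the Cendriix cross-account role.

Added example; not Cendriix's own tooling. The records and run windows
below are constructed, and the account IDs, role names and timestamps are
placeholders. Three checks a reviewer wants from the audit trail:
  1. the role was assumed only from the expected relay account,
  2. no session was requested longer than the documented 1-hour default,
  3. each assumption falls inside a known agent run window.
"""
import json
from datetime import datetime, timezone

CUSTOMER_ROLE_ARN = "arn:aws:iam::222222222222:role/CendriixCrossAccountRole"  # placeholder
RELAY_ACCOUNT_ID = "111111111111"  # placeholder for the Cendriix control-plane account
MAX_SESSION_SECONDS = 3600  # the page's default STS session length


def _utc(text):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _assume_role_event(event_time, caller_account, caller_arn, duration):
    """Constructed record in the shape STS writes to CloudTrail for AssumeRole."""
    return {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole", "accountId": caller_account, "arn": caller_arn},
        "requestParameters": {
            "roleArn": CUSTOMER_ROLE_ARN,
            "roleSessionName": "cendriix-run",
            "durationSeconds": duration,
        },
    }


# Constructed sample: one legitimate relay assumption, one that needs investigation.
SAMPLE_TRAIL = {"Records": [
    _assume_role_event("2024-05-01T10:00:05Z", RELAY_ACCOUNT_ID,
                       "arn:aws:sts::111111111111:assumed-role/cendriix-dataplane-relay/run-1", 3600),
    _assume_role_event("2024-05-01T23:15:00Z", "333333333333",
                       "arn:aws:sts::333333333333:assumed-role/unknown/x", 43200),
]}
SAMPLE_TRAIL_TEXT = json.dumps(SAMPLE_TRAIL)

# Constructed (start, end) run windows, as the Cendriix Audit Log would report them.
RUN_WINDOWS = [(_utc("2024-05-01T09:58:00Z"), _utc("2024-05-01T10:30:00Z"))]


def review_assume_role_events(records, role_arn, relay_account, run_windows,
                              max_seconds=MAX_SESSION_SECONDS):
    """Return (eventTime, finding, detail) tuples for assumptions of role_arn."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        params = rec.get("requestParameters") or {}
        if params.get("roleArn") != role_arn:
            continue
        when, caller = _utc(rec["eventTime"]), rec.get("userIdentity", {})
        if "errorCode" in rec:  # a denied attempt is still worth knowing about
            findings.append((rec["eventTime"], "denied-attempt", rec["errorCode"]))
        if caller.get("accountId") != relay_account:
            findings.append((rec["eventTime"], "unexpected-caller", caller.get("arn")))
        requested = params.get("durationSeconds", max_seconds)  # absent means the STS default
        if requested > max_seconds:
            findings.append((rec["eventTime"], "session-too-long", requested))
        if not any(start <= when <= end for start, end in run_windows):
            findings.append((rec["eventTime"], "outside-run-window", caller.get("arn")))
    return findings


def review_trail_json(text, role_arn, relay_account, run_windows):
    """Same review over the body of a CloudTrail log file ({"Records": [...]})."""
    return review_assume_role_events(json.loads(text)["Records"], role_arn, relay_account, run_windows)


if __name__ == "__main__":
    for event_time, kind, detail in review_assume_role_events(
            SAMPLE_TRAIL["Records"], CUSTOMER_ROLE_ARN, RELAY_ACCOUNT_ID, RUN_WINDOWS):
        print(f"{event_time} {kind}: {detail}")
```

The validation call from Step 3 shows up in the same trail as an AssumeRole from the relay account with no matching run window, so expect exactly one such finding at connection time and treat any later one as worth a look.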

Without BYO Cloud

If you do not connect a cloud account, agents can still operate on SaaS-hosted connectors (GitHub, Jira, Slack, etc.) via OAuth. BYO Cloud is required only for workflows that touch your own AWS infrastructure (deployments, infrastructure mutations, Bedrock models).

See also: Connectors, Policies & Guardrails, Runs & Orchestration
