BYO Cloud
Cendriix follows a Bring Your Own Cloud (BYO-Cloud) execution model: your agents run inside your AWS account, not ours. The Cendriix control plane orchestrates work, but every tool call — code checkout, build, deploy, infrastructure mutation — executes against resources you own.
Why BYO Cloud
| Benefit | Detail |
|---|---|
| Data residency | Source code, secrets, and artifacts never leave your VPC |
| Least privilege | You define exactly which AWS services agents may touch |
| Audit | CloudTrail in your account records every API call agents make |
| Cost visibility | Agent compute appears on your AWS bill, not a third-party line item |
| Compliance | SOC 2, HIPAA, and GDPR controls remain under your governance |
How it works
The Cendriix control plane runs in a dedicated AWS account. When an agent needs to act on your infrastructure, the platform uses an IAM cross-account relay:
Cendriix Control Plane (us-east-1)
├── Orchestrator
├── Agent Runtime (EKS)
└── DataPlane IAM Relay
│
│ sts:AssumeRole
▼
Your AWS Account
├── Customer Cross-Account Role
├── Your GitHub / GitLab / Jira
└── Your Infrastructure (EKS, Lambda, RDS, etc.)

- Agent Runtime — runs on EKS in the Cendriix VPC, executing the orchestration plan.
- DataPlane IAM Relay — a cross-account trust relationship between the Cendriix account and your account.
- Customer Cross-Account Role — an IAM role in your account that the relay assumes via sts:AssumeRole.
- Agents use the assumed credentials to interact with your cloud resources, source control, and tooling.
Setup
BYO Cloud is configured during workspace onboarding. You can also add or update the connection later from Settings → Cloud.
Step 1 — Create the IAM role
In your AWS account, create an IAM role with a trust policy that allows the Cendriix orchestration service account to assume it. The exact trust policy JSON is displayed in the onboarding wizard.
Step 2 — Attach the Cendriix policy
Attach the Cendriix-managed IAM policy to the role. This grants the minimum permissions agents need:
| Permission | Purpose |
|---|---|
| bedrock:InvokeModel | LLM inference for agent reasoning |
| dynamodb:GetItem, dynamodb:PutItem, dynamodb:Query | Agent state and run metadata |
| s3:GetObject, s3:PutObject | Build artifacts, code snapshots |
| sts:AssumeRole | Cross-account relay |
You can further restrict these permissions by resource ARN to limit agents to specific tables, buckets, or Bedrock models.
Step 3 — Enter the role ARN
Paste the IAM role ARN into the onboarding wizard (or Settings → Cloud → Update Role ARN). Cendriix validates the role by performing a test sts:AssumeRole call; that call shows up as an AssumeRole event in your CloudTrail like any other. If validation succeeds, the connection is live.
Step 4 — Verify
After connection, run a test workflow to confirm agents can reach your resources. The run workspace shows a green “Cloud Connected” badge when the relay is active.
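The four steps above, worked through as an added example (this is not the wizard's output or a Cendriix-maintained policy): Python that emits a trust policy pinned to a single relay role with an ExternalId condition, the page's permission set scoped to named resources instead of "*", and a small linter that flags the trust-policy mistakes that matter for a cross-account relay. The account IDs, role names, table and bucket names, the model ID and the ExternalId are placeholders. Whether the wizard's real trust policy uses an ExternalId is not stated on this page, so treat that condition as the check to make when you compare the generated JSON against what the wizard shows you.

```python
import json

# Constructed placeholder values. The real relay principal, role name and
# ExternalId (if Cendriix uses one) come from the onboarding wizard, not from
# this page; the account IDs are AWS documentation placeholders.
CENDRIIX_ACCOUNT_ID = "111122223333"
CENDRIIX_RELAY_ROLE_ARN = f"arn:aws:iam::{CENDRIIX_ACCOUNT_ID}:role/DataPlaneRelay"
CUSTOMER_ACCOUNT_ID = "444455556666"
WORKSPACE_EXTERNAL_ID = "ws-7f3a9c1e"  # per-workspace secret, assumed


def trust_policy(relay_role_arn: str, external_id: str) -> dict:
    """Trust policy for the Customer Cross-Account Role.

    Trusts exactly one role in the Cendriix account (never the whole account or
    '*') and requires an ExternalId, so that a third party who learns your role
    ARN cannot get the relay to assume it on their behalf (confused deputy).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": relay_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(account_id: str, region: str, table: str, bucket: str, model_id: str) -> dict:
    """The page's minimum permission set, pinned to named resources instead of '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BedrockInference", "Effect": "Allow",
             "Action": "bedrock:InvokeModel",
             "Resource": f"arn:aws:bedrock:{region}::foundation-model/{model_id}"},
            {"Sid": "AgentState", "Effect": "Allow",
             "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
             "Resource": f"arn:aws:dynamodb:{region}:{account_id}:table/{table}"},
            {"Sid": "Artifacts", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            # The page also lists sts:AssumeRole. Grant it only on the specific
            # downstream role(s) your workflows chain into (assumed naming here).
            {"Sid": "ChainedRoles", "Effect": "Allow",
             "Action": "sts:AssumeRole",
             "Resource": f"arn:aws:iam::{account_id}:role/cendriix-deploy-*"},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_trust_policy(policy: dict) -> list[str]:
    """Flag the trust-policy mistakes that turn a scoped relay into an open door."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        for p in principals:
            if p == "*":
                findings.append("principal '*': any AWS account could assume this role")
            elif p.endswith(":root") or p.isdigit():
                findings.append(f"principal {p} trusts an entire account, not one role")
            elif not p.startswith(f"arn:aws:iam::{CENDRIIX_ACCOUNT_ID}:role/"):
                findings.append(f"principal {p} is not a role in the Cendriix account")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition: confused-deputy protection missing")
    return findings


if __name__ == "__main__":
    tp = trust_policy(CENDRIIX_RELAY_ROLE_ARN, WORKSPACE_EXTERNAL_ID)
    pp = permissions_policy(CUSTOMER_ACCOUNT_ID, "us-east-1", "cendriix-agent-state",
                            "cendriix-artifacts-444455556666", "your-model-id")
    print(json.dumps(tp, indent=2))
    print(json.dumps(pp, indent=2))
    print("trust policy findings:", lint_trust_policy(tp))
```

The linter does not inspect the role's maximum session duration; that is a property of the role itself, not of either policy, and it is what caps the 1-hour sessions described under Security model.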
Security model
- No standing access — the relay only assumes your role during active agent execution. Credentials are short-lived (default 1-hour STS session).
- Per-tenant isolation — each workspace has its own cross-account role. One customer’s relay cannot access another’s resources.
- Guardrails — Policies can restrict which AWS services, regions, or resource types agents may interact with.
- Audit trail — every AssumeRole call is recorded in your CloudTrail and in the Cendriix Audit Log.
- Revocable — delete the IAM role or remove the trust policy at any time to sever agent access. Deleting the role invalidates credentials that were already issued; removing only the trust policy stops new sts:AssumeRole calls, but sessions already issued stay valid until they expire (up to the session duration), so use the role's Revoke active sessions action in IAM if those must be cut off immediately as well.
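An added example of the audit-trail check above, using constructed CloudTrail records rather than anything captured from Cendriix: Python that scans AssumeRole events for the Customer Cross-Account Role and flags any successful assumption by a principal outside the expected relay role, any session longer than the default one hour, and any denied attempt. The relay ARN, role name and session names are assumed placeholders; a real run would read the records from your CloudTrail bucket or CloudTrail Lake instead of the inline list.

```python
# Constructed placeholders: the relay's assumed-role ARN prefix and your role
# name are not documented on this page and will differ in your account.
CUSTOMER_ROLE_ARN = "arn:aws:iam::444455556666:role/CendriixCrossAccount"
# The relay runs under a role session of its own, so the caller recorded in
# your CloudTrail is an sts assumed-role ARN in the Cendriix account.
EXPECTED_CALLER_PREFIX = "arn:aws:sts::111122223333:assumed-role/DataPlaneRelay/"
RELAY_CALLER = EXPECTED_CALLER_PREFIX + "orchestrator"
MAX_SESSION_SECONDS = 3600  # the default 1-hour STS session stated above


def _event(caller_arn, role_arn, duration=3600, error=None, when="2024-05-01T12:00:00Z"):
    """Build a trimmed CloudTrail AssumeRole record (constructed sample data)."""
    ev = {
        "eventTime": when, "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "awsRegion": "us-east-1", "recipientAccountId": "444455556666",
        "userIdentity": {"arn": caller_arn, "accountId": caller_arn.split(":")[4]},
        "requestParameters": {"roleArn": role_arn, "roleSessionName": "cendriix-run-8c1f",
                              "durationSeconds": duration},
    }
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    # expected: the relay assumes the role for a run with a 1-hour session
    _event(RELAY_CALLER, CUSTOMER_ROLE_ARN, when="2024-05-01T12:00:04Z"),
    # unrelated: a human assuming a different role in the account, ignored
    _event("arn:aws:iam::444455556666:user/alice", "arn:aws:iam::444455556666:role/ci-deploy"),
    # suspicious: a principal outside the Cendriix account succeeded
    _event("arn:aws:sts::999999999999:assumed-role/Scanner/probe", CUSTOMER_ROLE_ARN,
           when="2024-05-01T12:07:31Z"),
    # suspicious: the right caller, but a 12-hour session was requested
    _event(RELAY_CALLER, CUSTOMER_ROLE_ARN, duration=43200, when="2024-05-01T13:15:00Z"),
    # failed attempt: the trust policy rejected the caller
    _event("arn:aws:sts::999999999999:assumed-role/Scanner/probe", CUSTOMER_ROLE_ARN,
           error="AccessDenied", when="2024-05-01T13:20:12Z"),
]


def audit_assume_role(events, role_arn=CUSTOMER_ROLE_ARN,
                      caller_prefix=EXPECTED_CALLER_PREFIX, max_session=MAX_SESSION_SECONDS):
    """Return (eventTime, kind, detail) findings for AssumeRole events on role_arn."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        params = ev.get("requestParameters") or {}
        if params.get("roleArn") != role_arn:
            continue
        caller = ev.get("userIdentity", {}).get("arn", "<unknown>")
        when = ev.get("eventTime", "")
        if ev.get("errorCode"):
            findings.append((when, "denied", f"{caller}: {ev['errorCode']}"))
            continue
        if not caller.startswith(caller_prefix):
            findings.append((when, "unexpected-principal", caller))
        # durationSeconds is only present when the caller asked for it; the STS default is 1 hour
        duration = int(params.get("durationSeconds", 3600))
        if duration > max_session:
            findings.append((when, "long-session", f"{caller} requested {duration}s"))
    return findings


if __name__ == "__main__":
    for when, kind, detail in audit_assume_role(SAMPLE_EVENTS):
        print(f"{when} {kind:20} {detail}")
```

A denied event from an unknown principal is worth alerting on even though nothing was assumed: it means someone outside the relay knows your role ARN and is probing it, which is exactly the situation an ExternalId condition in the trust policy is meant to defeat.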
Without BYO Cloud
If you do not connect a cloud account, agents can still operate on SaaS-hosted connectors (GitHub, Jira, Slack, etc.) via OAuth. BYO Cloud is required only for workflows that touch your own AWS infrastructure (deployments, infrastructure mutations, Bedrock models).
See also: Connectors, Policies & Guardrails, Runs & Orchestration