Lensix
AWS · Azure · GCP

Stop flying blind in the cloud

Automated checks catch security holes, wasted spend, performance bottlenecks, and reliability gaps across AWS, Azure, and GCP - before your users or your finance team find them first.

100% read-only access — Lensix can view your cloud resources but can never create, modify, or delete anything in your account. You control the access and can revoke it instantly.

AWS, Azure & GCPSeverity-ranked findingsFree to startUp in minutes
Get started freeSign in

Covers every angle - not just security

Security

Encryption, public access controls, MFA, TLS, identity least privilege

Cost

Unused resources, oversized instances, idle services

Performance

Right-sizing, Performance Insights, caching, throughput

Reliability

High availability, deletion protection, backup retention, redundancy

Operations

Audit logging, config rules, access logging, lifecycle policies

Free

No credit card required

3

Cloud providers

5

Coverage pillars

100%

Read-only - zero changes

Security & trust

Letting a tool into your cloud is a real decision

We take that seriously. Here is exactly what access Lensix gets, how it works technically, and how you revoke it whenever you want.

Read-only — technically enforced, not just promised

For AWS, Lensix uses the AWS-managed ReadOnlyAccess policy — written and maintained by AWS. It permits only describe and list API calls. There is literally no API call Lensix can make that creates, modifies, or deletes anything in your account.

Azure uses the Reader role. GCP uses the Viewer role. These are the lowest-privilege read-access roles each cloud offers.

You create it, you control it — revoke anytime

For AWS, you deploy the IAM role in your own account using our CloudFormation template or manual step-by-step instructions. The role and its permissions live entirely in your AWS account — Lensix never holds your AWS credentials.

Want to cut access? Delete the IAM role — Lensix is locked out immediately, no ticket or cancellation required. Same for Azure and GCP: remove the role assignment or delete the service account and access is gone instantly.

Built by cloud security specialists

Lensix is built by Absolute Ops, a team with extensive hands-on cloud security experience — conducting security reviews, architecture assessments, and compliance audits for organizations across healthcare, finance, and technology.

We built Lensix because we kept doing the same manual cloud reviews repeatedly. We understand what we're asking you to grant — and we designed the access model specifically to minimize what Lensix needs.

Configuration findings, not your data

Lensix reads resource metadata — things like “this S3 bucket has public access enabled” or “this RDS instance has no deletion protection.” It does not read, transfer, or store the contents of your S3 buckets, database records, Secrets Manager values, or any business data.

What we store: resource identifiers, check names, severity levels, and regions — the minimum needed to show you findings and track when they're resolved.

Up and running in minutes

Connect your cloud accounts with read-only credentials. Nothing in your environment is ever modified.

  1. 1

    Create your account

    Register your organization in seconds. Invite your team with admin or member roles.

  2. 2

    Connect your cloud accounts

    Add AWS accounts via a read-only IAM role, Azure via service principal, or GCP via a service account. Lensix starts scanning immediately - nothing in your environment is ever modified.

  3. 3

    See what actually needs fixing

    Open your dashboard and get a prioritized list of real issues: open security holes, wasted spend, overdue backups, and more - ranked by severity so you start with what matters.

Built for teams who own the infrastructure

Whether you're a solo engineer or a platform team, Lensix gives you a continuous view of what's broken, what's expensive, and what's at risk - without any agents to deploy or rules to write.

  • Not just security

    Most tools scan for misconfigurations and call it done. Lensix also flags wasted spend, under-provisioned databases, missing backups, and broken audit trails - because your cloud has more problems than just open ports.

  • AWS, Azure & GCP - fully covered

    Connect any combination of accounts across the three major clouds. All findings land in a single dashboard, filterable by provider and account.

  • Know what to fix first

    An open S3 bucket is not the same priority as a missing lifecycle policy. Every finding is ranked critical, high, medium, low, or info - so you spend time on what actually matters.

  • One dashboard, many accounts

    Managing three AWS accounts across two environments? Lensix consolidates every account's findings into a single view, scoped to your organization. Add accounts in minutes.

  • Fixes update themselves

    Fix the issue, run the next scan, and it's gone. Lensix automatically clears resolved findings - your dashboard is always a live snapshot of what's broken, not a stale report.

  • Tune it to your environment

    Disable checks that don't apply, adjust severity for your risk tolerance, and suppress known exceptions with expiry dates - without touching a config file.

Comprehensive coverage across your cloud stack

From compute and storage to messaging and identity, Lensix monitors the services your workloads depend on.

Compute & Containers

  • EC2
  • Lambda
  • ECS
  • EKS
  • ECR

Storage

  • S3
  • EBS
  • EFS

Databases

  • RDS
  • DynamoDB / DAX
  • ElastiCache
  • Redshift
  • OpenSearch
  • DocumentDB
  • Neptune

Networking

  • VPC
  • Security Groups
  • Load Balancers
  • API Gateway
  • CloudFront

Identity & Account

  • IAM Users
  • Account Controls
  • CIS CloudWatch Alarms
  • Secrets Manager

Messaging & Streaming

  • SNS
  • SQS
  • Kinesis
  • MSK
  • MQ

Analytics & Data

  • Athena
  • EMR

DevOps & Cost

  • CodeBuild
  • Cost & Budgets
  • WorkSpaces

Common questions

What is Lensix?
Lensix is a free cloud health monitoring tool that automatically scans your AWS, Azure, and GCP accounts for security risks, cost waste, performance bottlenecks, and reliability gaps - then ranks findings by severity so your team always knows what to fix first.
Is Lensix free?
Yes. Lensix is free to use - create an account, connect your cloud accounts, and start scanning. No credit card required.
Which cloud providers does Lensix support?
AWS, Azure, and GCP are all fully supported. Connect any combination and see findings from all accounts in a single dashboard.
What does Lensix check for?
Five areas: Security (unencrypted resources, public access, missing MFA, weak TLS), Cost (idle instances, unused storage, oversized databases), Performance (underutilized resources, missing caching), Reliability (no backups, deletion protection disabled, single points of failure), and Operations (CloudTrail gaps, missing access logging, expired certificates).
How does Lensix connect to my cloud accounts?
AWS uses a read-only cross-account IAM role - you provide the Role ARN and External ID. Azure uses a service principal. GCP uses a service account. Lensix calls only read-only APIs and never creates, modifies, or deletes anything in your environment.
Can I scan multiple accounts?
Yes. Add as many AWS, Azure, or GCP accounts as you need. All findings appear in one dashboard, filterable by provider and account.
Does Lensix make changes to my environment?
Never. Lensix is entirely read-only across every provider it supports. The scanner calls only read-only APIs.

See what's hiding in your cloud

Free to start - no credit card, no agent to deploy, no rules to write. Connect your AWS, Azure, or GCP account and you'll have prioritized findings before your next standup.

Create an account