AI Platform Engineer

Infrastructure risks routed to owners before execution.

Detect reliability, security, cost, and deployment risks. Explain impact, recommend safe fixes, and require approval before any change runs.

Scan completeRun #1 found 6 infrastructure risks across 5 signal sources for CloudOps Demo Workspace.
6 waiting for approval
Active risks60 dismissed from review
Critical1Security or production exposure
Need approval60 executed safely
Monthly savings$148Estimated avoidable spend

Risk Inbox

AI-detected infrastructure risks

6 need approval
HighGitHubNeeds Approval
Route: Platform Team

Demo Failure For CloudOps workflow failure

Demo Failure For CloudOps on main ended with failure and needs platform review before another release attempt.

Impactcloudops-command-center may not be safely receiving the latest release until the failed workflow is investigated and rerun.
Evidence98% confidence
  • Repository: AZ1600/cloudops-command-center
  • Workflow run #1
  • Branch: main
  • Conclusion: failure
  • Run URL: https://github.com/AZ1600/cloudops-command-center/actions/runs/28339678676
Inspect the failed workflow logs, fix the failing step, and rerun the pipeline after approval.
  1. Open the GitHub Actions run and inspect the failed job logs.
  2. Identify whether the failure is code, infrastructure, dependency, or secret related.
  3. Patch the issue in a pull request or rerun only after owner approval.
HighTerraformNeeds Approval
Route: Cloud Platform

Terraform drift detected in security group

A production security group was changed outside Terraform and now allows SSH from a wider CIDR range.

Impactnetworking has a security exposure that could increase compliance, data access, or incident response risk.
Evidence92% confidence
  • Terraform plan shows ingress drift
  • Port 22 changed from office CIDR to 0.0.0.0/0
  • Resource managed by networking module
Restore the managed security group rule through Terraform and add drift detection to CI.
  1. Verify whether emergency access was approved.
  2. Revert the SSH ingress CIDR back to the approved range.
  3. Run Terraform plan against the networking workspace.
MediumAWSNeeds Approval
Route: FinOps Owner

Unattached volumes increasing monthly spend

Several unattached EBS volumes have not been used for more than 30 days.

Impactanalytics-cluster is likely wasting cloud spend that can be reduced without changing customer-facing functionality.
Evidence90% confidence
  • 8 unattached gp3 volumes
  • Estimated waste: $148/month
  • No read/write activity in 30 days
Snapshot unattached volumes, apply retention policy, then delete confirmed unused resources.
  1. Tag each unattached volume with owner and review deadline.
  2. Create a final snapshot for rollback safety.
  3. Delete volumes with no owner response after approval.
HighKubernetesNeeds Approval
Route: Data Platform

Kubernetes workload is crash looping

The ingestion worker restarted 17 times in the last hour and is failing readiness checks.

Impactworker-ingestion has reliability symptoms that may affect user experience or delay background processing.
Evidence92% confidence
  • CrashLoopBackOff on worker-ingestion-7d9
  • Readiness probe failed
  • Queue depth increased by 42%
Pause noisy restarts, inspect logs, and roll back or patch the failing worker image.
  1. Check previous container logs for the first failing stack trace.
  2. Compare the current image tag with the last healthy deployment.
  3. Scale a canary worker after applying the fix.
CriticalAWSNeeds Approval
Route: Security Owner

S3 bucket policy allows broad public access

A storage bucket used for customer uploads has a policy that permits public object reads.

Impactcustomer-assets has a security exposure that could increase compliance, data access, or incident response risk.
Evidence95% confidence
  • Block Public Access is disabled
  • Policy contains Principal '*'
  • Bucket stores uploaded customer documents
Re-enable S3 Block Public Access and replace public reads with signed URLs.
  1. Confirm the bucket does not intentionally host public website assets.
  2. Enable account and bucket-level Block Public Access.
  3. Update application access to use pre-signed URLs or CloudFront signed URLs.
HighGitHubNeeds Approval
Route: Platform Team

Production deployment failed

The latest main branch deployment failed after a database migration step timed out.

Impactpayments-api cannot safely receive the latest release until the failed deployment is investigated and rerun.
Evidence92% confidence
  • GitHub Actions run #184 failed
  • Migration job exceeded 10 minute timeout
  • Production still running previous release
Inspect the failing deployment, fix the migration timeout, and rerun the release pipeline.
  1. Open the failed GitHub Actions run and inspect the migration logs.
  2. Check database lock and connection timeout metrics.
  3. Patch the migration or increase the safe timeout.

Owners

Routing map

Platform Teamcloudops-command-center, payments-api
Risks
2
Urgent
2
Waiting
2
Done
0
Cloud Platformnetworking
Risks
1
Urgent
1
Waiting
1
Done
0
Data Platformworker-ingestion
Risks
1
Urgent
1
Waiting
1
Done
0
Security Ownercustomer-assets
Risks
1
Urgent
1
Waiting
1
Done
0
FinOps Owneranalytics-cluster
Risks
1
Urgent
0
Waiting
1
Done
0

Approval Queue

Safe execution gate

Approved remediations will appear here before execution.

Execution Log

Approved changes

Executed remediations will appear here with safety checks and command evidence.

Audit Log

Decision history

6/28/2026, 11:40:28 PMGitHub Actions runs imported

8 workflow runs reviewed for AZ1600/cloudops-command-center. 1 failed runs generated risks for owner approval.

6/28/2026, 7:27:55 PMGitHub Actions runs imported

6 workflow runs reviewed for AZ1600/cloudops-command-center. 0 failed runs generated risks for owner approval.

6/28/2026, 6:26:19 PMRisk scan reset

5 infrastructure risks restored for review.

6/28/2026, 6:25:28 PMTerraform drift detected in security group

pull request remediation approved for Cloud Platform. Execution is queued behind the safety gate.

6/28/2026, 6:23:32 PMInitial infrastructure scan

5 infrastructure risks detected and routed to owners.

Service Catalog

Owned platform assets

5 services tracked
Degradedproduction
1 active risks

payments-api

Owner
Platform Team
Runtime
FastAPI on ECS
Last change
Deployment failed 18 minutes ago
GitHubAWS
Criticalproduction
1 active risks

customer-assets

Owner
Security Owner
Runtime
S3 + CloudFront
Last change
Bucket policy changed today
AWSTerraform
Criticalproduction
1 active risks

worker-ingestion

Owner
Data Platform
Runtime
Kubernetes deployment
Last change
Image rollout 42 minutes ago
KubernetesMonitoring
Watchproduction
1 active risks

analytics-cluster

Owner
FinOps Owner
Runtime
EC2 + EBS
Last change
Volume audit 2 days ago
AWS
Degradedshared
1 active risks

networking

Owner
Cloud Platform
Runtime
Terraform module
Last change
Manual security group edit detected
TerraformAWS

Integrations

Infrastructure signal sources

4 active sources
Connected2 signals
Live fetch available

GitHub Actions

  • workflow runs
  • deployment failures
  • release history

Fetch workflow runs by repository and route failed deployments to owners.

Mock2 signals
4 minutes ago

AWS

  • S3 posture
  • cost findings
  • resource inventory

Add read-only IAM role for CloudWatch, Cost Explorer, and IAM Access Analyzer.

Mock1 signals
5 minutes ago

Kubernetes

  • pod health
  • restart counts
  • readiness failures

Connect cluster service account with read-only workload access.

Mock1 signals
8 minutes ago

Terraform

  • drift signals
  • plan output
  • module ownership

Import Terraform plan JSON from CI before apply.

Not connected0 signals
Not synced

Prometheus / Monitoring

  • alerts
  • SLO burn rate
  • latency anomalies

Connect alert webhook after the core remediation flow is stable.

GitHub Actions

Live workflow failure detection

Fetch workflow runs

Terraform Import

Plan JSON risk detection

Paste plan JSON

Runbooks

Controlled remediation procedures

5 active procedures
securitypull request
Security Owner

Public S3 Access Remediation

Applies to customer-assets and is currently linked to an active risk.

Safety checks
  1. Confirm the bucket is not intentionally hosting public website assets.
  2. Verify customer uploads can be served through signed URLs.
  3. Run Terraform plan before changing the bucket policy.
Rollback plan
  1. Revert the bucket policy pull request.
  2. Restore the last known-good access policy from version control.
  3. Re-run object access tests for customer downloads.
reliabilityworkflow
Data Platform

Kubernetes CrashLoopBackOff Response

Applies to worker-ingestion and is currently linked to an active risk.

Safety checks
  1. Read previous container logs before restarting pods.
  2. Check image tag against the last healthy release.
  3. Confirm queue backlog can tolerate a canary restart.
Rollback plan
  1. Roll deployment back to the previous image tag.
  2. Scale workers to the last stable replica count.
  3. Requeue failed jobs after readiness checks pass.
deploymentworkflow
Platform Team

Failed Production Deployment Recovery

Applies to payments-api and is currently linked to an active risk.

Safety checks
  1. Review failed migration logs and database lock metrics.
  2. Confirm production is still serving the previous healthy release.
  3. Require owner approval before rerunning deployment.
Rollback plan
  1. Keep traffic on the previous deployment.
  2. Disable the failing migration step until patched.
  3. Open an incident note with the failed run and owner.
securitypull request
Cloud Platform

Terraform Drift Correction

Applies to networking and is currently linked to an active risk.

Safety checks
  1. Confirm whether the out-of-band change had emergency approval.
  2. Generate a Terraform plan scoped to the drifted resource.
  3. Validate the restored CIDR does not block approved access.
Rollback plan
  1. Revert the remediation pull request.
  2. Reapply the previous approved security group rule.
  3. Attach the rollback decision to the audit log.
costsimulated
FinOps Owner

Unused Cloud Resource Cleanup

Applies to analytics-cluster and is currently linked to an active risk.

Safety checks
  1. Confirm unattached volumes have no read or write activity.
  2. Create a final snapshot before deletion.
  3. Notify the service owner before cleanup approval.
Rollback plan
  1. Restore the deleted volume from snapshot.
  2. Reattach the restored volume to the approved instance.
  3. Update the cost exception list if the volume is intentionally retained.