Intro to CloudCheckr CMx

CloudCheckr has re-imagined the user experience with its new platform: CloudCheckr CMx.

By building a brand-new UI, we expand on everything that makes CloudCheckr great while delivering new experiences that appeal to a wider user base. This includes things like mobile support, better aesthetics, simpler navigation, improved API functionality and documentation, and more.

Review the Frequently Asked Questions (FAQs) to learn more about what this new platform will provide you.

A New CloudCheckr Experience

It’s easy: just log in using one of the following new URLs that correspond to a CloudCheckr region and your current username and password:


Current URL


US Production




Only administrators will have access to the new platform. Administrators must provide access permissions to all other users before they can log in to the new platform.

Yes! This release does not replace your access to the current UI and API. You can switch back and forth between the two UIs and compare them side by side.

The biggest improvements for our customers include:

  • A platform built from the ground up to be scalable and performant
  • A modern design is more visually appealing and scales across multiple device sizes
  • A dynamic account hierarchy brings organization to your account list by allowing up to 11 layers of account groupings
  • API-first model ensures UI and API functionality remains consistent

The following are some enhancements you will see as part of API 2.0:

  • A platform built from the ground up to be scalable and performant
  • A new and improved documentation system built on
  • A more intuitive user experience—search parameters, filtering, and ordering leveraging the OData standard
  • Consistent response formatting and pagination
  • Dynamic account hierarchy brings organization to your account list by allowing up to 11 layers of account groupings
  • API-first model ensures UI and API functionality remains consistent

The New CloudCheckr UI includes these innovative features:



Improved Navigation

  • Improved search functionality
  • Account Switcher makes jumping from one account to another quick and painless
  • Reorganized menu and layout

Account Hierarchy

  • Organize accounts within account groups for streamlined account management and scalable permissioning
  • Apply attributes to accounts for easily categorizing your accounts and grouping them into multi-account views (MAVs)

Role Based Access Control

  • Create roles that define a set of users, permissions, and accounts
  • Establish permission sets that serve as reusable templates of permissions
  • Align roles to the account hierarchy for at-scale user and account management

Early Access | New Ingestion Engine + Cost Reporting

  • Ingest AWS Cost and Usage Report (CUR) data in a fraction of the amount of time
  • Dynamic and interactive cost reports and dashboards
  • Pivot Explorer feature to create on-the-fly reporting and analysis

The topic, A New Experience for the Platform, gives an overview of all of the new features in this release, with links to documentation for each feature.

This initial release is foundational to our future platform strategy. Some of the enhancements we are working on include the following:

  • Account Management UX improvements: Simplifying account creation—providing more contextual information and making it easier to manage accounts within the new hierarchy
  • Account Credentialing: Improving the onboarding workflow when credentialing a new account in CloudCheckr
  • Customer (Partner) Management: Rolling out a new user experience for creating and managing customers and plans
  • New dashboarding and reporting

New Account Hierarchy

The account hierarchy introduces account groups to create a parent-child folder structure that allows you to organize your accounts in any way you see fit. This organization simplifies navigation and user permissioning.

  • Accounts: No change to accounts as you know them! These are the various cloud provider accounts that you have added to Cloudcheckr
  • Account Groups: These are new! Account groups are like folders for your accounts. You can use them to organize your accounts in a hierarchy—up to 11 levels deep—and administer access management at the group or account level using roles. Each account can only exist in one parent folder, but a folder can contain a mix of accounts from different cloud providers.
  • Multi-Account Views (MAVs): No change to MAVs as you know them! MAVs allow you to look at all the resources in multiple accounts through a single view. You can tag individual accounts and designate tags in the MAV to identify the accounts you want to combine. With MAVs, you can create complex views across large sets of accounts and slice and dice data across multiple tags.

Use cases for organizing accounts may include:

  • Match a complex organizational structure by creating groups for various divisions, business units, reporting lines, and other categories
  • Align your account hierarchy by region and provider
  • Enable accounts from multiple cloud providers to exist in the same account group

Account-related functionality includes:

  • Retrieve all accounts, account groups, and MAVs
  • Retrieve parents of accounts, account groups, and children of account groups
  • Update accounts and account groups
  • Create new account groups
  • Delete account groups
  • Move accounts and account groups throughout the hierarchy

The account hierarchy combines with the Role Based Access Control (RBAC) to streamline the administration of CloudCheckr. After establishing a logical account hierarchy, you can apply user roles to accounts and account groups that exist at any level of the hierarchy.

New Role Based Access Control (RBAC)

RBAC is a method of managing user access based on the roles assigned to those users. This is a hub-and-spoke model, where the role object acts as the hub for all access management. Permissions, users, and accounts are all applied to the role, and the intersection of those objects determines who has access to what in the system.

To further simplify things, we have introduced the concept of permission sets to Cloudcheckr access management. Permission sets are templates of permissions that you can apply as a group to roles instead of having to apply or remove individual permissions each time a role is created or modified.

  • Users: The actual end-users who received a username (email address) and password that allows them to log in to the application
  • Clients: Services that access the CloudCheckr API to make a request and return a response or data based on that request
  • Roles: The collection of permissions that a user inherits which enable them to perform certain tasks or operations in the CloudCheckr application
  • Permissions: The individual privileges in CloudCheckr that allow any user with that permission to perform a function or task such as view cost alerts and manage account groups
  • Permission Sets: A collection of privileges that you can apply as a group to your CloudCheckr roles. For example, you might have a View Only permission set that includes all view only permissions.

Roles allow you to organize your users based on similar access and job function. For example, all members of your finance team may exist in a singular role that grants each member access to cost and billing reports for all accounts. When a new team member joins, you can add them to the role so that they inherit the same entitlements as their peers.

RBAC allows you to organize your users and the account hierarchy allows you to organize your accounts. By marrying the two, you can broadly administer access management across your accounts and user base. While the goal is to standardize access management, you still can apply fine-grained entitlements when needed.

Access management-related functionality includes:

  • View all permissions
  • Create, update, or delete permission sets
  • Create, update, or delete roles (including account assignment)
  • Create update, or delete clients and access keys
  • Create, update, or delete users
  • Assign users to and remove users from roles

You don't need to recreate existing users or passwords. However, these users will not have access via the RBAC model until you assign them roles. Since this is a new permissioning model, we recommend creating permission sets and roles that meet the access needs of your user base.

Our team is ready to help. If you’re not sure how best to define your user roles, please reach out to schedule a session to review.

Also, API access keys will not be migrated over because the client/secret key functionality in RBAC is more robust and secure.

How did we do?