# RosettaBox
Governance, FinOps, compliance, and account lifecycle management -- unified across all clouds.
RosettaBox is RosettaHub's cloud governance product -- a complete platform for account vending, budget enforcement, compliance, and automated landing zones across AWS, Azure, GCP, Alibaba Cloud, OVH, and OpenStack.
RosettaBox is not just an API. It includes:
- A rich web console with governance dashboards, FinOps views (Superset), compliance posture panels, and organizational hierarchy management
- A desktop app with full governance capabilities
- A CLI for automation, scripting, and CI/CD integration
- SDKs in Python, Java, and JavaScript
- An OpenAPI specification -- every operation available in the UI is also available programmatically
- MCP Servers for AI-powered governance interaction
Every interface is unified across clouds. Where RosettaCloud converges the delivery of core multi-cloud resource types, RosettaBox converges the policies, budgets, accounts, and compliance controls that govern them -- and provides federated cloud console access for native services beyond the RosettaCloud scope.
RosettaCloud can be used independently for multi-account key management, cloud-agnostic IaC, and basic cost visibility. When combined with RosettaBox cloud operations, you get the full Supercloud -- where the real-time Monitoring Service enforces a single governance decision across every resource-creation path, including RosettaCloud self-service.
## Unified Governance Across Clouds
RosettaBox governance is primarily proprietary -- the platform enforces policies, quotas, and access controls through its own engines, not through third-party tools:
### Proprietary Governance (RosettaHub-built)
| Capability | What it does | How it works |
|---|---|---|
| Account sandboxing | Isolate users/teams in their own cloud accounts with guardrails | RBAC roles translate to cloud-native permissions automatically (SCPs on AWS, IAM policies on other clouds) |
| Quota enforcement | Limit maximum storage size, number of machines, instance types per user/team/org | Platform-level enforcement via RBAC roles |
| Budget enforcement | Hard spending caps evaluated continuously against live cost -- block before overspend reaches the next-day bill | Live cost estimates + continuous cost-vs-budget checks |
| Region restrictions | Control which cloud regions users can deploy to | RBAC roles + platform policy |
| Service restrictions | Control which cloud services users can access | RBAC roles + platform policy |
| RBAC | Role-based access control across all clouds from one model -- roles automatically convert to the right permissions on each cloud | Platform-level, cloud-agnostic |
| Spot hibernation | Proprietary 60-90% cost reduction on Spot workloads | Platform-level |
| FinOps dashboards | Idle detection, savings recommendations, cost views | Superset integration |
### Compliance Standards Scanning (Cloud Custodian)
In addition to proprietary governance, RosettaBox integrates Cloud Custodian (CNCF open-source) specifically for compliance standards scanning:
- 312 policies across 10 standards (SOC 2, HIPAA, ISO 27001, PCI DSS v4, FedRAMP, GDPR, NIST 800-53/171/CSF, CIS AWS)
- 97-100% control coverage per standard
- Compliance posture scanning, auto-remediation, and audit reporting
Cloud Custodian handles compliance standards only. All other governance -- account sandboxing, quotas, budgets, region/service restrictions, RBAC, Spot hibernation, FinOps -- is RosettaHub-proprietary.
### Cross-Cloud Consistency
All governance capabilities apply uniformly across clouds:
| Capability | AWS | Azure | GCP | Alibaba Cloud |
|---|---|---|---|---|
| Account vending | ✓ | ✓ | ✓ | ✓ |
| Sandboxed environments | ✓ | ✓ | ✓ | ✓ |
| Budget enforcement | ✓ | ✓ | ✓ | ✓ |
| Quota enforcement | ✓ | ✓ | ✓ | ✓ |
| Compliance policies | ✓ | ✓ | ✓ | ✓ |
| Automated landing zones | ✓ | ✓ | ✓ | ✓ |
A governance rule written once applies uniformly across all connected clouds.
## The Observe, Govern, Automate Progression
RosettaBox follows a tiered trust model that lets organizations adopt governance incrementally:
- Observe -- gain visibility into cloud usage, costs, and compliance posture without restricting users
- Govern -- introduce budgets, policies, and approval workflows that constrain what users can do
- Automate -- codify governance as automated guardrails so that compliant behavior is the default, not the exception
Detailed model
For a full explanation of the three tiers and how to transition between them, see The RosettaBox Model.
## Account Vending and Sandboxing
RosettaBox automates the provisioning and isolation of cloud accounts:
- Automated account vending -- new cloud accounts are created on demand from the organization's root account, pre-configured with baseline policies and network settings
- Project isolation -- each Project receives its own sandboxed environment with dedicated cloud accounts, preventing resource and cost leakage between teams
- Context injection -- users receive pre-configured credentials and environment variables when they enter a project, eliminating manual setup
The organizational root account is partitioned into Projects, and users are assigned to those sandboxed environments with role-appropriate permissions.
## Federated Cloud Console Access
RosettaBox gives every user direct access to native cloud consoles (AWS, GCP, Azure, Alibaba Cloud) while maintaining governance guardrails. Users work in the real cloud provider console -- not a proxy or limited subset -- with full access to native services within their sandbox.
### How Federation Works
| Cloud Provider | Federation Mechanism | Sandbox Enforcement |
|---|---|---|
| AWS | RosettaHub automatically creates IAM roles on each user's sub-account. Users assume these roles via STS (Security Token Service) to obtain time-limited console sessions. | Service Control Policies (SCPs) on the sub-account restrict actions to the permitted sandbox. When budgets are exceeded, SCPs automatically block resource-creating actions while preserving read-only and delete access. |
| Alibaba Cloud | Same model as AWS -- automatic IAM role creation with STS federation into sandboxed sub-accounts. | Service Control Policies enforce sandbox boundaries and budget limits. |
| GCP | RosettaHub shares the user's dedicated GCP project with a Google-recognized email address. Users sign in to the GCP Console with their Google identity. | IAM policies on the project restrict permissions to the governed set of services and regions. |
| Azure | Users access their dedicated Azure resource group through IAM policy-based access control. | Azure RBAC policies enforce sandbox boundaries. |
### Why This Matters
For cloud experts -- DevOps engineers, platform teams, cloud architects -- federated console access means they can use the tools they already know (AWS Console, gcloud, Azure Portal) while RosettaBox enforces budgets, compliance, and sandbox isolation automatically. They get the full power of native cloud services with governance guardrails, without learning a new interface.
Even stronger with RosettaCloud
Cloud experts who prefer native consoles still benefit from RosettaCloud: cross-cloud IaC via formations, shareable infrastructure templates, one-click deployments for team members, and reproducible environments that work identically on any provider. RosettaBox governs; RosettaCloud accelerates.
For tutorials on accessing native consoles, see AWS Console Access and GCP Console Access.
## Automated Landing Zones
Landing zones are pre-configured, compliant cloud environments that are ready for immediate use. RosettaBox provisions them automatically, applying:
- Network topology (VPCs, subnets, peering)
- Identity and access baselines
- Logging and audit trail configuration
- Security group and firewall defaults
Zero-touch onboarding
New teams receive a fully compliant cloud environment without filing tickets or waiting for manual setup.
## Closed-Loop FinOps™ -- Real-Time and Beyond Shift-Left
"Shift-left FinOps" is a useful instinct -- catch cost issues before deploy. Closed-Loop FinOps™ is the full lifecycle: estimates at plan time, creation-time quota checks at launch, continuous cost-vs-budget evaluation while resources run, and auto-remediation for idle waste. Same model across every launch path -- Terraform, dashboard, CLI, API.
Unlike traditional cloud billing, which operates with hours or days of lag, RosettaBox maintains a live cost estimate for every cloud account and continuously re-evaluates cost against budget. A real-time Monitoring Service combines each cloud's pricing data with the latest billing reports to produce that live cost at any moment, and checks it against the budget continuously across AWS, Azure, GCP, and Alibaba Cloud -- so overspend is caught before it shows up on next-day billing data. Separately, cloud-account quotas (machines, volumes, storage) are enforced at resource-creation time.
| Feature | Description |
|---|---|
| Hourly cost estimates | Every running resource carries an hourly cost estimate, visible to users in real time |
| Live cost tracking | Costs are recorded when resources are provisioned, not when bills arrive |
| Hard budget limits | Spending is blocked when a budget ceiling is reached -- no surprise overruns |
| Cloud resource visibility | Users see their combined resources across all regions; managers see all resources across all sub-accounts |
| Superset dashboards | Apache Superset dashboards provide rich analytics per root account, embedded via perspectives |
| FinOps FOCUS 1.3 | Athena-based cost tables in the FOCUS standard, queryable by managers and users (users see only their own data) |
| Decentralized delegation | Budget owners delegate portions of their budget to sub-organizations or projects |
| Transfer rights | Delegated budgets carry transfer rights, enabling nested delegation chains |
See Cost Management for full details on budget enforcement, delegation, FinOps FOCUS tables, and Superset dashboards.
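The two mechanisms described above, the continuous live-cost-vs-budget check and the SCP that blocks resource-creating actions while leaving read-only and delete actions intact (see How Federation Works), modelled together as an added example. This is illustrative code, not RosettaBox's implementation; the resource records, hourly prices and the list of creation actions are constructed.

```python
"""Added example: live cost vs. hard budget, and the resulting sandbox SCP.

Illustrative code, not RosettaBox's implementation. Resource records, hourly
prices and the creation-action list below are constructed for the example.
"""
from dataclasses import dataclass

# Resource-creating actions refused once the budget is exhausted. Read-only
# and delete actions are deliberately absent so users can still inspect and
# clean up (constructed, not an exhaustive list).
CREATE_ACTIONS = ["ec2:RunInstances", "ec2:CreateVolume",
                  "rds:CreateDBInstance", "s3:CreateBucket"]
ACTIVE_STATES = {"running", "in-use"}


@dataclass
class Resource:
    resource_id: str
    state: str           # e.g. "running", "stopped", "in-use"
    hourly_usd: float    # hourly cost estimate attached to the resource
    hours_running: float


def live_cost(billed_to_date: float, resources: list[Resource]) -> float:
    """Lagging billing report plus hourly estimates for everything active now."""
    accrued = sum(r.hourly_usd * r.hours_running
                  for r in resources if r.state in ACTIVE_STATES)
    return round(billed_to_date + accrued, 2)


def budget_exceeded(budget: float, billed_to_date: float, resources: list[Resource]) -> bool:
    """Hard cap: the check fires as soon as the live estimate reaches the ceiling."""
    return live_cost(billed_to_date, resources) >= budget


def sandbox_scp(budget_exhausted: bool) -> dict:
    """Baseline SCP; when the budget is exhausted, add a Deny on creation actions.

    An explicit Deny overrides any Allow in AWS policy evaluation, so describe
    and terminate actions remain available while RunInstances etc. are refused.
    """
    statements = [{"Sid": "Baseline", "Effect": "Allow", "Action": "*", "Resource": "*"}]
    if budget_exhausted:
        statements.append({"Sid": "BudgetExhausted", "Effect": "Deny",
                           "Action": CREATE_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def action_allowed(policy: dict, action: str) -> bool:
    """Simplified SCP evaluation: explicit Deny wins, otherwise an Allow must match."""
    def matches(pattern, act):
        pats = pattern if isinstance(pattern, list) else [pattern]
        return any(p == "*" or p == act or (p.endswith("*") and act.startswith(p[:-1]))
                   for p in pats)
    denied = any(s["Effect"] == "Deny" and matches(s["Action"], action) for s in policy["Statement"])
    allowed = any(s["Effect"] == "Allow" and matches(s["Action"], action) for s in policy["Statement"])
    return allowed and not denied
```

With a $20 budget, $9.50 already billed, one running m-class instance at $0.096/h for 120 h and a volume at $0.01/h for 240 h, `live_cost` returns 23.42, the cap is reached, and the generated SCP refuses `ec2:RunInstances` while still allowing `ec2:DescribeInstances` and `ec2:TerminateInstances`.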
## Compliance Enforcement
RosettaBox enforces compliance through policy-as-code, supporting major frameworks and benchmarks:
- Cloud Custodian policies for automated resource-level enforcement
- ISO 27001 information security controls
- HIPAA safeguards for protected health information
- CIS Benchmarks for cloud infrastructure hardening
- NIST SP 800-53 security and privacy controls
Policies are evaluated continuously, and non-compliant resources can be flagged, quarantined, or terminated automatically.
The platform provides dedicated compliance views for managing and monitoring policy enforcement:
| View | Description |
|---|---|
| Cloud Custodian Policies | Define and manage Cloud Custodian policy rules |
| Compliance Standards | Configure compliance standard packages (ISO 27001, CIS, HIPAA, NIST) |
| Policy Execution Outputs | Review results from automated policy enforcement runs |
## Resource Management
RosettaBox provides direct visibility into cloud provider resources and the ability to act on them in bulk. Users see their resources combined across all regions; managers see all resources across all sub-accounts. Bulk actions -- Stop All, Terminate All, and Cleanup All -- can be filtered by service and region, giving managers precise control over what gets affected.
See Resource Management for native cloud views, bulk actions, service/region filtering, and resource safeguards.
## Permissions Management
RosettaBox controls what cloud services, regions, and instance types are available to users and organizations. Permissions are set at the organization level and inherited downward:
| Permission | Description |
|---|---|
| Clouds | Which cloud providers users can access |
| Cloud Services | Available services per provider (EC2, S3, Lambda, etc.) |
| Cloud Regions | Geographic regions where resources can be provisioned |
| Instance Types | Compute instance types available for launching (CPU, memory, GPU configurations) |
| DB Instance Types | Database instance types for managed database services |
| Limit Requests | Service limit increase requests submitted to cloud providers |
Administrators configure permissions through role assignments at the organization, sub-organization, or user level. Users cannot exceed the permissions set by their organization's CPOC.
## Security and Automation
RosettaBox includes automated safeguards that protect cloud accounts without manual intervention:
### Account Protection
| Feature | Description |
|---|---|
| Automatic abuse handling | When a cloud provider reports abuse on an account, the user and their managers are automatically notified and access keys are immediately reset |
| Compromised key response | Access keys flagged as compromised by the cloud provider are reset immediately |
| Regular key rotation | Cloud access keys on all managed accounts are rotated on a regular schedule |
| Auto-disable on compromise | Cloud accounts are automatically disabled if keys are compromised or abuse is detected |
| Quarantine | Accounts can be quarantined with manual-only restoration for security incidents |
### Resource Safeguards
Safeguards include auto-stop of idle instances, Spot instance management, instance count limits, and storage quotas. See Resource Management for the full list.
### Notifications and Auditing
| Feature | Description |
|---|---|
| Email notifications | Automated alerts for warnings and critical events sent to users and administrators |
| Action auditing | Full audit trail of all user actions and cloud account operations |
| Cloud provider monitoring | AWS (Lambda, CloudWatch, CloudTrail), GCP (Cloud Functions, Alerts), Azure (Functions, Monitor, Activity Logs) |
## The Organizational Hierarchy
RosettaBox structures governance around organizations, users, and projects. Both users and projects can have their own dedicated cloud accounts with budgets.
```mermaid
graph TD
    Org["Organization\n(top-level governance boundary)"]
    SubOrg["Sub-organization\n(nested delegation)"]
    U1["User\n(roles + cloud accounts)"]
    U2["User\n(roles + cloud accounts)"]
    P1["Project\n(isolation unit)"]
    CA_U["User Cloud Accounts\n(dedicated budgets)"]
    CA_P["Project Cloud Accounts\n(dedicated budgets)"]
    Org --> SubOrg
    Org --> U2
    Org --> P1
    SubOrg --> U1
    U1 --> CA_U
    U2 --> CA_U
    P1 --> U1
    P1 --> U2
    P1 --> CA_P
    style Org fill:#e8eaf6,stroke:#283593,color:#000
    style SubOrg fill:#e3f2fd,stroke:#1565c0,color:#000
    style U1 fill:#f3e5f5,stroke:#6a1b9a,color:#000
    style U2 fill:#f3e5f5,stroke:#6a1b9a,color:#000
    style P1 fill:#fff3e0,stroke:#e65100,color:#000
    style CA_U fill:#e8f5e9,stroke:#2e7d32,color:#000
    style CA_P fill:#e8f5e9,stroke:#2e7d32,color:#000
```
- Organizations define the top-level governance boundary and can be nested into sub-organizations for delegated management
- Users belong to organizations and can have zero, one, or multiple dedicated cloud accounts with individual budgets. A user with no personal cloud accounts can still work within a project's cloud accounts through assigned project roles.
- Projects are isolation units with their own dedicated cloud accounts and budgets. Users participate in projects through assigned project roles (CPOC, ADMIN, SUPERUSER).
- Roles can be assigned directly to users or inherited from the organizations they belong to. A role held at a parent organization applies to all sub-organizations beneath it.
## Management Roles
RosettaBox uses a role-based access control model with three management roles:
| Role | Scope | Capabilities |
|---|---|---|
| CPOC | Limited administrative access | Manage registrations, view budgets, basic user administration |
| ADMIN | Full administrative access | All CPOC capabilities plus cloud account management, policy configuration |
| SUPERUSER | Complete control | All ADMIN capabilities plus credential management, account cleanup, destructive operations |
Role Inheritance
If a user holds a role on an organization, they automatically hold at least that role on every sub-organization beneath it. A SUPERUSER at the top level is a SUPERUSER everywhere.
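The inheritance rule in the note above, resolved over a small organization tree, as an added example; this is not RosettaBox code. The hierarchy, user names and direct grants are constructed, and the role ordering CPOC < ADMIN < SUPERUSER follows the Management Roles table.

```python
"""Added example: resolving a user's effective management role.

Illustrative code, not RosettaBox's implementation. The organization tree
and the direct role grants are constructed for the example.
"""
from typing import Optional

# Ordering from the Management Roles table: each role includes the
# capabilities of the roles ranked below it.
ROLE_RANK = {"CPOC": 1, "ADMIN": 2, "SUPERUSER": 3}

# Constructed hierarchy: organization -> parent (None for the top level).
PARENT = {
    "acme": None,
    "acme/research": "acme",
    "acme/research/labs": "acme/research",
    "acme/finance": "acme",
}

# Constructed direct grants: (user, organization) -> role.
GRANTS = {
    ("alice", "acme"): "SUPERUSER",
    ("bob", "acme/research"): "ADMIN",
    ("bob", "acme/research/labs"): "CPOC",   # weaker grant below is superseded
    ("carol", "acme/finance"): "CPOC",
}


def ancestors_and_self(org: str) -> list[str]:
    """Walk from org up to the top-level organization."""
    chain = []
    while org is not None:
        chain.append(org)
        org = PARENT[org]
    return chain


def effective_role(user: str, org: str, grants=GRANTS) -> Optional[str]:
    """Highest role held on org or on any organization above it ("at least that role")."""
    held = [grants[(user, o)] for o in ancestors_and_self(org) if (user, o) in grants]
    if not held:
        return None
    return max(held, key=ROLE_RANK.__getitem__)


def can_perform(user: str, org: str, required: str, grants=GRANTS) -> bool:
    """True when the effective role ranks at or above the role an action requires."""
    role = effective_role(user, org, grants)
    return role is not None and ROLE_RANK[role] >= ROLE_RANK[required]
```

Note that grants do not flow upward: a user with ADMIN on a sub-organization has no role on its parent, and a weaker grant on a sub-organization never lowers the role inherited from above.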
## Architecture Connection
RosettaBox and RosettaCloud share the same governance layer:
- RosettaCloud defines the resource types that can be provisioned -- machines, storages, formations
- RosettaBox defines who can provision them, how much they can spend, and what compliance rules apply
The real-time Monitoring Service enforces a single governance decision across every resource-creation path at once. When a budget or quota is reached, both the federated cloud-console access (via RosettaBox) and RosettaCloud's meta-keys are blocked simultaneously -- no handoff, no gap.
## Two Paths, One Platform
The Supercloud serves two distinct needs simultaneously:
| Path | Who Uses It | What They Get |
|---|---|---|
| Native cloud access via federated consoles | Cloud experts, cloud learners, users of native services (SageMaker, Bedrock, Vertex AI, etc.) | Direct AWS/GCP/Azure/Alibaba console access within a governed sandbox. Full access to native cloud services. |
| RosettaCloud abstraction via formations and sessions | Researchers, educators, students, data scientists | One-click launches, shared templates, and cloud-agnostic IaC. No cloud expertise required. |
Both paths operate within the same organizational hierarchy, governed by the same budgets and policies. Many users use both -- launching formations for day-to-day work while accessing native consoles for provider-specific services. RosettaCloud does not abstract 100% of cloud services; native console access complements it for services like AI/ML, advanced analytics, and cloud-specific tooling.
RosettaBox governance applies across all verticals -- education, research, enterprise, SMB, and government -- providing dedicated cloud accounts, budget enforcement, and compliance regardless of domain.
```mermaid
graph LR
    subgraph mc ["RosettaCloud"]
        Provision["Provision resources\n(machines, storages, formations)"]
    end
    subgraph ro ["RosettaBox"]
        Budgets["Budget enforcement"]
        Policies["Compliance policies"]
        Audit["Audit + cost tracking"]
    end
    User(["User request"]) --> Policies
    Policies -->|"Policy check passed"| Budgets
    Budgets -->|"Budget available"| Provision
    Provision -->|"Resource events"| Audit
    Audit -->|"Informs policy updates"| Policies
    style mc fill:#fff3e0,stroke:#e65100,color:#000
    style ro fill:#e3f2fd,stroke:#1565c0,color:#000
    style User fill:#f5f5f5,stroke:#616161,color:#000
```
## Access Methods
All RosettaBox capabilities are available through multiple interfaces:
| Interface | Use Case |
|---|---|
| Portal | Interactive administration through the web console |
| API | Programmatic access for automation and integration |
| CLI | Command-line interface for scripting and DevOps workflows |
| SDKs | Python, Java, JavaScript, and additional language bindings |
## Sharing Made Simple
RosettaBox makes sharing cloud artifacts as straightforward as sharing a document:
- Share by username, group name, or organization name
- Select access rights from a simple permissions interface
- No need to define IAM policies, locate cloud account IDs, or configure cross-account roles
Consumer-grade simplicity
Sharing a cloud storage, virtual machine image, or IAM user is as easy as sharing a folder on a consumer file-sharing service.
## What's in This Section
| Page | Description |
|---|---|
| Organizations | Create hierarchies, assign managers, and configure governance boundaries |
| Users | Add and remove users, manage permissions and roles |
| Cloud Accounts | Monitor budgets, control access, and manage cloud account lifecycles |
| Projects | Create isolated environments with dedicated resources and budgets |
| User Onboarding | Self-registration, manager registration, SSO, and automatic provisioning |
| Resource Management | Native cloud visibility, bulk actions with service/region filtering, and resource safeguards |
| Cost Management | Real-time cost tracking, budget enforcement, and AI-driven forecasting |
| Compliance Scanning | Continuous compliance monitoring across frameworks |
| AI Usage Tracking | Monitor and control AI and LLM usage across providers |