
Cloud Operations

Governance, FinOps, compliance, and account lifecycle management -- unified across all clouds.

RosettaOps is RosettaHub's cloud operations product. It provides a single API surface for account vending, budget enforcement, compliance, and automated landing zones across AWS, Azure, GCP, Alibaba Cloud, OVH, and OpenStack. Where the MetaCloud converges compute and resource provisioning, RosettaOps converges the policies, budgets, accounts, and compliance controls that govern them.

The MetaCloud can be used independently for multi-account key management, cloud-agnostic IaC, and basic cost visibility. When combined with RosettaOps cloud operations, you get the full Supercloud -- a closed-loop platform where governance and provisioning are inseparable.


Unified Governance Across Clouds

RosettaOps exposes the same APIs for account vending, sandboxing, budget enforcement, compliance, and automated landing zones regardless of the target cloud:

Capability                 AWS   Azure   GCP   Alibaba Cloud
Account vending            ✓     ✓       ✓     ✓
Sandboxed environments     ✓     ✓       ✓     ✓
Budget enforcement         ✓     ✓       ✓     ✓
Compliance policies        ✓     ✓       ✓     ✓
Automated landing zones    ✓     ✓       ✓     ✓

A governance rule written once applies uniformly across all connected clouds.


The Observe, Govern, Automate Progression

RosettaOps follows a tiered trust model that lets organizations adopt governance incrementally:

  1. Observe -- gain visibility into cloud usage, costs, and compliance posture without restricting users
  2. Govern -- introduce budgets, policies, and approval workflows that constrain what users can do
  3. Automate -- codify governance as automated guardrails so that compliant behavior is the default, not the exception

Detailed model

For a full explanation of the three tiers and how to transition between them, see The RosettaOps Model.


Account Vending and Sandboxing

RosettaOps automates the provisioning and isolation of cloud accounts:

  • Automated account vending -- new cloud accounts are created on demand from the organization's root account, pre-configured with baseline policies and network settings
  • Project isolation -- each Project receives its own sandboxed environment with dedicated cloud accounts, preventing resource and cost leakage between teams
  • Context injection -- users receive pre-configured credentials and environment variables when they enter a project, eliminating manual setup

The organizational root account is partitioned into Projects, and users are assigned to those sandboxed environments with role-appropriate permissions.


Federated Cloud Console Access

RosettaOps gives every user direct access to native cloud consoles (AWS, GCP, Azure, Alibaba Cloud) while maintaining governance guardrails. Users work in the real cloud provider console -- not a proxy or limited subset -- with full access to native services within their sandbox.

How Federation Works

Cloud Provider Federation Mechanism Sandbox Enforcement
AWS RosettaHub automatically creates IAM roles in each user's sub-account. Users assume these roles via STS (Security Token Service) to obtain time-limited console sessions. Service Control Policies (SCPs) attached to the sub-account cap what any principal in it can do, regardless of the IAM permissions granted inside the account, and so confine actions to the permitted sandbox. When a budget is exceeded, an SCP deny statement blocks resource-creating actions while leaving read-only and delete actions available, so users can still inspect and clean up what they are paying for.
Alibaba Cloud Same model as AWS -- automatic IAM role creation with STS federation into sandboxed sub-accounts. Service Control Policies enforce sandbox boundaries and budget limits.
GCP RosettaHub shares the user's dedicated GCP project with a Google-recognized email address. Users sign in to the GCP Console with their Google identity. IAM policies on the project restrict permissions to the governed set of services and regions.
Azure Users access their dedicated Azure resource group through Azure role-based access control (RBAC). Role assignments scoped to the resource group enforce sandbox boundaries.
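
The AWS budget guardrail described in the table above, as an added example written for this page (it is not RosettaHub's own policy): an SCP with a single Deny statement over resource-creating actions, conditioned so that a platform-owned role is exempt, together with a minimal evaluator showing which actions survive. The IAM action names are real; the `RosettaHubManagement` and `RosettaHubSandboxUser` role names, the account ID and the evaluator are assumptions for illustration.

```python
"""Budget-exceeded guardrail as an AWS Service Control Policy (SCP).

Added example for this page, not RosettaHub's actual policy. The IAM action
names are real; the platform role ARN, the account ID and the evaluator are
illustrative assumptions.
"""
import fnmatch
import json

# Assumption: a platform-owned role that must keep working after the budget
# is exhausted, so it can still stop or clean up resources.
PLATFORM_ROLE_ARN = "arn:aws:iam::*:role/RosettaHubManagement"

# Real IAM actions that create billable resources (illustrative, not exhaustive).
RESOURCE_CREATING_ACTIONS = [
    "ec2:RunInstances",
    "ec2:CreateVolume",
    "ec2:AllocateAddress",
    "rds:CreateDBInstance",
    "rds:CreateDBCluster",
    "lambda:CreateFunction",
    "eks:CreateCluster",
    "s3:CreateBucket",
]


def budget_exceeded_scp() -> dict:
    """SCP document to attach to a sub-account once its budget is exceeded.

    Read-only (Describe*/List*/Get*) and cleanup (Terminate*/Delete*) actions
    are deliberately not listed, so they stay available.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyResourceCreationWhenOverBudget",
                "Effect": "Deny",
                "Action": RESOURCE_CREATING_ACTIONS,
                "Resource": "*",
                # For an assumed role, aws:PrincipalArn is the role ARN, so this
                # exemption matches the platform role in whichever account it lives.
                "Condition": {"ArnNotLike": {"aws:PrincipalArn": PLATFORM_ROLE_ARN}},
            }
        ],
    }


def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') against one or more patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def scp_permits(scp: dict, action: str, principal_arn: str) -> bool:
    """Minimal SCP evaluation for this guardrail.

    Starts from the FullAWSAccess default (everything permitted) and applies
    explicit Deny statements. Only the ArnNotLike condition on
    aws:PrincipalArn is modelled; this is not a general IAM evaluator.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or not _matches(stmt["Action"], action):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt and _matches(exempt, principal_arn):
            continue  # principal is carved out of this Deny
        return False  # an explicit Deny always wins
    return True


if __name__ == "__main__":
    scp = budget_exceeded_scp()
    print(json.dumps(scp, indent=2))
    user = "arn:aws:iam::111122223333:role/RosettaHubSandboxUser"    # constructed
    platform = "arn:aws:iam::111122223333:role/RosettaHubManagement"  # constructed
    for action in ("ec2:RunInstances", "ec2:DescribeInstances", "ec2:TerminateInstances"):
        print(f"{action:24} user={scp_permits(scp, action, user)!s:5} "
              f"platform={scp_permits(scp, action, platform)}")
```

Because an SCP only filters the account's permission ceiling, the explicit Deny overrides any IAM Allow granted inside the sub-account; `ec2:DescribeInstances` and `ec2:TerminateInstances` are not in the list, so users keep the ability to inspect and clean up. A real evaluator also has to handle Allow statements, resource ARNs and the other condition operators; this one models just enough for the guardrail.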

Why This Matters

For cloud experts -- DevOps engineers, platform teams, cloud architects -- federated console access means they can use the tools they already know (AWS Console, gcloud, Azure Portal) while RosettaOps enforces budgets, compliance, and sandbox isolation automatically. They get the full power of native cloud services with governance guardrails, without learning a new interface.

Even stronger with the MetaCloud

Cloud experts who prefer native consoles still benefit from the MetaCloud: cross-cloud IaC via formations, shareable infrastructure templates, one-click deployments for team members, and reproducible environments that work identically on any provider. RosettaOps governs; the MetaCloud accelerates.

For tutorials on accessing native consoles, see AWS Console Access and GCP Console Access.


Automated Landing Zones

Landing zones are pre-configured, compliant cloud environments that are ready for immediate use. RosettaOps provisions them automatically, applying:

  • Network topology (VPCs, subnets, peering)
  • Identity and access baselines
  • Logging and audit trail configuration
  • Security group and firewall defaults

Zero-touch onboarding

New teams receive a fully compliant cloud environment without filing tickets or waiting for manual setup.


Real-Time FinOps

Traditional cloud billing lags by hours or days. RosettaOps instead records cost the moment a resource is created: every running resource carries an hourly cost estimate, and these estimates are combined with the billing reports the provider publishes later.

Feature Description
Hourly cost estimates Every running resource carries an hourly cost estimate, visible to users in real time
Live cost tracking Costs are recorded when resources are provisioned, not when bills arrive
Hard budget limits Spending is blocked when a budget ceiling is reached -- no surprise overruns
Cloud resource visibility Users see their combined resources across all regions; managers see all resources across all sub-accounts
Superset dashboards Apache Superset dashboards provide rich analytics per root account, embedded via perspectives
FinOps FOCUS 1.3 Athena-based cost tables in the FOCUS standard, queryable by managers and users (users see only their own data)
Decentralized delegation Budget owners delegate portions of their budget to sub-organizations or projects
Transfer rights Delegated budgets carry transfer rights, enabling nested delegation chains

See Cost Management for full details on budget enforcement, delegation, FinOps FOCUS tables, and Superset dashboards.
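
The hard-limit and delegation behaviour described in the table above, as an added stand-alone simulation written for this page (class and method names are this example's own, not RosettaOps API names, and the prices are made up): hourly estimates are charged the moment a resource exists, a charge that would cross any ceiling up the chain is refused, and a delegate without transfer rights cannot delegate again.

```python
"""Hard budget ceilings with nested delegation (added example, not RosettaOps code)."""
from dataclasses import dataclass, field
from typing import List, Optional


class BudgetExceeded(Exception):
    """A charge or delegation would push committed spend past a hard ceiling."""


@dataclass
class Budget:
    name: str
    ceiling: float                        # hard limit, in currency units
    transferable: bool = True             # owner may delegate part of it further
    parent: Optional["Budget"] = None
    direct_spent: float = 0.0             # spend charged to this budget itself
    children: List["Budget"] = field(default_factory=list)

    def spent(self) -> float:
        """Committed spend, rolled up from all delegated sub-budgets."""
        return self.direct_spent + sum(c.spent() for c in self.children)

    def unallocated(self) -> float:
        """Headroom neither spent here nor handed out to sub-budgets."""
        return self.ceiling - self.direct_spent - sum(c.ceiling for c in self.children)

    def delegate(self, name: str, amount: float, transferable: bool = True) -> "Budget":
        """Carve a sub-budget out of this one. Sub-ceilings can never sum past the
        parent ceiling, and a delegate without transfer rights cannot delegate."""
        if not self.transferable:
            raise PermissionError(f"{self.name} holds no transfer rights")
        if amount <= 0 or amount > self.unallocated():
            raise BudgetExceeded(f"{self.name}: only {self.unallocated()} unallocated")
        child = Budget(name, amount, transferable, parent=self)
        self.children.append(child)
        return child

    def charge(self, amount: float) -> None:
        """Commit spend only if this budget and every ancestor stay under their ceilings."""
        node: Optional[Budget] = self
        while node is not None:
            if node.spent() + amount > node.ceiling:
                raise BudgetExceeded(f"{node.name}: ceiling {node.ceiling} reached")
            node = node.parent
        self.direct_spent += amount


@dataclass
class Resource:
    name: str
    hourly_estimate: float   # e.g. the on-demand hourly price of the instance type


def provision(budget: Budget, resource: Resource) -> None:
    """Charge the first hour at creation time; refuse before anything is created."""
    budget.charge(resource.hourly_estimate)


def hourly_tick(budget: Budget, running: List[Resource]) -> List[Resource]:
    """Charge each running resource one more hour; return those whose next hour
    no longer fits under the ceiling and therefore must be stopped."""
    to_stop = []
    for r in running:
        try:
            budget.charge(r.hourly_estimate)
        except BudgetExceeded:
            to_stop.append(r)
    return to_stop


def demo() -> dict:
    """Constructed scenario: an organization delegates to a project, which
    delegates a non-transferable slice to one user."""
    org = Budget("org", ceiling=100.0)
    project = org.delegate("project", 40.0)
    student = project.delegate("student", 10.0, transferable=False)
    gpu = Resource("gpu-box", hourly_estimate=4.0)

    provision(student, gpu)                  # hour 0: 4.0 committed at creation
    stopped = hourly_tick(student, [gpu])    # hour 1: 8.0, still under 10.0
    stopped += hourly_tick(student, [gpu])   # hour 2: 12.0 would breach -> stop it

    try:                                     # hard limit blocks new provisioning
        provision(student, Resource("extra-disk", hourly_estimate=3.0))
        blocked = False
    except BudgetExceeded:
        blocked = True
    try:                                     # no transfer rights: cannot sub-delegate
        student.delegate("friend", 1.0)
        no_transfer = False
    except PermissionError:
        no_transfer = True
    try:                                     # project has only 30.0 unallocated
        project.delegate("other-team", 35.0)
        overallocated = False
    except BudgetExceeded:
        overallocated = True

    return {
        "student_spent": student.spent(),         # 8.0
        "project_spent": project.spent(),         # 8.0, rolled up
        "org_spent": org.spent(),                 # 8.0, rolled up
        "stopped": [r.name for r in stopped],     # ["gpu-box"]
        "blocked_provision": blocked,             # True
        "no_transfer": no_transfer,               # True
        "overallocation_blocked": overallocated,  # True
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `charge` walks every ancestor before committing, so a sub-budget can never quietly push its parents over their ceilings even if the allocation invariant were broken elsewhere; `delegate` enforces that invariant up front by refusing to hand out more than the delegator's unallocated headroom.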


Compliance Enforcement

RosettaOps enforces compliance through policy-as-code, supporting major frameworks and benchmarks:

  • Cloud Custodian policies for automated resource-level enforcement
  • ISO 27001 information security controls
  • HIPAA safeguards for protected health information
  • CIS Benchmarks for cloud infrastructure hardening
  • NIST SP 800-53 security and privacy controls

Policies are evaluated continuously, and non-compliant resources can be flagged, quarantined, or terminated automatically.

The platform provides dedicated compliance views for managing and monitoring policy enforcement:

View Description
Cloud Custodian Policies Define and manage Cloud Custodian policy rules
Compliance Standards Configure compliance standard packages (ISO 27001, CIS, HIPAA, NIST)
Policy Execution Outputs Review results from automated policy enforcement runs

Resource Management

RosettaOps provides direct visibility into cloud provider resources and the ability to act on them in bulk. Users see their resources combined across all regions; managers see all resources across all sub-accounts. Bulk actions -- Stop All, Terminate All, and Cleanup All -- can be filtered by service and region, giving managers precise control over what gets affected.

See Resource Management for native cloud views, bulk actions, service/region filtering, and resource safeguards.


Permissions Management

RosettaOps controls what cloud services, regions, and instance types are available to users and organizations. Permissions are set at the organization level and inherited downward:

Permission Description
Clouds Which cloud providers users can access
Cloud Services Available services per provider (EC2, S3, Lambda, etc.)
Cloud Regions Geographic regions where resources can be provisioned
Instance Types Compute instance types available for launching (CPU, memory, GPU configurations)
DB Instance Types Database instance types for managed database services
Limit Requests Service limit increase requests submitted to cloud providers

Administrators configure permissions through role assignments at the organization, sub-organization, or user level. Users cannot exceed the permissions set by their organization's CPOC.


Security and Automation

RosettaOps includes automated safeguards that protect cloud accounts without manual intervention:

Account Protection

Feature Description
Automatic abuse handling When a cloud provider reports abuse on an account, the user and their managers are automatically notified and access keys are immediately reset
Compromised key response Access keys flagged as compromised by the cloud provider are reset immediately
Regular key rotation Cloud access keys on all managed accounts are rotated on a regular schedule
Auto-disable on compromise Cloud accounts are automatically disabled if keys are compromised or abuse is detected
Quarantine Accounts can be quarantined with manual-only restoration for security incidents

Resource Safeguards

Auto-stop idle instances, Spot instance management, instance count limits, and storage quotas. See Resource Management for the full list.

Notifications and Auditing

Feature Description
Email notifications Automated alerts for warnings and critical events sent to users and administrators
Action auditing Full audit trail of all user actions and cloud account operations
Cloud provider monitoring AWS (Lambda, CloudWatch, CloudTrail), GCP (Cloud Functions, Alerts), Azure (Functions, Monitor, Activity Logs)

The Organizational Hierarchy

RosettaOps structures governance around organizations, users, and projects. Both users and projects can have their own dedicated cloud accounts with budgets.

graph TD
    Org["Organization\n(top-level governance boundary)"]
    SubOrg["Sub-organization\n(nested delegation)"]
    U1["User\n(roles + cloud accounts)"]
    U2["User\n(roles + cloud accounts)"]
    P1["Project\n(isolation unit)"]
    CA_U["User Cloud Accounts\n(dedicated budgets)"]
    CA_P["Project Cloud Accounts\n(dedicated budgets)"]

    Org --> SubOrg
    Org --> U2
    Org --> P1
    SubOrg --> U1
    U1 --> CA_U
    U2 --> CA_U
    P1 --> U1
    P1 --> U2
    P1 --> CA_P

    style Org fill:#e8eaf6,stroke:#283593,color:#000
    style SubOrg fill:#e3f2fd,stroke:#1565c0,color:#000
    style U1 fill:#f3e5f5,stroke:#6a1b9a,color:#000
    style U2 fill:#f3e5f5,stroke:#6a1b9a,color:#000
    style P1 fill:#fff3e0,stroke:#e65100,color:#000
    style CA_U fill:#e8f5e9,stroke:#2e7d32,color:#000
    style CA_P fill:#e8f5e9,stroke:#2e7d32,color:#000

  • Organizations define the top-level governance boundary and can be nested into sub-organizations for delegated management
  • Users belong to organizations and can have zero, one, or multiple dedicated cloud accounts with individual budgets. A user with no personal cloud accounts can still work within a project's cloud accounts through assigned project roles.
  • Projects are isolation units with their own dedicated cloud accounts and budgets. Users participate in projects through assigned project roles (CPOC, ADMIN, SUPERUSER).
  • Roles can be assigned directly to users or inherited from the organizations they belong to. A role held at a parent organization applies to all sub-organizations beneath it.

Management Roles

RosettaOps uses a role-based access control model with three management roles:

Role Scope Capabilities
CPOC Limited administrative access Manage registrations, view budgets, basic user administration
ADMIN Full administrative access All CPOC capabilities plus cloud account management, policy configuration
SUPERUSER Complete control All ADMIN capabilities plus credential management, account cleanup, destructive operations

Role Inheritance

If a user holds a role on an organization, they automatically hold at least that role on every sub-organization beneath it. A SUPERUSER at the top level is a SUPERUSER everywhere.
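
Two rules on this page pull in opposite directions along the hierarchy: a management role held at a parent organization is held at least at that level on every sub-organization beneath it (roles widen downward), while the cloud/service/region permissions set at the organization level can only be narrowed by sub-organizations, so users never exceed what their organization allows. The added example below, written for this page with a constructed hierarchy and constructed grants (none of it is RosettaOps data or API), resolves both: the effective role is the maximum over the ancestor chain, the effective service allowlist is the intersection over it.

```python
"""Effective roles and service permissions in a nested organization.

Added example, not RosettaOps code. The hierarchy, grants and allowlists are
constructed for illustration.
"""
from typing import Dict, List, Optional, Set

# Management roles ordered by privilege, as listed in the Management Roles table.
ROLE_RANK = {"CPOC": 1, "ADMIN": 2, "SUPERUSER": 3}

# Constructed hierarchy: organization -> parent organization (None at the root).
PARENT: Dict[str, Optional[str]] = {
    "acme": None,
    "acme/research": "acme",
    "acme/research/lab-7": "acme/research",
}

# Constructed direct role grants: (user, organization) -> role.
GRANTS: Dict[tuple, str] = {
    ("alice", "acme"): "SUPERUSER",
    ("bob", "acme/research"): "CPOC",
    ("bob", "acme/research/lab-7"): "ADMIN",
}

# Constructed service allowlists per organization. lab-7 lists "rds", which its
# parent does not allow; the intersection below removes it.
ALLOWED_SERVICES: Dict[str, Set[str]] = {
    "acme": {"ec2", "s3", "lambda", "sagemaker", "rds"},
    "acme/research": {"ec2", "s3", "sagemaker"},
    "acme/research/lab-7": {"ec2", "s3", "sagemaker", "rds"},
}


def lineage(org: str) -> List[str]:
    """The organization and all its ancestors, nearest first."""
    chain: List[str] = []
    node: Optional[str] = org
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain


def effective_role(user: str, org: str) -> Optional[str]:
    """Highest role the user holds on org or any ancestor: 'at least that role'
    on every sub-organization beneath the grant."""
    best: Optional[str] = None
    for node in lineage(org):
        role = GRANTS.get((user, node))
        if role is not None and (best is None or ROLE_RANK[role] > ROLE_RANK[best]):
            best = role
    return best


def effective_services(org: str) -> Set[str]:
    """Intersection of allowlists along the chain: a sub-organization can remove
    services its parent allows but cannot add ones the parent withholds."""
    allowed: Optional[Set[str]] = None
    for node in lineage(org):
        here = ALLOWED_SERVICES.get(node)
        if here is not None:
            allowed = set(here) if allowed is None else allowed & here
    return allowed if allowed is not None else set()


def can_provision(org: str, service: str) -> bool:
    """Whether a member of org may launch the given service at all."""
    return service in effective_services(org)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for org in PARENT:
            print(f"{user:6} {org:22} role={effective_role(user, org)}")
    for org in PARENT:
        print(f"{org:22} services={sorted(effective_services(org))}")
```

Run against the constructed data, `alice` is SUPERUSER on all three organizations from a single grant at the root, `bob` is ADMIN on lab-7 (his direct grant outranks the CPOC he inherits from research) but holds nothing on `acme` itself, and lab-7 cannot provision `rds` even though its own allowlist names it, because `acme/research` never permitted it.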


Architecture Connection

RosettaOps and the MetaCloud form a closed governance loop:

  • The MetaCloud defines what can be provisioned -- machines, storages, formations
  • RosettaOps defines who can provision it, how much they can spend, and what compliance rules apply

The same platform that creates resources also enforces the budgets and policies that govern them. There is no gap between provisioning and governance.

Two Paths, One Platform

The Supercloud serves two distinct needs simultaneously:

Path Who Uses It What They Get
Native cloud access via federated consoles Cloud experts, cloud learners, users of native services (SageMaker, Bedrock, Vertex AI, etc.) Direct AWS/GCP/Azure/Alibaba console access within a governed sandbox. Full access to native cloud services.
MetaCloud abstraction via formations and sessions Researchers, educators, students, data scientists One-click launches, shared templates, and cloud-agnostic IaC. No cloud expertise required.

Both paths operate within the same organizational hierarchy, governed by the same budgets and policies. Many users use both -- launching formations for day-to-day work while accessing native consoles for provider-specific services. The MetaCloud does not abstract 100% of cloud services; native console access complements it for services like AI/ML, advanced analytics, and cloud-specific tooling.

RosettaOps governance applies across all verticals -- education, research, enterprise, SMB, and government -- providing dedicated cloud accounts, budget enforcement, and compliance regardless of domain.

graph LR
    subgraph mc ["MetaCloud"]
        Provision["Provision resources\n(machines, storages, formations)"]
    end

    subgraph ro ["RosettaOps"]
        Budgets["Budget enforcement"]
        Policies["Compliance policies"]
        Audit["Audit + cost tracking"]
    end

    User(["User request"]) --> Policies
    Policies -->|"Policy check passed"| Budgets
    Budgets -->|"Budget available"| Provision
    Provision -->|"Resource events"| Audit
    Audit -->|"Informs policy updates"| Policies

    style mc fill:#fff3e0,stroke:#e65100,color:#000
    style ro fill:#e3f2fd,stroke:#1565c0,color:#000
    style User fill:#f5f5f5,stroke:#616161,color:#000

Access Methods

All RosettaOps capabilities are available through multiple interfaces:

Interface Use Case
Portal Interactive administration through the web console
API Programmatic access for automation and integration
CLI Command-line interface for scripting and DevOps workflows
SDKs Python, Java, JavaScript, and additional language bindings

Sharing Made Simple

RosettaOps makes sharing cloud artifacts as straightforward as sharing a document:

  • Share by username, group name, or organization name
  • Select access rights from a simple permissions interface
  • No need to define IAM policies, locate cloud account IDs, or configure cross-account roles

Consumer-grade simplicity

Sharing a cloud storage, virtual machine image, or IAM user is as easy as sharing a folder on a consumer file-sharing service.


What's in This Section

Page Description
Organizations Create hierarchies, assign managers, and configure governance boundaries
Users Add and remove users, manage permissions and roles
Cloud Accounts Monitor budgets, control access, and manage cloud account lifecycles
Projects Create isolated environments with dedicated resources and budgets
User Onboarding Self-registration, manager registration, SSO, and automatic provisioning
Resource Management Native cloud visibility, bulk actions with service/region filtering, and resource safeguards
Cost Management Real-time cost tracking, budget enforcement, and AI-driven forecasting
Compliance Scanning Continuous compliance monitoring across frameworks
AI Usage Tracking Monitor and control AI and LLM usage across providers