
Cloud Operator for AWS

Our first Cloud Operator release with Zero Standing Privileges and Just-in-Time access

Cloud Operator for AWS is our first cloud-native release. While the Solo Operator focuses on local system administration, the Cloud Operator for AWS provides Zero Standing Privileges and Just-in-Time privilege escalation for secure cloud operations. Built with AWS IAM-friendly patterns, this architecture is designed to be adaptable to other cloud providers - GCP, Azure, and more are coming soon.

Cloud Operator Options

Cloud Operators use a separate slot allocation from Solo Operators (Personal: 1 cloud slot, Professional: 5 cloud slots). The Cloud Operator for AWS is our flagship release with intent-based security. For advanced users who know what they're doing, the Cloud Operator Binary provides multi-cloud CLI access on any system:

Cloud Operator Binary (--cloud flag, Advanced)

For advanced users: the same ~8MB binary with the --cloud flag unlocks cloud CLI tools. Runs on any Linux system with port 443 outbound - any cloud provider, any environment. You bring your own credentials.

Tools: aws, gcloud, az, terraform, kubectl, plus all Solo Operator commands

  • Multi-cloud environments (AWS, GCP, Azure)
  • Any Linux system with your credentials
  • Advanced users who manage their own security

Cloud Operator for AWS (Recommended - Zero Standing Privileges)

Our first Cloud Operator release. Pre-configured EC2 AMI with Zero Standing Privileges and Just-in-Time access. The AI requests permissions only when needed. Built with AWS IAM-friendly patterns; support for other cloud providers is coming soon.

Tools: aws, terraform, kubectl, ansible, helm

Intent-Based Policy Execution: the AI requests AWS permissions on demand. You approve, it executes, and every grant stays revocable.
Feature                  | Cloud Operator Binary (Advanced) | Cloud Operator for AWS (Recommended)
Deployment               | Any Linux system with --cloud    | Launch EC2 from AMI
Cloud Providers          | AWS, GCP, Azure (any)            | AWS (more coming soon)
Tools Pre-installed      | No                               | Yes
Zero Standing Privileges | No                               | Yes
Just-in-Time Access      | No                               | Yes
Credential Management    | You bring your own               | IAM Role via IMDS
Slot Cost                | 1 cloud slot                     | 1 cloud slot

Cloud Operator Binary (Advanced)

For advanced users who know what they're doing: the same ~8MB reference implementation with the --cloud flag. This unlocks cloud CLI commands (aws, gcloud, az, terraform, kubectl) on any Linux system with port 443 outbound to operator.dropops.ai - any cloud provider, any environment.

When to use: You have existing infrastructure with cloud credentials configured, need multi-cloud support (AWS, GCP, Azure), or want to run the Operator in environments where the Cloud Operator for AWS AMI isn't available. You manage your own credential security.

Deployment

Download the Operator Binary as normal, then start it with the --cloud flag:

Terminal
$ curl -fsSL https://dropops.ai/operator/drop | bash

# Follow prompts to download the binary...

$ ./dropops-operator --cloud

=================
DropOps Operator
Version: 1.0.0
=================
MODE: Cloud Operator (--cloud flag enabled)
Cloud CLI commands are UNLOCKED: aws, gcloud, az, terraform, kubectl
 - Requires port 443 outbound only
============================================
INFO: DropOps Operator initializing...
INFO: Authentication successful
INFO: DropOps Operator started successfully!
INFO: Standing by

Credentials

The Cloud Operator Binary uses credentials from the host system. Configure them before starting:

  • AWS - ~/.aws/credentials, environment variables, or IAM role (if on EC2)
  • GCP - gcloud auth login or service account JSON
  • Azure - az login or service principal
  • Kubernetes - ~/.kube/config with cluster contexts

Note: Unlike the Cloud Operator for AWS, the Cloud Operator Binary does not include Zero Standing Privileges or Just-in-Time access. The AI uses whatever permissions your credentials already have. For improved security boundaries, we recommend the Cloud Operator for AWS.

Cloud Operator for AWS

Our first Cloud Operator release, purpose-built for AWS. A pre-configured EC2 instance with all infrastructure tools pre-installed, using Zero Standing Privileges and Just-in-Time access. The AI launches with zero AWS access and requests permissions only when needed. Built with AWS IAM-friendly patterns - this architecture is designed to be adaptable to other cloud providers (GCP, Azure, and more coming soon).

Recommended for cloud operations: The Cloud Operator for AWS provides clear intent boundaries and improved security through its Zero Standing Privileges model. The AI starts with zero access and asks before touching any AWS resource. All permissions are revocable through conversation.

Key Benefits

One-Click Deployment

Deploy everything with a single CloudFormation stack. One template creates the IAM roles, permission boundary, 40+ intent policies, and launches the EC2 instance:

  1. Get your API key from dropops.ai (required before launch)
  2. Deploy cloud-operator.yaml - creates roles and policies, and launches EC2
  3. Bind the active operator to your chat session

See the full setup guide for step-by-step instructions.

Zero Standing Privileges

The Operator launches with zero access to your AWS resources. It can only identify itself - nothing else. When you ask it to do something, it asks permission first: "Should I be able to see EC2 instances?" You say Yes or No. Ask the AI to revoke any permission at any time and it will actually detach the IAM policy from the Operator Role. No pre-configured access, no standing permissions.

DENY-Only Permission Boundary: The permission boundary carries only DENY rules - it blocks dangerous operations (IAM modifications, instance termination, secrets writes, etc.) and grants nothing. Note that an IAM permission boundary never grants permissions in any case: it caps what the role's attached policies can allow, and an action takes effect only if both the boundary and an attached policy allow it. Every capability must be explicitly granted through an Intent policy that requires your approval, and the boundary's explicit denies override any Intent policy.

Pre-Installed Toolbox

Comes with Terraform, AWS CLI v2, kubectl, Helm, jq/yq, Python 3, Git, and more - everything your DevOps team needs, ready to go.

Enterprise-Grade Security

Outbound-only architecture with zero listening ports. AWS credentials come from IAM roles via instance metadata (IMDS) - no AWS access keys stored on disk. DropOps platform authentication uses a separate API key from your Operator Panel.

Inline Sensitive Data Scrubbing

Sensitive data never touches storage. The Sentinel scrubber runs inline between command execution and persistence. AWS account IDs, access keys, ARNs, IP addresses, credentials, and 30+ sensitive patterns are replaced with safe placeholders before data is written to the local audit vault or transmitted anywhere. Zero-trust principle: if it's sensitive, it's never persisted. As with any pattern-based scrubber, the protection extends to the formats it recognizes; a secret in an unfamiliar format (a bare password echoed by a script, say) is best kept out of command output in the first place.
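As an added illustration of the scrub-before-persist hook described above (this is not the Sentinel scrubber's own code, and it covers only a handful of the 30+ patterns, which this page does not list): a small pattern-based scrubber that maps each distinct secret to a stable placeholder, and a record() function standing in for the write to the audit vault. The pattern set, the placeholder format and the sample strings are constructed for the example.

```python
"""Added example of inline scrubbing before persistence. Not the Sentinel
scrubber's code; patterns, placeholder format and samples are constructed."""
import re

# Ordered so composite formats are handled first: a KEY=VALUE credential before a
# bare access key it may contain, an ARN before the account ID embedded in it.
# Each entry: (label, regex, index of the group that is the secret; text before it is kept).
PATTERNS = [
    ("CREDENTIAL", re.compile(
        r"(?i)\b([a-z0-9_.-]*(?:password|passwd|secret|token|key)[a-z0-9_.-]*\s*[=:]\s*)(\S+)"), 2),
    ("AWS_ACCESS_KEY_ID", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 0),
    ("ARN", re.compile(r"\barn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:\d{12}:[^\s\"',]+"), 0),
    # Also hits any other 12-digit number; over-scrubbing is the safe failure mode.
    ("AWS_ACCOUNT_ID", re.compile(r"\b\d{12}\b"), 0),
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), 0),
]


class Scrubber:
    """Replaces each distinct secret with a stable placeholder such as <ARN_2>, so a
    scrubbed log stays readable: the same value maps to the same token every time."""

    def __init__(self):
        self._placeholders = {}   # (label, value) -> placeholder text

    def _placeholder(self, label, value):
        key = (label, value)
        if key not in self._placeholders:
            n = sum(1 for lbl, _ in self._placeholders if lbl == label) + 1
            self._placeholders[key] = f"<{label}_{n}>"
        return self._placeholders[key]

    def scrub(self, text):
        for label, pattern, group in PATTERNS:
            def repl(m, label=label, group=group):
                kept = m.group(0)[: m.start(group) - m.start(0)]   # e.g. "DB_PASSWORD="
                return kept + self._placeholder(label, m.group(group))
            text = pattern.sub(repl, text)
        return text


def record(scrubber, command_output, vault):
    """The inline hook: everything appended to the audit vault (a list standing in
    for the on-disk store) passes through scrub() first; raw output is never stored."""
    safe = scrubber.scrub(command_output)
    vault.append(safe)
    return safe
```

A value the scrubber has no pattern for (a bare password printed on its own, with no key name beside it) passes through untouched, which is the limit the paragraph above describes.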

Security & Backup Tools

Pre-installed security tools include Restic for encrypted S3 backups, fail2ban for intrusion prevention, and auditd for security auditing and file access monitoring. Given the Operator's zero-listening-ports design, fail2ban only has something to watch once you expose a service such as SSH.

Multi-Operator Management

Bind multiple Cloud Operators to the same session - manage your production, staging, and development AWS environments from a single conversation. The AI automatically routes commands to the appropriate operator based on hostname or your specification.

Batch Approvals: When the same command needs to run across multiple operators, you see one approval dialog listing all impacted systems. Click "Approve for N Systems" once - no need to approve each operator individually. Results are displayed with hostname headers for clear attribution.

How It Works

Quick Start: Drop Script

The fastest way to deploy. One command handles AWS profile selection, region, API key input, and CloudFormation stack creation:

$ curl -fsSL https://dropops.ai/operator/cloud-drop | bash

As with any installer piped from curl into bash, you can download the script first and read it before running it if your change control requires that.

Limited Availability

The Cloud Operator AMI is currently in Limited Availability. To get access:

  1. Open the Operator Panel → Click Operator Download → Select Cloud tab
  2. Enter your 12-digit AWS Account ID
  3. Click the CloudFormation buttons to deploy IAM roles and launch the instance

Setup Steps

  1. Get Your DropOps API Key - Required before launch. Go to dropops.ai, open the Operator dropdown at the top of the page, and copy an available Operator API key.
  2. Deploy CloudFormation Stack - Deploy cloud-operator.yaml, which creates the two-role architecture (Operator + Escalation), the DENY-only permission boundary, 40+ intent policies and the security group, and launches the EC2 instance with your API key.
  3. Bind Operators to Your Session - The Operator appears as Active in the Operator dropdown. Click the link icon to bind it to your chat session. Multi-Operator Support: bind multiple Cloud Operators simultaneously to manage production, staging and dev environments from a single conversation.
Tell DropOps what you want done

  1. User States Intent - "I want to list all EC2 instances" or "Deploy this Terraform config"
  2. DropOps Checks Governing Policy - Does the current policy allow fulfilling this intent? If allowed, the intent is executed immediately with existing permissions; if not, continue to step 3.
  3. Determine Least-Privilege Additions - DropOps calculates the minimal policy changes required to fulfill your intent
  4. Propose Policy Changes - DropOps presents the exact permissions it needs and why
  5. User Reviews Proposed Changes - You review the proposed policy additions. Approved: continue to step 6. Denied: proceed to step 8.
  6. Attach Pre-Defined Intent Policy - DropOps uses the Two-Role Architecture to attach a pre-defined managed policy to the Operator Role (the AI cannot write arbitrary IAM)
  7. Execute Original Intent - DropOps fulfills your original request with the newly granted permissions
  8. Present Results & Await Response - DropOps presents results, may ask follow-up questions, and awaits your response

The cycle continues with your next intent.

Intent-Based Permissions

Stop writing JSON IAM policies. With intent-based permissions, the AI translates your answers into secure AWS policies:

AI Question                  | What It Grants
"See other EC2 instances?"   | ec2:Describe*
"Start/stop EC2 instances?"  | ec2:StartInstances, ec2:StopInstances, ec2:RebootInstances
"Read from S3 buckets?"      | s3:GetObject, s3:ListBucket
"Manage Terraform state?"    | S3 + DynamoDB access for the tfstate bucket and lock table
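The following Python models the escalation loop from the eight steps above together with the intent table: the Operator role's permission boundary, the Escalation role's attach/detach policy restricted to the pre-defined intent policies, and a least-privilege planner that decides which intent policy to propose, or why an intent has to be refused. It is an added illustration, not DropOps code and not the contents of cloud-operator.yaml; the account ID, the DropOpsOperatorRole name, the dropops-intent- ARN prefix, the policy contents and the boundary deny list are all assumptions made for the example.

```python
"""Added example of the two-role, intent-policy escalation loop. Not DropOps code:
the account ID, role name, policy prefix, policy contents and boundary denies
are constructed for illustration."""
import fnmatch

ACCOUNT = "123456789012"                                                  # constructed
OPERATOR_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/DropOpsOperatorRole"     # assumed name
INTENT_POLICY_PREFIX = f"arn:aws:iam::{ACCOUNT}:policy/dropops-intent-"    # assumed name

# Pre-defined managed policies, one per approvable intent (mirrors the table above).
INTENT_POLICIES = {
    "ec2-describe":  ["ec2:Describe*"],
    "ec2-lifecycle": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
    "s3-read":       ["s3:GetObject", "s3:ListBucket"],
    "tfstate":       ["s3:GetObject", "s3:PutObject", "s3:ListBucket",
                      "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"],
}

# Explicit denies carried by the permission boundary (illustrative subset).
BOUNDARY_DENY = ["iam:*", "ec2:TerminateInstances", "secretsmanager:PutSecretValue",
                 "secretsmanager:CreateSecret", "kms:ScheduleKeyDeletion"]


def permission_boundary_document():
    """A boundary never grants anything; it is the ceiling that attached policies are
    intersected with. The Deny statement is the page's "DENY-only rules"; the Allow "*"
    ceiling is needed because without it the intersection would be empty."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": BOUNDARY_DENY, "Resource": "*"},
    ]}


def escalation_role_policy_document():
    """The only IAM write the Escalation role holds: attach or detach policies whose
    ARN starts with the intent prefix, and only on the Operator role. There is no
    iam:CreatePolicy or iam:PutRolePolicy, so the AI cannot author new permissions."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
        "Resource": OPERATOR_ROLE_ARN,
        "Condition": {"ArnLike": {"iam:PolicyARN": INTENT_POLICY_PREFIX + "*"}},
    }]}


def _matches(pattern, action):
    # IAM action names are case-insensitive and policies may use '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def boundary_blocks(action):
    return any(_matches(p, action) for p in BOUNDARY_DENY)


def escalation_may_attach(policy_arn):
    """Evaluate the Condition above the way IAM would for an AttachRolePolicy call."""
    return fnmatch.fnmatchcase(policy_arn, INTENT_POLICY_PREFIX + "*")


def allowed(attached, action):
    """Step 2: does the Operator role's current policy set cover this action?"""
    if boundary_blocks(action):
        return False
    return any(_matches(p, action) for name in attached for p in INTENT_POLICIES[name])


def plan_escalation(attached, required):
    """Steps 3-4: return (proposal, refused). proposal is the smallest set of intent
    policies covering the missing actions; refused maps ungrantable actions to the
    reason, in which case nothing is proposed."""
    missing = [a for a in required if not allowed(attached, a)]
    refused = {a: "permission boundary denies it" for a in missing if boundary_blocks(a)}
    if refused:
        return [], refused
    proposal = []
    while missing:
        # Greedy set cover: the policy covering most missing actions, ties to the narrowest.
        scored = [
            (sum(any(_matches(p, m) for p in acts) for m in missing), -len(acts), name)
            for name, acts in INTENT_POLICIES.items()
            if name not in attached and name not in proposal
        ]
        if not scored or max(scored)[0] == 0:
            return [], {m: "no pre-defined intent policy grants it" for m in missing}
        name = max(scored)[2]
        proposal.append(name)
        missing = [m for m in missing if not any(_matches(p, m) for p in INTENT_POLICIES[name])]
    return proposal, {}
```

Because the Escalation role's Condition is keyed on iam:PolicyARN, an attempt to attach anything outside the dropops-intent- prefix (AdministratorAccess, for instance) fails at the IAM layer regardless of what the AI proposes; the planner enforces the boundary's denies before proposing so that a forbidden intent such as terminating an instance is refused at step 3 instead of failing later.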

Security Architecture

The Cloud Operator follows the same zero-trust, outbound-only security model as all DropOps components. Your infrastructure credentials never leave your AWS account.

  • Outbound 443 Only - The Operator initiates all connections. No inbound ports, no firewall exceptions needed.
  • No Stored AWS Credentials - AWS credentials come from IAM roles via the EC2 Instance Metadata Service (IMDS); no AWS access keys are written to disk. DropOps platform auth uses a separate API key from your Operator Panel.
  • IMDSv2 Preferred - IMDSv2 requires a session token obtained with a PUT request before any metadata can be read, which defeats the classic SSRF credential theft that works against IMDSv1. The protection is only enforced when the instance's HttpTokens metadata option is set to required; with it set to optional, IMDSv1 still answers unauthenticated GET requests, so check the launched instance's metadata options.
  • Least Privilege - The Cloud Operator role starts with minimal permissions. Additional access is granted only when you approve.
  • Human-in-the-Loop - Every command requires your explicit approval before execution. Batch approvals let you approve the same command across multiple operators with a single click.
  • Audit Trail - Every policy attach and detach is an IAM API call recorded by AWS CloudTrail, so all permission changes are traceable.
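An added example (not DropOps code) of the credential path the second and third bullets describe: a strict IMDSv2 fetch of the instance role's temporary credentials with no fallback to IMDSv1, plus a review of the MetadataOptions block that ec2:DescribeInstances returns. The endpoint address, paths and header names are AWS's; the http parameter (a swappable transport so the flow can be exercised off an EC2 instance) and the DropOpsOperatorRole name used in the comments are assumptions of the example.

```python
"""Added example: IMDSv2-only credential fetch and a metadata-options check.
Not DropOps code. Runs against the real metadata endpoint on an EC2 instance;
pass a different `http` callable to exercise it anywhere else."""
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_TTL_SECONDS = "300"   # short-lived session token, requested fresh per fetch


def http_request(method, url, headers, timeout=2.0):
    """Default transport: returns (status, body). IMDS answers only on the link-local address."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def fetch_role_credentials(http=http_request):
    """IMDSv2 flow: PUT for a session token, then GET with the token header.
    Deliberately no IMDSv1 fallback: the unauthenticated GET is exactly what a
    GET-only SSRF primitive can replay, whereas a PUT carrying a custom header
    normally cannot be forged through one."""
    status, token = http("PUT", f"{IMDS}/latest/api/token",
                         {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
    if status != 200 or not token:
        raise RuntimeError("IMDSv2 token unavailable; refusing IMDSv1 fallback")
    auth = {"X-aws-ec2-metadata-token": token}
    status, body = http("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/", auth)
    if status != 200 or not body.strip():
        raise RuntimeError("no IAM role attached to this instance")
    role = body.strip().splitlines()[0]          # e.g. DropOpsOperatorRole (assumed name)
    status, body = http("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/{role}", auth)
    creds = json.loads(body) if status == 200 else {}
    if creds.get("Code") != "Success":
        raise RuntimeError(f"credential document for {role} not available")
    return {
        "role": role,
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["Token"],
        "expiration": creds["Expiration"],
    }


def metadata_option_findings(options):
    """Review the MetadataOptions block from ec2:DescribeInstances. The token flow
    above only mitigates SSRF if HttpTokens is 'required'; with 'optional',
    IMDSv1 still answers plain GET requests."""
    findings = []
    if options.get("HttpEndpoint") != "enabled":
        findings.append("HttpEndpoint is not enabled: the instance role is unusable")
    if options.get("HttpTokens") != "required":
        findings.append("HttpTokens is not 'required': IMDSv1 still reachable, SSRF theft not mitigated")
    if options.get("HttpPutResponseHopLimit", 1) != 1:
        findings.append("HttpPutResponseHopLimit > 1: tokens obtainable from behind NAT or a container bridge")
    return findings


# The fix, as keyword arguments for boto3's ec2.modify_instance_metadata_options(InstanceId=..., **HARDENED_METADATA_OPTIONS)
HARDENED_METADATA_OPTIONS = {"HttpTokens": "required", "HttpEndpoint": "enabled",
                             "HttpPutResponseHopLimit": 1}
```

On an instance where the token request is rejected (for example because a hop limit of 1 is exceeded from inside a container), the fetch raises rather than silently degrading to IMDSv1; that failure is the signal to fix the instance configuration, not to widen the client.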

Pre-Installed Tools

The DropOps Cloud Operator for AWS comes pre-loaded with common infrastructure and Linux troubleshooting tools. Need something else? Just ask the AI to install it - the Operator runs with sudo privileges, so any tool can be added on demand. Keep in mind that Zero Standing Privileges governs the Operator's AWS API access; on the instance itself it already holds root via sudo, so anything it installs or runs locally does so with that authority:

  • Terraform - Infrastructure as Code
  • AWS CLI v2 - AWS Management
  • kubectl - Kubernetes Control
  • Helm - K8s Package Manager
  • jq / yq - Data Processing
  • Python 3 - Custom Scripts

Recommended Configuration

Instance Type

t3.micro (2 vCPUs, 1 GiB RAM) or t2.micro (1 vCPU, 1 GiB RAM) is recommended. Sufficient for most workloads with cost-effective pricing.

Network Requirements

Outbound HTTPS (443) only. No inbound ports required. Works behind NAT and corporate firewalls. DNS (53) is optional - The DropOps Cloud Operator for AWS includes necessary /etc/hosts entries. If your infrastructure allows outbound DNS, DropOps can manage the local firewall to open port 53 on-demand as needed.

Note: The Cloud Operator for AWS requires a DropOps subscription plan that includes Cloud Operator access. AWS infrastructure costs (EC2, data transfer) are billed separately through your AWS account.

Ready to Get Started?

Deploy AI-powered Cloud Operators for infrastructure automation today.