Getting Started

Setup usually takes 5–10 minutes for the first account.

1. Create your account

Go to opscurb.com/signup, sign up, and verify your email. You can start on Free and upgrade later.

2. Connect your AWS account

OpsCurb uses a tiered AWS access model.

Start with the required Core Scan Role

In OpsCurb, open Settings.
Click Add AWS Account.
Copy the OpsCurb AWS Account ID and the generated Core External ID.
In AWS, create a role trusted by OpsCurb's AWS account and require that External ID.
Attach the generated Core scan permissions policy shown in the OpsCurb UI.
Back in OpsCurb, enter:
- AWS account ID
- Core Scan Role ARN
- Regions to scan
Save.

After saving, OpsCurb starts your first core scan automatically.

Add optional roles later only if needed

Optional capability roles can be connected later from Settings → Edit Account:

Deep Inspect
Advanced log diagnostics
S3 inventory
IAM hygiene
Tag inventory

Use the public Permissions Matrix to decide which optional roles your team actually wants to enable.

Why the setup is split

The Core Scan Role keeps the first connection narrower and easier to review.
Sensitive surfaces such as CloudWatch Logs, S3 inventory, IAM listings, and tag inventory are opt-in.
Separate optional roles provide stronger hardening, narrower permission boundaries, and cleaner isolation than folding those capabilities into one broader role.
You can prove value first, then enable deeper workflows only where justified.

3. Run scans

Free: limited manual scans (1 per month)
Growth: daily automated scans, plus up to 10 manual rescans per month
Scale: daily automated scans, plus manual scans on demand

To run a scan now: Settings → AWS Accounts → Run Scan.

4. Review findings

Each finding includes resource, region, estimated monthly waste, and recommended next steps. Use filters to focus by severity, region, account, status, and ownership.

The findings workspace has two operating modes, toggled at the top of the page:

My Queue — shows findings where you are the likely or assigned owner. Use the My Infra, My Owned, and My Overdue sub-filters to stay focused on your slice.
Central Ops — shows rollup cards for owner gaps, unowned waste needing commitment, linked-ticket gaps, repeat issue families, and routing bottlenecks. Each card drills into the list with pre-applied filters so you can triage directly.

If this is your first scan and findings are unassigned, look for the First-scan assignment lanes panel. It groups unassigned findings by resource type so you can assign ownership one operating surface at a time rather than finding-by-finding.

On Growth and above, click any finding to open the detail panel:

Overview tab — context, severity, and impact framing
Inspect tab — Deep Inspect evidence and confidence signals where available
Remediate tab — copy-paste CLI commands, console steps, and a Remediation Brief with the safe execution window, approval tier required, reversibility, and a Terraform/IaC hint where applicable

After the first scan, focus on:

the top 3 actions to review first
the exact monthly impact attached to those actions
any blocked, unowned, or overdue finding that shows where savings could stall

If that first queue looks real, the next step is the 14-day Growth trial so OpsCurb can push the work into Jira or Linear and keep it owned.

5. Set up notifications

Slack (Growth+):
1. Settings → Slack Integration → Connect Slack (OAuth)
2. Enable Slack alerts and save
3. Optional: enable assignee DMs with a bot token (xoxb-...)
Discord anomaly alerts (Scale):
1. Settings → Anomaly Alerts
2. Open Notification Channels
3. Enable Discord and add webhook URL
Weekly digest email (Growth+):
1. Settings → Weekly Digest
2. Enable email and add recipients

More details: Integrations.

Need help?

Email support@opscurb.com. If you want help validating the first queue live, you can also book an optional guided review. Also see FAQ, Troubleshooting, and the public Permissions Matrix.