Refine Documentation

How to connect AWS, what each surface does, and how to manage users, customers, and reports. MDX-driven content and full-text search are coming soon.

Getting Started

Connect AWS via IAM role

Refine connects to your AWS account via a read-only IAM role. No AWS credentials are ever stored. The role can be revoked from the AWS console at any time.

Steps

  1. Sign in to your Refine account and open the onboarding flow.
  2. Copy the Refine AWS account ID and your unique External ID from the onboarding screen.
  3. In your AWS console, go to IAM → Roles → Create role. Choose "Another AWS account", paste the Refine account ID, and require the External ID.
  4. Attach the policy below as a customer-managed policy.
  5. Paste the role ARN back into Refine's onboarding flow. The first scan typically completes within a few minutes.

Permissions policy (short version)

Attach to the Refine IAM role (JSON):
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ce:Get*", "cur:Describe*", "iam:Get*", "iam:List*",
      "ec2:Describe*", "s3:GetBucket*", "s3:ListBucket",
      "cloudtrail:Get*", "guardduty:Get*", "rds:Describe*"
    ],
    "Resource": "*"
  }]
}

The full policy is on Security & Trust.

Trust relationship

Required for cross-account assume-role (JSON):
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::<REFINE_ACCOUNT_ID>:root" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": { "sts:ExternalId": "<YOUR_EXTERNAL_ID>" }
    }
  }]
}
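
A local check of the two documents above before the role is created, written as an added example and not Refine's own code: it confirms the trust policy admits only the expected account with the External ID required, and flags any allowed action that is not a Get*/List*/Describe* call. The account ID and External ID are constructed placeholders, the function names are hypothetical, and the verb-prefix test is a heuristic assumption, not an AWS definition of read-only.

```python
READ_VERBS = ("Get", "List", "Describe")  # assumed heuristic for read-style actions

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account_id, external_id):
    """Return problems in a cross-account trust policy (empty list = OK)."""
    problems = []
    allowed = {f"arn:aws:iam::{account_id}:root", account_id}
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        problems += [f"statement {i}: unexpected principal {p}"
                     for p in aws if p not in allowed]
        # The External ID condition is what stops the vendor being used as a
        # confused deputy on behalf of another of its customers.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append(f"statement {i}: sts:ExternalId not required")
    return problems

def non_read_only_actions(policy):
    """Return allowed actions whose verb is not Get*/List*/Describe*."""
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # A statement without "Action" (e.g. NotAction) is treated as "*".
        for action in _as_list(stmt.get("Action", ["*"])):
            if not action.partition(":")[2].startswith(READ_VERBS):
                flagged.append(action)
    return flagged

# Constructed sample values: placeholder account ID and External ID.
ACCOUNT_ID, EXTERNAL_ID = "111122223333", "example-external-id"
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
PERMISSIONS = {"Version": "2012-10-17", "Statement": [{  # short policy from this page
    "Effect": "Allow", "Resource": "*",
    "Action": ["ce:Get*", "cur:Describe*", "iam:Get*", "iam:List*",
               "ec2:Describe*", "s3:GetBucket*", "s3:ListBucket",
               "cloudtrail:Get*", "guardduty:Get*", "rds:Describe*"]}]}

if __name__ == "__main__":
    print(audit_trust_policy(TRUST, ACCOUNT_ID, EXTERNAL_ID))
    print(non_read_only_actions(PERMISSIONS))
```

Run it against the JSON exported from the IAM console after any later edit to the role; both functions should keep returning empty lists.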

Upload a bill (no signup)

The bill analyzer accepts CSV, XLSX, and PDF exports for a one-shot savings report — no signup required.

  1. Visit the free bill analyzer.
  2. In the AWS billing console, go to Billing → Bills and download the CSV (or the invoice as PDF).
  3. Drag-and-drop the file onto the upload widget.
  4. Analysis completes in under 60 seconds. The report includes service breakdown, top-5 savings recommendations, and anomaly flags.

The uploaded bill is deleted after analysis. See data retention.

First dashboard tour

The dashboard surfaces four widgets that do most of the work:

  • Optimization Score — single 0–100 number for cost efficiency. Methodology disclosed.
  • Security Score — single 0–100 number for posture. Pairs with Optimization Score on the dashboard.
  • AI Narrative Summary — plain-English summary of where money is going.
  • Top Cost Drivers — services ranked by spend with month-over-month change.

The customer-hierarchy switcher in the header re-scopes everything to a specific customer or account.

Invite users

Invite team members under Settings → Users & Roles. Roles available:

  • Admin — full access including billing and IAM role management
  • Member — read/write on dashboards, recommendations, and reports
  • Viewer — read-only across all surfaces
  • Report-only — receives scheduled reports; no dashboard access (useful for customer-side contacts on MSP hierarchies)

SSO (SAML / OIDC) is on the Enterprise roadmap. Today, authentication is Amazon Cognito with email + password and optional MFA.

Cost

Cost Analysis

The Cost Analysis surface breaks spend down by service, region, account, and tag. Drill from total spend to specific line items without leaving the page. Full details on the Cost Optimization page.

Recommendations

Service-level and resource-level recommendations come from CUR (AWS Cost and Usage Report) plus Refine's analysis engine. Recommendations are ranked by projected dollar savings — start from the top.

Each recommendation includes:

  • The change in plain English
  • Projected monthly savings (low / expected / high)
  • The exact AWS API call to make
  • Where applicable, a "Fix Available" button — opt-in, with a scoped policy per fix type; the baseline role stays read-only

Forecasting

Forecasting projects month-end spend using trend-aware analysis (rolling 90-day usage, calibrated for seasonal patterns and step changes). Active Reserved Instances and Savings Plans are deducted so projections reflect net cost. See Forecasting & Budgets.

Tag Governance

Tag Governance surfaces untagged resources, allocation gap trend, drift detection, and required-tag tracking. Refine does not apply tags — that is a write operation outside the baseline read-only role. Use AWS Tag Editor or your IaC tool of choice. See Tag Governance.

Security

Findings catalog

380+ checks across IAM, Storage, Network, Compute, and Logging, calibrated against AWS Well-Architected, AWS Foundational Security Best Practices, and CIS Benchmarks. The full 5×4 matrix can be browsed at the security findings catalog.

Severity definitions

Findings are tiered into four severities:

  • Critical — active or near-active risk (publicly exposed S3, IAM admin credentials in code, CloudTrail disabled). Address immediately.
  • High — configuration weaknesses likely to be exploited or fail audit (unencrypted EBS, IMDSv2 not enforced).
  • Medium — hardening opportunities; improve posture without immediate exploit risk.
  • Low — hygiene. Address as time allows.

Fix workflows

For findings where remediation is safe and well-known, the "Fix Available" badge applies the change with one click. Fix Available requires a scoped, opt-in policy per fix type — the baseline IAM role is read-only and never carries write permissions. Every applied fix is recorded in your fix history.

Anomalies

How detection works

Refine builds a rolling 30-day baseline per service per account. Anomalies use robust statistics (median absolute deviation) so noisy workloads don't bury real signals. Each anomaly is paired with AI commentary that explains the why. Details on Anomaly Detection.

Tuning sensitivity

Tune anomaly sensitivity per service or per account:

  • High — flags smaller deviations; suitable for production
  • Medium — default; balances signal and noise
  • Low — only flags large deviations; useful for dev/sandbox
  • Off — no anomaly detection for that scope

Quiet hours can suppress non-critical alerts for dev/sandbox accounts overnight or on weekends.
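
How a median-absolute-deviation score over a rolling 30-day baseline behaves at each sensitivity level, as an added example that is not Refine's implementation. The numeric cut-offs, the function names and the daily spend figures are assumptions constructed for illustration; the page names the levels but not their values.

```python
from statistics import mean, median, pstdev

BASELINE_DAYS = 30  # rolling window stated on the page
# Assumed cut-offs on the robust z-score; the page names the levels only.
THRESHOLDS = {"high": 2.5, "medium": 3.5, "low": 5.0, "off": None}

def robust_z(value, baseline):
    """Modified z-score: distance from the median in scaled MAD units."""
    med = median(baseline)
    mad = median([abs(x - med) for x in baseline])
    if mad == 0:  # flat baseline: any change at all is maximally unusual
        return 0.0 if value == med else (value - med) * float("inf")
    return 0.6745 * (value - med) / mad

def classic_z(value, baseline):
    """Mean/standard-deviation z-score, shown only for comparison."""
    return (value - mean(baseline)) / pstdev(baseline)

def detect(daily_costs, sensitivity="medium"):
    """Return (day_index, cost, robust_z) for days at or over the cut-off."""
    limit = THRESHOLDS[sensitivity]
    if limit is None:  # "Off": no detection for this scope
        return []
    hits = []
    for day in range(BASELINE_DAYS, len(daily_costs)):
        baseline = daily_costs[day - BASELINE_DAYS:day]
        score = robust_z(daily_costs[day], baseline)
        if abs(score) >= limit:
            hits.append((day, daily_costs[day], round(score, 2)))
    return hits

# Constructed daily spend for one service in one account (USD): 30 quiet
# days containing one old spike on day 10, then three days to evaluate.
COSTS = [100, 104, 98, 102, 96] * 6
COSTS[10] = 400
COSTS += [108, 112, 180]

if __name__ == "__main__":
    for level in THRESHOLDS:
        print(level, detect(COSTS, level))
    # The old spike inflates the standard deviation, so the classic score
    # for day 31 stays near zero while the MAD-based score is about 4.
    print(classic_z(COSTS[31], COSTS[1:31]), robust_z(COSTS[31], COSTS[1:31]))
```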

Notifications

Today: email routing with severity-tiered recipient sets. Slack, Microsoft Teams, and PagerDuty are on the roadmap. Configure routing under Settings → Notifications.

Administration

Customer hierarchy

Refine organizes accounts as Org → Customer → Account. The customer-hierarchy switcher in the header re-scopes everything to the customer you select. Data is strictly isolated between customers. Full architecture on the Multi-Account page.

Users & roles

Manage users and roles under Settings → Users & Roles. Roles include Admin, Member, Viewer, and Report-only. SSO (SAML / OIDC) is on the Enterprise roadmap.

Report frequency

Schedule reports under Settings → Reports. Cadence options: daily, weekly, or monthly. Recipients are configured per schedule. For multi-customer orgs (MSPs), each customer gets its own schedule with strict data isolation.

Security & Compliance

Data handling

All data at rest is encrypted with AWS KMS-managed keys. All data in transit uses TLS 1.2 or higher. Refine is hosted entirely on AWS — your data stays inside the AWS trust boundary. Full architecture on Security & Trust.

IAM permissions reference

The Refine IAM role is strictly read-only. The full permissions policy is documented in the read-only IAM policy along with the trust relationship. "Fix Available" remediation uses a separate, scoped, opt-in policy per fix type.

Deletion requests

Retention defaults to 90 days and is configurable under Settings → Account. To request immediate deletion:

  1. Email info@habilelabs.io from the address associated with the account, OR
  2. Use the in-app deletion flow under Settings → Account → Delete account.

Deletion is processed within 5 business days. We send written confirmation when complete.

FAQs

Is Refine really free?

Yes. Both Connect AWS and Upload Bill plans are free forever, no usage caps, no credit card. An Enterprise tier with SSO, longer retention, and dedicated support is on the roadmap — the underlying analysis stays free.

What access does Refine have to my AWS account?

Read-only IAM role only. We never store AWS credentials. The exact policy is documented on the Security & Trust page.

Can I run Refine across multiple AWS accounts?

Yes. Unlimited orgs and unlimited accounts, with a switcher in the header. White-label customization for MSP partners is on the roadmap.

Do you use my data to train AI models?

No. Customer data is not used for model training. AI narratives are generated per-request via OpenAI (migrating to Amazon Bedrock). Aggregated anonymized usage stats improve recommendation quality.