Nubex Help Center

Nubex is a cloud cost management platform for engineering teams. It connects to your AWS account via read-only IAM roles and provides:

• Idle resource detection: Identifies EC2 and RDS instances running below utilization thresholds
• Cost anomaly alerts: Detects unexpected spend spikes and alerts via email or Slack
• Cloud cost dashboard: Visualizes spend by service, account, region, and time period

Currently AWS only. GCP and Azure support are on the roadmap.

1. Sign up at nubex.app
2. Create a read-only IAM role in your AWS account
3. Enable AWS Cost Explorer in your AWS Billing console
4. Connect the IAM role in Nubex → Settings → AWS Accounts
5. Configure your first alert (cost anomaly or idle resource)

Initial data sync takes up to 30 minutes for cost history. Idle detection data appears within 24 hours.

No. Nubex uses read-only IAM policies only. We never request write, modify, or delete permissions on any AWS resource. The minimum required permissions are: ce:GetCostAndUsage, cloudwatch:GetMetricData, cloudwatch:ListMetrics, ec2:DescribeInstances, and rds:DescribeDBInstances.

Nubex uses AWS cross-account IAM roles with sts:AssumeRole. You create a role in your AWS account with read-only permissions, and Nubex assumes that role to pull cost and utilization data. No access keys are stored or transmitted — this is the AWS-recommended pattern for secure cross-account integrations.

In AWS Console → IAM → Roles → Create Role:

1. Trusted entity type: Another AWS account
2. Account ID: Enter Nubex's account ID (shown in Nubex → Settings → AWS → Connect)
3. Enable "Require External ID" and enter your Nubex External ID
4. Attach the read-only policy (permissions listed above)
5. Name it something like NubexReadOnlyRole
6. Create the role and copy the ARN

In Nubex:

1. Settings → AWS Accounts → Add Account
2. Paste the Role ARN and click "Test Connection"

1. Trust policy: Does your IAM role's trust document include Nubex's account ID and your External ID?
2. Permissions: Is the required policy attached to the role?
3. Cost Explorer enabled: Go to AWS Console → Billing → Cost Explorer. New enablement can take up to 24 hours.
4. Propagation delay: New IAM roles take 2–5 minutes to propagate. Retry after 5 minutes.
5. Region: Are you connecting to the correct AWS region in Nubex?

The External ID is a random identifier Nubex generates per account to prevent the "confused deputy" attack — where a malicious actor tricks Nubex into assuming your role using a different Nubex account. Including the External ID in your IAM trust policy ensures only your Nubex account can assume the role. It's a required security best practice.

Yes. You can connect multiple AWS accounts, each with their own IAM role. This is useful for organizations with separate accounts per environment (dev, staging, production) or per team. View and manage all connected accounts in Settings → AWS Accounts.

Nubex queries AWS CloudWatch for CPU utilization metrics of your EC2 and RDS instances. It averages CPU over a configurable window (default: 14 days) and flags any resource averaging below the idle threshold (default: <10% CPU).

Resources flagged as idle are presented in your dashboard with estimated monthly cost, so you can evaluate whether to stop, downsize, or terminate them.

• EC2 instances (all instance types and regions where CloudWatch metrics are available)
• RDS database instances (all engines: MySQL, PostgreSQL, Aurora, etc.)

Additional resource types (ElastiCache, ECS, EKS node groups) are on the roadmap.

Yes. Go to Nubex → Idle Resources → Settings:

• CPU threshold: Default 10% — lower for more aggressive detection, raise to reduce false positives
• Detection window: Default 14 days — increase for higher confidence
• Exclusion list: Add resource IDs or tag filters to exclude from detection

Common false positive reasons:

• Scheduled workloads: A resource that runs an intensive job weekly may average <10% CPU over 14 days. Increase the CPU threshold or add it to your exclusion list.
• Genuinely low CPU: Your workload runs at low CPU — Nubex may be correct. Evaluate if the resource is right-sized.
• Recent launch: Nubex may have incomplete historical data for newly launched resources.

Nubex pulls spend data from AWS Cost Explorer and compares it against your historical baseline. When spend exceeds your configured threshold — either as an absolute value (e.g., $500/day) or as a percentage deviation from your rolling average (e.g., +30%) — Nubex fires an alert.

Detection latency: AWS Cost Explorer has a 24-hour data lag. Nubex can alert you to anomalies that occurred up to 24 hours ago.

1. Below threshold: The spike didn't exceed your configured threshold — review your settings
2. AWS data lag: The spike occurred within the last 24 hours and hasn't appeared in Cost Explorer yet
3. Alert engine issue: If the spike clearly exceeded your threshold and it's been >24 hours, contact support immediately

1. In Slack: Apps → Incoming Webhooks → Add to Slack
2. Choose the target channel and copy the Webhook URL
3. In Nubex: Settings → Notifications → Slack → Add Webhook
4. Paste the URL and click "Test" — you'll see a test message in Slack
5. Assign the webhook to your alert rules: Alerts → Edit → Delivery → Slack

You can configure multiple webhooks (one per channel) and route different alert types to different channels.

The cost dashboard visualizes your AWS spend across all connected accounts, broken down by service (EC2, RDS, S3, Lambda, Data Transfer, and more), region, and time period. It pulls data from AWS Cost Explorer and updates daily.

After initial connection, cost history loads within 30 minutes.

After initial connection, it takes up to 30 minutes for cost history to load and up to 24 hours for idle resource data. If the dashboard is still blank after 24 hours and the connection shows as healthy, contact support.

No. Nubex never stores AWS access keys, secret keys, or root credentials. The only credential stored is your IAM role ARN — a non-sensitive identifier.

Access is delegated via sts:AssumeRole, which generates temporary, short-lived credentials that expire automatically.

• Cost data: Daily spend aggregated by service, region, and account
• Resource metadata: EC2/RDS inventory (instance IDs, types, states, tags, regions)
• Utilization metrics: Aggregated CPU averages for idle detection

Nubex stores processed/aggregated data — not raw CloudWatch metric streams or detailed billing line items. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

When you cancel your subscription, your personal data and cloud credentials are deleted within 30 days. Historical cost data is retained for 30 days post-cancellation, then permanently deleted. To request immediate deletion, contact support.

Nubex offers Free and Pro plans. Pricing is based on the number of connected AWS accounts. There are no per-alert or per-resource fees within your plan limits. See nubex.app/pricing for current tiers.

Upgrade: Immediate, prorated for the remainder of your billing cycle. Go to Settings → Billing → Change Plan.

Cancel: Anytime via Settings → Billing → Cancel. Access continues through the end of your paid period. Nubex is flat-rate — savings realized are entirely yours.

Currently AWS only. GCP and Azure support are on the roadmap. Sign up for product updates in your account settings to be notified when additional providers launch.

If a specific provider is a priority for your team, contact support — customer demand drives roadmap prioritization.

1. Is the alert rule configured to deliver to Slack? (Alerts → Edit → Delivery Channels)
2. Has the alert actually triggered? (Check alert history in Nubex → Alerts → History)
3. Did the Slack webhook get revoked? (Check in Slack: Apps → Incoming Webhooks)
4. Was the Slack channel renamed or deleted? Recreate the webhook if so.

Test the webhook directly: curl -X POST -H 'Content-type: application/json' --data '{"text":"test"}' YOUR_WEBHOOK_URL

If curl succeeds but Nubex doesn't deliver, contact support — it's a Nubex-side delivery issue.

IAM role session credentials are temporary and periodically refreshed. If they fail to refresh, possible causes:

• IAM role was modified or deleted in your AWS account
• Trust policy was changed
• External ID was rotated

Go to Settings → AWS Accounts → Reconnect and test the connection. If the IAM role was deleted, recreate it and reconnect.

In the alert or resource flagged as incorrect, click "Report Issue" or contact support with:

• Resource ID or alert ID
• Why you believe the result is incorrect
• Your current threshold configuration

We use this feedback to improve detection accuracy.