FAQ
MilkStraw AI connects using a secure, read-only cross-account IAM role that you deploy in your AWS management account or across your organization via CloudFormation. The role includes a unique external ID for verification.
The role has read-only permissions to monitor usage and savings coverage across various AWS services. It cannot modify any of your resources or infrastructure.
No, you continue to pay AWS directly for your cloud usage as normal. The MilkStraw AI service fee is separate and based on the savings achieved.
MilkStraw AI adds milkboxes when we find savings opportunities and removes them when they’re underutilized.
No, MilkStraw AI operates with a zero-access architecture to your workloads, VPCs, or data. The connection is for billing and usage monitoring only, using a read-only role.
When a milkbox is removed, it undergoes a “factory reset” where all residual configuration and metadata are deleted before the account can be potentially reused for another customer. This ensures data isolation.
Your AWS usage and cost data are monitored hourly by MilkStraw AI.
You can check the covered services page for the full list.
For a single account, the read-only role is deployed directly via a CloudFormation stack. For an AWS Organization, a CloudFormation StackSet wrapper is used to deploy the same read-only role to all member accounts in the organization via StackSets.
Our fee is calculated only from the incremental savings delivered by the MilkBoxes we provide, separate from your existing commitments.