bluearch.io

What it is

BlueArch is a FinOps and cloud governance control plane for AWS, positioned as a “self-hosted inside your VPC” BPaaS/AWS Control Plane. It consists of a web dashboard, BlueArch CLI, Tag Manager, and InfraGPT, aiming to connect AWS resources, logs, pricing, tags, revenue, and engineering efficiency metrics so that architecture decisions can be evaluated for cost, latency, risk, and runbooks before going live.

Core capabilities

From a developer tooling perspective, BlueArch’s strengths are its CLI and governance model. BlueArch CLI can scan AWS resources and misconfigurations, then prioritize alerts based on revenue tags, customer tiers, and regional exposure. Tag Manager turns labels such as TTL, owner, environment, and exception into lifecycle workflows for detecting orphaned resources, expired resources, and over-provisioning. InfraGPT uses CloudTrail, CloudWatch, real-time AWS pricing, and simulated user sessions to model architecture scenarios. Remediation suggestions cover Terraform, CDK, and AWS CLI, with support for dry runs, approvals, and PR-style workflows.

Deployment, integrations, and pricing

The product emphasizes “self-hosted by default”: the control plane and CLI run inside the customer’s VPC or local environment. It supports Helm, Docker, AMI, Homebrew, and GitHub Actions, with read-only IAM by default and separate authorization required for write operations. Its ecosystem is mainly centered on AWS, while it can also ingest Security Hub findings and connect to Slack, PagerDuty, JIRA, Snowflake, BigQuery, Redshift, Salesforce, Stripe, HubSpot, and more. AI endpoints can be Bedrock, Anthropic API, or a customer’s own LLM. For pricing, the Personal SRE plan is free but limited to 1 account and 1k resources; the Team plan starts at $1,200/month per AWS Organization.

Pros and cons

The advantages are that data does not leave the VPC, engineers can work from the terminal, and management can see ARR/revenue-related metrics, making it suitable for connecting FinOps, SRE, and platform engineering. It also publicly mentions a misconfiguration database public repo and a YAML tag schema, which reduces some lock-in risk. The limitations are that almost all public materials focus on AWS, with limited multi-cloud capabilities; it is unclear whether the core product is open source; SOC 2 Type II appears to still be in progress; and many impact metrics need to be validated through real-world pilots.

Who it’s for and access from China

BlueArch is better suited to mid-sized and large enterprises with significant AWS spend, existing SRE/platform teams, and a need for board-level cloud efficiency metrics or EDP/PPA risk management. It is less suitable for small teams or multi-cloud-first teams. Access and payment information for mainland China has not been disclosed. If it depends on external services such as AWS, Anthropic, Bedrock, GitHub, or Slack, actual usage may be affected by network and compliance conditions. Comparable options include AWS Security Hub, Wiz, Prowler, Cloudability, Vantage, and Infracost.