
Scan and visualize your AWS infrastructure as an interactive graph


CloudWire

AWS infrastructure visualization tool — scan your account and explore service dependencies as an interactive graph, directly in your browser.


If CloudWire saves you time, a GitHub star helps others find it.

No data leaves your system. AWS credentials never leave your terminal. The graph is built locally using your existing credential chain (~/.aws/credentials, aws sso login, saml2aws, aws-vault — all work out of the box).



Quick start

# Install
pip install cloudwire

# Launch (opens http://localhost:8080 automatically)
cloudwire

# Target a specific profile and region
cloudwire --profile staging --region us-east-1

Tip: Prefer isolated installs? Use pipx install cloudwire instead.

Requirements: Python 3.9+ and valid AWS credentials configured locally.

On first load, select the services you want to scan from the top bar and click Scan. The graph populates in real time as resources are discovered.


Why CloudWire?

Tools like Rover, Terravision, and Inframap visualize infrastructure from Terraform state files. CloudWire takes a different approach:

  • Live scanning, not plan-file parsing — CloudWire queries your AWS account directly via boto3, discovering resources and relationships in real time. No Terraform required. You can also import .tfstate/.tf files if you prefer.
  • Relationship inference — edges aren't just "resource A references resource B." CloudWire resolves IAM policies, environment variable references, event triggers, and VPC containment to surface connections that don't appear in any state file.
  • Runs entirely local — single Python process, no database, no cloud backend, no signup. Your AWS credentials never leave your machine.
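
The following added example (not CloudWire's own code) shows how edges of this kind can be inferred from a resource inventory and then walked to see what sits downstream of one function. The inventory, its field names (`env`, `role_policy`, `triggers`) and the ARNs are constructed for illustration.

```python
import fnmatch
import re
from collections import deque

ARN = "arn:aws:{}:us-east-1:111122223333:{}"  # constructed account and region
INGEST, WORKER = ARN.format("lambda", "function:ingest"), ARN.format("lambda", "function:worker")
JOBS = ARN.format("sqs", "jobs")
ORDERS, AUDIT = ARN.format("dynamodb", "table/orders"), ARN.format("dynamodb", "table/audit")

# Constructed inventory standing in for scan results (hypothetical field names).
RESOURCES = {
    INGEST: {"env": {"QUEUE_URL": "https://sqs.us-east-1.amazonaws.com/111122223333/jobs"}},
    WORKER: {"triggers": [JOBS],
             "role_policy": [{"Effect": "Allow", "Action": "dynamodb:GetItem",
                              "Resource": ARN.format("dynamodb", "table/ord*")}]},
    JOBS: {}, ORDERS: {}, AUDIT: {},
}

def _tail(value):
    """Last ':' or '/' separated component, e.g. the queue or table name."""
    return re.split(r"[:/]", value)[-1]

def infer_edges(resources):
    """Derive (source, target, kind) edges from env vars, IAM policies and triggers."""
    edges = set()
    for arn, res in resources.items():
        others = [t for t in resources if t != arn]
        for value in res.get("env", {}).values():  # name match: can over-report
            edges |= {(arn, t, "env") for t in others if _tail(value) == _tail(t)}
        for stmt in res.get("role_policy", []):
            if stmt.get("Effect") == "Allow":  # Resource is a single pattern here
                edges |= {(arn, t, "iam") for t in others
                          if fnmatch.fnmatchcase(t, stmt["Resource"])}
        edges |= {(src, arn, "trigger") for src in res.get("triggers", [])}
    return edges

def reachable_from(start, edges):
    """Breadth-first walk over inferred edges: everything downstream of start."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, _kind in edges:
            if src == node and dst != start and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen
```

None of the three edges found here is a direct reference from one resource definition to another: one comes from an environment variable value, one from an IAM resource pattern, and one from an event trigger.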

Key features

  • Interactive graph — dark-themed canvas with animated data flow, pan/zoom, and SVG export
  • 24 AWS services with dedicated scanners, icons, colors, and relationship inference
  • Real edges — API integrations, event triggers, IAM policy inference, env var references, VPC containment
  • VPC topology — subnets, security groups, IGWs, NAT GWs, route tables with AZ grouping and internet exposure detection
  • Tag-based scanning — discover and scan resources by AWS tags
  • Terraform import — upload .tfstate or .tf files to visualize without AWS credentials
  • Analysis tools — blast radius, shortest path, architecture summary, pattern detection
  • Three layout modes — Circular, Flow, Swimlane — switchable from the toolbar
  • Permission-aware — missing IAM policies surfaced clearly, never blocks the scan

Required IAM permissions

CloudWire is read-only. All operations use List*, Describe*, and Get* API actions only — no write access required.

A minimal IAM policy is documented in docs/USAGE.md. The recommended starting point:

arn:aws:iam::aws:policy/ReadOnlyAccess

If you use a more restrictive policy, CloudWire will scan what it can and clearly report which services were denied — it never fails silently.
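
One way to check a custom policy against the read-only claim above before attaching it to the identity CloudWire runs as. This is an added example, not CloudWire's code; the function names and the sample policy are constructed for illustration.

```python
# Read-only verb prefixes the page names for CloudWire: List*, Describe*, Get*.
READ_ONLY_VERBS = ("list", "describe", "get")

def _as_list(value):
    """IAM accepts either a single value or a list for Statement/Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """True only if every API call the pattern can match starts with a read verb."""
    service, sep, verb = action.partition(":")
    if not sep or "*" in service or "?" in service:
        return False  # bare "*" or a wildcarded service prefix
    # Text before the first wildcard must already commit to a read-only verb.
    literal = verb.split("*", 1)[0].split("?", 1)[0].lower()  # IAM actions are case-insensitive
    return literal.startswith(READ_ONLY_VERBS)

def audit_policy(policy):
    """Return (sid, action) pairs for Allow grants that go beyond read-only verbs."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant anything
        sid = stmt.get("Sid", f"statement[{index}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction"))  # allows everything except the listed actions
        for action in _as_list(stmt.get("Action")):
            if not is_read_only(action):
                findings.append((sid, action))
    return findings

# Constructed sample policy, not taken from docs/USAGE.md.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Scan", "Effect": "Allow", "Resource": "*",
         "Action": ["lambda:List*", "ec2:Describe*", "sqs:getqueueattributes"]},
        {"Sid": "Leftover", "Effect": "Allow", "Resource": "*",
         "Action": ["s3:*", "iam:PassRole"]},
        {"Sid": "Guard", "Effect": "Deny", "Resource": "*", "Action": "kms:Decrypt"},
    ],
}

if __name__ == "__main__":
    for sid, action in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {action} is not a List*/Describe*/Get* action")
```

A clean result only means the policy cannot modify resources; Get* actions such as s3:GetObject still return data, so the Resource element deserves the same scrutiny.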


Supported services

| Service | Scanner |
| --- | --- |
| API Gateway | Dedicated — REST + HTTP APIs, multi-service integrations, Cognito authorizers |
| Lambda | Dedicated — functions, event source mappings, env var references, IAM policy inference |
| SQS | Dedicated — queues, attributes, dead letter queue edges |
| SNS | Dedicated — topics and subscriptions |
| EventBridge | Dedicated — rules and targets |
| DynamoDB | Dedicated — tables, streams, global table replicas |
| EC2 | Dedicated — instances, VPC, subnet, security group, instance profile edges |
| ECS | Dedicated — clusters, services, task definitions, load balancer edges |
| S3 | Dedicated — buckets and Lambda notification edges |
| RDS | Dedicated — DB instances and clusters |
| Step Functions | Dedicated |
| Kinesis | Dedicated |
| IAM | Dedicated — roles with full policy resolution |
| Cognito | Dedicated — user pools |
| CloudFront | Dedicated — distributions, S3/API GW/ELB origins, Lambda@Edge |
| Route 53 | Dedicated — hosted zones, record sets, alias target edges |
| ElastiCache | Dedicated — cache clusters |
| Redshift | Dedicated — clusters |
| Glue | Dedicated — jobs, crawlers, triggers |
| AppSync | Dedicated — GraphQL APIs |
| Secrets Manager | Dedicated |
| KMS | Dedicated |
| VPC Network | Dedicated — VPCs, subnets, security groups, IGWs, NAT GWs, route tables |
| ELB | Discovered via CloudFront, Route 53, ECS edges |
| Everything else | Generic (tagged resources only) |

How it works

CloudWire is a Python CLI (FastAPI backend) that serves a pre-compiled React frontend. The backend scans AWS via boto3 and builds a networkx graph. The frontend visualizes it using a custom SVG canvas engine. No database, no cloud dependency — everything runs in a single process on your machine.


Contributing

We welcome contributions! See CONTRIBUTING.md for setup instructions, project structure, code style, and PR guidelines.

git clone https://github.com/Himanshu-370/cloudwire
cd cloudwire
make dev   # starts backend + frontend in parallel

License

MIT — see LICENSE.


Download files


Source Distribution

cloudwire-0.2.13.tar.gz (160.8 kB)

Uploaded Source

Built Distribution


cloudwire-0.2.13-py3-none-any.whl (179.8 kB)

Uploaded Python 3

File details

Details for the file cloudwire-0.2.13.tar.gz.

File metadata

  • Download URL: cloudwire-0.2.13.tar.gz
  • Size: 160.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.0 CPython/3.12.13

File hashes

Hashes for cloudwire-0.2.13.tar.gz
Algorithm Hash digest
SHA256 c7a21132b15c7e3e2556a94f0ca915e39b0802d1766fb6e67903dc771bf5725d
MD5 77440644e5fe2435b603659cc2a42d72
BLAKE2b-256 75a9dd1c574d9e33c223d67e819116bba0a258c0a2c1dae34f1a69f14fe35cb1


File details

Details for the file cloudwire-0.2.13-py3-none-any.whl.

File metadata

  • Download URL: cloudwire-0.2.13-py3-none-any.whl
  • Size: 179.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.0 CPython/3.12.13

File hashes

Hashes for cloudwire-0.2.13-py3-none-any.whl
Algorithm Hash digest
SHA256 508ceddd43f280e3662ce281013af34120a9ebcc9bc7a840d78d274216c8c20a
MD5 a0473a4b87d5c5102fb949fe187480bd
BLAKE2b-256 7feffc32d3e1eae2a4c4137e23e5cbdadc1a6cf7a8d2596e685245b25e66640f
