Scan and visualize your AWS infrastructure as an interactive graph
Project description
CloudWire
AWS infrastructure visualization tool — scan your account and explore service dependencies as an interactive graph, directly in your browser.
If CloudWire saves you time, a GitHub star helps others find it.
No data leaves your system. AWS credentials never leave your terminal. The graph is built locally using your existing credential chain (~/.aws/credentials, aws sso login, saml2aws, aws-vault — all work out of the box).
Note: The screenshot above contains placeholder resource IDs. Replace
docs/cloudgraph.svgwith a sanitized screenshot from your own environment.
Quick start
# Install
pip install cloudwire
# Launch (opens http://localhost:8080 automatically)
cloudwire
# Target a specific profile and region
cloudwire --profile staging --region us-east-1
Tip: Prefer isolated installs? Use
pipx install cloudwireinstead.
Requirements: Python 3.9+ and valid AWS credentials configured locally.
On first load, select the services you want to scan from the top bar and click Scan. The graph populates in real time as resources are discovered.
Key features
- Interactive graph — dark-themed canvas with animated data flow, pan/zoom, and SVG export
- 24 AWS services with dedicated scanners, icons, colors, and relationship inference
- Real edges — API integrations, event triggers, IAM policy inference, env var references, VPC containment
- VPC topology — subnets, security groups, IGWs, NAT GWs, route tables with AZ grouping and internet exposure detection
- Tag-based scanning — discover and scan resources by AWS tags
- Terraform import — upload
.tfstateor.tffiles to visualize without AWS credentials - Analysis tools — blast radius, shortest path, architecture summary, pattern detection
- Four layout modes — Circular, Flow, Swimlane — switchable from the toolbar
- Permission-aware — missing IAM policies surfaced clearly, never blocks the scan
Required IAM permissions
CloudWire is read-only. All operations use List*, Describe*, and Get* API actions only — no write access required.
A minimal IAM policy is documented in docs/USAGE.md. The recommended starting point:
arn:aws:iam::aws:policy/ReadOnlyAccess
If you use a more restrictive policy, CloudWire will scan what it can and clearly report which services were denied — it never fails silently.
Supported services
| Service | Scanner |
|---|---|
| API Gateway | Dedicated — REST + HTTP APIs, multi-service integrations, Cognito authorizers |
| Lambda | Dedicated — functions, event source mappings, env var references, IAM policy inference |
| SQS | Dedicated — queues, attributes, dead letter queue edges |
| SNS | Dedicated — topics and subscriptions |
| EventBridge | Dedicated — rules and targets |
| DynamoDB | Dedicated — tables, streams, global table replicas |
| EC2 | Dedicated — instances, VPC, subnet, security group, instance profile edges |
| ECS | Dedicated — clusters, services, task definitions, load balancer edges |
| S3 | Dedicated — buckets and Lambda notification edges |
| RDS | Dedicated — DB instances and clusters |
| Step Functions | Dedicated |
| Kinesis | Dedicated |
| IAM | Dedicated — roles with full policy resolution |
| Cognito | Dedicated — user pools |
| CloudFront | Dedicated — distributions, S3/API GW/ELB origins, Lambda@Edge |
| Route 53 | Dedicated — hosted zones, record sets, alias target edges |
| ElastiCache | Dedicated — cache clusters |
| Redshift | Dedicated — clusters |
| Glue | Dedicated — jobs, crawlers, triggers |
| AppSync | Dedicated — GraphQL APIs |
| Secrets Manager | Dedicated |
| KMS | Dedicated |
| VPC Network | Dedicated — VPCs, subnets, security groups, IGWs, NAT GWs, route tables |
| ELB | Discovered via CloudFront, Route 53, ECS edges |
| Everything else | Generic (tagged resources only) |
How it works
CloudWire is a Python CLI (FastAPI backend) that serves a pre-compiled React frontend. The backend scans AWS via boto3 and builds a networkx graph. The frontend visualizes it using a custom SVG canvas engine. No database, no cloud dependency — everything runs in a single process on your machine.
Contributing
We welcome contributions! See CONTRIBUTING.md for setup instructions, project structure, code style, and PR guidelines.
git clone https://github.com/Himanshu-370/cloudwire
cd cloudwire
make dev # starts backend + frontend in parallel
Links
- Architecture deep dive
- Full feature list
- Usage & setup guide
- Changelog
- Release guide for maintainers
- Security policy
License
MIT — see LICENSE.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cloudwire-0.2.5.tar.gz.
File metadata
- Download URL: cloudwire-0.2.5.tar.gz
- Upload date:
- Size: 159.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c64f5b427f2a075fd53e6adceb62cd54d62b86a8fdb303dde56aa5ee853e36d0
|
|
| MD5 |
2d53f3b1482cda36520dd35dad1925f0
|
|
| BLAKE2b-256 |
c0c88060ce22639380b73b9c5993815a18f5584cfa82753a38aadd8a8fa8b878
|
File details
Details for the file cloudwire-0.2.5-py3-none-any.whl.
File metadata
- Download URL: cloudwire-0.2.5-py3-none-any.whl
- Upload date:
- Size: 178.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6c0e7d03a20c54530aa3793e739e013965aab17ef51b07bb529744a013f4e089
|
|
| MD5 |
0025dc778797a0ab7a9fb9713d870f83
|
|
| BLAKE2b-256 |
95f0157d1ce342546932a96c8706ad045447b5b1dbc1fe49e3bbe65a1f167990
|
