Connect your AWS account with Cloudcraft

This article will walk you through the process of connecting your AWS account with Cloudcraft.

After connecting your AWS account, Cloudcraft allows you to visualize your infrastructure by reverse-engineering the live environment's service relationships into a system architecture diagram. In addition to automatically generating diagrams, a budget model will also be created and your imported components will display live status data directly in your diagrams.

Connecting your AWS account with Cloudcraft requires a Pro subscription. Check our pricing page for more information.

Security considerations

Cloudcraft makes use of cross-account roles, the secure way to access your AWS environment. Because of this, to use Cloudcraft connected with your AWS account you need to create a secure read-only role in your AWS account that is specific to Cloudcraft and can easily be revoked at any time.

If having a read-only role with access to all components is not possible or allowed by your company policies, you can also create a stricter minimal access policy, only giving read-only access to the components you want to use with Cloudcraft instead, further minimizing the amount of data the Cloudcraft role could theoretically access.

We also do not keep any of the live data from your AWS environment; we store ARNs instead, which are unique identifiers for resources in AWS and allow us to link the live data to components at runtime.

The data from your AWS environment is streamed in real-time to your browser via Cloudcraft's own AWS environment and the role-based access, and is stored client-side while you are using the application; When you close the application, the live data is gone.

While not having write access to your account prevents us from offering certain features — like deleting an EC2 instance on both the diagram and your account —, it is simply a more secure approach.

We implement rigorous security processes and controls as part our SOC2 compliance program. You can read more about Cloudcraft's security program and controls on our security page.

Add your AWS account

Head to User → AWS accounts inside Cloudcraft.

Manage AWS Accounts

Click the blue Add AWS Account button at the bottom of the window.

Add AWS Account

The next screen will provide step-by-step instructions and a link that configures the read-only IAM role for you. Click the blue Open the AWS IAM Console to the Create Role page link.

If you cannot access the Create Role page, you may lack AdministrativeAccess or sufficient IAM permissions to create a new IAM role. In this case, please have your AWS account's administrator follow this documentation.

Open IAM Console

The link will open the Create role page in AWS with a few details already filled, like Account ID and External ID. Leave Require MFA unchecked, and click the blue Next: Permissions button.

Require MFA must be disabled because it is not applicable for system-to-system access where there is no human involved. The access is instead protected by being limited to access from the Cloucraft AWS account.

Create IAM Role

On the next prompt you will be asked to attach the permissions policies, with ReadOnlyAccess being selected automatically for you.

ReadOnlyAccess Role

Leave everything else unchecked, and click the Next: Tags button to proceed to the next screen.

Here you can add tags to organize, track, or control access for this role. This step is optional and not used Cloudcraft, but feel free to read tagging best practices and use the feature.

Add Tags

Click the blue Next: Review button. On this new screen you can give the role a name, description, and review everything you did on the past steps to ensure everything is correct.

Review Role

If everything looks good to you, click the Create Role button, which will, you guessed it, create the role we just configured.

Click the cloudcraft role from the list of roles that will show up. If you left the default name in place, this link should take you to it.

Look for the Role ARN in the Summary page of your role, copy it, and head back to Cloudcraft.

Role Summary

Back in Cloudcraft, paste the Role ARN in the proper field, and give your account a name to be able to identity it later.

Role ARN

Before saving this account, you can optionally configure team access. Click on the blue button beneath Team access and select the teams to share access to the AWS account with.

Configure team access

Now click the blue Save Account link at the bottom of the screen and that is it, your AWS account has been added to Cloudcraft and is ready to be used within the application.

Account Added

If you have any questions or trouble with the process, get in touch with our support team, and we will be happy to help.

Common questions

Is there is a limit of AWS accounts you can add?

No, you can connect an unlimited number of AWS accounts to Cloudcraft.

If I use AWS Organizations, will Cloudcraft automatically add all my AWS accounts?

No, you would need to add the Cloudcraft role to each individual account under the organization. The AWS organization structure or existing cross-account roles does not help at this time.