Subscription & Payments
How long are your subscriptions?
Currently, we offer monthly and annual subscriptions. You can cancel in the app online at any time with no further obligations
What form of payment do you accept?
We support credit cards as a payment method. We accept all major credit and debit cards like Visa, MasterCard, Discover and American Express
Where do you store credit card details?
We don't store or transmit any credit card details on our servers; we leave that to our payment processor, Stripe
Can I update my card details?
Yes. You can update your card details under the Manage Subscription section: click Manage Subscription > Payment Methods > Edit Payment Method
Can I subscribe via AWS Marketplace?
Yes. You can subscribe via AWS Marketplace. This means that billing for your Cloudviz.io subscription will be handled by AWS - the same way as you would pay for your AWS usage
Can I cancel my subscription?
Yes. You can cancel in the app (Manage Subscription section) at any time. Just click Manage Subscription > click on your price plan > Cancel Subscription. Once the subscription is cancelled, you will not be charged next month. You will continue to have access to all the paid features until your current subscription expires
Can I try your service for free?
Yes, of course. Every new subscriber has a 10-day free trial to ensure that this app works as expected
Why does subscription for your app cost less than similar apps out there?
Yes, we are similar but different. We have concentrated our efforts on building the app with a focus on how best to generate AWS architecture diagrams and how to give our users the flexibility to change the way diagrams are generated (see the Generation Profiles section). As a result, for example, we don't yet offer a way to sync and generate diagrams from other public clouds like Azure or Google Cloud Platform. Setting our priorities this way gives us the opportunity to offer a different price
Can I add additional users to my plan?
Every new subscriber has a 10-day free trial. If our app works for you, then after the trial you can easily add additional users at any time (available for the credit card payment method). Just go to the Manage Subscription section and click Manage Subscription > click on your price plan > Edit Subscription and change the quantity for your price plan. You will be charged for the prorated time remaining in your current subscription period
Why am I logged out of my current session?
A session can be up to 30 days long per user. After that you will be asked to enter your app login credentials again. The other reason could be that we support one active session per user. This means that if a user logs in from another browser or device, the previous session is revoked.
Connecting Your Cloud
How can I connect my AWS environment to your app? Is it secure?
To connect your cloud environment to our app securely, we use cross-account roles with a unique external id generated by us for each subscriber. You have to create this role in your AWS IAM (Identity and Access Management) using the AWS account number and unique external id that we provide. We have made this process simple. In our app, open Manage AWS Accounts > Add AWS Account and follow the steps.
If you are interested in more details about using cross-account roles with external id please read this comprehensive guide from AWS team
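The trust policy that a cross-account role of this kind carries, with a check you can run on it before handing over access, as an added example (not Cloudviz's code). The account number and external id are constructed placeholders and the function names are hypothetical; take the real values from the Add AWS Account steps.

```python
# Constructed placeholders: use the account number and external id shown in the app.
VENDOR_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id-0001"


def build_trust_policy(vendor_account_id, external_id):
    """Trust policy: only the vendor account may assume the role, and only with our id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def as_list(value):
    """IAM lets most fields be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def account_of(principal):
    """Account id from a bare 12-digit id or an arn:aws:iam::<account>:... principal."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def audit_trust_policy(policy, vendor_account_id, external_id):
    """Return findings for statements that allow sts:AssumeRole; [] means it passes."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if not names:
            continue  # service or federated principals are outside this check
        for name in names:
            if name == "*":
                findings.append(f"statement {i}: any AWS principal may assume the role")
            elif account_of(name) != vendor_account_id:
                findings.append(f"statement {i}: unexpected principal {name}")
        # Condition key names are case-insensitive in IAM.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        allowed = [v for key, val in equals.items() if key.lower() == "sts:externalid"
                   for v in as_list(val)]
        if not allowed:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif allowed != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId is not the expected value")
    return findings
```

A role that trusts the external account without the sts:ExternalId condition can be assumed on behalf of any of that vendor's customers, which is the confused-deputy case the external id exists to prevent.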
What permissions do I have to grant for this cross-account role?
The easy way is to use the "ReadOnlyAccess" policy, which will provide read-only access to your AWS services and resources. The other option is to create your own policy and decide which services you will grant read access to. We will only import and display resources our app has permission for.
Please see below for our suggested custom read-only policy (last updated: April 30, 2024) in order to use our app's sync functionality fully:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "dynamodb:ListTables",
        "ses:List*",
        "dynamodb:ListTagsOfResource",
        "s3:List*",
        "s3:GetBucketTagging",
        "s3:GetBucketLocation",
        "rds:Describe*",
        "dynamodb:DescribeTable",
        "glacier:List*",
        "timestream:List*",
        "timestream:Describe*",
        "elasticache:List*",
        "route53:List*",
        "elasticloadbalancing:Describe*",
        "apigateway:GET",
        "ecs:List*",
        "cloudfront:List*",
        "ses:Get*",
        "sqs:ListQueues",
        "elasticfilesystem:Describe*",
        "sns:GetTopicAttributes",
        "lambda:List*",
        "lambda:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy",
        "ecs:Describe*",
        "sqs:GetQueueAttributes",
        "sqs:ListQueueTags",
        "elasticache:Describe*",
        "sns:List*",
        "ec2:Describe*",
        "rds:ListTagsForResource",
        "kafka:ListNodes",
        "kafka:ListClusters",
        "redshift:Describe*",
        "workspaces:Describe*",
        "es:Describe*",
        "es:List*",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "kinesis:List*",
        "kinesis:Describe*",
        "wafv2:ListWebACLs",
        "wafv2:ListResourcesForWebACL",
        "wafv2:ListTagsForResource",
        "ds:DescribeDirectories",
        "appsync:ListGraphqlApis",
        "appsync:ListDataSources"
      ],
      "Resource": "*"
    }
  ]
}
How many AWS accounts can I add?
There is no limit on the number of AWS accounts you can add.
AWS Sync & Diagram Generation
Does this app initiate AWS data sync automatically?
We do not sync or access your cloud environments without your request. You control the data refresh frequency and can sync as often as you need refreshed data. We have set a small cooldown time between sync requests in order not to get throttled by AWS, but this shouldn't affect your work with our app
What type of data do you sync?
We are syncing and storing basic metadata around each resource (like configuration values, resource ids, arns, state/status values, tags etc.) with main purpose to generate useful cloud architecture diagrams and give our users overview of their cloud environment
Can I delete my synced data?
Yes, you can easily delete all your synced data (from all AWS regions) for specific AWS account by deleting that account from Manage AWS Accounts section
Why does sync fail for a specific region?
Our back-end syncs the data needed to generate a diagram for your AWS account using AWS API calls. Most of the time, a sync failure message means that the AWS API calls took too long for us to respond to you with synced data synchronously. The reason could be that AWS API access for specific services (like S3, Route53, etc.) is experiencing some temporary challenges. In most scenarios this shouldn't happen, but if you receive this error all the time then please contact us and we will sort this out.
Can I generate AWS diagram automatically when I press sync button?
Yes, you can. Check the Auto generate diagram checkbox and we will refresh diagram for you every time you press sync button
What type of resources can you visualize in architecture diagrams?
At the moment we visualize following resource types:
Networking & Content Delivery
Region, Virtual Private Cloud, Availability Zone, Subnet, NAT Gateway, VPC Endpoint Interface, Application Load Balancer, Network Load Balancer, Gateway Load Balancer, Internet Gateway, Transit Gateway, VPN Gateway, VPN Connection, Customer Gateway, Router, VPC Endpoint Gateway, VPC Peering Connection, EFS Mount Target, CloudFront Distribution, Hosted Zone, API Gateway REST API, API Gateway HTTP API, API Gateway WebSocket API, Security Group *, Network ACL *, Network Interface, VPC Endpoint GWLB, Egress Only Internet Gateway
Compute
EC2 Instance, Lambda Function, Auto Scaling Group, Elastic IP
Storage
S3 Bucket, EFS File System, Glacier Vault, Volume
Database
RDS Instance, ElastiCache Node, DynamoDB Table, Timestream Table
Application Service
SQS Queue, SNS Topic, SES Identity
Containers
ECS Task, ECS Cluster *, ECS Service *, EKS Cluster
Front-end Web & Mobile
AppSync GraphQL API
Security, Identity, & Compliance
WAF Web ACL, Directory Service Directory
Analytics
Redshift Cluster *, Redshift Cluster Node, MSK Cluster *, MSK Broker Instance, Elasticsearch Domain, Kinesis Data Stream
End User Computing
WorkSpace
* These resources will not be visualized automatically in your diagrams. However these will be synced from your AWS account and available to be added manually from left side resource menu
Can I choose which resources to include in generated diagram?
You can easily check / uncheck resources that you want to include before generating actual diagram. Just press the generate diagram button. And you can do a whole lot more - you can set your own diagram generation settings and save these for later use as profiles. Please see Generation Profiles section for more details
Can I update diagram after it's generated?
You can update your generated diagrams by using toolbar in our app (activates when you click on specific resource). It provides all the basic functionality that you have in most of the drawing tools these days. We are constantly improving our editing tool so if you see something that behaves strangely please drop us a message
Do you support latest AWS icon set for generating the diagram?
We support both - new and previous version of AWS icons. We have created default generation profiles for new and previous icon versions. You can generate your AWS architecture diagrams by choosing one of these profiles. Additionally you can always drag & drop new icons to your diagram from Shapes section
Can I use any hotkeys in App?
Yes. There are several hotkeys that you can use:
- Save diagram: ⌘+s Or ctrl+s
- Fit diagram: f
- Copy element: ⌘+c Or ctrl+c
- Paste element: ⌘+v Or ctrl+v
- Delete element: backspace Or del
- Undo change: ⌘+z Or ctrl+z
- Redo change: ⌘+y Or ctrl+y
- Move element to back: ⌘+shift+b Or ctrl+shift+b
- Move element to front: ⌘+shift+f Or ctrl+shift+f
- Focus diagram search: ⌘+f Or ctrl+f
- Open download view: ⌘+e Or ctrl+e
- Move element up: up
- Move element down: down
- Move element right: right
- Move element left: left
Quick Views
How does the quick view functionality help our users?
Quick view functionality gives our users fast track to generate different diagrams based on our pre-defined or custom diagram generation profiles. At the moment we have several default generation profiles defined like Full Account View, VPC View, Serverless View, etc.
What is the difference between quick views and generation profiles?
When user generates new diagram it uses generation profile that is selected in quick view. So quick view is just a way to select generation profile that will be used for diagram generation. When the diagram is saved then generation profile id is saved with the diagram and it's used when user opens it again. With this user can easily refresh (generate) the diagram with the same generation profile that was used when diagram was initially generated
Can I specify resource filters in quick views?
Yes, it's possible to specify resource filters in quick views. The most common filter types used by our users are VPC IDs and resource tags, which visualize only the resources that match the specified filters. It's good to know that quick view resource filters and generation profile filters don't override each other but instead they are used combined
View Synced AWS Data
Can I view data synced from my AWS account?
You can easily view your synced data. Just click on the element in the diagram or in the left side menu and we will show the synced data for that element
Is it possible to search my synced data?
Yes, it's possible. You can filter out specific elements from your synced AWS data and diagrams by using different key words like element types, properties etc
How often do you refresh data from my cloud environment?
As mentioned above we are not syncing or accessing your cloud environments without your request. If you have made some changes in your AWS environment and you would like to see those changes in our app - you should just press sync button for that particular AWS account and region and we will refresh synced data
Filter Expressions
What is filter expression and where can I use it?
Filter expressions let you visualize specific subset of your AWS account. You can use filter expressions in:
- App UI: while generating new diagrams via quick views functionality or while defining new generation profiles
- Developer API: as query string parameter "filter" in the request to visualize subset of your AWS environment
What is the syntax for filter expression?
You can use one or more of the following syntaxes in combination with operators to create complex filter expressions:
- vpcId=<id>: add everything in the VPC that matches VPC id (ex. vpcid=vpc-123)
- tag=<value>:<key>: add everything from specified tag (ex. tag=stage:dev)
- <any-resource-parameter-name>=<value>: add everything that matches specified parameter (ex. elementType="EC2 Instance", subnetId=subnet-123, privateIpAddress=172.31.5.193, runtime=nodejs18.x etc.)
What operators can I use in filter expressions?
The expression syntax provides operators and modifiers to create complex filter expressions allowing users to define what exactly should be visualized in the diagram. Following operators and modifiers are supported:
- AND allows you to specify multiple conditions that would limit or expand the results. For example:
  - vpcId=vpc-123 and tag=stage:dev: this would return all the resources within VPC vpc-123 that contain tag stage:dev
  - vpcId=vpc-123 and elementType="EC2 Instance": this would return all the resources that are EC2 instances and are within VPC vpc-123
  - vpcId=vpc-123 and subnetId=subnet-123: this would return all resources within VPC vpc-123 and subnet subnet-123
- OR allows you to specify multiple conditions that would limit or expand the results. For example:
  - vpcId=vpc-123 or vpcId=vpc-321: this would return all the resources within VPCs vpc-123 or vpc-321
- != allows removal of resources matching specific conditions. For example:
  - vpcId=vpc-123 and instanceType!=t2.small: this would return all the resources within VPC vpc-123 where instance type is not t2.small
  - vpcId=vpc-123 and state!=stopped: this would return all the resources within VPC vpc-123 where state is not stopped
- * wildcard gives flexibility to specify filter value. For example:
  - vpcid=*: this would return all the resources related to any VPC
  - vpcid!=*: this would return all the resources that are not related to any VPC
  - tag=*:*: this would return all the resources that have tags
  - tag!=*:*: this would return all the resources that don't have tags
  - vpcId=vpc-123 and privateIpAddress=10.*.5.*: this would return all the resources within VPC vpc-123 where private ip address matches 10.*.5.* pattern
- ( ) brackets allow you to group logical conditions together to create more complex filter expressions. For example:
  - vpcId=vpc-123 and (tag=stage:dev or tag=cost-center:billing): this would return all the resources within VPC vpc-123 with specified tags stage:dev or cost-center:billing
  - vpcId=vpc-123 and (elementType="EC2 Instance" or elementType=*Balancer): this would return all the EC2 instances or load balancers within VPC vpc-123
There are a few things that you should know before you start to play with expression syntax:
- Parameter names (ex. vpcId=..., elementType) and search operators (AND, OR) are case-insensitive. This means that you can specify names in any format that works for you and your team
- Parameter values (ex. ....=vpc-123, ...=STAGE:dev) are case-sensitive
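The syntax, operators and case rules above, combined in a small evaluator you can use to predict what an expression keeps before generating a diagram. This is an added example, not Cloudviz's implementation: the precedence (AND before OR), the reading of a tag pattern as key:value, the resource data model and every function name are assumptions.

```python
import re

# One token: bracket, operator, "quoted value", or bare word (name, value, and/or).
TOKEN = re.compile(r'\s*(?:([()])|(!=|=)|"([^"]*)"|([^\s()=!"]+))')


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        kind = ("paren", "op", "str", "word")[m.lastindex - 1]
        tokens.append((kind, m.group(m.lastindex)))
        pos = m.end()
    return tokens + [("end", "")]


def glob(pattern):
    """Value pattern to regex: * matches any run of characters, case-sensitively."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def make_test(name, pattern):  # name arrives lower-cased: names are case-insensitive
    if name == "tag":  # assumed from tag=stage:dev: tag key left of ':', value right
        key_re, val_re = (glob(p) for p in pattern.partition(":")[::2])
        return lambda res: any(key_re.fullmatch(k) and val_re.fullmatch(v)
                               for k, v in res.get("tags", {}).items())
    value_re = glob(pattern)
    return lambda res: any(k.lower() == name and isinstance(v, str)
                           and value_re.fullmatch(v) for k, v in res.items())


def compile_filter(text):
    """Compile a filter expression into a predicate over one resource dict."""
    tokens = tokenize(text)
    def take():
        return tokens.pop(0) if len(tokens) > 1 else tokens[0]

    def chain(word, operand, combine):
        node = operand()
        while tokens[0][0] == "word" and tokens[0][1].lower() == word:
            take()
            node = combine(node, operand())
        return node

    def parse_or():  # lowest precedence; assumed: AND binds tighter than OR
        return chain("or", parse_and, lambda a, b: lambda res: a(res) or b(res))
    def parse_and():
        return chain("and", parse_atom, lambda a, b: lambda res: a(res) and b(res))

    def parse_atom():
        kind, val = take()
        if (kind, val) == ("paren", "("):
            node = parse_or()
            if take() != ("paren", ")"):
                raise ValueError("missing closing bracket")
            return node
        (op_kind, op), (val_kind, pattern) = take(), take()
        if kind != "word" or op_kind != "op" or val_kind not in ("word", "str"):
            raise ValueError("expected <name>=<value> or <name>!=<value>")
        test = make_test(val.lower(), pattern)
        return test if op == "=" else (lambda res: not test(res))

    node = parse_or()
    if tokens[0][0] != "end":
        raise ValueError("unexpected trailing input")
    return node


# Constructed sample resources (hypothetical data model: flat attributes plus a tags dict).
RESOURCES = [
    {"id": "i-1", "elementType": "EC2 Instance", "vpcId": "vpc-123",
     "instanceType": "t2.small", "privateIpAddress": "10.0.5.7", "tags": {"stage": "dev"}},
    {"id": "i-2", "elementType": "EC2 Instance", "vpcId": "vpc-123",
     "instanceType": "m5.large", "privateIpAddress": "10.1.9.4", "tags": {"stage": "prod"}},
    {"id": "alb-1", "elementType": "Application Load Balancer", "vpcId": "vpc-123", "tags": {}},
    {"id": "bkt-1", "elementType": "S3 Bucket", "tags": {"cost-center": "billing"}},
]


def select(expression, resources=RESOURCES):
    matches = compile_filter(expression)
    return [res["id"] for res in resources if matches(res)]
```

Under this reading a != condition also keeps resources that lack the attribute entirely, so instanceType!=t2.small keeps the load balancer as well as the other instance.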
Team Collaboration
User roles and permissions
Cloudviz.io users can have one of the following user roles:
- Owner
- Administrator
- User
Owner has access to everything in particular team (subscription) - including billing and subscription related settings. After subscribing to specific price plan user receives Owner role with following permissions:
- Manage subscription settings
- Manage team settings:
  - Create new users / administrators
  - Change user roles
  - Delete team members (only user access to this team is removed)
- Create / update / delete / share / sync AWS accounts
- Create / update / delete automation profiles
- Create / update / delete API keys
- Enable / disable SAML SSO configuration
- Create / update / delete common team diagram generation profiles
- Generate / create / update / delete / share private diagrams
- Generate documentation
Administrator permissions:
- Create / update / delete / share / sync AWS accounts
- Create / update / delete automation profiles
- Create / update / delete API keys
- Create / update / delete common team diagram generation profiles
- Generate / create / update / delete / share private diagrams
- Generate documentation
User permissions:
- Sync shared AWS accounts
- Read automation profiles
- Create / update / delete common team diagram generation profiles
- Generate / create / update / delete / share private diagrams
- Generate documentation
It's good to know that:
- When the Administrator / Owner user creates new AWS account it's automatically available to other Administrators or Owner
- All the team created AWS accounts, diagram generation profiles and automation profiles are stored under the Owner account. This means that when user leaves the team and for example creates new subscription there will be no AWS accounts, diagram generation profiles and automation profiles available from previous team
- All the diagrams shared with the team by user are in read-only mode for other team members
- If the user shared the diagram with the team and then leaves the team - diagram will not be anymore available for the team. All the diagrams by default are private for all users
What happens when a user joins team?
User will have specific permissions and access to team resources based on role assigned to user
What happens when a user leaves / is removed from team?
User will not have access to any of the team related resources:
- AWS accounts
- Automation profiles
- Common diagram generation settings
- Team member shared diagrams
Can team members (User / Administrator) create their own teams?
A user can be part of only one team at a time (for now). In order to create a new team, users should first leave the current team and then subscribe to the "Cloudviz Team" price plan, which already has ten users included
Diagram Export
In what formats can I export my generated diagrams?
Currently you can export your diagrams in PNG, SVG, PDF, JSON and Draw.io / Diagrams.net formats
Can I export diagram properties (synced data)?
Yes, you can. You will find checkbox "Diagram Properties" under JSON export section
Can I set size when exporting diagram?
Yes. Change the Zoom parameter to change the size when exporting a diagram to PNG or SVG formats. We always export diagrams so that they fit all the elements that reside in your diagram
Generate Documentation
What is documentation generation?
You can use our tool to automatically generate a Word document (docx) which will contain diagrams and detailed resource information of your AWS cloud environment (for a specific region). This gives you and your team the possibility to always have up-to-date documentation of your AWS environment without needing to create read-only roles for AWS console access
When can I generate documentation of my AWS cloud environment?
You can easily generate documentation of your cloud environment after you have synced your account for specific AWS region
Can I choose which resources to include in documentation?
Yes. You can include / exclude specific resources in documentation. Just click the specific resource checkbox in the Diagram Settings view. Documentation and diagram settings are related. This means that if you change some diagram generation properties (for specific profile) and then generate documentation - all the visual changes that you made will be reflected in the documentation too
Can I use my own documentation template?
You can choose one of our provided templates or specify your own template to generate documentation which covers your organization's style & content requirements. Contact us for more details if you are interested in creating your own template.
Can I generate documentation for specific VPC?
Yes. We have developed resource filter feature which allows you to specify which resources you want to include in documentation / diagram. To visualize and generate documentation of specific VPC it's necessary to add VPC id in resource filter field. After that just click the generate button
Generation Profiles
What exactly is diagram generation profile?
We know that there can be different visualization needs for different cloud architectures. That's why we have developed diagram generation profiles. Besides our default generation profiles, you can easily set your own diagram generation settings and save these for later use as profiles
When should I create my own diagram generation profile?
You can create your own diagram generation profile whenever you see that our default profiles don't really work for your AWS cloud architecture. We are constantly improving our default generation profiles to cover different AWS cloud architectures. That's why we suggest that, if you have found that one of our default profiles works for you, you clone the default profile settings and save these as your profile for later use
What can I change in diagram generation profile?
First you can choose which resources / resource groups should be included in generated diagrams. After that you can set different kinds of settings for each of the resources that we visualize. You can specify Element Settings like default width / height, fill / border colors, name length / color, different placement properties in the diagram etc. You can specify Connection Settings for that resource; for example, for Elastic Load Balancer you can choose whether or not to show connection lines with target EC2 instances. You can even set the line style / color / width / start / end arrows.
These are just a few of many different settings that you can change when creating your custom generation profiles
Do you plan to introduce new settings for generation profiles?
We are constantly improving the settings that are currently available and, of course, we are listening to our users and introducing the new settings that have been most requested. If you see that something is missing and could improve diagram generation flexibility, you are welcome to drop us a message
Automation Profiles
What is automation profile?
You can schedule autogeneration of your diagrams and documentation for your AWS environments by creating automation profiles. Our app will do all the hard work so you don't have to spend time on refreshing and maintaining actual diagram of your AWS infrastructure.
The cool thing is that you can set specific visualization settings for your AWS environment as generation settings profile and create automation profile to use these settings when generating the diagrams
Where will autogenerated files be stored?
Our app will store generated files in an S3 bucket located in your AWS account which is used for diagram and documentation generation. We suggest creating a new S3 bucket fully dedicated to our tool for storing the generated files. This means that you will have to update your existing cross-account role to give our tool access to this bucket. Here is our suggested policy template:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::companyname-cloudviz",
        "arn:aws:s3:::companyname-cloudviz/*"
      ]
    }
  ]
}
Do you store autogenerated files on your servers?
Our app doesn't store autogenerated files anywhere else except your provided S3 bucket.
All the files (diagrams & documentation) are generated in memory and no data is stored on disk. This makes our tool really useful for companies or individuals who need to have more control of where the generated data is stored and who is accessing it.
As files are stored in your S3 bucket you have all the control what to do next by using different AWS services. Like configure SNS to send notifications to you and your team when new diagram or documentation is generated and give read access to your team members. Embed the generated diagrams into your Confluence, wiki or different dashboards - so you and your team will always have an updated diagram of your AWS environment
What file formats can I set for autogenerated diagrams / documentation?
Currently you can autogenerate your diagrams in PNG, SVG, PDF, WORD and JSON formats. You can opt in to store snapshot of your current AWS environment in JSON format.
How often will files be autogenerated?
You can choose the generation frequency which works best for you - from once every 3 hours to once every month
Single Sign-On (SSO)
What SSO methods are supported?
We support SSO authentication via the Security Assertion Markup Language 2.0 (SAML 2.0). Setting up SAML for your Cloudviz account allows you and your team to log in using the credentials stored in your organization's Active Directory, LDAP, or other identity store connected to a SAML Identity Provider.
How to enable SAML SSO for your Cloudviz account?
To enable SAML SSO for your Cloudviz account, you need to be an owner of the account with an active Cloudviz Team subscription. You can enable SAML SSO by following these steps:
- Go to Settings > Security & SSO
- Create Cloudviz as a new application in your Identity Provider (IdP) by using the following Cloudviz service provider details (from the Security & SSO section):
  - Assertion Consumer Service URL
  - Service Provider Entity ID
  - NameId Format
- Map the email attribute in your IdP SAML configuration. This attribute should be mapped in the SAML response as <saml:Attribute Name="email" ...>...
- After creating application go back to Cloudviz and upload the metadata file from your identity provider.
- If the SAML SSO configuration is successful, you will see the "SAML is enabled" sign and the "Single Sign-On URL". Give it a few seconds for the "Single Sign-On URL" to be fully operational.
What additional features of SAML SSO are supported?
We support the following features for SAML SSO:
- SAML Strict Mode. With SAML Strict Mode enabled, all organization users (except subscription owner) must use SAML SSO to sign in to Cloudviz account. Any existing Cloudviz sign-in credentials are not valid. Subscription owner does retain access to alternative sign-in mode for troubleshooting purposes.
- IdP Initiated Login. This is a process in Single Sign-On where the login procedure is initiated by the Identity Provider rather than the Service Provider.
- Just-in-Time User Provisioning. When you enable this setting, Cloudviz automatically provisions and adds user account to the team (with "User" role assigned) when users sign in over SSO for the first time. This saves time for admins, who then don't need to manually invite users to Cloudviz.
- Restricted Domains. You can restrict SSO authentication so that only users with email addresses from these domains are allowed.
How to disable SAML SSO for your Cloudviz account?
You can delete your SAML configuration by going to Settings > Security & SSO and clicking the "Delete configuration" button. This will disable access for all organization users who use Single Sign-On (SSO) as their only authentication method to log in to their Cloudviz accounts.
How does user deletion in SAML work?
Due to SAML limitations, Cloudviz does not receive notifications when a user's access is revoked in the IdP. After their current session expires, if users attempt to log in again via SSO, Cloudviz will deny access. For immediate effect, remove the user from the Cloudviz team (in the Cloudviz app). We recommend that you regularly review your team members and remove any users who no longer require access to Cloudviz.
Cloudviz API
Where can I find Cloudviz API documentation and examples?
All the Cloudviz developer API related documentation and examples can be found in our API Docs page