v1.0 · Native macOS · Bring-your-own-AI audit

See your entire AWS account. In one diagram.

A native macOS app that scans 33+ AWS services, renders your infrastructure as an interactive architecture diagram, and runs an AI audit across security, cost, reliability, and performance — using your own OpenAI (or, soon, Claude) account. Everything runs on your Mac; credentials never leave your Keychain.

Apple Silicon · macOS 14+ · Free
Credentials stored in macOS Keychain.
Per-project. Encrypted by Apple.
Read-only AWS access.
Only Describe* / List* API calls.
100% local — no servers, no telemetry.
Your infrastructure stays on your laptop.
Coverage

Thirty-three-plus AWS services,
one architecture diagram.

AWSAnalyze calls the Describe/List APIs across every major category and stitches the results into a single graph — no gaps, no console tab-hopping. A complete visualization of your AWS account in under a minute.

What it does

Everything the AWS console won't show you, in one view.

— Interactive map

Pan, zoom, and click any resource.

VPCs contain subnets contain instances — the hierarchy AWS never shows you, rendered as an actual graph.

  • Smooth pan and zoom across your account’s resources.
  • Service-type highlighting dims unrelated nodes to 30%.
  • Hierarchical VPC → Subnet → Resource containers.
  • Public vs. private subnet color coding.
[Diagram: VPC · 10.0.0.0/16 with PUBLIC, PRIVATE, and DATA tiers; nodes: ELB, IGW, EC2×3, λ×12, RDS, DynamoDB, Cache]
— Filters

One-click filtering by service.

Eleven categories. Click DynamoDB, see only DynamoDB — the rest of the graph dims to 30% so you don’t lose spatial context.

  • Per-service counts shown inline in the sidebar.
  • Click the active row again (or “Show All”) to clear the filter.
  • The full graph stays visible — nothing is hidden, just dimmed.
Services · 327
EC2: 42
DynamoDB: 12
Lambda: 64
S3: 19
RDS: 8
SQS: 22
SNS: 11
Showing 12 of 327 · DynamoDB
— Resource inspector

Every property, parent, child, and association.

Click a node to open the inspector. See what VPC and subnet it lives in, which security groups attach to it, every tag, every property AWS returns.

  • Every ID, ARN, and CIDR is selectable — ⌘C to copy.
  • Parent (VPC / subnet) and child resources listed in the side panel.
  • Associated resources (security groups, target groups, …) shown next to the properties.

EC2 · api-worker-03

Instance ID: i-07a3f1cb2d
Type: t3.large
State: running
VPC: vpc-0a9f3c
Subnet: subnet-2a3f
IAM role: api-exec-role
Tags: env=prod, team=api, owner=sre

Associations

Security group: sg-api-0f1
Inbound: 0.0.0.0/0:22
Attached EBS: vol-0f3… vol-9a2…
Target group: tg-api-prod
ELB: alb-prod
CW alarms: 3
Secrets: db-creds (used)
— Flagship: bring-your-own-AI audit

Security, Cost, Reliability, Performance — reviewed by the AI you pick.

Get a severity-ranked review of your account with prioritized remediation actions. Plug in your own OpenAI account today (OAuth, no API key round-trip); Claude and OpenAI API keys are on the roadmap. Either way, the request goes straight from your Mac to the provider — nothing touches our infrastructure, because there isn’t any.

  • Executive summary + four pillar reports: security, cost, reliability, performance.
  • Findings grouped by severity: critical · warning · info.
  • Ranked priority actions with impact statements.
  • Assessment cached on the project — run once, review later.
  • Zero vendor lock-in: switch providers without re-scanning.
Assessment · acme-production
Security: C+ · Cost: B · Reliability: A− · Performance: B+

CRIT: Port 22 open to 0.0.0.0/0 on sg-api-0f1
Attached to 3 EC2 instances in public subnet. Restrict to bastion or VPN CIDR.

WARN: RDS pg-prod has no automated backups
Enable PITR. Current backup retention: 0 days.

INFO: 17 unused EBS volumes (≈ $38/mo wasted)
Detached from terminated instances. Snapshot and delete.
— Export

Ship your scan as code or a PDF.

Emit CloudFormation or Terraform for the core networking + compute layer, or save the map as a PDF you can hand to an auditor this afternoon.

  • CloudFormation / Terraform cover the core resources: VPC, subnets, security groups, EC2, RDS, Lambda, S3, ELB, NAT, IGW.
  • Output is sorted deterministically — friendly to git diffs.
  • PDF captures the rendered map, ready to print or attach.
.yaml · CloudFormation: Template covering the core resource types.
.tf · Terraform: HCL for the same core resource types.
.pdf · Map export: The infrastructure map, rendered to a printable PDF.
— Workspaces

Multiple accounts. Vaulted separately.

One app, every environment. Each project is scoped to a single region and gets its own Keychain entry — staging can’t read production. Scan another region by spinning up a second project.

acme-production · 123456789012 · 327 resources · us-east-1
acme-staging · 210987654321 · 184 resources · us-east-1
acme-data-lake · 445566778899 · 91 resources · us-west-2
Security

Your AWS keys never leave your Mac.

AWSAnalyze is architected so there is nothing for us to leak. No account, no backend, no telemetry pipeline — the server simply doesn't exist.

Keychain-vaulted credentials

Stored per-project using Apple's Security framework. Unlocks require device authentication.

Read-only scans

The app only invokes Describe* and List* APIs. No writes, ever. Bring a policy-scoped IAM user.

No backend, no account

AWSAnalyze runs entirely on your machine. There is no server, no user database, no analytics pipeline.
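
A pre-flight check for the "policy-scoped IAM user" mentioned under Read-only scans: this added example (not AWSAnalyze's own code) lists every Allow grant in an IAM policy document that reaches beyond the Describe*/List* families the page names. The sample policies are constructed, and classifying actions by name prefix is an assumption of this sketch.

```python
import re

READ_PREFIXES = ("describe", "list")  # the two API families the page names

def _as_list(value):
    """IAM allows a single string/object where a list is also valid."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _is_read_only(action):
    """True only if every API the pattern can match starts with Describe or List."""
    _service, sep, op = action.partition(":")
    if not sep:  # bare "*" or a malformed entry
        return False
    # Literal text before the first wildcard; IAM action names are case-insensitive.
    literal = re.split(r"[*?]", op, maxsplit=1)[0].lower()
    return literal.startswith(READ_PREFIXES)

def audit_policy(policy):
    """Return Allow grants that reach beyond Describe*/List*."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(f"Statement[{i}]: Allow+NotAction grants everything not listed")
        findings += [f"Statement[{i}]: {a}" for a in _as_list(stmt.get("Action"))
                     if not _is_read_only(a)]
    return findings

# Constructed sample policies (not taken from the page or from AWS).
SCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "rds:Describe*", "lambda:List*", "s3:ListAllMyBuckets"]}}
LOOSE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:De*", "s3:*", "iam:PassRole"]},
    {"Effect": "Deny", "Resource": "*", "Action": "ec2:TerminateInstances"},
    {"Effect": "Allow", "Resource": "*", "NotAction": "iam:*"}]}

if __name__ == "__main__":
    for name, doc in (("SCOPED", SCOPED), ("LOOSE", LOOSE)):
        print(name, audit_policy(doc) or "only Describe*/List* allowed")
```

A pattern such as `ec2:De*` is reported because its wildcard can also match Delete* operations, even though it covers Describe*. Anything reported is a grant to review before pasting the key, not proof of write access.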

How it works

Three steps. No account required.

01

Install

Run brew install --cask itsfreddyrb/awsanalyze/awsanalyze in your terminal. Homebrew downloads, verifies the signature, installs to Applications, and opens cleanly on first launch — no Gatekeeper dance.

02

Enter AWS credentials

Paste an access key ID and secret. A read-only IAM user is recommended — ViewOnlyAccess is a good baseline. Credentials are stored in your Keychain.

03

Scan and explore

Pick a region, hit scan. Resources populate the graph when the scan completes. Each project scans one region — create another for a different region.

Requirements & FAQ

The practical details.

OS: macOS 14+
Arch: Apple Silicon
AWS access: Read-only keys
Price: Free

What IAM permissions do I need?
The AWS-managed policy ViewOnlyAccess is sufficient. AWSAnalyze only calls Describe* and List* APIs — no writes.
Does it store my AWS credentials anywhere?
Only in the macOS Keychain, on your machine, encrypted by the OS. Each project has its own Keychain entry. AWSAnalyze has no server, so there is nowhere else for credentials to go.
Which AI providers can I use for the audit?
Today: OpenAI via OAuth (Codex / ChatGPT account) — click Sign In in Settings, pick a model (gpt-5.3-codex, gpt-5.4, gpt-5.4-mini, or gpt-5.2), and the audit runs against the model you chose. Coming: OpenAI API key and Claude API key, for users who want to bring their own key instead of OAuth. Zero vendor lock-in: switch providers without re-scanning the graph.
Does the AI feature send my infrastructure to OpenAI?
Yes — but directly from your Mac to OpenAI under your account. The request never touches our infrastructure (we don’t have any). Your serialized infrastructure goes out in a single Codex Responses API call; the model’s structured JSON reply comes back over the same stream.
Is there a Windows or Linux version?
Not today. AWSAnalyze is written in Swift on top of AppKit/SwiftUI to feel native on macOS. A cross-platform rewrite is not currently planned.
Can I use SSO or AWS profiles?
Not yet. The current release only accepts an access key ID + secret pasted into the wizard. Support for named profiles, ~/.aws/credentials, and SSO is on the roadmap.
Contact

Question didn’t make the FAQ?

Email hello@awsanalyze.app — it goes straight to the one person who makes this. Usually a reply within a day. Bug reports with a screenshot get bumped to the front of the line.


Stop clicking through the AWS console. Install AWSAnalyze.