AWS Architecture Import and Diagram Creation

Lucidchart allows you to import your AWS infrastructure to easily create diagrams that represent your AWS architecture.

Please note: Starting March 3, 2020, we will begin the process of sunsetting our Lucidchart AWS Architecture Import feature. You will continue to have access to AWS Architecture Import in Lucidchart until April 1, 2021.

Based on continuous customer feedback, we have more heavily invested resources into bringing customers an automated cloud architecture experience with our newest add-on, Lucidchart Cloud Insights. See the below FAQs for more information on the AWS Architecture Import sunsetting and Lucidchart Cloud Insights.

Why is Lucidchart sunsetting AWS Architecture Import?
The AWS Architecture Import was a first step towards helping users visualize, understand, and optimize their cloud architecture. Lucidchart Cloud Insights is an exciting next step—we’ve launched new and advanced functionality that will help users truly optimize their cloud architecture and create accurate, up-to-date, and interactive diagrams that are consistent across their organization.

How is the Lucidchart Cloud Insights add-on different than AWS Architecture Import?
Lucidchart Cloud Insights includes more robust functionality than the original AWS Architecture Import. Along with supporting an improved AWS import experience, Lucidchart Cloud Insights will also include:
  • Multi-account and region support
  • Filtering and saved views to focus on the information that matters most
  • Data refresh to ensure accurate diagrams
  • Ability to easily visualize key cloud governance data
  • Support for Azure and GCP coming soon

When will I lose access to AWS Architecture Import?
As of April 1, 2021, the AWS Architecture Import feature will no longer be available.

We have many documents created using AWS Architecture Import. Will those diagrams be deleted on April 1, 2021?
No. Even after April 1, 2021, users will still be able to access any diagram they created with AWS Architecture Import, including the metadata attached to shapes. However, users will no longer be able to auto-create lines or access the left data panel that displays your imported resources.

Is Lucidchart Cloud Insights included with my Lucidchart license?
No, Lucidchart Cloud Insights is an add-on available to purchase. Contact our sales team if you're interested in learning more.

How can I learn more about Lucidchart Cloud Insights?
Visit our Cloud Insights page or request a demo to see it in action.

Will I still be able to create AWS diagrams using Lucidchart without the add-on?
Yes! We will still have shape libraries for AWS, as well as other cloud providers, to create diagrams.

Will Lucidchart Cloud Insights meet the same security requirements as the AWS Architecture Import?
Yes, see details around Lucidchart Cloud Insights security information.

Who do I contact with questions about the sunsetting of AWS Architecture Import?
For any questions or concerns, please contact our support team.

To import your AWS architecture into Lucidchart, click the “Import Data” button in the bottom left corner of a blank Lucidchart document and select the “Legacy AWS Architecture” option.

To import your AWS infrastructure into Lucidchart via cross-account role, follow these steps:

    1. In Lucidchart's AWS import modal, select "Cross-Account Role," then click "+ Add AWS Account."
    2. In your AWS account, create a cross-account role with the stated policy.
    3. Back in Lucidchart, enter the ARN and external ID associated with your role. Keep that external ID as an sts:ExternalId condition in the role's trust policy; it is what stops a third party who merely knows your role ARN from getting Lucidchart to assume the role on their behalf (the confused-deputy problem). Give your account a name, then click "Add Account."
    4. Select the account and region you wish to use for the AWS import. Click "Import."

Note: Lucidchart only supports the import of one region at a time. Additionally, Lucidchart does not currently support the import of all AWS regions.

To import your AWS infrastructure into Lucidchart via IAM credentials, follow these steps:

  1. Create an IAM user with the stated policy. We suggest creating a new user dedicated to your Lucidchart import credentials and adding an inline policy to that user; the inline policy lets you control or revoke access easily. If it is not possible to create an IAM user, you can use a command line script instead: choose “AWS CLI Script.”
  2. Enter the IAM keys for the newly created user manually, or upload a CSV or config file to enter the keys. Then select the region you wish to use for the AWS import. Currently, Lucidchart only supports the import of one region per document.
  3. Import your AWS architecture.

Note about security: Lucidchart does not save these credentials and only uses them once at the time of import. You’ll need to add your credentials again for every document you create. The access key is still sent to Lucidchart's servers for that one use, so treat it as a short-lived import credential: deactivate or delete the key once the import is done, or use the cross-account role or CLI script option if keys must never leave your account.
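A worked example of the role and user permissions, added here as an editor's example and not Lucidchart's own code. The page does not reproduce the stated policy, so the action list below is an assumed describe/list-only set covering the resource types the import lists as supported, and LUCIDCHART_ACCOUNT_ID and EXTERNAL_ID are placeholders for the values the import modal shows you. The block builds the cross-account trust policy with the external ID condition from step 3 of the role procedure, builds the inline permission policy usable for either the role or the dedicated IAM user, and checks both before you hand them over: every allowed action must be a concrete Describe/List call (no wildcards, no Get* verbs that could read object data, no mutating verbs), and the trust policy must name a specific account and carry the sts:ExternalId condition.

```python
import json
import re

# Placeholders, not values from the Lucidchart page: the import modal shows
# the real account ID and external ID to use.
LUCIDCHART_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "replace-with-the-external-id-shown-in-lucidchart"

# An illustrative describe/list-only action set covering the resource types the
# import lists as supported. This is an assumption, not Lucidchart's stated policy.
READ_ONLY_ACTIONS = [
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeInstances",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "autoscaling:DescribeAutoScalingGroups",
    "elasticloadbalancing:DescribeLoadBalancers",
    "rds:DescribeDBInstances",
    "s3:ListAllMyBuckets",
    "sns:ListTopics",
    "sqs:ListQueues",
    "cloudfront:ListDistributions",
]


def trust_policy(trusted_account, external_id):
    """Trust policy for the cross-account role: the third party may assume it
    only when it presents the agreed external ID (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def permission_policy(actions):
    """Inline policy body usable for either the role or the dedicated IAM user."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


# Only Describe*/List* verbs count as structural metadata reads. Get* verbs are
# deliberately excluded: some of them (s3:GetObject) read data, not structure.
_STRUCTURAL_READ = re.compile(r"^[a-z0-9-]+:(Describe|List)[A-Za-z0-9]+$")


def unsafe_actions(policy):
    """Every action granted by an Allow statement that is not a concrete
    Describe/List call: wildcards, Get*, and mutating verbs are all flagged."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        flagged.extend(a for a in actions if not _STRUCTURAL_READ.match(a))
    return flagged


def trust_policy_problems(policy):
    """Trust statements that let a principal assume the role without an
    sts:ExternalId condition, or that trust every AWS account."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("principal is '*'")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            problems.append("no sts:ExternalId condition")
    return problems


if __name__ == "__main__":
    trust = trust_policy(LUCIDCHART_ACCOUNT_ID, EXTERNAL_ID)
    perms = permission_policy(READ_ONLY_ACTIONS)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("trust problems:", trust_policy_problems(trust))
    print("unsafe actions:", unsafe_actions(perms))
```

Run it to print both policy documents as JSON for pasting into the IAM console, and pass any policy you are about to attach through unsafe_actions to confirm it still matches the page's claim that the import can neither change settings nor read your data.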

To import your AWS infrastructure into Lucidchart via CLI, follow these steps:

  1. Open your "My Documents" page in Lucidchart.
  2. Click Import > Import AWS Architecture.
  3. Click "AWS CLI Script" and then click "Copy to Clipboard" to copy the script.
  4. SSH into an EC2 instance (or any machine) that has AWS credentials with the required permissions configured.
  5. Type "python", then paste the copied script. Note: make sure to change the region in the script to the region that corresponds with your AWS profile.
  6. Enter "Ctrl+D" to exit python.
  7. There will now be a file in your directory called "aws.json." Download this file to your local machine.
  8. Return to your "My Documents" page in Lucidchart and click Import > Import AWS Architecture.
  9. Click "Choose File" and select "aws.json."
  10. Click "Import."
Note: these additional steps may be required to run Import via CLI on a Windows machine:
  1. Install the AWS CLI.
  2. Install Python
  3. Run "pip3 install botocore". This installs a pre-req needed by the script.
  4. Add these environment variables to your machine:
    • AWS_ACCESS_KEY_ID = Your access key
    • AWS_SECRET_ACCESS_KEY = Your secret key
    • AWS_DEFAULT_REGION = Your default region
  5. Run python.exe

  • To get started you will be prompted to either Auto Layout your diagram or manually create it. Both store your resources and connections, but if you choose Auto Layout, each VPC and the resources it contains will be mapped on its own page. Connections are stored but not drawn.

  • A list of custom shapes that represents everything in your environment will appear on a separate left-hand panel below your shape library menu. Use the “Search” feature to search by component name and/or tag. You can also filter the list to display specific types of components. Our standard AWS shapes will be available to you by clicking “M” on your keyboard and checking the box next to the desired shape library.
  • To change how the connections are handled, you can select the "gear" icon that appears both when you select a shape and in the list of imported resources in the editor's data panel. (Note: these connection option changes only apply to shapes added after adjusting the settings. If you would like them to apply to connections already drawn, delete the connection and redraw it using the red “+”.)
  • View any metadata attached to the shape by selecting the shape and then clicking the “Data” icon in the bottom right-hand corner.
  • To add connections you can select the red "+" that appears when you hover over a shape. From here you can either add an individual connection between resources, or if you select "Connect to Resources on Page", all connections coming from that object will be auto-drawn.

Secure, Limited Access for IAM Users

We request limited, “describe”-level permission for the IAM user you create. An IAM user created with these permissions cannot change settings in your AWS architecture or read data in your databases. We only use the IAM user to read the structural metadata of your AWS infrastructure. Please check out this article for information on how to create an IAM user.

CLI Script Alternative

If you wish to review and control the actions we take during our AWS infrastructure scan, you can download and use our provided Python script instead of creating an IAM user. In this scenario, your IAM credentials will never be passed to Lucidchart, and you can review both the code that will run in your environment and the resulting metadata before uploading the metadata to Lucidchart.

Safe Storage of Documents

Lucidchart stores the AWS imported documents and metadata using industry standard protections for confidential data. Imported AWS data is embedded as part of the Lucidchart document, so you can control access to the imported data using Lucidchart’s standard sharing permissions. For additional information regarding how we protect your documents, please refer to our Content Security page or contact our sales team.

No Storage of Access Keys

Lucidchart will not store your AWS IAM credentials after performing the initial scan of your AWS infrastructure. Your credentials are transferred to our servers over TLS, and clients may negotiate cipher suites up to AES-256.

Why is there a connection between two items I didn’t expect to be connected?

Lucidchart’s AWS import draws connections based on security groups and subnets, and it looks for ports to be open on both sides of a connection. If you see connections you don’t expect between items, it’s likely that the items have open ports between them. For example, one item may have an egress rule allowing a port out to all IPs (0.0.0.0/0), and the other may have an ingress rule accepting the same port from all IPs. Security groups describe what traffic is permitted, not what actually flows, so an unexpected connection in the diagram is a sign that a rule is wider than it needs to be rather than proof that the two resources talk to each other.
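To make the two-sided matching concrete, here is an added example (the editor's reconstruction, not Lucidchart's import code, whose exact algorithm this page does not publish) over constructed data in the shape of EC2 DescribeSecurityGroups and DescribeInstances output. An instance pair is connected on a port only when an egress rule on the source and an ingress rule on the destination both cover the peer, by security-group reference or by CIDR, and their protocol and port ranges overlap; connections where both rules matched via 0.0.0.0/0 are flagged, because those are the ones that show up unexpectedly.

```python
import ipaddress

# Constructed sample data in the shape of EC2 DescribeSecurityGroups /
# DescribeInstances output, trimmed to the fields the matching needs.
SECURITY_GROUPS = {
    "sg-web": {
        "IpPermissions": [  # ingress: HTTPS from anywhere
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [  # egress: the AWS default, everything to anywhere
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    "sg-db": {
        "IpPermissions": [  # ingress: Postgres only from members of sg-web
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        ],
        "IpPermissionsEgress": [],
    },
    "sg-worker": {
        "IpPermissions": [  # ingress: HTTPS from anywhere (wider than intended)
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [  # egress: HTTPS to anywhere
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
}

INSTANCES = {
    "i-web": {"PrivateIpAddress": "10.0.1.10", "SecurityGroups": ["sg-web"]},
    "i-db": {"PrivateIpAddress": "10.0.2.20", "SecurityGroups": ["sg-db"]},
    "i-worker": {"PrivateIpAddress": "10.0.3.30", "SecurityGroups": ["sg-worker"]},
}


def _peer_match(rule, peer_ip, peer_groups):
    """How a rule covers the peer: 'group' via a security-group reference,
    'world' via 0.0.0.0/0, 'cidr' via a narrower range, None if not at all."""
    for pair in rule.get("UserIdGroupPairs", []):
        if pair.get("GroupId") in peer_groups:
            return "group"
    addr = ipaddress.ip_address(peer_ip)
    for r in rule.get("IpRanges", []):
        net = ipaddress.ip_network(r["CidrIp"], strict=False)
        if addr in net:
            return "world" if net.prefixlen == 0 else "cidr"
    return None


def _port_range(rule):
    """Port span of a rule; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def connections(instances, security_groups):
    """Ordered (src, dst) pairs that both an egress rule on src and an ingress
    rule on dst allow, with protocol, the overlapping port span, and whether
    both rules were open to the world (the case behind 'unexpected' lines)."""
    found = set()
    for src, s in instances.items():
        for dst, d in instances.items():
            if src == dst:
                continue
            egress_rules = [r for g in s["SecurityGroups"]
                            for r in security_groups[g]["IpPermissionsEgress"]]
            ingress_rules = [r for g in d["SecurityGroups"]
                             for r in security_groups[g]["IpPermissions"]]
            for out in egress_rules:
                out_match = _peer_match(out, d["PrivateIpAddress"], d["SecurityGroups"])
                if not out_match:
                    continue
                for inn in ingress_rules:
                    in_match = _peer_match(inn, s["PrivateIpAddress"], s["SecurityGroups"])
                    if not in_match:
                        continue
                    p_out, p_in = out["IpProtocol"], inn["IpProtocol"]
                    if p_out != "-1" and p_in != "-1" and p_out != p_in:
                        continue
                    lo = max(_port_range(out)[0], _port_range(inn)[0])
                    hi = min(_port_range(out)[1], _port_range(inn)[1])
                    if lo > hi:
                        continue
                    proto = p_in if p_out == "-1" else p_out
                    found.add((src, dst, proto, lo, hi,
                               out_match == "world" and in_match == "world"))
    return sorted(found)


def world_open_connections(conns):
    """The connections that exist only because both sides are open to all IPs."""
    return [c for c in conns if c[5]]


if __name__ == "__main__":
    for c in connections(INSTANCES, SECURITY_GROUPS):
        print(c)
```

In the sample, the web tier reaches the database on 5432 through the security-group reference, which is the connection you would expect; the web and worker tiers reach each other on 443 only because both sides allow 0.0.0.0/0, which is exactly the kind of line the question above is about. Narrowing either side's CIDR to the peer's subnet keeps the line but drops the world-open flag.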

Why don’t you make the diagram completely automatic?

Trust us—we’ve thought this one through. The first version of Lucidchart’s AWS import tool built diagrams automatically, but customer feedback showed that our users didn’t find it helpful to create such large, complex diagrams. The current iteration of the tool provides all the resources for users to choose from, including the correct icons, names, tags, and all other metadata. This version allows users to quickly create diagrams for their specific use cases without any of the tedious work of typing out names or copying and pasting information from the AWS console.

Why are some of my instances not showing up?

Lucidchart represents instances within autoscaling groups by the autoscaling group itself rather than showing each individual instance, since they would all have the same connections. You can still see the instance IDs for those instances in the “Shape Data” panel.

How do I give Lucidchart access to my AWS architecture?

In order for Lucidchart to access your AWS infrastructure, you’ll need to give Lucidchart the credentials for a new IAM user with an inline policy. For an overview of how to create an IAM user with an inline policy, check out this article.

Can I export my AWS diagram?

Yes! Click File > Download As. You can now download your diagram as a CSV file. Choose “CSV for Shape Data” and a CSV will be exported with a row for every shape, page and layer.

Which resources do you support?

Auto Scaling Groups, EC2 Instances, CloudFront Distributions, Application Load Balancers, Elastic Load Balancers, RDS Instances, S3 Buckets, SNS Topics, SQS Queues, VPCs, Availability Zones, Subnets, and Security Groups.

What AWS regions does Lucidchart import support?
Lucidchart currently supports the following AWS regions:
  • ap-northeast-1
  • ap-northeast-2
  • ap-southeast-1
  • ap-southeast-2
  • eu-central-1
  • eu-west-1
  • sa-east-1
  • us-east-1
  • us-gov-west-1
  • us-west-1
  • us-west-2