AWS Architecture Import and Diagram Creation

Lucidchart now allows you to import your AWS infrastructure to easily create diagrams that represent your AWS architecture.

To import your AWS architecture into Lucidchart, click the “Import” button on the Documents page and select the “AWS Architecture” option.

Import Drop Down

To import your AWS infrastructure into Lucidchart via API, follow these steps:

  1. Create an IAM user with the stated policy. We suggest creating a new user for your Lucidchart import credentials and adding an inline policy to that user. The inline policy will allow you to easily control or revoke access as needed. OR, if it is not possible to create an IAM user, you can use a command line script. Choose “AWS CLI Script.”

    Lucidchart AWS CLI Script
  2. Enter the IAM keys for the newly created user manually, OR upload a CSV or config file to enter the keys. Then select the region you wish to use for the AWS import. Currently, Lucidchart only supports the import of one region per document.

Note about security: Lucidchart does not save these credentials and only uses them once at the time of import. You’ll need to add your credentials again for every document you create. We hope this procedure reduces any security concerns.

  1. Import your AWS architecture.

To import your AWS infrastructure into Lucidchart via CLI, follow these steps:

  1. Open your "My Documents" page in Lucidchart.
  2. Click Import > Import AWS Architecture.
  3. Click "AWS CLI Script" and then click "Copy to Clipboard" to copy the script.
  4. SSH into an AWS machine with proper credentials.
  5. Type "python" then paste the copied script.
  6. Enter "Ctrl+D" to exit python.
  7. There will now be a file in your directory called "aws.json." Download this file to your local machine.
  8. Return to your "My Documents" page in Lucidchart and click Import > Import AWS Architecture.
  9. Click "Choose File" and select "aws.json."
  10. Click "Import."
  • Lucidchart will automatically lay out each VPC and its contents on separate pages. If you select the auto layout option.
  • You can still manually layout your diagrams. Lucidchart will still import your connections and suggest them to you upon creation of the diagram.
  • Upon Import each VPC will be listed on a separate page accessible by the page tabs below the editor.
  • Connection lines are not shown automatically, but by clicking on a component you can access all incoming and outgoing traffic.
  • By clicking the "Connect to Resources on Page" button, all connections incoming and outgoing from that component are drawn automatically. This feature allows you to build your diagram systematically and reduces clutter on your diagram.
  • Enabling Line labels will show the text labels on all of your connections.

Once you have imported your AWS architecture, you can create your diagram using the imported objects. To create your diagram, follow these steps:

  1. Once you have imported your AWS architecture, a list of custom shapes that represent everything in your environment will appear on a separate left-hand panel below your shape library menu. Use the “Search” feature to search by component name and/or tag. You can also filter the list to display specific types of components. You can access the standard AWS shapes by clicking “M” on your keyboard and checking the box next to the desired shape library.

    Lucidchart AWS ShapesLucidchart AWS Shape Filter
  2. Drag and drop components from the list to create your diagram.
  3. Notice that a line is automatically created, based on networking rules, between shapes as new shapes are added to the canvas.

  4. View any metadata attached to the shape by selecting the shape and then clicking the “Data” icon in the bottom right-hand corner.AWS Shape Meta Data
  5. Click the “+T” symbol to add shape data to the shape.
  6. Looking back at the canvas, you can also click the “+” sign to examine the shape’s connected components. You can filter the list in terms of how traffic flows from that shape: “Incoming” lists all components that send traffic inbound to the selected component, and “Outgoing” lists all components that receive traffic from the selected component.


Secure, Limited Access for IAM Users

We request limited, “describe”-level permission for the IAM user you create. An IAM user created with these permissions cannot change settings in your AWS architecture or read data in your databases. We only use the IAM user to read the structural metadata of your AWS infrastructure. Please check out this article for information on how to create an IAM user.

CLI Script Alternative

If you wish to review and control the actions Lucidchart takes during the AWS infrastructure scan, you can download and use the provided Python script instead of creating an IAM user. In this scenario, your IAM credentials will never be passed to Lucidchart, and you can review both the code that will run in your environment and the resulting metadata before uploading the metadata to Lucidchart.

Safe Storage of Documents

Lucidchart stores the AWS imported documents and metadata using industry standard protections for confidential data. Imported AWS data is embedded as part of the Lucidchart document, so you can control access to the imported data using Lucidchart’s standard sharing permissions. For additional information regarding how Lucidchart protects your documents, please refer to the Content Security page and Lucidchart's Security Whitepaper.

No Storage of Access Keys

Lucidchart will not store your AWS IAM credentials after performing the initial scan of your AWS infrastructure. Your credentials will be transferred to the Lucidchart servers using standard encryption methods. Clients may negotiate encryption protocols up to AES-256.

Why is there a connection between two items I didn’t expect to be connected?

Lucidchart’s AWS import draws connections based on security groups and subnets, and it looks for ports to be open on both sides of a connection. If you see connections you don’t expect between items, it’s likely that the items have open ports between them. For example, one item may have a port open to send traffic to all IPs, and the other item may have the same port open to receive traffic from all IPs.

Why don’t you make the diagram completely automatic?

Trust us—we’ve thought this one through. The first version of Lucidchart’s AWS import tool built diagrams automatically, but customer feedback showed that our users didn’t find it helpful to create such large, complex diagrams. The current iteration of the tool provides all the resources for users to choose from, including the correct icons, names, tags, and all other metadata. This version allows users to quickly create diagrams for their specific use cases without any of the tedious work of typing out names or copying and pasting information from the AWS console.

Why are some of my instances not showing up?

Lucidchart represents instances within autoscaling groups with the autoscaling group itself, rather than show each individual instance, as they would all have the same connections. You can still see the instance IDs for those instances in the “Shape Data” panel.

How do I give Lucidchart access to my AWS architecture?

In order for Lucidchart to access your AWS infrastructure, you’ll need to give Lucidchart the credentials for a new IAM user with an inline policy. For an overview of how to create an IAM user with an inline policy, check out this article.

Can I export my AWS diagram?

Yes! Click File > Download As. You can now download your diagram as a CSV file. Choose “CSV for Shape Data” and a CSV will be exported with a row for every shape, page and layer.