AWS Architecture Import and Diagram Creation

Lucidchart now allows you to import your AWS infrastructure to easily create diagrams that represent your AWS architecture.

To import your AWS architecture into Lucidchart, click the “Import” button on the Documents page and select the “AWS Architecture” option.


To import your AWS infrastructure into Lucidchart via cross-account role, follow these steps:

  1. In Lucidchart's AWS import modal, select "Cross-Account Role," then click "+ Add AWS Account."
  2. In your AWS account, create a cross-account role with the stated policy.
  3. Back in Lucidchart, enter the ARN and external ID associated with your role. Give your account a name, then click "Add Account."
  4. Select the account and region you wish to use for the AWS import. Click "Import."

Note: Lucidchart only supports the import of one region at a time. Additionally, Lucidchart does not currently support the import of all AWS regions.
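The external ID entered in step 3 is what stops a third party from tricking the importer into assuming your role on their behalf (the confused-deputy problem), so it is worth confirming that the role's trust policy actually requires it before you hand over the ARN. The following check is an added example written for this article, not Lucidchart's code; the account ID and external ID in it are placeholders, and the real values come from the import modal.

```python
import copy

# Placeholders for the importer's account and the external ID shown in the modal.
# Constructed for this example; they are not Lucidchart's real values.
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"
EXPECTED_EXTERNAL_ID = "EXTERNAL-ID-PLACEHOLDER"

# Constructed example of a trust policy for the cross-account import role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": EXPECTED_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_principal, expected_external_id):
    """Return a list of findings for an assume-role trust policy.

    An empty list means every Allow statement granting sts:AssumeRole is pinned
    to exactly one principal and requires the expected external ID.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        # Only statements that can grant role assumption matter here.
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        if any(a != "sts:AssumeRole" for a in actions):
            findings.append(f"statement {i}: Action should be exactly sts:AssumeRole, got {actions}")
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if principals != [expected_principal]:
            findings.append(f"statement {i}: Principal must be exactly {expected_principal}, got {principals}")
        condition = stmt.get("Condition", {})
        external_ids = _as_list(condition.get("StringEquals", {}).get("sts:ExternalId"))
        if not external_ids:
            findings.append(f"statement {i}: missing sts:ExternalId condition (confused-deputy risk)")
        elif external_ids != [expected_external_id]:
            findings.append(f"statement {i}: sts:ExternalId does not match the value shown in the modal")
    return findings


if __name__ == "__main__":
    print("good policy:", check_trust_policy(TRUST_POLICY, EXPECTED_PRINCIPAL, EXPECTED_EXTERNAL_ID))
    weak = copy.deepcopy(TRUST_POLICY)
    weak["Statement"][0]["Principal"] = {"AWS": "*"}
    del weak["Statement"][0]["Condition"]
    for finding in check_trust_policy(weak, EXPECTED_PRINCIPAL, EXPECTED_EXTERNAL_ID):
        print("weak policy:", finding)
```

Run it against the trust policy document you are about to attach (for example the JSON you paste into the IAM console); anything it reports means the role can be assumed more widely than the import requires.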

To import your AWS infrastructure into Lucidchart via IAM credentials, follow these steps:

  1. Create an IAM user with the stated policy. We suggest creating a new user for your Lucidchart import credentials and adding an inline policy to that user. The inline policy lets you easily control or revoke access as needed. If it is not possible to create an IAM user, you can use a command line script instead: choose “AWS CLI Script.”
  2. Enter the IAM keys for the newly created user manually, or upload a CSV or config file to enter the keys. Then select the region you wish to use for the AWS import. Currently, Lucidchart only supports the import of one region per document.

     Note about security: Lucidchart does not save these credentials and only uses them once at the time of import. You’ll need to add your credentials again for every document you create. We hope this procedure reduces any security concerns.

  3. Import your AWS architecture.

To import your AWS infrastructure into Lucidchart via CLI, follow these steps:

  1. Open your "My Documents" page in Lucidchart.
  2. Click Import > Import AWS Architecture.
  3. Click "AWS CLI Script" and then click "Copy to Clipboard" to copy the script.
  4. SSH into an AWS machine with proper credentials.
  5. Type "python" then paste the copied script.
  6. Enter "Ctrl+D" to exit python.
  7. There will now be a file in your directory called "aws.json." Download this file to your local machine.
  8. Return to your "My Documents" page in Lucidchart and click Import > Import AWS Architecture.
  9. Click "Choose File" and select "aws.json."
  10. Click "Import."

  • To get started you will be prompted to either Auto Layout your diagram or manually create it. Both store your resources and connections, but if you choose Auto Layout, each VPC and the resources it contains will be mapped on its own page. Connections are stored but not drawn.
  • A list of custom shapes that represents everything in your environment will appear on a separate left-hand panel below your shape library menu. Use the “Search” feature to search by component name and/or tag. You can also filter the list to display specific types of components. Our standard AWS shapes will be available to you by clicking “M” on your keyboard and checking the box next to the desired shape library.
  • To change how the connections are handled, you can select the "gear" icon that appears both when you select a shape and in the list of resources on the right-hand side of the editor. (Note: These connection option changes only apply to shapes added after adjusting these settings. If you would like them to apply to connections already drawn, you will have to delete the connection and redraw it using the red “+”.)
  • View any metadata attached to the shape by selecting the shape and then clicking the “Data” icon in the bottom right-hand corner.
  • To add connections you can select the red "+" that appears when you hover over a shape. From here you can either add an individual connection between resources, or, if you select "Connect to Resources on Page", all connections coming from that object will be auto-drawn.

Secure, Limited Access for IAM Users

We request limited, “describe”-level permission for the IAM user you create. An IAM user created with these permissions cannot change settings in your AWS architecture or read data in your databases. We only use the IAM user to read the structural metadata of your AWS infrastructure. Please check out this article for information on how to create an IAM user.
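Both the inline policy attached in step 1 of the IAM-credentials procedure and the “describe”-level promise above come down to one property: every action the user is allowed must read configuration metadata and nothing else. The check below, an added example for this article and not Lucidchart's published policy or code, takes a policy document and lists any Allow action that is not describe/list-level. The sample policy in it is constructed from the resource types this article says are supported; treat it as an illustration, not as the policy the import modal shows you.

```python
# Constructed example of a describe-level inline policy for a dedicated import user.
# The action list is an assumption based on the resource types this article lists;
# it is not Lucidchart's published policy.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "autoscaling:Describe*",
                "elasticloadbalancing:Describe*",
                "rds:Describe*",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "sns:ListTopics",
                "sqs:ListQueues",
                "cloudfront:ListDistributions",
            ],
            "Resource": "*",
        }
    ],
}

# Action verbs that only read configuration metadata.
READ_ONLY_VERB_PREFIXES = ("Describe", "List")
# Explicit exceptions: actions that read resource configuration but do not start
# with Describe/List. Extend this set deliberately, one action at a time.
ALLOWED_EXCEPTIONS = {"s3:GetBucketLocation"}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_non_read_only_actions(policy):
    """Return every Allow action that could change resources or read stored data.

    A statement using NotAction is reported as well, because it grants
    everything except the listed actions and therefore cannot be read-only.
    """
    offending = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            offending.append("NotAction statement")
            continue
        for action in _as_list(stmt.get("Action")):
            if action in ALLOWED_EXCEPTIONS:
                continue
            if ":" not in action:  # a bare "*" grants every action of every service
                offending.append(action)
                continue
            _service, verb = action.split(":", 1)
            if verb == "*" or not verb.startswith(READ_ONLY_VERB_PREFIXES):
                offending.append(action)
    return offending


def is_describe_level(policy):
    """True when the policy grants nothing beyond describe/list-level reads."""
    return not find_non_read_only_actions(policy)


if __name__ == "__main__":
    print("import policy is describe-level:", is_describe_level(READ_ONLY_POLICY))
    too_broad = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"}],
    }
    print("offending actions:", find_non_read_only_actions(too_broad))
```

Some services expose configuration only through Get* actions (for example queue or topic attributes); rather than allowing the Get prefix wholesale, which would also admit data reads such as s3:GetObject, add each such action to the exception set after confirming it returns metadata only.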

CLI Script Alternative

If you wish to review and control the actions we take during our AWS infrastructure scan, you can download and use our provided Python script instead of creating an IAM user. In this scenario, your IAM credentials will never be passed to Lucidchart, and you can review both the code that will run in your environment and the resulting metadata before uploading the metadata to Lucidchart.
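The value of the script route is the review step: the metadata file sits on your machine before anything reaches Lucidchart, so you can inspect it and strip anything that should not leave your account. The helper below is an added example written for this article, not the provided script or Lucidchart's code. This article does not document the layout of "aws.json," so the sample data is constructed to look like describe-style output; the field names it flags (passwords, tokens, instance user data, which frequently carries bootstrap secrets) are the kinds of fields a reviewer would look for in any exported metadata.

```python
import json
import re

# Constructed sample resembling describe-style metadata. This is NOT the real
# aws.json layout, which this article does not document.
SAMPLE_EXPORT = json.dumps({
    "Instances": [
        {
            "InstanceId": "i-0123456789abcdef0",
            "Tags": [{"Key": "Name", "Value": "web-1"}],
            # base64 of a bootstrap script; user data often embeds credentials
            "UserData": "IyEvYmluL2Jhc2gKZXhwb3J0IERCX1BBU1NXT1JEPWh1bnRlcjIK",
        }
    ],
    "DBInstances": [
        {"DBInstanceIdentifier": "prod-db", "MasterUsername": "admin", "MasterUserPassword": "hunter2"}
    ],
})

# Key names that suggest a field holds secret material rather than structure.
SENSITIVE_KEY = re.compile(r"(password|secret|token|credential|userdata|privatekey|apikey)", re.I)


def find_sensitive_fields(data, path=""):
    """Walk a parsed JSON tree and return dotted paths of keys whose names suggest secrets."""
    hits = []
    if isinstance(data, dict):
        for key, value in data.items():
            here = f"{path}.{key}" if path else key
            if SENSITIVE_KEY.search(key):
                hits.append(here)
            hits.extend(find_sensitive_fields(value, here))
    elif isinstance(data, list):
        for index, value in enumerate(data):
            hits.extend(find_sensitive_fields(value, f"{path}[{index}]"))
    return hits


def redact(data):
    """Return a copy with sensitive fields replaced by a marker; structure is kept intact."""
    if isinstance(data, dict):
        return {k: ("[REDACTED]" if SENSITIVE_KEY.search(k) else redact(v)) for k, v in data.items()}
    if isinstance(data, list):
        return [redact(v) for v in data]
    return data


def review_export(raw_json):
    """Parse an export, list the fields that need attention, and return a redacted copy."""
    data = json.loads(raw_json)
    return find_sensitive_fields(data), redact(data)


if __name__ == "__main__":
    hits, cleaned = review_export(SAMPLE_EXPORT)
    for path in hits:
        print("review before upload:", path)
    print(json.dumps(cleaned, indent=2))
```

Review the reported paths by hand; a key-name match is a prompt to look, not proof that the value is secret, and a value can be sensitive under an innocuous key. Upload the redacted copy only once you are satisfied the remaining content is structural metadata.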

Safe Storage of Documents

Lucidchart stores the AWS imported documents and metadata using industry standard protections for confidential data. Imported AWS data is embedded as part of the Lucidchart document, so you can control access to the imported data using Lucidchart’s standard sharing permissions. For additional information regarding how we protect your documents, please refer to our Content Security page or contact our sales team.

No Storage of Access Keys

Lucidchart will not store your AWS IAM credentials after performing the initial scan of your AWS infrastructure. Your credentials will be transferred to our servers using standard encryption methods. Clients may negotiate encryption protocols up to AES-256.

Why is there a connection between two items I didn’t expect to be connected?

Lucidchart’s AWS import draws connections based on security groups and subnets, and it looks for ports to be open on both sides of a connection. If you see connections you don’t expect between items, it’s likely that the items have open ports between them. For example, one item may have a port open to send traffic to all IPs, and the other item may have the same port open to receive traffic from all IPs.
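The rule described above (a connection exists only when the sender's egress and the receiver's ingress both permit the port) can be reproduced from security group data, which is also the quickest way to find the surprising connections the question refers to. The example below is added for this article and is not Lucidchart's connection-inference code; the instances, addresses and rules in it are constructed. It marks each drawn connection as "scoped" when at least one side names a specific peer, and "open-to-all-IPs" when both sides opened the port to every address, which is exactly the case the answer describes.

```python
import ipaddress

# Constructed sample of security group rules. Rules either name a peer security
# group ("sg") or a CIDR range ("cidr"); proto "-1" means all protocols.
SECURITY_GROUPS = {
    "sg-web": {
        "ingress": [{"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}],
        "egress": [{"proto": "tcp", "from": 3306, "to": 3306, "sg": "sg-db"}],
    },
    "sg-db": {
        "ingress": [{"proto": "tcp", "from": 3306, "to": 3306, "sg": "sg-web"}],
        "egress": [],
    },
    "sg-open": {
        "ingress": [{"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}],
        "egress": [{"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}],
    },
}

# Constructed instances, each with a private address and one security group.
INSTANCES = {
    "web-1": {"ip": "10.0.1.10", "sg": "sg-web"},
    "db-1": {"ip": "10.0.2.20", "sg": "sg-db"},
    "misc-1": {"ip": "10.0.3.30", "sg": "sg-open"},
}


def rule_matches(rule, port, proto, peer_ip, peer_sg):
    """True if one rule permits proto/port to or from the peer, by group or by CIDR."""
    if rule["proto"] not in ("-1", proto):
        return False
    if not rule["from"] <= port <= rule["to"]:
        return False
    if "sg" in rule:
        return rule["sg"] == peer_sg
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule["cidr"])


def connection(src, dst, port, proto="tcp"):
    """Return None when no connection is drawn, otherwise why it is drawn."""
    s, d = INSTANCES[src], INSTANCES[dst]
    egress = [r for r in SECURITY_GROUPS[s["sg"]]["egress"]
              if rule_matches(r, port, proto, d["ip"], d["sg"])]
    ingress = [r for r in SECURITY_GROUPS[d["sg"]]["ingress"]
               if rule_matches(r, port, proto, s["ip"], s["sg"])]
    if not egress or not ingress:
        return None
    # The surprising case: both sides opened the port to every address.
    both_open = (any(r.get("cidr") == "0.0.0.0/0" for r in egress)
                 and any(r.get("cidr") == "0.0.0.0/0" for r in ingress))
    return "open-to-all-IPs" if both_open else "scoped"


def all_connections(ports=(22, 443, 3306)):
    """Map (src, dst, port) to the reason a connection would be drawn."""
    found = {}
    for src in INSTANCES:
        for dst in INSTANCES:
            if src == dst:
                continue
            for port in ports:
                reason = connection(src, dst, port)
                if reason:
                    found[(src, dst, port)] = reason
    return found


if __name__ == "__main__":
    for (src, dst, port), reason in all_connections().items():
        print(f"{src} -> {dst}:{port}  {reason}")
```

In the sample, web-1 reaches db-1 on 3306 because each side names the other's group, while misc-1 reaches web-1 on 443 only because both groups use 0.0.0.0/0; that second kind of connection is the one to tighten if the two resources were never meant to talk.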

Why don’t you make the diagram completely automatic?

Trust us—we’ve thought this one through. The first version of Lucidchart’s AWS import tool built diagrams automatically, but customer feedback showed that our users didn’t find it helpful to create such large, complex diagrams. The current iteration of the tool provides all the resources for users to choose from, including the correct icons, names, tags, and all other metadata. This version allows users to quickly create diagrams for their specific use cases without any of the tedious work of typing out names or copying and pasting information from the AWS console.

Why are some of my instances not showing up?

Lucidchart represents instances within autoscaling groups with the autoscaling group itself, rather than showing each individual instance, since they would all have the same connections. You can still see the instance IDs for those instances in the “Shape Data” panel.

How do I give Lucidchart access to my AWS architecture?

In order for Lucidchart to access your AWS infrastructure, you’ll need to give Lucidchart the credentials for a new IAM user with an inline policy. For an overview of how to create an IAM user with an inline policy, check out this article.

Can I export my AWS diagram?

Yes! Click File > Download As. You can now download your diagram as a CSV file. Choose “CSV for Shape Data” and a CSV will be exported with a row for every shape, page and layer.

Which resources do you support? 

Auto-scaling Groups, EC2 Instances, Cloudfront Distributions, Application Load Balancers, Elastic Load Balancers, RDS Instances, S3 Buckets, SNS Topics, SQS Queues, VPC, Availability Zone, Subnet, and Security Groups.