Deutsch Español Français 日本語 한국어(대한민국) Polski (Polska) Português do Brasil

Articles in this section

See more

AWS Cloud View (BETA)

  • Updated

Available For: Business, Enterprise, and Education plans

Miro’s AWS Cloud View app allows you to generate a diagram of your AWS infrastructure by importing the data from an AWS account. 

There are two ways to generate this diagram:

  1. Linking a Cross-account role: connect your AWS account with Miro using a cross-account role and automatically visualize the AWS account
  2. Uploading a JSON file generated by running the script in your AWS CLI (Command Line Interface)

Linking a Cross-account role

Miro uses a cross-account role to securely access your AWS account. You need to create a ReadOnly role in your AWS account that is specifically created for Miro to access your account. Then you can use the ARN of that role to connect Miro with your AWS account.

Use the AWS Cloud View app by following these steps:

  1. Click the Tools, Media and Integrations (+) Icon at the bottom of the Miro toolbar and search for AWS Cloud View
  2. Launch the app from the search results.
  3. From the modal dialog, choose the tab Link a cross-account role.
    aws-cross-account.png
    Linking a Cross-account role
  4. Follow the steps in the dialog to setup a new cross-account role in your AWS console.
  5. Once the role is created in AWS, enter the ARN for the role in the Role ARN field.
    Where to find the ARN field in AWS
    Where to find the ARN field in AWS
  6. Give a name to the new AWS account you are adding.
  7. Click Add and import.
  8. The recently added AWS account will be shown in the next step where accounts are listed.
    aws-select-accounts.png
    Selecting your AWS account
  9. Select the account you want to visualize and click Next.
  10. Select the region(s) you want to visualize. Note that selecting multiple regions can make the visualization process slower.
    aws-select-regions.png
    Select regions to import

  11. On the next screen, apply any filters to your diagram that are needed, using either the type of resource or tags. (Note that filters can be applied or edited after the diagram has been created via the context menu.)

    💡 It's highly recommended to use filters to reduce the size of the diagram. A smaller diagram is faster to generate and easier to use.

    You can apply two different types of filters at this step:

    1. Resources: For example, select “EC2 Instances” to only view EC2 instances in that AWS account.
    2. Tags: If your AWS resources are tagged, you may use the Tags (key and value pair) filter in addition to the Resources filter. For example, search for tag key “Owner” and choose a value, say “CheckoutStream”.
  12. Click Visualize to create your diagram

The diagram for the AWS Account will be generated.

Example of an AWS infrastructure diagram generated by the Cloud View app

Example of an AWS infrastructure diagram generated by the Cloud View app

Uploading a JSON file

You can run a script in your AWS CLI (Command Line Interface) that uses read-only permissions to securely save the data of your cloud resources into a JSON file. 

Once you’ve used AWS Cloud View to visualize your AWS infrastructure in Miro, you can make edits to the diagram created, such as adding connections, adding additional shapes or objects like sticky notes, or use the AWS Cost Calculator app to see the costs the new design will incur.

Use the AWS Cloud View app with a JSON file by following these steps:

  1. Click the Tools, Media and Integrations (+) Icon at the bottom of the Miro toolbar and search for AWS Cloud View
  2. Launch the app.
  3. From the modal dialog, follow the instructions to set up the environment to run a script in AWS.
    AWS-JSON-adding.png
    Uploading a JSON file

✏️ You’ll need Node.js on your machine and the AWS CLI (Command Line Interface) set up before proceeding.

  1. Select your AWS profile in your Terminal.
  2. Copy the command and run it in your Terminal.
    Modal showing where to copy the command for your Terminal
    Run the copied command in your Terminal
  3. A JSON file containing data about your AWS resources will be generated.
  4. Upload the JSON file in the same modal dialog within Miro.
  5. Miro will generate a visualization of your AWS infrastructure.

aws-example.png

Example of an AWS infrastructure diagram generated by the Cloud View app

Please note that the AWS Cloud View app, developed by Miro, is in beta release. We’re looking for customers to provide feedback that will inform future developments and improvements to this experience. Please share your feedback using this Typeform.

Frequently asked questions

Security

How does Miro keep access safe in Cloud View?

When creating a new AWS role to grant access to Miro, you use the link provided in the Cloud View modal. This link contains both an Account ID and an External ID. The External ID is derived from an internal ID and a Miro-managed secret key in a one-way cryptographic scheme. It ensures that each Miro organization has its own distinct External ID, and makes it impossible for anyone outside of your organization to claim your ID to access your AWS infrastructure.

The External ID is a hash generated using a mechanism managed by AWS and it guarantees that connections are exclusive to your Miro organization.

Assigning Role ARNs

In addition to the External ID, users need to assign the Role ARN of the created role to connect to the AWS environment and scan resources. Assigning the Role ARN is entirely the customer’s responsibility and is managed by their AWS administrator. The administrator decides who to assign the Role ARN to, allowing them to control access to the role. The same Role ARN can be assigned to multiple Miro users, and anyone assigned to both the Role ARN and the corresponding Miro organization can connect to the AWS environment. However, this access remains strictly restricted to that specific Miro organization by  validating the External ID during each authentication process.

Customer Security Responsibilities

To maintain the security of your AWS resources when using Cloud View, please be aware of the following responsibilities:

  • Limit Organization Membership: When giving wider access, it's advisable to create a dedicated Miro organization in your account specifically for cloud visualization. By limiting the number of organization members, you can ensure that only specific authorized users have access to your sensitive cloud information.
  • Careful Assignment of Role ARN: When granting access to larger Miro organizations, be careful about how you assign the created role’s ARN. Only assign the ARN to those who need the access. This decision is up to you, as you may want to provide broader access to a small Miro organization while limited access for a test AWS account with larger Miro organizations.

By following these practices and leveraging Miro's secure access framework, you can confidently use Cloud View to manage your AWS resources.

Who will have access to my connected infrastructure information?
When you connect Miro to your AWS environment using a Role ARN, only you can view, visualize and manage data through that specific connection. Others in your Miro organization can add the same Role ARN to establish their own connections, if needed.
Where can I find more information about how Miro handles my data?
You can view details about our commitment to data privacy and security (including the specific controls and policies implemented by our teams) in Miro’s Trust Center. For more detailed questions, please reach out to your account team or raise a support ticket.

Linking a Cross-account role

Does Miro offer API access for programmatic diagram creation and updates?
Not yet. Currently, Miro does not provide API access for programmatic diagram creation or updates.
Can I update an existing AWS account to fetch the most recent data?
No, the AWS Cloud View app currently does not allow for updating AWS account data. This functionality will be supported in future.
What's the maximum number of resources Miro can handle in a diagram?
There are no hard limits on the number of resources that can be visualized in a diagram. However, diagrams with a large number of resources may take longer to load and render.
What are the policies Miro follows to ensure the security of data and content?
We care about data privacy and security and strive to keep our security practices on par with industry leaders. Read our most frequently asked questions about data privacy and security.
Does Miro support versioning of diagrams to track infrastructure changes over time?
Not yet. All rendered diagrams are static. Users can create new diagrams after updating data and place them next to older versions for comparison.
Can Miro integrate with Infrastructure as Code tools like Terraform or CloudFormation to generate diagrams from code?
Not yet. Currently, Miro only supports importing data from AWS.
What resource types does Miro scan at this moment?
  1. Athena Named Queries
  2. Auto Scaling Groups
  3. CloudTrail Trails
  4. CloudWatch Metric Alarms
  5. CloudWatch Metric Streams
  6. DynamoDB Tables
  7. EC2 Instances
  8. EC2 VPCs
  9. EC2 VPC Endpoints
  10. EC2 Subnets
  11. EC2 Route Tables
  12. EC2 Internet Gateways
  13. EC2 NAT Gateways
  14. EC2 Transit Gateways
  15. EC2 Volumes
  16. EC2 Network ACLs
  17. EC2 VPN Gateways
  18. EC2 Network Interfaces
  19. ECS Resources
  20. EFS File Systems
  21. ElastiCache Clusters
  22. ELBv2 Load Balancers
  23. ELBv2 Target Groups
  24. ELBv1 Load Balancers
  25. EKS Clusters
  26. Lambda Functions
  27. Redshift Clusters
  28. RDS Instances
  29. RDS Clusters
  30. RDS Proxies
  31. Route 53 Hosted Zones
  32. S3 Buckets
  33. SNS Topics
  34. SQS Queues
How does Miro connect with my AWS account?
Miro connects through a cross-account role that you or your AWS administrator creates. This role should point to Miro's AWS account and use a unique external ID that Miro provides. Miro safely stores and uses this external ID to assume the role and retrieve data. Miro then scans all the regions and resources it can access. This allows you to see your AWS setup as easy-to-understand diagrams.
How do I create the IAM role needed for establishing the connection between Miro and AWS?
The role can be created using a link within the Cloud Data Import app’s modal dialog that contains all the necessary information to create the role. Users can use this link to create a new role directly or share it with their administrator if they don't have the required permissions.
What policy is required for the IAM role?
Miro attaches the "ReadOnly - job function" policy to the role. For a more restrictive approach, you can attach a custom policy with specific permissions. Miro will then scan everything it has access to. Miro doesn’t need any form of write access.
Are there any costs associated with using the app?
Miro can scan your infrastructure without adding extra costs to your AWS account. Keep in mind that fetching data requires making requests to your services, which temporarily uses rate limit quotas. These quotas apply on a per-minute basis, so they return to normal once the discovery job is complete.
How can I view and delete the AWS accounts I added in Miro?
You can view and delete the links to your AWS account from the three dots (...) menu on the Select AWS account screen. Deleting the link doesn't affect your existing diagrams in Miro.
Can I share the AWS account I added to Miro with someone else?
It’s not possible to share the account via the user interface at this moment. But beware that all people within the same organization can add the same Role ARN to access the data if you share the Role ARN with them. Nobody outside your Miro organization can access the data via the Role ARN.
Can I share the diagram I generated using the app with my team?
When you generate a diagram on a board, it’s accessible to everybody who has access to that board. You can share the board to specific people.
I do not have access to create the cross-account role in my AWS account. What should I do?
It's common for not everyone in an AWS account to have permission to create a new IAM role. If this applies to you, ask your AWS administrator to open the AWS Data Import app modal dialog and set up an IAM role using the provided link. Your administrator may have already created a specific role with certain permissions and might only share the ARN of that role with you.
My company has set some alerts which are triggered when Miro starts scanning. Is that normal?
To scan your infrastructure Miro sends multiple requests to various services on your aws infrastructure and this is probably what is causing the alerts. Please let your security team know about this and ask them to configure the alert in a way that they expect such integration to exist.
When I share a visualized diagram with my colleagues, am I sharing only the visualization or other data as well?
When you visualize an AWS diagram on a board, you’re basically creating a static diagram representing your infrastructure. By sharing the board you’re not sharing any credentials or access information with others. Still, it’s important to be aware who you’re sharing the infrastructure visualization with.

JSON Upload

What do I need to install to use this feature?
You’ll need Node.js installed on your machine and the AWS CLI (Command Line Interface) set up.
What permissions does this script need?
The script requires “ReadOnly - job function” policy (arn:aws:iam::aws:policy/ReadOnlyAccess).

You can set a custom policy to the role and limit Miro to specific resources or regions if desired. Miro scans for the resources mentioned on this page by default. If you have set a custom policy the script will only scan within the scope it has access to.
Where can I review the script to understand how it works and what data it fetches?
The script is open source, so you can review the discovery mechanism, and even comment out resources you don’t need to employ.
Does Miro store the information in the JSON file that is uploaded?
No, for now Miro doesn’t store the information.
How will using the AWS Cloud View app affect my service quotas?
You can use AWS Cloud View app without incurring any additional costs.

Running the app against your infrastructure will use some of your service’s quota during the specific time when the app is scanning resources. Resource scanning happens when you link a new AWS account or when you run the script in your AWS CLI to generate JSON output. It’s usually better to scan the infrastructure when there are not already heavy loads on your infrastructure.

Alternatively, you can reduce the amount of requests we make per second to a lower number using when using the AWS CLI script using --call-rate-rps. For example, you may run the script with --call-rate-rps 1 which only makes one request per second to the services, which ensures fair usage rates.

The script is equipped with an exponential backoff strategy meaning that it retries failed requests with bigger and bigger delays in between, which is the standard suggested method by AWS.
Where can I suggest adding support for a specific service I need?
You can make suggestions about adding support for specific services on Github. Once there, click on "Request Cloud Resource/Service Support”.
Was this article helpful?
Yes, thanks Not really
Sorry about that! Why wasn't the article helpful?
If you would like to get a reply from the Miro Support team, please create a ticket here
Thank you for your feedback!
Error! Please try later...
Return to top

Related articles