Available For: Business, Enterprise, and Education plans
Miro’s AWS Cloud View app allows you to generate a diagram of your AWS infrastructure by importing the data from an AWS account.
There are two ways to generate this diagram:
- Linking a Cross-account role: connect your AWS account with Miro using a cross-account role and automatically visualize the AWS account
- Uploading a JSON file generated by running the script in your AWS CLI (Command Line Interface)
Linking a Cross-account role
Miro uses a cross-account role to securely access your AWS account. Create a ReadOnly role in your AWS account specifically for Miro, then use the ARN of that role to connect Miro with your AWS account.
Use the AWS Cloud View app by following these steps:
- Click the Tools, Media and Integrations (+) Icon at the bottom of the Miro toolbar and search for AWS Cloud View.
- Launch the app from the search results.
- From the modal dialog, choose the tab Link a cross-account role.
- Follow the steps in the dialog to set up a new cross-account role in your AWS console.
- Once the role is created in AWS, enter the ARN for the role in the Role ARN field.
Where to find the ARN field in AWS
- Give a name to the new AWS account you are adding.
- Click Add and import.
- The recently added AWS account will be shown in the next step where accounts are listed.
Selecting your AWS account
- Select the account you want to visualize and click Next.
- Select the region(s) you want to visualize and click Visualize. Note that selecting multiple regions can make the visualization process slower.
Select regions to import
The diagram for the AWS Account will be generated.
Example of an AWS infrastructure diagram generated by the Cloud View app
Uploading a JSON file
You can run a script in your AWS CLI (Command Line Interface) that uses read-only permissions to securely save the data of your cloud resources into a JSON file.
Once you’ve used AWS Cloud View to visualize your AWS infrastructure in Miro, you can edit the generated diagram, for example by adding connections, adding shapes or objects like sticky notes, or using the AWS Cost Calculator app to see the costs the new design will incur.
Use the AWS Cloud View app with a JSON file by following these steps:
- Click the Tools, Media and Integrations (+) Icon at the bottom of the Miro toolbar and search for AWS Cloud View
- Launch the app.
- From the modal dialog, follow the instructions to set up the environment to run a script in AWS.
✏️ You’ll need Node.js on your machine and the AWS CLI (Command Line Interface) set up before proceeding.
- Select your AWS profile in your Terminal.
- Copy the command and run it in your Terminal.
Run the copied command in your Terminal
- A JSON file containing data about your AWS resources will be generated.
- Upload the JSON file in the same modal dialog within Miro.
- Miro will generate a visualization of your AWS infrastructure.
Example of an AWS infrastructure diagram generated by the Cloud View app
Please note that the AWS Cloud View app, developed by Miro, is in beta release. We’re looking for customers to provide feedback that will inform future developments and improvements to this experience. Please share your feedback using this Typeform.
Frequently asked questions
Linking a Cross-account role
Does Miro offer API access for programmatic diagram creation and updates?
Not yet. Currently, Miro does not provide API access for programmatic diagram creation or updates.
Can I update an existing AWS account to fetch the most recent data?
No, the AWS Cloud View app currently does not allow for updating AWS account data. This functionality will be supported in the future.
What's the maximum number of resources Miro can handle in a diagram?
There are no hard limits on the number of resources that can be visualized in a diagram. However, diagrams with a large number of resources may take longer to load and render.
Does Miro support versioning of diagrams to track infrastructure changes over time?
Not yet. All rendered diagrams are static. Users can create new diagrams after updating data and place them next to older versions for comparison.
Can Miro integrate with Infrastructure as Code tools like Terraform or CloudFormation to generate diagrams from code?
Not yet. Currently, Miro only supports importing data from AWS.
What resource types does Miro scan at this moment?
- Athena Named Queries
- Auto Scaling Groups
- CloudTrail Trails
- CloudWatch Metric Alarms
- CloudWatch Metric Streams
- DynamoDB Tables
- EC2 Instances
- EC2 VPCs
- EC2 VPC Endpoints
- EC2 Subnets
- EC2 Route Tables
- EC2 Internet Gateways
- EC2 NAT Gateways
- EC2 Transit Gateways
- EC2 Volumes
- EC2 Network ACLs
- EC2 VPN Gateways
- EC2 Network Interfaces
- ECS Resources
- EFS File Systems
- ElastiCache Clusters
- ELBv2 Load Balancers
- ELBv2 Target Groups
- ELBv1 Load Balancers
- EKS Clusters
- Lambda Functions
- Redshift Clusters
- RDS Instances
- RDS Clusters
- RDS Proxies
- Route 53 Hosted Zones
- S3 Buckets
- SNS Topics
- SQS Queues
How does Miro connect with my AWS account?
Miro connects through a cross-account role that you or your AWS administrator creates. This role should point to Miro's AWS account and use a unique external ID that Miro provides. Miro safely stores and uses this external ID to assume the role and retrieve data. Miro then scans all the regions and resources it can access. This allows you to see your AWS setup as easy-to-understand diagrams.
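The answer above names two properties of the role's trust policy: it trusts only Miro's AWS account, and it requires the external ID Miro provides. The following is an added example, not Miro's code, that checks a trust policy document for both; the account ID, external ID and sample policies are constructed placeholders, since this page does not list the real values.

```python
# Constructed placeholders: the page does not publish Miro's AWS account ID or
# an external ID value; substitute the ones shown in the app's dialog.
VENDOR_ACCOUNT = "111122223333"
EXTERNAL_ID = "example-external-id"

def as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(principal):
    # Accepts a bare account ID or an ARN such as arn:aws:iam::<account>:root.
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def check_trust_policy(policy, vendor_account, external_id):
    """Return a list of findings; an empty list means the trust policy passed."""
    findings = []
    statements = as_list(policy.get("Statement", []))
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {i}: Principal must name only AWS accounts")
            continue
        for p in as_list(principal["AWS"]):
            if account_of(p) != vendor_account:
                findings.append(f"statement {i}: unexpected principal {p}")
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: Action must be sts:AssumeRole only")
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        # IAM treats condition key names as case-insensitive.
        ext = {k.lower(): v for k, v in string_equals.items()}.get("sts:externalid")
        if ext is None:
            findings.append(f"statement {i}: missing sts:ExternalId condition")
        elif as_list(ext) != [external_id]:
            findings.append(f"statement {i}: external ID does not match")
    return findings

def sample_policy(principal, condition):
    """Build a constructed trust policy document for the demonstration."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole", "Condition": condition}
    return {"Version": "2012-10-17", "Statement": [stmt]}

ROOT = f"arn:aws:iam::{VENDOR_ACCOUNT}:root"
GOOD = sample_policy(ROOT, {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
NO_EXTERNAL_ID = sample_policy(ROOT, {})
WILDCARD = sample_policy("*", {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
```

Pass the role's trust policy, parsed from JSON, to check_trust_policy with the account ID and external ID shown in the app dialog.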
How do I create the IAM role needed for establishing the connection between Miro and AWS?
The role can be created using a link within the Cloud Data Import app’s modal dialog that contains all the necessary information to create the role. Users can use this link to create a new role directly or share it with their administrator if they don't have the required permissions.
What policy is required for the IAM role?
Miro attaches the "ReadOnly - job function" policy to the role. For a more restrictive approach, you can attach a custom policy with specific permissions. Miro will then scan everything it has access to. Miro doesn’t need any form of write access.
Are there any costs associated with using the app?
Miro can scan your infrastructure without adding extra costs to your AWS account. Keep in mind that fetching data requires making requests to your services, which temporarily uses rate limit quotas. These quotas apply on a per-minute basis, so they return to normal once the discovery job is complete.
How can I view and delete the AWS accounts I added in Miro?
You can view and delete the links to your AWS account from the three dots (...) menu on the Select AWS account screen. Deleting the link doesn't affect your existing diagrams in Miro.
Can I share the AWS account I added to Miro with someone else?
It’s not possible to share the account via the user interface at this moment. But beware that all people within the same organization can add the same Role ARN to access the data if you share the Role ARN with them. Nobody outside your Miro organization can access the data via the Role ARN.
Can I share the diagram I generated using the app with my team?
When you generate a diagram on a board, it’s accessible to everybody who has access to that board. You can share the board with specific people.
I do not have access to create the cross-account role in my AWS account. What should I do?
It's common that not everyone in an AWS account has permission to create a new IAM role. If this applies to you, ask your AWS administrator to open the AWS Data Import app modal dialog and set up an IAM role using the provided link. Your administrator may have already created a specific role with certain permissions and might only share the ARN of that role with you.
My company has set some alerts which are triggered when Miro starts scanning. Is that normal?
To scan your infrastructure, Miro sends multiple requests to various services in your AWS infrastructure, and this is probably what is causing the alerts. Please let your security team know about this and ask them to configure the alerts so that they account for this integration.
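One way a security team could account for the integration without muting alerts is to attribute CloudTrail events to the integration's role and treat only its successful read-only calls as expected. The following is an added example, not part of Miro's tooling; the role ARN and the sample events are constructed.

```python
from collections import Counter

# Hypothetical role ARN; use the ARN you entered in the Role ARN field.
ROLE_ARN = "arn:aws:iam::444455556666:role/ExampleCloudViewReadOnly"

def issued_by(event, role_arn):
    # For assumed-role sessions CloudTrail records the role under sessionIssuer.
    identity = event.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return identity.get("type") == "AssumedRole" and issuer.get("arn") == role_arn

def triage(events, role_arn):
    """Sort the role's calls into reads per service, denied reads, and writes."""
    reads, denied, writes = Counter(), Counter(), []
    for ev in events:
        if not issued_by(ev, role_arn):
            continue
        if ev.get("readOnly") is not True:
            # The role needs no write access, so any such call deserves an alert.
            writes.append((ev["eventTime"], ev["eventName"]))
        elif "errorCode" in ev:
            denied[ev["eventSource"]] += 1
        else:
            reads[ev["eventSource"]] += 1
    return reads, denied, writes

def record(time, source, name, read_only, arn=ROLE_ARN, error=None):
    """Build one constructed CloudTrail-style record with only the fields used here."""
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "readOnly": read_only,
          "userIdentity": {"type": "AssumedRole",
                           "sessionContext": {"sessionIssuer": {"arn": arn}}}}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample events, not taken from a real account.
SAMPLE_EVENTS = [
    record("2024-01-01T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances", True),
    record("2024-01-01T10:00:01Z", "ec2.amazonaws.com", "DescribeVpcs", True),
    record("2024-01-01T10:00:02Z", "s3.amazonaws.com", "ListBuckets", True),
    record("2024-01-01T10:00:03Z", "rds.amazonaws.com", "DescribeDBInstances", True, error="AccessDenied"),
    record("2024-01-01T10:00:04Z", "ec2.amazonaws.com", "RunInstances", False),
    record("2024-01-01T10:00:05Z", "ec2.amazonaws.com", "DescribeInstances", True,
           arn="arn:aws:iam::444455556666:role/OtherRole"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, ROLE_ARN))
```

Denied reads are counted separately because a custom, more restrictive policy makes them expected during a scan, while any entry in the writes list falls outside what the integration needs.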
When I share a visualized diagram with my colleagues, am I sharing only the visualization or other data as well?
When you visualize an AWS diagram on a board, you’re creating a static diagram representing your infrastructure. By sharing the board you’re not sharing any credentials or access information with others. Still, it’s important to be aware of who you’re sharing the infrastructure visualization with.
JSON Upload
What do I need to install to use this feature?
You’ll need Node.js installed on your machine and the AWS CLI (Command Line Interface) set up.
What permissions does this script need?
The script requires “ReadOnly - job function” policy (arn:aws:iam::aws:policy/ReadOnlyAccess).
You can attach a custom policy to the role and limit Miro to specific resources or regions if desired. Miro scans for the resources mentioned on this page by default. If you have attached a custom policy, the script will only scan within the scope it has access to.
Where can I review the script to understand how it works and what data it fetches?
The script is open source, so you can review the discovery mechanism, and even comment out resources you don’t need to employ.
Does Miro store the information in the JSON file that is uploaded?
No, for now Miro doesn’t store the information.
How will using the AWS Cloud View app affect my service quotas?
You can use the AWS Cloud View app without incurring any additional costs.
Running the app against your infrastructure will use some of your service’s quota during the specific time when the app is scanning resources. Resource scanning happens when you link a new AWS account or when you run the script in your AWS CLI to generate JSON output. It’s usually better to scan the infrastructure when there are not already heavy loads on your infrastructure.
Alternatively, when using the AWS CLI script, you can lower the number of requests made per second with --call-rate-rps. For example, you may run the script with --call-rate-rps 1, which makes only one request per second to the services and ensures fair usage rates.
The script is equipped with an exponential backoff strategy, meaning that it retries failed requests with bigger and bigger delays in between, which is the standard method suggested by AWS.
Where can I suggest adding support for a specific service I need?
You can make suggestions about adding support for specific services on GitHub. Once there, click on "Request Cloud Resource/Service Support".