
What InfraMind Actually Does to Your AWS Account


Most AWS accounts grow the same way: someone spins up an EC2 instance for a deadline, a contractor adds an S3 bucket, a Lambda gets wired to a queue during an incident — and two years later nobody can say with confidence what's running, what it costs, or whether any of it would survive an audit.

InfraMind exists for exactly that account. Here's what actually happens when you connect it — step by step, no magic.

Step 1: Connect — without handing over credentials

InfraMind connects to AWS in one of two ways:

  • A cross-account IAM role: you create a read-only role in your account and InfraMind assumes it when it needs to scan. The role's trust policy and permissions policy live in your account, so you can see exactly what it allows and you can revoke it at any time.
  • AWS IAM Identity Center (SSO) — if your organization already uses Identity Center, InfraMind plugs into the access you've already modeled.

Either way, credentials are resolved at runtime and never stored: assuming the role returns short-lived STS credentials for that scan, and there is no password vault on our side to leak, because there's nothing in it.

If your security team asks "what does it need?", the honest answer is: read-only API access, scoped to describing resources. It doesn't create, modify, or delete anything in your account. When you review the role, confirm that is really all it grants: control-plane Describe/List/Get calls only, no data-plane reads such as s3:GetObject or secretsmanager:GetSecretValue, and a trust policy limited to a single named principal.
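The review above is easy to do by hand for a short policy and easy to get wrong for a long one. The following is an added example, not InfraMind's code: it audits a scanner role's permissions policy for anything beyond metadata reads (write-capable verbs, wildcards, and "reads" that actually return data or code) and checks the trust policy for the usual cross-account controls. The read-prefix list, the data-plane action list, both policy documents, the account ID and the external-ID value are all constructed for the example; whether InfraMind issues an external ID is not stated on this page, so treat that check as the generic vendor-role pattern.

```python
"""Audit the permissions and trust policy of a read-only scanner role.

Added example, not InfraMind's code. Assumptions: the role's policy JSON
is on hand (aws iam get-role-policy, or your IaC), "read-only" means
control-plane Describe/List/Get calls, and the trust-policy checks follow
the usual cross-account vendor pattern (single principal account plus an
sts:ExternalId condition). Both policies below are constructed; the
account ID and external ID are placeholders.
"""
import fnmatch

# Verbs that only return configuration metadata.
READ_PREFIXES = ("Describe", "List", "Get", "BatchGet", "Lookup")

# Actions that look read-only but return data or code rather than configuration.
DATA_PLANE_READS = (
    "s3:GetObject",
    "s3:GetObjectVersion",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:GetParametersByPath",
    "dynamodb:GetItem",
    "dynamodb:BatchGetItem",
    "lambda:GetFunction",  # returns a presigned URL for the deployment package
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_permissions(policy):
    """Return (action, reason) for every Allow action that is not a pure metadata read.

    Deny statements are ignored, which can over-report but never under-reports.
    Wildcards are matched with fnmatch, so "s3:Get*" is flagged because it
    covers s3:GetObject.
    """
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(("NotAction", "write-capable: NotAction allows everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[-1] if ":" in action else action
            if not verb.startswith(READ_PREFIXES):
                findings.append((action, f"write-capable: verb '{verb}' is not a read prefix"))
                continue
            covered = [dp for dp in DATA_PLANE_READS if fnmatch.fnmatchcase(dp, action)]
            if covered:
                findings.append((action, "data-plane read: covers " + ", ".join(covered)))
    return findings


def audit_trust(trust_policy, expected_account):
    """Return problems with who may assume the role."""
    problems = []
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if principal == "*" or any(p == "*" for p in aws):
            problems.append("principal is '*': any AWS account could assume the role")
        elif any(expected_account not in p for p in aws):
            problems.append(f"principal is not limited to account {expected_account}: {aws}")
        cond = stmt.get("Condition", {})
        if not any("sts:ExternalId" in v for v in cond.values()):
            problems.append("no sts:ExternalId condition (confused-deputy control missing)")
    return problems


# Constructed permissions policy: three sound statements and one that slipped in.
SCANNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "rds:Describe*", "lambda:ListFunctions"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "cloudtrail:LookupEvents"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:*"], "Resource": "*"},
    ],
}

# Constructed trust policy with placeholder IDs.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "REPLACE-WITH-VENDOR-VALUE"}},
    }],
}

if __name__ == "__main__":
    for action, reason in audit_permissions(SCANNER_POLICY):
        print(f"{action:<24} {reason}")
    print(audit_trust(TRUST_POLICY, "111111111111") or "trust policy: ok")
```

Run against the constructed policy it flags exactly the fourth statement: s3:GetObject as a data-plane read and ec2:* as write-capable. The rest of the policy passes even though it uses wildcards, because the wildcards sit behind read verbs.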

Step 2: Crawl — 55 services, 5 tiers, one snapshot

A crawl walks your account the way a meticulous new hire would, if they had a week and infinite patience. In practice it takes minutes. InfraMind maps up to 55 AWS services grouped into 5 tiers:

Tier                        Services   Examples
Core compute & networking   19         VPC, EC2, RDS, Lambda, EKS
Security & governance       12         IAM, KMS, GuardDuty, WAFv2, CloudTrail
Data & analytics            10         Redshift, Glue, OpenSearch, DynamoDB
Application & edge           8         CloudFront, Route 53, API Gateway
Ops & ML                     6         SageMaker, Bedrock, CloudFormation

The result is a complete snapshot: every resource, its configuration, and — critically — the relationships between them. Which security groups guard which instances, which roles can touch which buckets, which functions talk to which queues.

That snapshot becomes interactive topology diagrams (VPC layout, service dependencies, security-group flows, IAM relationships, data flow) that stay in sync with your latest crawl — not a Visio file from 2023.

Step 3: Analyze — Claude reads your infrastructure

Raw inventory is useful; judgment is better. InfraMind sends your snapshot through Claude, running on AWS Bedrock or via the Anthropic API (your choice), for analysis across four lenses. The choice matters for data handling: the snapshot describing your infrastructure is what the model reads, so with Bedrock it stays on AWS infrastructure, while with the Anthropic API it is sent to Anthropic's endpoint.

  1. Security — public buckets, over-permissive IAM roles, open security groups, unencrypted volumes
  2. Cost — idle resources, oversized instances, unattached storage
  3. Architecture — single points of failure, missing redundancy, anti-patterns against AWS guidance
  4. General — the "walk me through what I have" review for accounts you've inherited

Every finding names the exact resource, the exact misconfiguration, and a concrete fix — not a citation number and a wish. Findings are filterable by service, account, or severity, so "3,000 issues" becomes "the 12 that matter this sprint."
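What the relationship map from step 2 buys you in step 3 is that a finding can say which instances an open security group actually exposes and which buckets an over-broad role can actually reach, rather than reporting the rule in isolation. The following is an added example, not InfraMind's code, covering both: it builds those relationships from a snapshot and emits security findings shaped the way the post describes (resource, misconfiguration, fix, severity, filterable). The snapshot format is an assumption, a simplified version of what DescribeSecurityGroups, DescribeInstances, DescribeVolumes, the S3 public-access APIs and IAM policy documents return, constructed inline; the severity levels and the admin-port list are the author's choices, not InfraMind's rules.

```python
"""Turn a resource snapshot into relationships and security findings.

Added example, not InfraMind's code. The snapshot shape, severities and
port list are assumptions constructed for the example.
"""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}

# Constructed snapshot of a small account.
SNAPSHOT = {
    "security_groups": [
        {"id": "sg-0a1", "name": "web", "ingress": [
            {"port": 443, "cidr": "0.0.0.0/0"},
            {"port": 22, "cidr": "0.0.0.0/0"},   # the rule that should not be there
        ]},
        {"id": "sg-0b2", "name": "db", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    ],
    "instances": [
        {"id": "i-111", "name": "web-1", "security_groups": ["sg-0a1"], "volumes": ["vol-1"]},
        {"id": "i-222", "name": "db-1", "security_groups": ["sg-0b2"], "volumes": ["vol-2"]},
    ],
    "volumes": [{"id": "vol-1", "encrypted": True}, {"id": "vol-2", "encrypted": False}],
    "buckets": [
        {"name": "prod-assets", "public_access_block": True, "policy_public": False},
        {"name": "legacy-exports", "public_access_block": False, "policy_public": True},
    ],
    "roles": [
        {"name": "ci-deploy", "actions": ["s3:*"], "resources": ["*"]},
        {"name": "app", "actions": ["s3:GetObject"], "resources": ["arn:aws:s3:::prod-assets/*"]},
    ],
}


def finding(service, resource, severity, issue, fix):
    return {"service": service, "resource": resource, "severity": severity, "issue": issue, "fix": fix}


def relationships(snapshot):
    """Which instances sit behind which security group, and which roles can touch which buckets."""
    sg_to_instances = {sg["id"]: [] for sg in snapshot["security_groups"]}
    for inst in snapshot["instances"]:
        for sg in inst["security_groups"]:
            sg_to_instances.setdefault(sg, []).append(inst["id"])
    role_to_buckets = {}
    for role in snapshot["roles"]:
        role_to_buckets[role["name"]] = [
            b["name"] for b in snapshot["buckets"]
            if any(r == "*" or f":::{b['name']}" in r for r in role["resources"])
        ]
    return sg_to_instances, role_to_buckets


def analyze(snapshot):
    """Security lens: open admin ports, unencrypted volumes, public buckets, wildcard roles."""
    sg_to_instances, role_to_buckets = relationships(snapshot)
    out = []
    for sg in snapshot["security_groups"]:
        for rule in sg["ingress"]:
            # prefixlen 0 catches both 0.0.0.0/0 and ::/0
            if ipaddress.ip_network(rule["cidr"]).prefixlen == 0 and rule["port"] in ADMIN_PORTS:
                exposed = ", ".join(sg_to_instances.get(sg["id"], [])) or "no instances"
                out.append(finding("ec2", sg["id"], "high",
                    f"{ADMIN_PORTS[rule['port']]} ({rule['port']}) open to the world; exposes {exposed}",
                    f"restrict {rule['cidr']} to a bastion or VPN CIDR, or drop the rule"))
    attached = {v: inst["id"] for inst in snapshot["instances"] for v in inst["volumes"]}
    for vol in snapshot["volumes"]:
        if not vol["encrypted"]:
            out.append(finding("ec2", vol["id"], "medium",
                f"EBS volume unencrypted (attached to {attached.get(vol['id'], 'nothing')})",
                "snapshot it, copy with encryption, swap the volume; turn on EBS encryption by default"))
    for b in snapshot["buckets"]:
        if b["policy_public"] and not b["public_access_block"]:
            out.append(finding("s3", b["name"], "high",
                "bucket policy grants public access and Public Access Block is off",
                "enable all four Public Access Block settings and remove the public principal"))
    for role in snapshot["roles"]:
        if any(a.endswith("*") for a in role["actions"]) and "*" in role["resources"]:
            out.append(finding("iam", role["name"], "high",
                f"wildcard actions {role['actions']} on all resources; can reach buckets {role_to_buckets[role['name']]}",
                "scope Action to what last-accessed data shows is used and Resource to specific ARNs"))
    return out


def filter_findings(findings, service=None, severity=None):
    """The 'service, account, or severity' filter from the post, minus account (single-account snapshot)."""
    return [f for f in findings
            if (service is None or f["service"] == service)
            and (severity is None or f["severity"] == severity)]


if __name__ == "__main__":
    for f in filter_findings(analyze(SNAPSHOT), severity="high"):
        print(f"[{f['severity']}] {f['service']}:{f['resource']} - {f['issue']}\n    fix: {f['fix']}")
```

The point of the relationship pass is visible in the first finding: sg-0a1 is reported as exposing i-111 on SSH, not just as "port 22 open", and ci-deploy is reported with the two buckets it can reach rather than as an abstract wildcard.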

Step 4: Score — compliance you can show an auditor

Each finding rolls up into a compliance score across 8 frameworks: CIS, PCI-DSS, HIPAA, SOC 2, ISO 27001, GDPR, NIST SP 800-53, and FedRAMP. For every framework you get passing, failing, and not-applicable controls, with remediation guidance on the failures.

Reports export as PDF or share as a live link — which means "are we SOC 2 ready?" stops being a two-week archaeology project and becomes a link you send.

The part developers care about: Terraform export

Here's the quiet superpower. InfraMind converts your live infrastructure into ready-to-use Terraform HCL — and every resource comes with a matching import block:

import {
  to = aws_s3_bucket.prod_assets
  id = "prod-assets"
}

resource "aws_s3_bucket" "prod_assets" {
  bucket = "prod-assets"
  # ... captured configuration
}

That means you can adopt Infrastructure-as-Code on an account that was never built with IaC, without recreating anything and without the weeks of hand-written import statements that usually kill these migrations. Two practical notes: import blocks need Terraform 1.5 or later, and after adding them you should run terraform plan and confirm it reports no changes, because any gap between the generated configuration and the live resource will otherwise be applied on the next terraform apply.
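The awkward part of generating that HCL is not the import block itself but the names: Terraform resource names must match [A-Za-z_][A-Za-z0-9_-]* and be unique per type, and AWS names like "prod.assets.backup" or "123-reports" are neither. The following is an added example, not InfraMind's exporter: it turns a small constructed inventory into import blocks plus resource stubs, sanitizing names and escaping string values. The inventory shape is an assumption; the import ID for each type is whatever the AWS provider expects (bucket name for aws_s3_bucket, the sg-... ID for aws_security_group, the i-... ID for aws_instance).

```python
"""Generate Terraform import blocks plus resource stubs from an inventory.

Added example, not InfraMind's exporter. The inventory below is constructed;
the naming and escaping rules are Terraform's, the inventory shape is an
assumption.
"""
import re

INVENTORY = [
    {"type": "aws_s3_bucket", "id": "prod-assets", "attrs": {"bucket": "prod-assets"}},
    {"type": "aws_s3_bucket", "id": "prod.assets.backup", "attrs": {"bucket": "prod.assets.backup"}},
    {"type": "aws_s3_bucket", "id": "123-reports", "attrs": {"bucket": "123-reports"}},
    {"type": "aws_security_group", "id": "sg-0a1b2c3d",
     "attrs": {"name": "web", "vpc_id": "vpc-0f00", "description": "web tier"}},
    {"type": "aws_instance", "id": "i-0123456789abcdef0",
     "attrs": {"ami": "ami-0abc", "instance_type": "t3.micro", "monitoring": True}},
]


def tf_name(raw, taken):
    """Sanitize an AWS name into a Terraform identifier that is unique within `taken`."""
    name = re.sub(r"[^A-Za-z0-9_]", "_", raw)
    if name[0].isdigit():          # identifiers may not start with a digit
        name = "_" + name
    candidate, n = name, 1
    while candidate in taken:      # prod-assets and prod_assets would otherwise collide
        n += 1
        candidate = f"{name}_{n}"
    taken.add(candidate)
    return candidate


def hcl_value(value):
    """Render a Python scalar as an HCL literal; strings are escaped so they cannot interpolate."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, str):
        escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
                        .replace("${", "$${").replace("%{", "%%{"))
        return f'"{escaped}"'
    raise TypeError(f"unsupported attribute type: {type(value).__name__}")


def render(inventory):
    """Emit an import block and a resource block for each inventory entry."""
    taken_per_type = {}
    out = []
    for res in inventory:
        taken = taken_per_type.setdefault(res["type"], set())
        # Name from the bucket/name attribute when present, otherwise from the import ID.
        raw = res["attrs"].get("bucket") or res["attrs"].get("name") or res["id"]
        name = tf_name(raw, taken)
        addr = f"{res['type']}.{name}"
        out.append(f"import {{\n  to = {addr}\n  id = {hcl_value(res['id'])}\n}}\n")
        body = "".join(f"  {k} = {hcl_value(v)}\n" for k, v in res["attrs"].items())
        out.append(f"resource \"{res['type']}\" \"{name}\" {{\n{body}}}\n")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(INVENTORY))
```

Terraform 1.5 and later can do the second half natively with terraform plan -generate-config-out=generated.tf once the import blocks exist; either way, the plan that follows should show zero changes before you apply.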

And then it keeps watching

Every new crawl is diffed against the previous snapshot. Added, modified, and removed resources surface as change events, filterable by service, account, or severity. When something appears in production that nobody remembers creating — you'll know.
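The snapshot-to-snapshot diff is simple to state and has two details worth getting right: keying on ARN so a rename is not mistaken for a delete-plus-create, and ignoring fields that change on every crawl so they never show up as "modified". The following is an added example, not InfraMind's diff engine. It assumes a snapshot is a dict keyed by ARN whose values are the captured configuration, lists the volatile fields in VOLATILE, and rates anything touching the services in SENSITIVE as high; the two snapshots, the volatile-field list and the severity rule are all constructed or chosen for the example.

```python
"""Diff two crawl snapshots into added/modified/removed change events.

Added example, not InfraMind's code. Snapshot shape, VOLATILE, SENSITIVE
and the severity rule are assumptions constructed for the example.
"""
VOLATILE = {"last_crawled", "etag", "last_modified"}
SENSITIVE = {"iam", "kms", "cloudtrail", "guardduty", "config"}

# Constructed snapshots: one trail removed, one security group widened,
# one function added, one bucket unchanged apart from a volatile field.
OLD = {
    "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail":
        {"multi_region": True, "logging": True, "last_crawled": "2024-05-01T00:00:00Z"},
    "arn:aws:s3:::prod-assets":
        {"versioning": True, "public_access_block": True, "last_modified": "2024-04-30T10:00:00Z"},
    "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0a1":
        {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
}
NEW = {
    "arn:aws:s3:::prod-assets":
        {"versioning": True, "public_access_block": True, "last_modified": "2024-05-08T10:00:00Z"},
    "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0a1":
        {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    "arn:aws:lambda:us-east-1:111111111111:function:nightly-export":
        {"runtime": "python3.12", "role": "arn:aws:iam::111111111111:role/nightly-export"},
}


def service_of(arn):
    """arn:partition:SERVICE:region:account:resource -> SERVICE"""
    return arn.split(":")[2]


def normalize(config):
    """Drop volatile fields recursively so they never count as a modification."""
    if isinstance(config, dict):
        return {k: normalize(v) for k, v in config.items() if k not in VOLATILE}
    if isinstance(config, list):
        return [normalize(v) for v in config]
    return config


def rate(event, arn):
    """Severity rule (author's choice): sensitive services high, deletions medium, rest info."""
    if service_of(arn) in SENSITIVE:
        return "high"
    return "medium" if event == "removed" else "info"


def diff_snapshots(old, new):
    events = []
    for arn in sorted(set(old) | set(new)):
        before, after = normalize(old.get(arn)), normalize(new.get(arn))
        base = {"arn": arn, "service": service_of(arn)}
        if arn not in old:
            events.append({**base, "event": "added", "severity": rate("added", arn), "after": after})
        elif arn not in new:
            events.append({**base, "event": "removed", "severity": rate("removed", arn), "before": before})
        elif before != after:
            changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
            events.append({**base, "event": "modified", "severity": rate("modified", arn),
                           "changed": changed, "before": before, "after": after})
    return events


def filter_events(events, service=None, severity=None):
    return [e for e in events
            if (service is None or e["service"] == service)
            and (severity is None or e["severity"] == severity)]


if __name__ == "__main__":
    for e in diff_snapshots(OLD, NEW):
        detail = e.get("changed", "")
        print(f"[{e['severity']}] {e['event']:<8} {e['arn']} {detail}")
```

On the constructed pair this yields three events and not four: the trail removal (high), the security-group change with changed == ["ingress"], and the new function; the bucket whose only difference is last_modified stays silent, which is exactly the noise you want the diff to swallow.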

What it costs to find out

The free plan connects your first AWS account with no credit card. If the first crawl doesn't teach you something about your own account that you didn't know, it cost you nothing but the two minutes the IAM role took to set up.

Start your first scan →
