Quadzig is an AWS Infrastructure visualization & discovery platform. It lets you visualize & navigate complex multi-account AWS Infrastructure in a structured manner. Quadzig discovers your AWS Infrastructure with a minimal set of Read-Only IAM Permissions.
Adding an AWS Account
You can add AWS Account(s) by navigating to the Add Accounts Screen in the Quadzig app. You have an option of either adding a single AWS Account through a single Cloudformation Stack or multiple AWS Accounts through a Cloudformation Stackset.
If you have a large number of AWS Accounts and you have the ability to launch Cloudformation Stackset instances, we recommend that you use a Cloudformation Stackset to add the AWS Accounts. Note that you can delete individual AWS Accounts from Quadzig after adding them through a Cloudformation Stackset.
Adding a single AWS Account
Adding an AWS Account on Quadzig requires you to provision a limited Cross Account Read-Only IAM Role in your AWS Account. For your convenience, we provide a Cloudformation template that you can use to provision the IAM Role easily. This role is provisioned in the us-east-1 (N. Virginia) region by default. You can change the region to any of the 16 Supported Regions during Cloudformation Stack creation. If you do not have the permissions to launch the Cloudformation stack, you can copy the link available in the Quadzig Console and share it with a person who has appropriate access.
You can view the Cloudformation template here. Note that the browser may prompt you to download the file when you click on the link.
Please note that once you have launched the Cloudformation stack, it takes 2 to 3 minutes for the AWS Account to show up in the Accounts List.
Adding Multiple AWS Accounts
Navigate to the Add Accounts Screen and select the Add Multiple AWS Accounts with Cloudformation Stacksets tab. You can change the Stackset region to your preference. Please note that the region you select in the Quadzig console is the region where the Stackset is deployed. You will have to select the region where the Cloudformation stacks are deployed in the AWS Console. This region has to be one of the 16 Supported Regions.
Quadzig uses a cross-account IAM Role to discover your AWS infrastructure. To make it easy for you to manage the lifecycle of the IAM Role, a Cloudformation stack is created in your account which, in turn, creates the IAM Role. We only provision the minimal set of permissions required for visualizing your infrastructure.
Quadzig will NEVER request WRITE permissions to your AWS Account.
The following permissions are currently needed for Quadzig to discover resources within your AWS Account.
cloudwatch:GetMetricData
ec2:DescribeAddresses
ec2:DescribeClientVpnConnections
ec2:DescribeClientVpnEndpoints
ec2:DescribeClientVpnRoutes
ec2:DescribeInstances
ec2:DescribeInternetGateways
ec2:DescribeNatGateways
ec2:DescribeNetworkAcls
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSpotFleetInstances
ec2:DescribeSpotFleetRequests
ec2:DescribeSubnets
ec2:DescribeTags
ec2:DescribeTransitGatewayAttachments
ec2:DescribeTransitGatewayPeeringAttachments
ec2:DescribeTransitGatewayRouteTables
ec2:DescribeTransitGateways
ec2:DescribeTransitGatewayVpcAttachments
ec2:DescribeVolumes
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
ec2:DescribeVpnConnections
ec2:DescribeVpnGateways
ecs:DescribeClusters
ecs:DescribeContainerInstances
ecs:DescribeServices
ecs:ListClusters
ecs:ListContainerInstances
ecs:ListServices
ecs:ListTagsForResource
elasticache:DescribeCacheClusters
elasticache:DescribeCacheSecurityGroups
elasticache:DescribeCacheSubnetGroups
elasticache:DescribeGlobalReplicationGroups
elasticache:DescribeReplicationGroups
elasticache:ListTagsForResource
elasticloadbalancing:DescribeInstanceHealth
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeLoadBalancerPolicies
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:DescribeDBSubnetGroups
rds:ListTagsForResource
Quadzig may request additional permissions in the future when more resources are supported.
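A practitioner who wants to confirm that the provisioned role really carries only the permissions listed above can audit the role's policy document. The following is an added example, not Quadzig's own code: it flags wildcard actions, actions whose verb is not a read-only Describe/Get/List, and read-only actions that are not in the documented set; SAMPLE_POLICY is a constructed input showing a role that has drifted.

```python
"""Audit a cross-account IAM policy against the read-only permission set documented
above. Added example, not Quadzig's code; SAMPLE_POLICY is constructed."""
# The 48 actions listed on the page, grouped by service prefix.
_DOCUMENTED = {
    "cloudwatch": "GetMetricData",
    "ec2": "DescribeAddresses DescribeClientVpnConnections DescribeClientVpnEndpoints"
           " DescribeClientVpnRoutes DescribeInstances DescribeInternetGateways"
           " DescribeNatGateways DescribeNetworkAcls DescribeRouteTables DescribeSecurityGroups"
           " DescribeSpotFleetInstances DescribeSpotFleetRequests DescribeSubnets DescribeTags"
           " DescribeTransitGatewayAttachments DescribeTransitGatewayPeeringAttachments"
           " DescribeTransitGatewayRouteTables DescribeTransitGateways"
           " DescribeTransitGatewayVpcAttachments DescribeVolumes DescribeVpcPeeringConnections"
           " DescribeVpcs DescribeVpnConnections DescribeVpnGateways",
    "ecs": "DescribeClusters DescribeContainerInstances DescribeServices ListClusters"
           " ListContainerInstances ListServices ListTagsForResource",
    "elasticache": "DescribeCacheClusters DescribeCacheSecurityGroups DescribeCacheSubnetGroups"
           " DescribeGlobalReplicationGroups DescribeReplicationGroups ListTagsForResource",
    "elasticloadbalancing": "DescribeInstanceHealth DescribeLoadBalancerAttributes"
           " DescribeLoadBalancerPolicies DescribeLoadBalancerPolicyTypes DescribeLoadBalancers"
           " DescribeTags",
    "rds": "DescribeDBClusters DescribeDBInstances DescribeDBSubnetGroups ListTagsForResource",
}
QUADZIG_ACTIONS = frozenset(
    f"{svc}:{api}" for svc, apis in _DOCUMENTED.items() for api in apis.split())
READ_ONLY_PREFIXES = ("Describe", "Get", "List")   # verbs that cannot mutate state

def audit_policy(policy: dict) -> dict:
    """Flag Allow actions that are wildcards, non-read-only, or outside the documented set."""
    report = {"wildcards": [], "write_capable": [], "undocumented": []}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            api = action.partition(":")[2]
            if "*" in action:                      # "s3:*" or "*" grants far more than reads
                report["wildcards"].append(action)
            elif not api.startswith(READ_ONLY_PREFIXES):
                report["write_capable"].append(action)
            elif action not in QUADZIG_ACTIONS:    # read-only, but not something Quadzig asked for
                report["undocumented"].append(action)
    return report

# Constructed input: the documented role plus one statement that has drifted.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(QUADZIG_ACTIONS), "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:TerminateInstances", "s3:*", "iam:ListRoles"], "Resource": "*"},
]}
```

Run `audit_policy` on the policy document fetched from the role the Cloudformation stack created; a clean Quadzig role returns three empty lists.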
Quadzig supports visualizing the following AWS Resources. Support for more is on the way. If you would like us to add support for a specific AWS Resource/Service, please let us know.
- VPC Peering Connections
- Transit Gateway Attachments
- RDS Aurora Instances (Note: Only Postgres & Mysql resources are supported)
- Application Load Balancers
- Network Load Balancers
- Classic Load Balancers
- Auto Scaling Groups
If you would like Quadzig to skip discovering & visualizing certain resources, you can add the Resource ID to the block list in the Block Lists section. Resource IDs are the AWS-provided unique IDs for your resources. For example, vpc-08f356d717d61bc6f is a Resource ID.
We only support VPC blocking as of now. If you would like to block more Resource Types, please let us know.
You also have an option to ignore default VPCs in all regions in the settings section.
Note: Blocking a VPC will also stop Quadzig from discovering & visualizing other resources like Subnets, EC2 Instances, RDS Instances in the VPC.
Note: You do NOT have to add full ARN to the block list. Just adding the Resource ID is enough to stop Quadzig from visualizing your resource.
Quadzig supports visualizing infrastructure in the following 16 AWS Regions.
[Table of supported regions: Region Code, Region Name]
When you add an AWS Account, Quadzig discovers resources in all 16 supported regions by default. You can change the region list for each AWS Account individually through the 'Edit AWS Account' screen.
Quadzig fetches the latest changes from your AWS Infrastructure only in 2 cases.
- When you add a new AWS Account, Quadzig runs a one time discovery of your AWS infrastructure.
- When you click on the 'Sync' button in the visualization/omnisearch screens, Quadzig runs a discovery to fetch the latest changes from your AWS Accounts.
Apart from the 2 scenarios described above, Quadzig NEVER proactively scans/discovers resources in your AWS Account.
We may provide an opt-in option for periodic discovery of your AWS resources in the future.
Deleting an AWS Account
You can delete an added AWS Account through the Accounts screen.
Deleting an AWS Account does not automatically delete the provisioned Cross Account IAM Role. To delete this role, please destroy the Cloudformation Stack associated with the account manually.
Deleting the Cloudformation Stack
If the Cloudformation stack associated with an AWS Account is manually deleted by you, Quadzig will no longer be able to discover resources from your AWS Account. In this case, an error is displayed in the Accounts screen indicating that the associated Cloudformation Template has been deleted.
You will have to delete the AWS Account from Quadzig and re-add it for visualization to start working again.
See FAQ section.