Cloudburn
Open-source policy engine that blocks bad AWS spending patterns before they ship and remediates what's already burning.
CloudBurn runs deterministic cost rules against your Terraform and CloudFormation with scan, then runs those same rules against your live AWS account with discover. Wire it into CI to catch waste before deploy. Point it at a running account to find what's still burning money.
Features
- One rules engine, two modes. Same rules for IaC and live AWS. See the rule list.
- Scan in CI. Checks Terraform and CloudFormation in pull requests, CI jobs, and release pipelines.
- Discover in production. Inspects deployed resources and shows what needs fixing.
- Programmable. The SDK lets you run CloudBurn inside your own tooling.
- Machine and human friendly output. json and table formats.
See It Run
IaC scan

Live discovery

Installation
Homebrew (macOS/Linux)
brew install towardsthecloud/tap/cloudburn
This installs Node.js automatically if you don't have it.
npm
Requires Node.js 24+.
npm install --global cloudburn
Or run it without installing:
npx cloudburn scan ./main.tf
Getting Started
Config
Config is optional. By default, CloudBurn runs all checks for the mode you use.
Create a starter config:
cloudburn config --init
Inspect the current discovered config file:
cloudburn config --print
Inspect the starter template without writing a file:
cloudburn config --print-template
CloudBurn reads .cloudburn.yml or .cloudburn.yaml. By default it searches upward from the current directory until it finds a config file or reaches the git root. In CI, implicit config discovery is skipped entirely; use --config <path> on scan or discover to opt into an exact file instead.
iac:
  enabled-rules:
    - CLDBRN-AWS-EBS-1
    - CLDBRN-AWS-RDS-1
  disabled-rules:
    - CLDBRN-AWS-EC2-2
  format: table
discovery:
  enabled-rules:
    - CLDBRN-AWS-EBS-1
  disabled-rules:
    - CLDBRN-AWS-S3-1
  format: json
- Use enabled-rules when you want a mode to run only a specific set of rules.
- Use disabled-rules when you want to subtract a few rules from the active set.
- Use stable public rule IDs like CLDBRN-AWS-EBS-1.
- Use --config <path> if you want scan or discover to load a specific config file.
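Because a config file can disable rules, it helps to know which file a given run will load. The sketch below is an added example, not CloudBurn's own code: it models the lookup described above (upward search to the git root, no implicit search in CI, --config as an exact path). The CI environment variable check, the .git marker, and the .yml-before-.yaml order are assumptions.

```python
import os
import tempfile
from pathlib import Path

CONFIG_NAMES = (".cloudburn.yml", ".cloudburn.yaml")  # file names from the README


def find_config(start, explicit=None, env=None):
    """Return the config path a run would load, or None (all checks run)."""
    env = os.environ if env is None else env
    if explicit is not None:
        return Path(explicit).resolve()  # --config <path>: exact file, no search
    if env.get("CI"):
        return None  # assumption: CI is detected through the CI env variable
    current = Path(start).resolve()
    while True:
        for name in CONFIG_NAMES:  # assumption: .yml is tried before .yaml
            if (current / name).is_file():
                return current / name
        # Assumptions: the git root is the directory holding a .git entry, it is
        # itself searched, and without one the walk ends at the filesystem root.
        if (current / ".git").exists() or current.parent == current:
            return None
        current = current.parent


def demo():
    """Run the lookup over a constructed directory tree and collect the results."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        outer = Path(tmp).resolve()
        repo = outer / "repo"
        module = repo / "iac" / "network"
        module.mkdir(parents=True)
        (repo / ".git").mkdir()
        # Per the README the search stops at the git root, so this file is out of reach.
        (outer / ".cloudburn.yml").write_text("iac:\n  disabled-rules:\n    - CLDBRN-AWS-EC2-2\n")
        out["outside_repo"] = find_config(module, env={})
        (repo / ".cloudburn.yaml").write_text("iac:\n  format: table\n")
        out["repo_root"] = find_config(module, env={}).relative_to(outer).as_posix()
        out["in_ci"] = find_config(module, env={"CI": "true"})
        pinned = find_config(module, explicit=repo / ".cloudburn.yaml", env={"CI": "true"})
        out["ci_pinned"] = pinned.relative_to(outer).as_posix()
    return out


if __name__ == "__main__":
    print(demo())
```

For the file the installed CLI actually resolved, cloudburn config --print remains the authoritative check.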
Scan
Point scan at your IaC files. It checks Terraform (.tf) and CloudFormation (.yaml, .json).
cloudburn scan ./main.tf
cloudburn scan ./template.yaml
cloudburn scan ./iac --exit-code
cloudburn --format json scan ./iac
Discover
discover runs the same rules against live AWS resources. Initialize AWS Resource Explorer first, then run against one region or all of them.
cloudburn discover init
cloudburn discover
cloudburn discover --region eu-central-1
cloudburn discover --region all
cloudburn discover --service ec2,s3
--region all requires an AWS Resource Explorer aggregator index.
Generate a starter config with cloudburn config --init. Full details in the config reference.
AWS Permissions
CloudBurn needs Resource Explorer read/write access plus read-only permissions for the services behind the rules you enable (EC2, EBS, RDS, S3, Lambda, CloudTrail, CloudWatch, etc.). Which permissions you need depends on which rules you're running.
Contributing
Want to help? Start with CONTRIBUTING.md.
License

