Cloud Infrastructure Visibility at Scale: Automated Resource Discovery and Interactive Topology Mapping

This research was created in collaboration with:
Hogeschool Utrecht SUE Logo
Back to overview

Download research

* required

By downloading you indicate that you have taken note of our privacy Statement.

In collaboration with Hogeschool Utrecht

Over the course of this research, we investigated the automated identification and visualization of cloud resources and their interconnections in AWS environments, addressing a critical operational challenge where complex infrastructure often outpaces organizational documentation capabilities. As cloud adoption accelerates and infrastructure complexity intensifies, organizations face blind spots in understanding resource relationships, creating friction in troubleshooting, security auditing, and cost optimization workflows. This study explores how combining SQL-based cloud querying with interactive graph visualization can enable organizations to gain intuitive, real-time insight into their cloud topology without vendor lock-in constraints.​

Research Question and Methodology

The primary research question addressed is: “How can a functionality be developed that generates a visual representation of cloud infrastructure, so that the user has a clear overview of their infrastructure and how its components are connected to each other?” This question is particularly urgent given that many organizations operate with underdocumented environments or infrastructure absent from Infrastructure as Code systems, making manual visibility nearly impossible at scale.

Research Design and Techniques

The study follows a three-phase methodology grounded in practical feasibility assessment and business-driven requirements. First, semi-structured interviews with three internal stakeholders—including the Product Owner, Business Supervisor, and Lead Platform Engineer—established critical information priorities using the MoSCoW method. Stakeholders emphasized that demonstrating technical feasibility and identifying areas requiring further development took precedence over polished user interfaces, reflecting the research-focused nature of the project. Second, systematic technology evaluation examined five candidate tools—CloudMapper, Steampipe, AWS Resource Explorer, InfraMap, and CloudQuery—against criteria including active maintenance, open-source status, multi-cloud support, and hierarchical grouping capabilities. Based on this analysis, Steampipe was selected as the data collection engine for its cloud-agnostic architecture, fully open-source plugin ecosystem, and cost-effective operation with native AWS Resource Explorer integration. Third, Cytoscape.js was chosen as the visualization library for its specialized graph-rendering capabilities, native support for compound nodes enabling hierarchical representations, and existing organizational expertise within the development team.​

Findings: Automated Discovery vs. Resource Heterogeneity Trade-offs

The proof-of-concept successfully demonstrated technical viability for core infrastructure visualization use cases. Steampipe’s SQL-based query abstraction proved effective at identifying diverse AWS resources—Virtual Private Clouds, subnets, EC2 instances, and S3 buckets—across multiple geographic regions and availability zones. Security group relationships enabled precise mapping of authorized network communication between compute instances through a comprehensive SQL query that parsed ingress rules and identified cross-referenced security group relationships. Cytoscape.js rendered these connections intuitively through interactive, hierarchical graph layouts augmented with the cola.js force-directed algorithm to prevent node overlap and maintain readability across complex topologies.​

However, critical limitations emerged when attempting to generalize resource identification beyond virtual machines. The researchers explored querying network interfaces (ENIs) as a universal discovery primitive, theorizing that all resources residing in subnets expose ENIs that could be linked to parent resources. While this approach worked for EC2 instances where the [attachedinstanceid] field provides direct parent linkage, it proved problematic for other resource types. EFS and Lambda resources expose identifiers only in description fields requiring fragile regex extraction patterns, while RDS instances lack any identifier in either field, making parent linkage impossible. This discovery revealed that AWS resource metadata lacks consistent patterns across resource types, fundamentally constraining generic resource discovery approaches.​

Critical Implications and Architectural Trade-offs

The research demonstrates that cloud infrastructure visualization requires balancing three competing objectives: automated resource discovery, hierarchical semantic representation, and tool-user alignment. This reflects the reality that architectural decisions made during infrastructure introspection directly determine what downstream visualization becomes possible.​

Path Forward: Multi-Cloud Strategy and Resource Abstraction

The research reveals that successful multi-cloud resource visualization depends on identifying generic abstraction primitives—VPCs/VNETs, subnets, firewall rules, compute instances, and storage services—that map consistently across provider boundaries. Steampipe’s plugin architecture for AWS, Azure and GCP provides a foundation for cross-provider expansion, as these platforms expose analogous resources: Azure Network Security Groups and GCP VPC Firewall rules mirror AWS security groups, enabling similar connection-discovery approaches. The study recommends maintaining open-source and cloud-agnostic tooling as guiding principles to control vendor lock-in, costs, and architectural complexity.​

Future work should prioritize three areas: developing alternative resource discovery strategies for problematic resource types like RDS, implementing visualization solutions for availability zones that accommodate multi-parent relationships, and leveraging VPC Flow Logs to augment security-group-based connection mapping with actual observed network traffic patterns. Our research concludes that infrastructure visualization maturity lies not in chasing feature completeness but in accepting architectural constraints while building layered abstractions that gracefully degrade when perfect semantic representation becomes impossible.

Share this:
Table of contents

Related resources

In collaboration with University of Amsterdam

Analysis of the Security Posture of eBPF

An exciting, new feature of the Linux kernel is eBPF. It allows users to to hook programs to many places in the Linux kernel at run-time. In order to evaluate this program suite, we created a framework that executes the emulated malware programs while the eBPF programs are hooked in the system.
Expertise: Cloud Security
Read more
In collaboration with Tilburg University

The Impact of Copilot on Quality and Security in Open-Source Software

This research explores the impact of artificial intelligence code development, specifically focusing on GitHub Copilot, on the quality and security of open-source software (OSS). A Collaboration with Tilburg University.
Expertise: Application Modernization, Data & AI
Read more
In collaboration with Fontys University

Generative AI for Infrastructure-as-Code Configurations in Response to Drift Detection

To integrate a minor manual change in a given IaC code can be a labor-intensive and error-prone task. The paper presents an overview of LLMs and techniques to solve drift.
Expertise: Application Modernization, Data & AI, Platform Engineering
Read more
Privacy Overview
This website uses cookies. We use cookies to ensure the proper functioning of our website and services, to analyze how visitors interact with us, and to improve our products and marketing strategies. For more information, please consult our privacy- en cookiebeleid.