AWS Provider

The AWS provider syncs resources from Amazon Web Services into Ctrlplane’s inventory—EKS clusters, EC2 instances, RDS databases, and VPC networks.

Prerequisites

ctrlc CLI installed
AWS credentials configured (environment variables, ~/.aws/credentials, or IAM role)
Ctrlplane API key

Supported Resources

Command	Resource Type	Ctrlplane Kind
`aws eks`	EKS Clusters	`AWS/EKS`
`aws ec2`	EC2 Instances	`AWS/EC2`
`aws rds`	RDS Instances	`AWS/RDS`
`aws networks`	VPCs & Subnets	`AWS/VPC`, `AWS/Subnet`

Authentication

Configure AWS credentials using any standard method:

# Environment variables
export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_REGION="us-east-1"

# Or use AWS CLI profile
export AWS_PROFILE="production"

# Or use IAM role (when running in AWS)
# Credentials are automatically retrieved

EKS Clusters

Sync Amazon Elastic Kubernetes Service clusters:

# Sync from a specific region
ctrlc sync aws eks --region us-east-1

# Sync from multiple regions
ctrlc sync aws eks --region us-east-1 --region us-west-2

# Sync from all regions
ctrlc sync aws eks

# Continuous sync
ctrlc sync aws eks --region us-east-1 --interval 5m

Options

Flag	Description	Required
`--region`	AWS region(s) to sync from	No (all regions if not specified)
`--provider`	Resource provider name	No
`--interval`	Sync interval (e.g., `5m`, `1h`)	No

Resource Metadata

EKS clusters include metadata from AWS tags:

identifier: arn:aws:eks:us-east-1:123456789:cluster/prod-cluster
name: prod-cluster
kind: AWS/EKS
metadata:
  region: us-east-1
  account: "123456789"
  environment: production  # from AWS tag
  team: platform           # from AWS tag
config:
  endpoint: https://XXXXX.eks.us-east-1.amazonaws.com
  version: "1.28"

EC2 Instances

Sync EC2 instances:

# Sync from a specific region
ctrlc sync aws ec2 --region us-east-1

# Continuous sync
ctrlc sync aws ec2 --region us-east-1 --interval 5m

Resource Metadata

identifier: i-0123456789abcdef0
name: web-server-1  # from Name tag
kind: AWS/EC2
metadata:
  region: us-east-1
  availability_zone: us-east-1a
  instance_type: t3.medium
  environment: production  # from AWS tag
config:
  private_ip: 10.0.1.100
  public_ip: 54.123.45.67
  vpc_id: vpc-12345

RDS Instances

Sync RDS database instances:

# Sync from a specific region
ctrlc sync aws rds --region us-east-1

# Continuous sync
ctrlc sync aws rds --region us-east-1 --interval 10m

Resource Metadata

identifier: arn:aws:rds:us-east-1:123456789:db:prod-db
name: prod-db
kind: AWS/RDS
metadata:
  region: us-east-1
  engine: postgres
  engine_version: "15.4"
  instance_class: db.r5.large
  environment: production  # from AWS tag
config:
  endpoint: prod-db.xxxxx.us-east-1.rds.amazonaws.com
  port: 5432

VPC Networks

Sync VPCs and subnets:

# Sync from a specific region
ctrlc sync aws networks --region us-east-1

Running in AWS

ECS Task

{
  "family": "ctrlplane-sync",
  "containerDefinitions": [
    {
      "name": "sync",
      "image": "ghcr.io/ctrlplanedev/cli:latest",
      "command": [
        "ctrlc", "sync", "aws", "eks",
        "--region", "us-east-1",
        "--interval", "5m"
      ],
      "environment": [
        {
          "name": "CTRLPLANE_API_KEY",
          "value": "your-api-key"
        },
        {
          "name": "CTRLPLANE_WORKSPACE",
          "value": "your-workspace-id"
        }
      ]
    }
  ],
  "taskRoleArn": "arn:aws:iam::123456789:role/ctrlplane-sync-role"
}

IAM Policy

The sync task needs read permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:ListClusters",
        "eks:DescribeCluster",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "rds:DescribeDBInstances",
        "tag:GetResources"
      ],
      "Resource": "*"
    }
  ]
}

Lambda Function

Run sync periodically with Lambda:

import subprocess

def handler(event, context):
    subprocess.run([
        "ctrlc", "sync", "aws", "eks",
        "--region", "us-east-1"
    ], check=True)

Environment Targeting

Target AWS resources in environments:

# All production EKS clusters
type: Environment
name: Production EKS
resourceSelector: |
  resource.kind == "AWS/EKS" &&
  resource.metadata["environment"] == "production"

# US East resources only
type: Environment
name: US East
resourceSelector: |
  resource.metadata["region"] == "us-east-1"

# Production databases
type: Environment
name: Production Databases
resourceSelector: |
  resource.kind == "AWS/RDS" &&
  resource.metadata["environment"] == "production"

Best Practices

Tag Your Resources

Ensure AWS resources have meaningful tags:

aws ec2 create-tags --resources i-12345 --tags \
  Key=environment,Value=production \
  Key=team,Value=platform \
  Key=tier,Value=critical

Use Multiple Regions

Sync from all regions your infrastructure spans:

ctrlc sync aws eks \
  --region us-east-1 \
  --region us-west-2 \
  --region eu-west-1 \
  --interval 5m

Separate by Resource Type

Run separate sync processes for different resource types:

# EKS sync
ctrlc sync aws eks --interval 5m &

# EC2 sync
ctrlc sync aws ec2 --interval 5m &

# RDS sync (less frequent)
ctrlc sync aws rds --interval 15m &

Next Steps

Google Cloud

Sync GCP resources

Azure

Sync Azure resources

Selectors

Learn selector syntax

Environments

Create dynamic environments

Getting Started

Resource Providers

AWS Provider

Prerequisites

Supported Resources

Authentication

EKS Clusters

Options

Resource Metadata

EC2 Instances

Resource Metadata

RDS Instances

Resource Metadata

VPC Networks

Running in AWS

ECS Task

IAM Policy

Lambda Function

Environment Targeting

Best Practices

Tag Your Resources

Use Multiple Regions

Separate by Resource Type

Next Steps

Google Cloud

Azure

Selectors

Environments

Getting Started

Resource Providers

Documentation Index

​Prerequisites

​Supported Resources

​Authentication

​EKS Clusters

​Options

​Resource Metadata

​EC2 Instances

​Resource Metadata

​RDS Instances

​Resource Metadata

​VPC Networks

​Running in AWS

​ECS Task

​IAM Policy

​Lambda Function

​Environment Targeting

​Best Practices

​Tag Your Resources

​Use Multiple Regions

​Separate by Resource Type

​Next Steps

Google Cloud

Azure

Selectors

Environments

Prerequisites

Supported Resources

Authentication

EKS Clusters

Options

Resource Metadata

EC2 Instances

Resource Metadata

RDS Instances

Resource Metadata

VPC Networks

Running in AWS

ECS Task

IAM Policy

Lambda Function

Environment Targeting

Best Practices

Tag Your Resources

Use Multiple Regions

Separate by Resource Type

Next Steps