DEV.co
Open-Source DevOps · towardsthecloud

cloudburn

CloudBurn is an open-source policy engine that catches wasteful AWS configurations before they're deployed and identifies cost issues in running accounts. It runs the same 75 cost rules against both Infrastructure-as-Code (Terraform, CloudFormation) and live AWS resources.

Source: GitHub — github.com/towardsthecloud/cloudburn
1.8k
GitHub stars
370
Forks
TypeScript
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorytowardsthecloud/cloudburn
Ownertowardsthecloud
Primary languageTypeScript
LicenseApache-2.0 — OSI-approved
Stars1.8k
Forks370
Open issues1
Latest release@cloudburn/[email protected] (2026-04-09)
Last updated2026-04-09
Sourcehttps://github.com/towardsthecloud/cloudburn

What cloudburn is

TypeScript-based CLI and SDK tool that performs static analysis on IaC files and queries live AWS Resource Explorer to detect cost-inefficient patterns. Supports both table and JSON output formats, integrates into CI/CD pipelines via CLI or programmatically via SDK, and requires specific AWS IAM permissions tied to enabled rules.

Quickstart

Get the cloudburn source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/towardsthecloud/cloudburn.gitcd cloudburn# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

CI/CD Cost-Gate Integration

Wire CloudBurn into pull request checks or release pipelines to prevent cost-inefficient IaC patterns (over-provisioned instances, unoptimized storage, etc.) from reaching production.

Post-Deployment Remediation Discovery

Run `discover` against live AWS accounts to identify existing resources that violate cost policies, enabling targeted remediation and FinOps optimization work.

Programmable Cost Policy Automation

Use the SDK to embed CloudBurn rules into custom tooling, dashboards, or governance automation systems that need deterministic cost rule evaluation.

Implementation considerations

  • Requires Node.js 24+ for CLI; Homebrew or npm installation options available. AWS Resource Explorer must be initialized before `discover` mode can function.
  • IAM permissions required depend on which of the 75 rules are enabled; audit the full permission set against your security posture before granting broad access.
  • Config file (`.cloudburn.yml` or `.cloudburn.yaml`) is optional but recommended to customize rule sets and output formats for different contexts (CI vs. local use).
  • CLI defaults to implicit config discovery upward from current directory; in CI, explicit `--config <path>` is required to avoid ambiguity.
  • Both IaC scan and live discovery output in table or JSON; JSON output is preferable for machine parsing and downstream policy enforcement.

When to avoid it — and what to weigh

  • Multi-Region Discovery at Scale — CLI targets one region at a time; multi-region discovery is SDK-only. Not suitable for single-command compliance scans across large deployments without scripting.
  • Non-AWS Cloud Environments — Designed exclusively for AWS. GCP, Azure, or hybrid-cloud deployments will require parallel tooling.
  • Real-Time Cost Anomaly Detection — CloudBurn is policy-based and deterministic; it does not perform anomaly detection, forecasting, or time-series analysis of spending patterns.
  • Minimal AWS Permissions Model — Requires Resource Explorer read/write access plus service-specific read permissions; not suitable for highly locked-down environments where IAM scope cannot be expanded.

License & commercial use

Licensed under Apache License 2.0 (OSI-approved permissive license). Permits commercial use, modification, and distribution with attribution and no warranty. Full license text available in repository.

Apache-2.0 explicitly permits commercial use without royalties or licensing restrictions. You may use CloudBurn in commercial products and modify the source code. Attribution required in documentation/notices. No commercial support, warranty, or liability guarantees from the licensor; community support via Discord and GitHub.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

CloudBurn requires AWS IAM permissions (Resource Explorer read/write, service-specific read permissions). Restrict IAM role to only rules you enable. No claims made about vulnerability scanning or threat detection; it is a cost/policy engine, not a security scanner. Audit rule set before deploying in sensitive environments. Community-driven project; security posture relies on peer review and community responsiveness to reported issues.

Alternatives to consider

AWS Trusted Advisor / AWS Cost Explorer

AWS-native cost and waste detection; no IaC scanning. Less flexible rules, but tightly integrated with AWS console and billing. Requires active AWS support plan for some features.

Infracost

Open-source IaC cost estimation for Terraform/CloudFormation. Focuses on cost prediction during planning, not policy enforcement or live discovery. Complementary, not a direct replacement.

Snyk Infrastructure-as-Code

Broader IaC scanning for security, compliance, and cost; commercial SaaS model. More comprehensive than CloudBurn but closed-source and not free at scale.

Software development agency

Build on cloudburn with DEV.co software developers

Deploy CloudBurn in your CI/CD pipeline or evaluate your running infrastructure with live discovery. Start with npm install --global cloudburn or brew install.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

cloudburn FAQ

What AWS services do the 75 rules cover?
Rules span EC2, EBS, RDS, S3, Lambda, CloudTrail, CloudWatch, and others. Exact coverage per service not itemized in provided data; see rule list at docs/reference/rule-ids.md for details.
Can I use CloudBurn without AWS Resource Explorer?
Not for live discovery (`discover` mode). IaC scanning (`scan` mode) works without it. Resource Explorer must be initialized if you plan to audit running AWS resources.
Does CloudBurn support Kubernetes, Helm, or other IaC formats?
No. CloudBurn currently scans Terraform (`.tf`) and CloudFormation (`.yaml`, `.json`) only. Other IaC formats are not supported.
Is commercial support available?
Not stated in provided data. Community support is available via Discord and GitHub. For vendor support, contact details not provided; check cloudburn.io.

Software development & web development with DEV.co

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If cloudburn is part of your open-source devops roadmap, our team can implement, customize, migrate, and maintain it.

Ready to Optimize AWS Costs?

Deploy CloudBurn in your CI/CD pipeline or evaluate your running infrastructure with live discovery. Start with npm install --global cloudburn or brew install.