cloudburn
CloudBurn is an open-source policy engine that catches wasteful AWS configurations before they're deployed and identifies cost issues in running accounts. It runs the same 75 cost rules against both Infrastructure-as-Code (Terraform, CloudFormation) and live AWS resources.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | towardsthecloud/cloudburn |
| Owner | towardsthecloud |
| Primary language | TypeScript |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.8k |
| Forks | 370 |
| Open issues | 1 |
| Latest release | @cloudburn/[email protected] (2026-04-09) |
| Last updated | 2026-04-09 |
| Source | https://github.com/towardsthecloud/cloudburn |
What cloudburn is
TypeScript-based CLI and SDK tool that performs static analysis on IaC files and queries live AWS Resource Explorer to detect cost-inefficient patterns. Supports both table and JSON output formats, integrates into CI/CD pipelines via CLI or programmatically via SDK, and requires specific AWS IAM permissions tied to enabled rules.
Get the cloudburn source
Clone the repository and explore it locally.
git clone https://github.com/towardsthecloud/cloudburn.gitcd cloudburn# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Node.js 24+ for CLI; Homebrew or npm installation options available. AWS Resource Explorer must be initialized before `discover` mode can function.
- IAM permissions required depend on which of the 75 rules are enabled; audit the full permission set against your security posture before granting broad access.
- Config file (`.cloudburn.yml` or `.cloudburn.yaml`) is optional but recommended to customize rule sets and output formats for different contexts (CI vs. local use).
- CLI defaults to implicit config discovery upward from current directory; in CI, explicit `--config <path>` is required to avoid ambiguity.
- Both IaC scan and live discovery output in table or JSON; JSON output is preferable for machine parsing and downstream policy enforcement.
When to avoid it — and what to weigh
- Multi-Region Discovery at Scale — CLI targets one region at a time; multi-region discovery is SDK-only. Not suitable for single-command compliance scans across large deployments without scripting.
- Non-AWS Cloud Environments — Designed exclusively for AWS. GCP, Azure, or hybrid-cloud deployments will require parallel tooling.
- Real-Time Cost Anomaly Detection — CloudBurn is policy-based and deterministic; it does not perform anomaly detection, forecasting, or time-series analysis of spending patterns.
- Minimal AWS Permissions Model — Requires Resource Explorer read/write access plus service-specific read permissions; not suitable for highly locked-down environments where IAM scope cannot be expanded.
License & commercial use
Licensed under Apache License 2.0 (OSI-approved permissive license). Permits commercial use, modification, and distribution with attribution and no warranty. Full license text available in repository.
Apache-2.0 explicitly permits commercial use without royalties or licensing restrictions. You may use CloudBurn in commercial products and modify the source code. Attribution required in documentation/notices. No commercial support, warranty, or liability guarantees from the licensor; community support via Discord and GitHub.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
CloudBurn requires AWS IAM permissions (Resource Explorer read/write, service-specific read permissions). Restrict IAM role to only rules you enable. No claims made about vulnerability scanning or threat detection; it is a cost/policy engine, not a security scanner. Audit rule set before deploying in sensitive environments. Community-driven project; security posture relies on peer review and community responsiveness to reported issues.
Alternatives to consider
AWS Trusted Advisor / AWS Cost Explorer
AWS-native cost and waste detection; no IaC scanning. Less flexible rules, but tightly integrated with AWS console and billing. Requires active AWS support plan for some features.
Infracost
Open-source IaC cost estimation for Terraform/CloudFormation. Focuses on cost prediction during planning, not policy enforcement or live discovery. Complementary, not a direct replacement.
Snyk Infrastructure-as-Code
Broader IaC scanning for security, compliance, and cost; commercial SaaS model. More comprehensive than CloudBurn but closed-source and not free at scale.
Build on cloudburn with DEV.co software developers
Deploy CloudBurn in your CI/CD pipeline or evaluate your running infrastructure with live discovery. Start with npm install --global cloudburn or brew install.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
cloudburn FAQ
What AWS services do the 75 rules cover?
Can I use CloudBurn without AWS Resource Explorer?
Does CloudBurn support Kubernetes, Helm, or other IaC formats?
Is commercial support available?
Software development & web development with DEV.co
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If cloudburn is part of your open-source devops roadmap, our team can implement, customize, migrate, and maintain it.
Ready to Optimize AWS Costs?
Deploy CloudBurn in your CI/CD pipeline or evaluate your running infrastructure with live discovery. Start with npm install --global cloudburn or brew install.