CloudStack Canvas (CSC) is a browser-based visual designer for AWS infrastructure. You drag services onto an infinite canvas, connect them, configure properties, and export production-ready Infrastructure as Code — no YAML hand-authoring required.

The canvas understands AWS architecture rules: it automatically places resources inside the correct containers (EC2 instances go inside Subnets, Subnets inside VPCs), generates the dependent resources you need (IAM roles, Security Groups), and validates placement before letting you drop.

1. 1

   Create a project

   From the Dashboard, click "+ New Project". Choose Simple mode to get auto-wiring or Advanced mode for full control.

2. 2

   Add resources from the palette

   The left panel lists all available AWS services grouped by category. Drag any service onto the canvas to place it.

3. 3

   Connect resources

   Hover over a node until you see the connection handle (a small circle on the edge). Click and drag to another node to draw an edge.

4. 4

   Configure properties

   Click any node to open the Properties panel on the right. Change the label, instance type, storage size, or any resource-specific setting.

5. 5

   Export your infrastructure

   Click "Export IaC" in the toolbar. Choose CloudFormation JSON, CloudFormation YAML, or Terraform. The file downloads immediately.

The canvas is an infinite, pannable workspace. All standard React Flow navigation gestures apply:

The left sidebar lists every supported AWS service, organized into categories: Compute, Storage, Database, Networking, Security, Messaging, and more. Use the search box at the top to filter by name or keyword.

Dropping a resource

Drag any service icon from the palette and drop it onto the canvas. CSC checks placement rules before adding the node:

• Resources that require a VPC (EC2, RDS, ECS, etc.) are automatically placed inside one. If no VPC exists yet, CSC creates one for you.
• Resources that require a Subnet are placed inside a Subnet inside the VPC.
• If a required container doesn't exist, CSC creates the full hierarchy automatically.

Auto-generated dependencies

Many services create companion resources automatically. For example, dropping an EC2 instance also generates:

• An EC2 Security Group (inside the Security Zone)
• An IAM Instance Role (inside the IAM Zone)

These auto-generated nodes are linked visually and included in all IaC exports. You can hide them with the layer toggles if they clutter the view.

Every project runs in one of two modes. You choose when creating the project, and can switch in Settings.

CSC uses container nodes to represent AWS grouping constructs. Child resources live visually inside their parent containers, and this hierarchy is reflected in the IaC output.

Resizing containers

Hover over the edge or corner of any container (VPC, Subnet, etc.) to reveal the resize handle. Drag to expand or contract. The canvas enforces a minimum size so children are never clipped. Resizing is undoable with Ctrl+Z.

Security Zone and IAM Zone

These two zone types are CSC-only organizational containers. They do not map to an AWS resource and are excluded from IaC exports. They exist solely to keep Security Groups and IAM Roles visually separated from your main architecture.

Edges represent relationships between resources (data flow, network access, IAM trust, etc.). In the exported IaC they become references or dependency declarations between resources.

1. 1

   Hover over a node

   A small circle (connection handle) appears on the edges of the node.

2. 2

   Click and drag the handle

   Pull to another node. A preview edge follows your cursor.

3. 3

   Release on the target node

   CSC resolves the relationship type automatically based on both resource types (e.g. EC2 → S3 generates a bucket policy reference).

Deleting an edge

Click an edge to select it (it turns highlighted), then press Delete or Backspace.

Click any node to open the Properties panel on the right side of the canvas. The panel shows fields specific to that resource type.

Common fields

• Label — the display name shown on the canvas node. Editable inline by double-clicking the node label.
• Logical ID — the CloudFormation logical resource ID. Auto-generated from the label, editable in Advanced mode.
• Resource-specific fields — instance type, engine version, storage class, memory size, etc.

Naming configuration

In Simple mode, all resource names follow the pattern [prefix]-[environment]-[project]-[resource]. Change the environment, project name, and prefix in the canvas toolbar's naming settings.

Templates give you a pre-wired starting point for common architectures. Access them via the Templates button in the canvas toolbar.

CSC maintains a 50-step history for every canvas change: adding/removing resources, connecting nodes, moving nodes, resizing containers, editing labels, and changing properties.

Each logical action is one undo step. Dragging a node across the canvas is one step, not one step per pixel. Dropping a resource that auto-creates dependencies (VPC + Subnet + SG + IAM role) is also a single undo step.

The toolbar contains three layer toggles that let you hide categories of nodes without removing them from the canvas. Hidden nodes are still included in all IaC exports.

All shortcuts work when focus is on the canvas (not inside a text input).

The bottom-right corner of the canvas shows the minimap — a scaled overview of all nodes. Click anywhere on the minimap to jump the viewport to that location. Colored squares on the minimap match the primary color of each resource node.

The Controls panel (bottom-left) provides three buttons:

• Zoom In — increase zoom level
• Zoom Out — decrease zoom level
• Fit View — zoom and pan to show all nodes

Both the minimap and controls can be toggled in the canvas toolbar's View menu if you prefer a cleaner workspace.

CloudFormation export is available on all plans. CSC generates a complete, deployable CloudFormation template from your canvas.

1. 1

   Click "Export IaC" in the toolbar

   The export dialog opens showing available formats for your plan.

2. 2

   Choose JSON or YAML

   Both formats are identical in content. JSON is the default; YAML is more human-readable for version control.

3. 3

   Download

   The file downloads as cloudformation.json or cloudformation.yaml. Deploy it with the AWS Console, CLI, or CDK.

What gets exported

• All resource nodes on the canvas (including hidden layer nodes)
• All edges as DependsOn or reference properties
• Resource properties set in the Properties panel
• Naming config (prefix, environment, project)

What is excluded

• Security Zone and IAM Zone containers (CSC-only organizational nodes)
• Canvas metadata (positions, colors, labels used only for display)

Deploying with the AWS CLI

Terraform HCL export is available on Pro and Enterprise plans. CSC generates a singlemain.tffile with all resources and their relationships expressed as Terraform references.

1. 1

   Click "Export IaC" → "Terraform"

   Downloads main.tf with the AWS provider configured for the resources on your canvas.

2. 2

   Initialize and plan

   Run terraform init && terraform plan in the same directory to preview the deployment.

3. 3

   Apply

   Run terraform apply to create the infrastructure in your AWS account.

Export quotas are enforced per calendar month and reset on the 1st of each month.

If you deployed a CSC-generated template as a CloudFormation stack, tearing it down is a single command. CloudFormation tracks every physical resource it created — VPC IDs, subnet IDs, ARNs — and deletes them in the correct reverse-dependency order automatically.

Via the AWS CLI

Via the AWS Console

1. 1

   Open CloudFormation

   Go to the AWS Console → CloudFormation → Stacks. Find the stack you deployed (it uses the stack name you provided at deploy time).

2. 2

   Select the stack

   Click the stack name to open its detail view.

3. 3

   Click Delete

   Click the "Delete" button at the top right. Confirm the prompt. CloudFormation will delete all resources in dependency order — subnets before VPCs, instances before security groups, etc.

4. 4

   Monitor progress

   The Events tab shows deletion progress in real time. The stack disappears from the list once all resources are removed.

For Terraform exports

Partial teardown

If you want to remove specific resources without deleting the entire stack, update the template — remove those nodes in CSC, re-export, and redeploy. CloudFormation will delete only the resources that were removed from the template.

Every resource CloudStack Canvas generates — EC2 instances, Lambda functions, S3 buckets, RDS databases, IAM roles, NAT Gateways, VPCs, and every other CloudFormation resource in your exported template — is automatically tagged with:

This tag is present on every single resource in every template — including auto-generated sub-resources like Internet Gateways, NAT Gateways, route tables, CloudWatch log groups, SQS dead-letter queues, and IAM roles. If CSC generated it, it has the tag.

Finding your deployed resources

You can use ManagedBy = CloudStackCanvas as a filter in any AWS service that supports tag-based filtering.

AWS Resource Groups

Create a tag-based Resource Group to see everything CSC has deployed in one place:

AWS Cost Explorer

Filter or group your AWS bill by ManagedBy to see exactly what CSC-deployed infrastructure costs vs resources you created manually or with other tools.

AWS CLI — find all tagged resources

AWS Config

Use AWS Config rules or conformance packs to audit CSC-deployed resources. For example, require that all resources tagged ManagedBy=CloudStackCanvas have encryption enabled or Multi-AZ turned on.

IAM — restrict who can modify CSC resources

Add a tag-based condition to IAM policies to prevent engineers from manually modifying resources that should only be changed through CloudStack Canvas:

Overriding the tag

If your organization uses a different tagging standard (for example managed-by instead of ManagedBy), you can add your own tag with the same key in the canvas Tags panel — user-set tags always override the CSC defaults. The CSC default tag will be replaced by your version.

You can also add additional identifying tags (team name, project, cost centre) per resource in the Tags panel in Advanced mode, or globally via the Naming Config section.

What is not tagged

A small number of AWS resource types do not support tags at all — notablyAWS::ApiGateway::Deployment,AWS::ApiGateway::Stage method settings, and some networking entries. These are edge cases in the AWS tagging API — the parent resources (the API Gateway itself, the VPC) are always tagged.

The AWS CLI (Command Line Interface) is a program you install on your computer that lets you control AWS directly from your terminal — deploying templates, checking resource status, and more. You need it to follow the CLI paths in the per-template deployment guides. The Console path works without it.

macOS

Recommended: download the installer — no extra tools required.

If you already use Homebrew (a Mac package manager), you can also run: brew install awscli

Windows

Download the installer file (.msi = a standard Windows installer, like .exe) and double-click to run it.

After installing, open a new PowerShell or Command Prompt window before continuing.

Linux

Verify the installation worked

Open a new terminal window and run:

The AWS CLI needs credentials to make API calls on your behalf. The recommended approach is to create a dedicated IAM user with programmatic access, then run aws configure.

Console — create access keys

1. 1

   Open IAM in the AWS Console

   Navigate to IAM → Users → select your user (or create one — see IAM Permissions section below).

2. 2

   Create access key

   Click Security credentials → Create access key → choose "Command Line Interface (CLI)" → Next → Create.

3. 3

   Download credentials

   Copy the Access Key ID and Secret Access Key. You cannot retrieve the secret again after closing this dialog.

Configure the CLI

Run aws configure in your terminal. It will ask you four questions — paste or type your answers:

Your credentials are saved automatically in a file on your computer. You will not need to run this again unless you create new keys.

Verify credentials are working

Using named profiles (optional)

If you manage multiple AWS accounts, use named profiles instead of the default:

Your IAM user needs specific permissions to deploy CloudFormation templates and the AWS resources inside them. The safest approach is to create a dedicated deployment user with a scoped policy.

Minimum permissions for CSC templates

Console — steps to create a deployment IAM user

1. 1

   Go to IAM → Users → Create user

   Enter a name like "csc-deploy". Do not enable Console access — this user only needs programmatic (CLI) access.

2. 2

   Attach permissions

   Choose "Attach policies directly". Search for and attach PowerUserAccess + IAMFullAccess, or create a custom policy scoped to the services your templates use.

3. 3

   Create access keys

   After creating the user, go to Security credentials → Create access key → CLI → create. Copy the keys and run aws configure.

When a CloudFormation deployment fails, the stack enters ROLLBACK_COMPLETE or CREATE_FAILED state and automatically undoes any resources it created. Here is how to diagnose and fix failures.

Step 1 — Find the root cause

Console: In the AWS Console, go to CloudFormation (search for it in the top bar). Click on your stack name in the list. At the top of the stack detail page, click the Events tab. The list shows newest events at the top — scroll to the bottom to find the oldest (first) failure. Red rows are failures. Read the Status reason column — that is your error message.

CLI:

Common errors and fixes

Step 2 — Delete a failed stack before redeploying

Step 3 — Fix the issue in CloudStack Canvas

Most failures come from one of: a missing required property, a name collision, or a missing IAM permission. Fix the root cause in the CSC property panel, re-export the template, then redeploy. Do not try to deploy the same template twice without fixing the issue — CloudFormation will reject it.

CloudFormation Console walkthrough (for all templates)

1. 1

   Open CloudFormation in the AWS Console

   Navigate to CloudFormation using the search bar. Make sure your region (top-right) matches where you want to deploy — most CSC templates use us-east-1.

2. 2

   Create stack

   Click "Create stack" → "With new resources (standard)". Under "Specify template", choose "Upload a template file". Click "Choose file" and select the JSON or YAML file exported from CloudStack Canvas.

3. 3

   Name the stack

   Enter a stack name (e.g. csc-static-site). Names must be unique per region. Click Next.

4. 4

   Fill in parameters

   If the template has parameters (visible in the Parameters section of the export modal), fill them in here. Leave environment as "dev" unless you are deploying to staging or production.

5. 5

   Configure stack options

   Leave defaults. Optionally add tags. Click Next.

6. 6

   Review and acknowledge IAM

   At the bottom of the review page, check the box: "I acknowledge that AWS CloudFormation might create IAM resources with custom names." Click Submit.

7. 7

   Monitor the Events tab

   Watch the Events tab as resources are created. Green = success, red = failure. If any resource fails, read the Status reason — this is your error message.

8. 8

   Check Outputs after completion

   When the stack status changes to CREATE_COMPLETE (shown in green), click the Outputs tab. This is a list of key information about your deployed resources — URLs, connection strings, resource names — that CloudFormation surfaces so you don't have to go hunting. You will need these values to configure your application.

Organizations let Pro and Enterprise teams share projects under a single workspace. All members of an organization can see and open org projects from their dashboard.

1. 1

   Open Settings → Organization

   Navigate to Settings and select the Organization tab, or follow the Set up Org prompt on your dashboard if you're on a Pro or Enterprise plan with no organization yet.

2. 2

   Create an Organization

   Click Create Organization. Enter a unique name — this becomes your org's display name and slug used in the system.

3. 3

   Invite Members

   Once created, use the Invite member field under your org to add teammates by email. Invited users must already have a CloudStack Canvas account.

4. 4

   Share Projects

   Create new projects inside the org from your dashboard (the + New Org Project card), or move an existing personal project into the org using the Move to Org button (double-arrow icon) on any personal project card.

Every org member has one of four roles. Roles are ranked — higher ranks can only be assigned by someone of equal or higher rank.

An Owner cannot leave an organization unless they first transfer ownership or delete the org. Admins can invite members, change roles below their own rank, and remove editors/viewers.

Org projects are visible to all members of the organization regardless of who created them.

• Create — click + New Org Project on the dashboard (editors and above).
• Move — transfer a personal project into an org via the double-arrow icon on any personal project card.
• Open — any org member can open and view an org project.
• Edit — editors, admins, and owners can make and save changes.
• Delete — owners and admins can delete org projects from the dashboard (the trash icon appears for eligible roles only).

Pro and Enterprise plans support real-time collaboration on saved projects (not the unsaved /canvas/new sandbox). Multiple team members can work on the same project simultaneously.

Collaboration uses a Server-Sent Events (SSE) stream from the server to each connected client, plus lightweight REST calls from clients to the server. No WebSocket server is required.

What syncs in real time

• Cursor positions (throttled to 20 updates/second per user)
• Node selection (which node each user has clicked)
• Node moves (when a user finishes dragging a node)

What does not sync automatically

• Adding or removing resources — these appear after the next auto-save cycle
• Property changes — same, reflected after auto-save

When collaborators are on the same canvas, their cursors appear as colored SVG pointers with their name. Each user gets a unique color assigned automatically.

Selected nodes show a colored ring matching the collaborator's color, so you can see what each person is working on at a glance.

The cost estimation engine computes a projected monthly AWS bill for the resources on your canvas based on AWS public pricing. Estimates are updated each time you open the cost panel or add/remove resources.

Costs use the following default assumptions:

• Region: us-east-1 (prices vary by region)
• On-Demand pricing (no Reserved or Savings Plan discounts)
• 730 hours / month for compute resources
• Data transfer within the same region is free
• Managed service overhead (EKS control plane, etc.) is included where applicable

Click the $ Cost button in the canvas toolbar to open the cost panel. It slides in from the right alongside the Properties panel.

Panel layout

• Total monthly estimate — sum of all nodes in large text at the top
• Per-resource breakdown — each node with its estimated monthly cost and a line-item breakdown (compute, storage, etc.)
• Computed at — timestamp of the last estimate run

Resources with no pricing data (IAM Roles, Security Groups, VPCs) show $0.00 since they have no direct cost.

The Billing Alarm template (Pro and Enterprise) deploys four CloudWatch alarms that notify you when your AWS spend crosses configurable thresholds — protecting you from unexpected charges.

What gets deployed

All thresholds are editable in the property panel before you export. Click any alarm node and change the Alarm Threshold field.

Before you deploy

• Enable billing alerts in your AWS account — go to Billing → Billing Preferences → Receive Billing Alerts and save. Without this, CloudWatch never receives billing data and all alarms stay in INSUFFICIENT_DATA.
• Deploy in us-east-1 — AWS billing metrics are only published to us-east-1 regardless of where your other resources live.
• Enter a notification email on the SNS node in the property panel before exporting. CloudFormation creates the subscription automatically and AWS sends a confirmation link to that address.

Email subscription

Select the Billing Alerts SNS node on the canvas and enter your email in the Notification Email field. When you deploy the exported template, CloudFormation creates an AWS::SNS::Subscription resource that triggers AWS to send a confirmation email. Check your inbox — the email comes from no-reply@sns.amazonaws.com with subject "AWS Notification - Subscription Confirmation".

How the Daily Spend alarm works

AWS publishes your total month-to-date spend to CloudWatch once every 24 hours. By itself that number grows throughout the month, so a simple threshold alarm would fire every day once your monthly total crosses it — not useful.

The Daily Spend alarm solves this by calculating how much your bill grew since yesterday. For example: if your month-to-date total was $12 yesterday and is $19 today, the daily spend is $7. If your threshold is $5, the alarm fires. If the bill grew by only $3 today, the alarm stays quiet. This catches sudden spikes — like a runaway process or an accidental large resource — that the monthly alarms would not catch until later in the month.

The Free plan is permanent — no credit card required, no trial expiry.

Pro unlocks the full canvas experience for individual developers and small teams. Billed monthly or annually (annual saves 20%).

• Up to 20 projects with 200 nodes each
• Unlimited CloudFormation and Terraform exports
• Organization collaboration — up to 2 users simultaneously on a single Org project
• Cost estimation panel
• Pro-tier AWS services in the palette (EKS, SageMaker, Redshift, etc.)
• API access for CI/CD integrations

Enterprise removes all limits and adds SSO, audit logs, and a dedicated support SLA.

• Unlimited projects and nodes
• Unlimited subscribed members in a shared Organization, with role-based access
• SAML/SSO integration
• Audit log of all canvas changes
• Dedicated Slack support channel
• Custom SLA and uptime commitments
• Private cloud deployment option