Atlas Docs

Atlas is a native Windows desktop platform for cloud infrastructure management. Explore your AWS resources visually, detect infrastructure drift between Terraform and what's actually deployed, and manage Infrastructure as Code — all in one place. It is built with WPF and .NET 9 — no browser, no Electron, no slowness. Azure support is coming soon.

When you open Atlas for the first time you will see the Dashboard with an empty state. The next step is to add your AWS account.

• Click Settings in the left sidebar, or click the Go to Settings link in the Dashboard empty state.
• Fill in your AWS credentials (see Add Account).
• Click Validate & Add Account. Atlas calls sts:GetCallerIdentity to verify the keys.
• Once validated, navigate to any page — the data will load automatically.

Open the Settings page and fill in the form:

Click Validate & Add Account. Atlas calls sts:GetCallerIdentity — if the credentials are valid the account is saved. If not, an inline error explains what went wrong.

Atlas only calls read actions plus the specific write actions required for the features you use. Attach the policy below to your IAM user to enable all features. Remove any sections for services you don't use.

You can add unlimited AWS accounts (each with its own access keys and default region) and switch between them instantly.

• Add each account in Settings using the same form as the first account.
• The Active account is shown in the top bar at all times.
• Click the account name in the top bar to open the account switcher dropdown.
• Switching accounts immediately invalidates all cached data and reloads the current page.
• Each account has its own default region — you can change it in Settings at any time.
• To remove an account, click Remove next to it in Settings. The next account in the list becomes active automatically.

Cloud consoles show what is deployed; Infrastructure as Code (IaC) shows the desired state. Atlas connects both worlds. It integrates with Terraform so you can import existing AWS resources into code, generate HCL, run init/plan/apply, and detect drift — without leaving the app.

• Stacks — group projects, run the full import → plan pipeline, and view live streaming output per run.
• Import to Terraform — discover live resources across 35+ types and generate import blocks and HCL.
• Drift detection — run a plan to see what changed outside of code.

A stack is a Terraform project that Atlas manages for you. Each stack tracks its runs (Init, Import, Plan, Apply) with status, duration and full logs.

• Click Create new stack, give it a name and pick a destination folder.
• Atlas provisions an S3 remote-state backend (atlas-tfstate-<accountId>) with versioning, public-access block and SSE encryption — or falls back to local state if permissions are insufficient.
• Runs stream their output in real time. Logs auto-expand and auto-scroll; use Copy to grab the full output.
• Use the per-stack Actions menu to run Init, Import or Apply, or to remove the stack (your .tf files on disk are preserved).

Atlas discovers what already exists in your AWS account and brings it under Infrastructure as Code — no hand-written import blocks required.

• Discovery scans across 35+ resource types — Compute (EC2, ASG, Launch Templates), Networking (VPC, Subnet, SG, Route Tables, Gateways, Load Balancers), Database (RDS, DynamoDB, ElastiCache), Serverless (Lambda, API Gateway), Containers (ECS, EKS, ECR), Messaging (SQS, SNS), IAM, Security (KMS, Secrets Manager, ACM), DNS (Route53) and Monitoring (CloudWatch).
• A selection screen groups discovered resources by category so you choose exactly what to manage.
• Atlas writes Terraform 1.5+ import { } blocks and generates clean HCL definitions, wrapped in ATLAS-MANAGED markers so you can regenerate safely without touching hand-written code.
• Default discovery skips AWS-managed and default resources (default VPC/SG, service-linked roles) unless you opt in.

Infrastructure drift is the gap between what your Terraform declares and what is actually deployed. Atlas runs terraform plan against your live environment and surfaces the difference as a readable diff.

• + to add — declared in code but not yet deployed.
• ~ to change — deployed configuration drifted from code.
• - to destroy — exists in code but removed in the cloud, or scheduled for removal.

Review the plan, then choose Apply to reconcile reality with your Infrastructure as Code. Re-run plan anytime to confirm there is no remaining drift.

The Dashboard gives you an instant overview of your AWS infrastructure health and costs.

• Account ID is shown below the KPI cards.
• Last-refreshed timestamp updates after every reload.
• The Refresh button forces a full reload regardless of cache.
• All four API calls run in parallel — a missing permission on one call (e.g. no CloudWatch access) does not prevent the others from loading.
• Cost overview panel shows current-month spend and a 30-day forecast (requires ce:GetCostAndUsage).

Manage all EC2 instances in your active account and region from a single table.

• Columns: State badge, Name, Instance ID, Type, Public IP, Private IP, Launch Time.
• Real-time search by name, instance ID, or IP address — results filter as you type.
• Status filter dropdown: All / running / stopped / pending / terminated.
• Color-coded state badges: â–  running, â–  stopped, â–  pending/stopping, â–  shutting-down, â–  terminated.

• Select instances via row checkboxes. The header checkbox selects/deselects all visible rows. Use Ctrl+A to select all.
• A slide-in action bar appears at the bottom when at least one row is selected, showing a count pill and action buttons.
• Available actions: Start, Stop, Reboot, Terminate.
• Every action opens a confirmation dialog listing the target instances. Terminate uses a red danger variant with an explicit "this cannot be undone" warning.
• After an action completes the list auto-reloads to reflect the new state.

Selecting exactly one instance opens a detail panel on the right side. It shows:

• Summary — ID, state, type, vCPUs, public/private/IPv6 IPs, region, DNS names, VPC, Subnet, IAM role, Auto Scaling Group, IMDSv2 status, ARN.
• Details — AMI ID, monitoring, platform, key pair, launch time, virtualization type, lifecycle, boot mode, credit specification.
• Placement — Tenancy, Host ID, affinity, placement group, partition, reservation.
• Capacity Reservation — Reservation ID and setting.

Copy buttons () are available next to Instance ID, ARN, and AMI ID. The panel closes when you clear the selection or select multiple rows.

Browse S3 buckets and objects, upload files, and download objects — all from a split-pane browser.

• Left panel lists all buckets with name and creation date. Click a bucket to open it.
• Right panel shows the objects inside the selected bucket.
• Object columns: Key/Name, Size (auto-formatted as B / KB / MB / GB), Storage Class, Last Modified.
• Objects are browsed with prefix-based navigation, similar to a folder hierarchy.

• Click Upload to open a file picker.
• A real-time progress bar and percentage are shown during the upload.
• The object list refreshes automatically when the upload completes.

• Select an object and click Download.
• A save dialog lets you choose the destination.
• A real-time progress bar and percentage are shown during the download.

Monitor the state of all your CloudWatch alarms in one place without navigating through the AWS Console.

• KPI cards show counts per alarm state: ALARM, OK, INSUFFICIENT_DATA.
• Filter chips at the top let you show only alarms in a specific state.
• Real-time search filters alarms by name as you type.
• Each row shows alarm name, state badge, metric name, threshold, and last update time.

Review all active GuardDuty security findings sorted and filtered by severity.

• KPI cards show finding counts per severity: HIGH, MEDIUM, LOW.
• Severity filter chips at the top narrow down the list.
• Real-time search filters findings by title or description.
• Each finding row shows title, severity badge, finding type, region, and last seen time.

Audit IAM users, roles, groups, and policies across your AWS account.

• List all IAM users with username, creation date, last activity, and attached policies.
• List all IAM roles with role name, creation date, and trust policy summary.
• List IAM groups and their membership counts.
• List managed policies with their attachment counts.
• Real-time search across all IAM entities.

Track your AWS spend with Cost Explorer data pulled directly from the AWS API.

• Current-month cost breakdown by service.
• Month-over-month spend comparison.
• 30-day cost forecast based on current usage trends.
• Displayed on the Dashboard summary panel as well as the dedicated Billing page.

• AWS access keys are encrypted with Windows DPAPI (user-scoped) before being written to the local SQLite database.
• Credentials are decrypted in memory only at the moment an AWS SDK call is made, then discarded.
• No plaintext credentials are ever written to disk.
• The SQLite database is stored at %LocalAppData%\Atlas\atlas.db and is readable only by the Windows user account that created it.

• Atlas has no backend server. All AWS API calls go directly from your machine to the AWS SDK endpoints.
• No telemetry data containing your AWS resource names or account IDs is ever transmitted anywhere.
• The only external connections are: AWS SDK endpoints, optional auto-update checks (Velopack/GitHub), and anonymous usage analytics (page views only, via Google Analytics).

• Unhandled errors are written to atlas-errors.txt in the application directory.
• Log entries are prepended (newest first) and include timestamp, level, message, and stack trace.
• Log format: [YYYY-MM-DD HH:mm:ss] [LEVEL] message
• Logs never contain credential values.