Node reference
Every resource type you can drop onto the canvas. Each node documents its configuration, its typed connection ports, and the Terraform it generates — all validated against the live AWS provider schema.
230 resources across 18 categories.
AI / ML (16)
Bedrock Agent: Action-taking LLM agent with tool calling and knowledge bases.
Bedrock Guardrail: Content filtering and topic-restriction policy for foundation models.
Bedrock Invocation Logging: Captures Bedrock model input/output to S3 and/or CloudWatch.
Bedrock Knowledge Base: Vector index over a data source (S3, web, Confluence, SharePoint, Salesforce).
Kendra Index: Enterprise search index over connected data sources.
Lex V2 Bot: Conversational interface (intents + slots + fulfilment Lambda).
Rekognition Collection: Face metadata collection for IndexFaces / SearchFaces.
Rekognition Custom Labels Project: Trains custom image-classification / object-detection models.
SageMaker Endpoint Configuration: Defines production variants (models + scaling) for an endpoint.
SageMaker Feature Group: Versioned feature store entity (online + offline).
SageMaker Model: Container + model artifact bundle used by endpoint configs.
SageMaker Notebook Instance: Managed Jupyter notebook instance.
SageMaker Pipeline: ML workflow (steps for processing, training, evaluation, registration).
SageMaker Studio Domain: Multi-user Studio workspace tying users to networking + storage.
SageMaker User Profile: Per-user workspace inside a Studio domain.
Transcribe Custom Vocabulary: Boosts recognition of domain-specific words / acronyms.
Analytics (6)
Athena Workgroup: Query group with isolation, cost limits, output settings.
EMR Cluster: Big data processing on Spark / Hive / Hadoop / Presto.
Glue Crawler: Schedule-driven schema discovery into Glue Data Catalog.
Glue Job: Serverless ETL job (Spark / Python shell / Ray).
MSK Kafka Cluster: Managed Streaming for Apache Kafka.
OpenSearch Domain: Managed Elasticsearch / OpenSearch cluster.
Compute (23)
Amplify App: Fullstack hosting for SPA / SSR frontends with git-based deploys.
Amplify Branch: Per-branch deployment configuration.
Amplify Domain Association: Custom domain binding for an Amplify app.
App Runner Service: Fully-managed container runtime for HTTP apps.
Auto Scaling Group: Manages a fleet of EC2 instances.
AWS Batch Job Queue: Batch job queue with compute environment ordering.
EC2 Instance: Virtual machine in the cloud.
EC2 Launch Template: Reusable EC2 launch configuration (AMI + instance type + user data).
ECR Repository: Private container image registry.
ECS Capacity Provider: EC2 capacity for an ECS cluster, backed by an Auto Scaling Group.
ECS Cluster: Container orchestration cluster.
ECS Service (Fargate): Long-running container task on Fargate.
ECS Task Definition: Container task blueprint with CPU / memory / image specs.
EKS Cluster: Managed Kubernetes control plane.
EKS Node Group: Managed worker nodes attached to an EKS cluster.
Lambda Alias: Pointer to a Lambda version with optional traffic shifting.
Lambda Code Signing Config: Verifies function code with AWS Signer profiles.
Lambda Event Source Mapping: Stream / queue → Lambda invocation poller.
Lambda Function: Serverless function.
Lambda Function URL: Built-in HTTPS endpoint for a Lambda function (authorization type AWS_IAM, or NONE, which makes the endpoint public).
Lambda Layer: Shared code / dependencies for Lambda functions.
Lambda Permission: Resource-based policy statement allowing a principal (an AWS service, account or organization) to invoke a function; scope service principals with source_arn / source_account so only the intended resource can invoke it.
Lambda Provisioned Concurrency: Reserved warm execution environments for a function/alias.
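As an added example (not the tool's own code) of the path the introduction describes for the Lambda Permission node above: a three-node canvas graph (S3 Bucket, Lambda Function, Lambda Permission) is checked against a constructed fragment of the AWS provider schema, its typed wires are resolved into Terraform references, and a least-privilege check flags a service-principal permission that carries neither source_arn nor source_account. The schema fragment, node and resource names, the graph and the `Ref`/`Node` shapes are all assumptions made for this example; the tool's real node model, identifiers and output format are not known here.

```python
"""Toy node-to-Terraform pipeline: provider-schema validation, typed wires between nodes,
and a least-privilege check on Lambda Permission. Constructed for this page; not the tool's code."""
import json
from dataclasses import dataclass


def attrs(**flags):
    """One resource block in the shape of `terraform providers schema -json` (block -> attributes)."""
    return {"block": {"attributes": {k: {"type": "string", v: True} for k, v in flags.items()}}}


# Constructed schema fragment: only the attributes this example uses; the real AWS schema is far larger.
RESOURCE_SCHEMAS = {
    "aws_s3_bucket": attrs(bucket="optional", arn="computed"),
    "aws_lambda_function": attrs(function_name="required", role="required", arn="computed"),
    "aws_lambda_permission": attrs(action="required", function_name="required", principal="required",
                                   source_arn="optional", source_account="optional"),
}


@dataclass(frozen=True)
class Ref:  # a typed connection port: another node's exported attribute wired into this value
    node: str
    attribute: str


@dataclass
class Node:
    id: str       # canvas node id, reused here as the Terraform resource name (assumption)
    tf_type: str  # Terraform resource type the node generates
    attrs: dict   # configuration; values are str, list or Ref


def iter_refs(value):
    if isinstance(value, Ref):
        yield value
    elif isinstance(value, (list, dict)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from iter_refs(v)


def validate_block(path, values, block):
    """Required attributes present, and no keys the provider schema does not know."""
    known = block["attributes"]
    errors = [f"{path}: missing required attribute '{a}'"
              for a, spec in known.items() if spec.get("required") and a not in values]
    errors += [f"{path}: unknown attribute '{a}' (not in provider schema)" for a in values if a not in known]
    return errors


def validate_graph(nodes):
    """Schema errors plus dangling wires (a Ref to a missing node or a non-exported attribute)."""
    errors = []
    for n in nodes.values():
        errors += validate_block(n.id, n.attrs, RESOURCE_SCHEMAS[n.tf_type]["block"])
        for r in iter_refs(n.attrs):
            target = nodes.get(r.node)
            if target is None or r.attribute not in RESOURCE_SCHEMAS[target.tf_type]["block"]["attributes"]:
                errors.append(f"{n.id}: dangling reference to {r.node}.{r.attribute}")
    return errors


def lint_lambda_permissions(nodes):
    """A service principal with neither source_arn nor source_account lets any resource of that
    service, in any AWS account, invoke the function (confused deputy). Flag it."""
    return [f"{n.id}: principal {n.attrs['principal']} not scoped by source_arn or source_account"
            for n in nodes.values() if n.tf_type == "aws_lambda_permission"
            and str(n.attrs.get("principal", "")).endswith(".amazonaws.com")
            and not {"source_arn", "source_account"} & set(n.attrs)]


def hcl(value, nodes):
    """A Ref renders as a Terraform reference; strings and lists as HCL literals."""
    if isinstance(value, Ref):
        return f"{nodes[value.node].tf_type}.{value.node}.{value.attribute}"
    if isinstance(value, list):
        return "[" + ", ".join(hcl(v, nodes) for v in value) + "]"
    return json.dumps(value)


def render(nodes):
    """Emit the HCL the graph maps to, one resource block per node."""
    blocks = []
    for n in nodes.values():
        body = "".join(f"  {k} = {hcl(v, nodes)}\n" for k, v in n.attrs.items())
        blocks.append(f'resource "{n.tf_type}" "{n.id}" {{\n{body}}}')
    return "\n\n".join(blocks)


def example_graph():
    """Constructed three-node graph: S3 may invoke the function, but only from this one bucket."""
    return {
        "uploads": Node("uploads", "aws_s3_bucket", {"bucket": "example-uploads-bucket"}),
        "thumbnailer": Node("thumbnailer", "aws_lambda_function",
                            {"function_name": "thumbnailer", "role": "arn:aws:iam::123456789012:role/thumbnailer"}),
        "allow_s3": Node("allow_s3", "aws_lambda_permission", {
            "action": "lambda:InvokeFunction", "function_name": Ref("thumbnailer", "function_name"),
            "principal": "s3.amazonaws.com", "source_arn": Ref("uploads", "arn")}),
    }


if __name__ == "__main__":
    print(render(example_graph()))
    bad = example_graph()
    del bad["allow_s3"].attrs["source_arn"]    # the common mistake: an unscoped service principal
    bad["allow_s3"].attrs["principle"] = "x"   # a typo the schema check catches before `terraform plan`
    print(validate_graph(bad), lint_lambda_permissions(bad))
```

Two practitioner notes on the pattern: `source_account` is the right scope when the invoking resource's ARN is not known or may change, and `source_arn` when it is (use both when you can). When the graph is completed with an S3 Bucket Notification node, the notification resource must depend on the permission (`depends_on`), because S3 validates that it can invoke the function when the notification configuration is written and rejects it otherwise.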
Database (28)
Amazon MQ Broker: Managed ActiveMQ / RabbitMQ broker.
Aurora Cluster: Distributed, MySQL/Postgres-compatible database.
DocumentDB Cluster: MongoDB-compatible document database.
DocumentDB Elastic Cluster: Shard-based, elastic-scale DocumentDB cluster.
DocumentDB Parameter Group: Cluster parameters applied to DocumentDB clusters.
DynamoDB Table: Serverless NoSQL key-value table.
ElastiCache Cluster: Managed Redis / Memcached.
Keyspaces (Cassandra) Keyspace: Managed Apache Cassandra-compatible keyspace.
MemoryDB ACL: Access control list of MemoryDB users.
MemoryDB Cluster: Durable, Redis-compatible in-memory database.
MemoryDB Parameter Group: Engine parameters applied to MemoryDB clusters.
MemoryDB Subnet Group: Subnet set MemoryDB places cluster nodes in.
Neptune Cluster: Managed graph database (Gremlin / SPARQL / openCypher).
QLDB Ledger: Immutable, cryptographically verifiable transaction log.
RDS Cluster Parameter Group: Cluster-level parameters for Aurora/Multi-AZ clusters.
RDS Instance: Managed relational database.
RDS Option Group: Engine-specific option list (e.g., MSSQL TDE, Oracle APEX).
RDS Parameter Group: Engine-level parameters applied to RDS instances.
RDS Proxy: Connection pooler in front of RDS / Aurora.
RDS Read Replica: Asynchronous read-only copy of a source RDS instance.
RDS Subnet Group: Subnet set RDS chooses when placing instances.
Redshift Cluster: Petabyte-scale columnar data warehouse.
Redshift Parameter Group: Engine parameters applied to Redshift clusters.
Redshift Serverless Namespace: Storage layer (database + IAM + KMS) for Redshift Serverless.
Redshift Serverless Workgroup: Compute layer (RPUs + endpoint) for Redshift Serverless.
Redshift Subnet Group: Subnet set Redshift places cluster nodes in.
Timestream Database: Serverless time-series database.
Timestream Table: Schema-on-write time-series table inside a Timestream database.
DevOps (3)
Edge & API (11)
API Gateway (HTTP): Lower-cost HTTP API for Lambda / VPC services.
API Gateway (REST): Managed REST / WebSocket API endpoint.
CloudFront Distribution: Global CDN edge network.
Internet: Public internet / client; the entry point all ingress connects from.
Shield Advanced Protection: Enables AWS Shield Advanced on a resource (ALB / NLB / EIP / CloudFront).
WAF IP Set: Reusable IPv4/IPv6 list referenced by WAF rules.
WAF Logging Configuration: Streams matched request logs from a Web ACL to S3 / Firehose / CW Logs.
WAF Regex Pattern Set: Reusable list of regex patterns for WAF rule matching.
WAF Rule Group: Reusable group of WAF rules referenced by Web ACLs.
WAF Web ACL: L7 application firewall (rules, rate limits).
WAF Web ACL Association: Attaches a Web ACL to a load balancer / API GW / CloudFront.
Identity & access (25)
ACM Certificate Validation: Waits for the DNS / Email validation step to succeed.
ACM PCA Certificate: Issued certificate from an ACM Private CA.
ACM Private CA: Private certificate authority for issuing internal TLS certs.
Cognito Identity Pool: Federated identity → temporary AWS credentials.
Cognito Identity Provider: External federated IdP (Google, Facebook, OIDC, SAML) attached to a user pool.
Cognito Resource Server: OAuth resource server identifier exposing custom scopes.
Cognito UI Customization: Hosted UI branding customization (CSS / logo).
Cognito User Pool: Managed user directory with sign-up / sign-in.
Cognito User Pool Client: OAuth/OIDC application client registered against a user pool.
Cognito User Pool Domain: Hosted UI domain for the user pool.
IAM Access Key: Programmatic credential pair for an IAM user (long-lived; prefer roles and temporary credentials).
IAM Group: Collection of IAM users sharing policies.
IAM Group Membership: Adds users to an IAM group.
IAM Group Policy Attachment: Binds a managed policy to an IAM group.
IAM Inline Role Policy: Inline JSON policy embedded directly in a role.
IAM Instance Profile: Wraps an IAM role for EC2 / ECS-on-EC2 use.
IAM OpenID Connect Provider: Trusts an external IdP (GitHub Actions, EKS IRSA, Auth0, etc.).
IAM Policy: Customer-managed JSON policy, or a reference to an AWS-managed policy.
IAM Role: Assumable identity; its trust policy decides who may assume it (AWS services, other accounts, federated identities).
IAM Role Policy Attachment: Binds a managed policy to an IAM role.
IAM SAML Provider: Trusts an external SAML IdP for federated access.
IAM User: Long-lived AWS identity (avoid for workloads; prefer roles).
IAM User Policy Attachment: Binds a managed policy to an IAM user.
KMS Key: Customer-managed encryption key.
Secrets Manager Secret: Encrypted secret with optional automatic rotation.
Integration (7)
AppSync Data Source: Connects an AppSync API to DynamoDB, Lambda, or HTTP backends.
AppSync GraphQL API: Managed GraphQL with real-time subscriptions.
EventBridge Pipe: Point-to-point integration source → enrichment → target.
MWAA (Managed Airflow): Managed Apache Airflow environment.
SageMaker Endpoint: HTTPS endpoint serving an ML model for real-time inference.
SES Identity: Verified email domain / address for Simple Email Service.
Step Functions State Machine: Visual orchestrator for distributed workflows.
IoT (6)
IoT Certificate: X.509 client certificate used to authenticate IoT devices.
IoT Custom Authorizer: Custom Lambda-backed authorizer for IoT connections.
IoT Policy: IoT-specific permissions attached to certificates / Cognito IDs.
IoT Thing: Logical device representation in AWS IoT registry.
IoT Thing Type: Schema for a class of things.
IoT Topic Rule: SQL filter on MQTT topic data routing messages to downstream actions.
Load balancing (5)
Management (6)
ACM Certificate: Public TLS certificate for ALB / CloudFront / API Gateway.
AWS Config Rule: Configuration compliance check (managed or custom).
Backup Plan: Scheduled AWS Backup rule with lifecycle and resource selection.
Backup Vault: Encrypted destination for AWS Backup recovery points.
CloudTrail Trail: Captures account activity as audit events.
SSM Parameter: Hierarchical config / secret value (Parameter Store; use the SecureString type for secrets).
Media (6)
IVS Channel: Interactive Video Service low-latency live channel.
MediaConvert Queue: Job queue for on-demand video transcoding.
MediaLive Channel: Live video encoder / packager pipeline.
MediaLive Input: Live video input (RTMP / HLS / Elemental Link / SDI).
MediaPackage Channel: Origin packager for live streaming (HLS / DASH / CMAF / Smooth).
MediaStore Container: Low-latency media object storage.
Messaging (16)
EventBridge Bus: Event bus for cross-service rules.
EventBridge Rule: Pattern- or schedule-driven rule on an event bus.
EventBridge Scheduler: One-time or recurring schedule (the successor to CloudWatch Events scheduled rules).
EventBridge Target: Recipient (Lambda, SQS, ECS, Step Functions, Kinesis, etc.) attached to a rule.
Kinesis Data Stream: Real-time streaming data ingestion.
Kinesis Firehose: Delivery stream from sources to S3 / Redshift / OpenSearch.
SES Configuration Set: Named bundle of event publishing, IP pool, reputation, and TLS rules.
SES Domain Identity: Verifies a domain for sending email via SES (also publishes DKIM).
SES Event Destination: Publishes engagement events (delivery / bounce / complaint / open / click) to a destination.
SES Receipt Rule: Inbound email rule with actions (S3, Lambda, SNS, bounce).
SES Receipt Rule Set: Container for inbound email receipt rules.
SNS Subscription: Binds an SNS topic to a delivery endpoint (Lambda / SQS / HTTPS / email / mobile).
SNS Topic: Pub/sub fan-out topic.
SNS Topic Policy: Resource-based access policy attached to an SNS topic.
SQS Queue: Managed message queue.
SQS Queue Policy: Resource-based access policy attached to an SQS queue.
Network (38)
AWS Network Firewall: Stateful managed firewall for VPC traffic inspection.
Client VPN Endpoint: OpenVPN-compatible client VPN backed by AWS.
Customer Gateway: Represents the on-premises peer in a Site-to-Site VPN.
DHCP Options Set: DHCP configuration associated with a VPC.
Direct Connect Connection: Physical dedicated network connection at an AWS DX location.
Direct Connect Gateway: Hub for connecting multiple VPCs across regions to on-prem via DX.
EIP Association: Binds an Elastic IP to an instance or network interface.
Elastic IP: Static IPv4 reserved in your AWS account.
GA Endpoint Group: Regional endpoint group behind a Global Accelerator listener.
GA Listener: Global Accelerator listener for a client port range.
Global Accelerator: Anycast IP service routing traffic to AWS endpoints.
Internet Gateway: VPC entry point to the public internet.
NAT Gateway: Outbound NAT for private subnets.
Network ACL: Stateless subnet-level firewall.
Network Firewall Policy: Stateful + stateless rule groups attached to a firewall.
Network Interface (ENI): Virtual NIC attachable to EC2 / Lambda / containers.
Route: Individual route entry in a route table.
Route Table: Set of routes for a VPC; subnets are associated with it to pick up its routes to gateways.
Route Table Association: Associates a subnet (or gateway) with a route table.
Route53 DNSSEC: Enables DNSSEC signing for a hosted zone.
Route53 Health Check: Liveness probe for DNS failover / record routing decisions.
Route53 Record: DNS record set under a Route53 hosted zone.
Route53 Resolver Endpoint: Inbound or outbound DNS endpoint bridging VPC and on-prem resolvers.
Route53 Resolver Query Log: Logs VPC DNS queries to CloudWatch / S3 / Firehose.
Route53 Resolver Rule: Forwards DNS queries for specific domains to target IPs.
Route53 Zone: DNS hosted zone.
Security Group: Stateful firewall attached to a network interface (instance-level).
SG Egress Rule: Outbound firewall rule attached to a security group.
SG Ingress Rule: Inbound firewall rule attached to a security group.
Site-to-Site VPN Connection: IPsec tunnel between a VPN gateway and a customer gateway.
Subnet: Subdivision of a VPC.
Transit Gateway: Hub-and-spoke network for multiple VPCs / on-premises.
VPC: Virtual private cloud.
VPC Endpoint: Private connection from VPC to AWS services.
VPC Endpoint Service: Expose a service via PrivateLink to other VPCs/accounts.
VPC Flow Log: Captures IP traffic to/from network interfaces in a VPC.
VPC Peering Connection: Network link between two VPCs.
VPN Gateway: Virtual private gateway on the AWS side of a Site-to-Site VPN.
Observability (10)
CloudWatch Alarm: Threshold-based metric alarm.
CloudWatch Composite Alarm: Logical (AND/OR) combination of underlying alarms.
CloudWatch Dashboard: Customizable metric / log dashboard.
CloudWatch Evidently Project: A/B testing and feature-flag experiment workspace.
CloudWatch Insights Query: Saved Logs Insights query.
CloudWatch Log Group: Container for application log streams.
CloudWatch Metric Filter: Extracts a numeric metric from log events.
CloudWatch Subscription Filter: Streams matching log events to Lambda / Kinesis / Firehose.
CloudWatch Synthetics Canary: Headless browser / API probe that runs on a schedule.
X-Ray Group: Filter expression to slice distributed traces.
Security (8)
Detective Graph: Behavior graph linking GuardDuty findings for investigation.
GuardDuty Detector: Threat detection across CloudTrail, VPC flow logs, DNS, S3, EKS, RDS, Lambda.
GuardDuty Filter: Reusable finding filter (suppress / classify).
IAM Access Analyzer: Identifies resources shared with external entities.
Inspector v2: Continuous vulnerability scanning for EC2 / ECR images / Lambda.
Macie Account: Sensitive-data discovery for S3 buckets.
Security Hub: Centralized aggregation of GuardDuty, Inspector, Macie, Config findings.
Security Lake: Centralized security data lake (OCSF format on S3).
Storage (10)
EBS Volume: Block storage attached to EC2.
EFS File System: Elastic shared file storage.
FSx File System: Managed shared file storage (Lustre, Windows, ONTAP, OpenZFS).
S3 Access Point: Named, policy-isolated endpoint for accessing a bucket.
S3 Bucket: Object storage.
S3 Bucket Notification: Routes bucket events to Lambda / SQS / SNS / EventBridge.
S3 Intelligent Tiering: Auto-tiering configuration for cost optimization.
S3 Inventory: Daily/weekly inventory listing of bucket objects.
S3 Object Lambda Access Point: Transforms object content via Lambda on GET requests.
S3 Replication Configuration: Cross-region / same-region replication rules.
Transfer (6)
DataSync Location (EFS): EFS endpoint for DataSync.
DataSync Location (S3): S3 endpoint usable as a DataSync source or destination.
DataSync Task: Source → destination data transfer job (one-time or scheduled).
Storage Gateway: Hybrid on-prem cache → AWS storage (file / volume / tape).
Transfer Family Server: Managed SFTP / FTPS / FTP endpoint backed by S3 or EFS (FTP is plaintext and is offered only for VPC-internal access; prefer SFTP or FTPS).
Transfer Family User: SFTP / FTPS user attached to a server.