Local-first · Read-only · No telemetry

See everything.
Touch nothing.

An AWS operations console that runs on your machine, uses your own profiles, and cannot change a thing.

Signed and notarized. Nothing phones home.

The CloudEye timeline: metrics for a service, with deploys, alarms, changes, findings and errors on lanes beneath them, a draggable playhead, and a security posture card.

The read-only guarantee

The app cannot change your infrastructure. Not by mistake, not by prompt, not by bug.

Every AWS call goes through one function with a hard allowlist of read-only verbs: describe, get, list. There is no code path to a mutating API.

  • Your credentials, your machine. It uses the profiles already in ~/.aws.
  • Point it at production. The safety is structural, not a setting.
  • One exception. It can run aws sso login to renew a session, nothing more.
the allowlist
  • allowedecs describe-services
  • allowedcloudwatch get-metric-data
  • allowedlogs filter-log-events
  • allowedcloudtrail lookup-events
  • allowedguardduty list-findings
  • allowedec2 describe-security-groups
  • blockedecs update-service
  • blockediam create-access-key
  • blockeds3 rm
  • blockedlambda delete-function

Not a policy. The verbs are not in the program.

Incident timeline

Deploys, alarms, changes and errors on one axis.

Everything that happened to a service, drawn under its metrics on one axis.

  • Correlated lanes. A deploy with its commit, an alarm with its reason, a change with its actor.
  • A playhead that time-travels. Drag it, the account re-renders as it was then.
  • Select a window, get the story. The analyst reconstructs it and drafts the postmortem.
  • Grounded in events, not vibes. The draft cites every event behind it.
What lands on the axis
  • Deploysworkflow runs, commit, pull request
  • Alarmsstate transitions and their reasons
  • ChangesCloudTrail writes and who made them
  • FindingsGuardDuty and Security Hub
  • ErrorsLambda failures and log-group errors
  • Metricsmemory, CPU, latency, 5xx, per service

Every lane comes from the account itself.

Security posture

You cannot mark it fixed while AWS still says it is broken.

One sweep: GuardDuty, Security Hub, CloudTrail forensics, IAM hygiene, open security groups, S3, ECR and your logs. Scored 0 to 100, graded A to F.

  • Findings are tracked, not listed. Fingerprinted by substance, so a problem keeps its row.
  • Resolution is verified against AWS. Mark it resolved and the collector re-runs, live and uncached.
  • Regressions come back loudly. A finding that reappears is reopened, dated.
  • An outage never fakes a fix. A failed collector resolves nothing.
Verify against AWS
critical sg-04c1e allows 0.0.0.0/0 on port 5432 marked resolved
re-running ec2 describe-security-groups still present · status held at in progress
high S3 bucket assets-raw missing public access block marked resolved
re-running s3api get-public-access-block gone from AWS · resolved, verified 14:22

An AI analyst on your own key

Bedrock, Anthropic, OpenAI, Gemini or DeepSeek, called from your machine on your own key.

Architecture map, drawn from the account

Drawn from the account today, not a diagram from two years ago.

Deploy intelligence and drift

The commit running right now, next to the head of your default branch.

Live logs that behave

Level chips, JSON that expands where you click, one search across every log group.

Every account, fully isolated

One workspace per account, so metrics, logs, maps, runbooks and findings never cross.

One local account, no cloud sign-in

Your password is hashed into SQLite on your disk, never onto a server of ours.

How it works

  1. 1

    Download it

    A signed app. Its server binds to 127.0.0.1.

  2. 2

    Sign in locally

    Created on first launch, stored on your disk.

  3. 3

    Add an AWS profile

    Point a workspace at a profile you already have.

  4. 4

    It reads, never writes

    Every call is on the allowlist. Every byte stays on your machine.

Download

Running in a minute, reading your account in two.

Download for macOS Universal · Apple silicon and Intel

Signed and notarized by Apple.

Served in your browser at cloudeye.localhost:4630. Needs Node 22 or newer.

Requirements. macOS 13 or newer, an AWS profile, and your own provider key for the AI analyst.