CloudCorrect is an open-source engine for continuously validating cloud architecture correctness using executable invariants.
CloudCorrect helps platform and architecture teams maintain the integrity of their AWS environments by monitoring "Invariants"—architectural rules that must always be true. Whether it's ensuring an EC2 instance is running, a critical S3 bucket is NOT public, or an ECS cluster maintains its desired capacity, CloudCorrect provides real-time visibility and historical proofs of your architectural state.
Isn’t this just monitoring? 🤔
Not exactly. Monitoring tells you when a metric crosses a threshold or a service stops answering. CloudCorrect tells you when an architectural assumption has stopped being true, even if every resource involved is still "up". That distinction is exactly why we open-sourced it.
- Multi-Service Invariants: Out-of-the-box support for EC2, ALB, S3, Route53, IAM, RDS, and ECS. More integrations are in the works.
- Continuous Auditing: Define resource groups and schedule automated, periodic health audits.
- Dynamic Assertions: Use aliases to create dependencies between checks (e.g., "DNS record must point to this EC2's Public IP").
- Pause/Resume Control: Granular monitoring control for individual groups.
- Evidence-Based History: Every audit run captures observed technical evidence and technical "reasons" for compliance audits.
- Fail-Fast Notifications: Automated email alerts whenever an evaluation fails, sent to a configurable list of recipients.
- Multi-Tenant & Cross-Account: Support for managing multiple AWS accounts using secure IAM Cross-Account Roles and External IDs.
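The cross-account support in the last bullet rests on the trust policy of the role that each monitored account grants to the monitoring account. The following is an added example, not CloudCorrect's own code or setup instructions, of what that trust policy should contain, a check that it really enforces the External ID, and the parameters the `AssumeRoleCommand` from `@aws-sdk/client-sts` (the SDK the README names) needs in order to present it. The account IDs, role name and External ID are constructed placeholders, and the helper names are mine.

```javascript
// Added example (not CloudCorrect's own code). Trust policy for the role in a
// monitored account: only the named monitoring account may assume it, and only
// when it presents the agreed External ID. The External ID condition is what
// stops a third party who knows the role ARN from getting the monitoring service
// to assume the role on their behalf (the "confused deputy" problem).
function buildTrustPolicy(monitoringAccountId, externalId) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { AWS: `arn:aws:iam::${monitoringAccountId}:root` },
      Action: 'sts:AssumeRole',
      Condition: { StringEquals: { 'sts:ExternalId': externalId } },
    }],
  };
}

// Returns a list of problems found in a trust policy; an empty list means the
// policy is limited to the monitoring account and requires the External ID.
function auditTrustPolicy(policy, monitoringAccountId, externalId) {
  const problems = [];
  const statements = [].concat(policy.Statement || []);
  for (const st of statements) {
    if (st.Effect !== 'Allow') continue;
    const actions = [].concat(st.Action || []);
    if (!actions.some((a) => ['sts:AssumeRole', 'sts:*', '*'].includes(a))) continue;
    // Principal may be the string "*" or { AWS: <arn> | [<arn>, ...] }.
    const principals = typeof st.Principal === 'string'
      ? [st.Principal]
      : [].concat((st.Principal && st.Principal.AWS) || []);
    for (const p of principals) {
      if (p === '*') problems.push('principal is a wildcard');
      else if (!p.includes(`:${monitoringAccountId}:`)) problems.push(`principal ${p} is not the monitoring account`);
    }
    const cond = st.Condition && st.Condition.StringEquals && st.Condition.StringEquals['sts:ExternalId'];
    if (cond === undefined) problems.push('no sts:ExternalId condition');
    else if (cond !== externalId) problems.push('sts:ExternalId does not match the configured value');
  }
  return problems;
}

// Input for `new AssumeRoleCommand(...)` from @aws-sdk/client-sts. The External
// ID has to be sent on every call; with the condition above in place, STS denies
// the assumption when it is missing.
function assumeRoleInput(roleArn, externalId) {
  return {
    RoleArn: roleArn,
    RoleSessionName: 'cloudcorrect-audit',
    ExternalId: externalId,
    DurationSeconds: 900, // the minimum STS allows; one audit run needs no more
  };
}

// Constructed placeholders for a quick self-check.
const MONITORING_ACCOUNT = '111122223333';
const EXTERNAL_ID = 'cc-7f3a9c2e'; // generate one per monitored account, at random
const GOOD_POLICY = buildTrustPolicy(MONITORING_ACCOUNT, EXTERNAL_ID);
const WILDCARD_POLICY = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { AWS: '*' }, Action: 'sts:AssumeRole' }],
};

console.log(auditTrustPolicy(GOOD_POLICY, MONITORING_ACCOUNT, EXTERNAL_ID));
console.log(auditTrustPolicy(WILDCARD_POLICY, MONITORING_ACCOUNT, EXTERNAL_ID));
console.log(assumeRoleInput('arn:aws:iam::999988887777:role/CloudCorrectReadOnly', EXTERNAL_ID));
```

Use a distinct, randomly generated External ID for every monitored account; one shared or guessable value defeats the purpose of the condition. The role in the monitored account only needs the read-only permissions the checks rely on (Describe, Get and List calls for the services in the table), so grant nothing broader.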
How is this different from AWS Config, Trusted Advisor, or traditional monitoring?
- Intent vs. Observation: Traditional monitoring tells you if a service is "up." CloudCorrect tells you if your intent is still true. (e.g., "This DNS record should ALWAYS point to this specific Load Balancer.")
- Dynamic Assertions (Aliases): Unlike static config tools, CloudCorrect allows you to bridge resources. You can capture a Public IP from an EC2 instance and automatically assert that a Route 53 record or a Security Group rule matches it.
- Architectural Invariants: While tools like AWS Config focus on compliance (e.g., "Is encryption enabled?"), CloudCorrect focuses on architectural topology and connectivity.
- Audit-Ready Evidence: Every evaluation captures and persists raw technical evidence, providing a historical paper trail for compliance and troubleshooting that goes beyond simple logs.
- Developer-Centric: Built for teams that move fast and need to ensure that manual changes or automation drifts don't break the intended architectural design.
Every check type captures a set of Properties that can be referenced by subsequent checks in the same group using the `{{alias.property}}` syntax. Checks listed as "same as ..." capture the same property set as the first check of their service.

| Service | Check Type | Description | Referenceable Properties |
|---|---|---|---|
| EC2 | INSTANCE_RUNNING | Instance state is 'running' | instanceId, publicIp, privateIp, state, stateReason, name, instanceType, az, vpcId, subnetId, securityGroups |
| EC2 | HAS_PUBLIC_IP | Instance has a public IP assigned | same as INSTANCE_RUNNING |
| EC2 | IN_SECURITY_GROUP | Instance is a member of the specified security group | same as INSTANCE_RUNNING |
| EC2 | IN_SUBNET | Instance is in the specified subnet | same as INSTANCE_RUNNING |
| ALB | TARGET_GROUP_HEALTHY | Target group has at least one healthy target | healthyCount, totalCount, targetIds, targetGroupArn, listenerPort, protocol |
| ALB | ALB_LISTENER_EXISTS | Listener exists on the load balancer and port | same as TARGET_GROUP_HEALTHY |
| Route53 | DNS_POINTS_TO | Record matches the expected value | recordName, type, values, aliasValue, ttl, hostedZoneId |
| Route53 | RECORD_EXISTS | DNS record exists in the zone | same as DNS_POINTS_TO |
| Route53 | TTL_EQUALS | Record TTL matches the expected value | same as DNS_POINTS_TO |
| IAM | ROLE_EXISTS | IAM role exists | roleName, arn, path, createDate |
| IAM | ROLE_HAS_POLICY | Role has the specified policy attached | policyArn, roleName, attachedPolicies |
| S3 | S3_BUCKET_EXISTS | Bucket exists | bucketName, region, policy, config, rulesCount, objectKey, size, lastModified |
| S3 | S3_BUCKET_POLICY_PRESENT | Bucket has a policy attached | same as S3_BUCKET_EXISTS |
| S3 | S3_BUCKET_PUBLIC_ACCESS_BLOCKED | All Public Access Block settings are enabled | same as S3_BUCKET_EXISTS |
| S3 | S3_LIFECYCLE_CONFIGURED | Bucket has lifecycle rules | same as S3_BUCKET_EXISTS |
| S3 | S3_OBJECT_EXISTS | The specified object key exists | same as S3_BUCKET_EXISTS |
| RDS | RDS_INSTANCE_AVAILABLE | Instance state is 'available' | dbInstanceIdentifier, state, publicAccess, encrypted, engine, instanceClass, subnetGroup |
| RDS | RDS_IN_SUBNET_GROUP | Instance is in the specified subnet group | same as RDS_INSTANCE_AVAILABLE |
| RDS | RDS_PUBLIC_ACCESS_DISABLED | PubliclyAccessible is false | same as RDS_INSTANCE_AVAILABLE |
| RDS | RDS_ENCRYPTION_ENABLED | Storage is encrypted | same as RDS_INSTANCE_AVAILABLE |
| ECS | ECS_CLUSTER_ACTIVE | Cluster state is 'ACTIVE' | clusterName, status, services, tasks |
| ECS | ECS_SERVICE_RUNNING | Running task count is >= desired count | serviceName, running, desired, status, taskDef, loadBalancers |
| ECS | ECS_SERVICE_RUNNING_COUNT_EQUALS_DESIRED | Running task count equals desired count exactly | same as ECS_SERVICE_RUNNING |
| ECS | ECS_TASK_DEFINITION_REVISION_ACTIVE | The specified task definition revision is active | same as ECS_SERVICE_RUNNING |
| ECS | ECS_SERVICE_ATTACHED_TO_ALB | Service is associated with an ALB | same as ECS_SERVICE_RUNNING |
| NETWORK | PING | ICMP echo reply received | target, latency |
| NETWORK | HTTP_200 | URL returns HTTP 200 OK | url, status, latency, contentType, server |
| NETWORK | HTTP_RESPONSE_CONTAINS | Response body contains the expected substring | same as HTTP_200 |
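To make the `{{alias.property}}` mechanism concrete, here is an added example, not CloudCorrect's own code, of how references between checks in one group can be resolved and why evaluation order matters. It is written in Node.js because the backend is. The check type names and property names are the ones from the table; the group shape, the `resolveRefs`/`evaluateGroup` helpers and the in-memory stand-ins for the AWS lookups are assumptions for illustration, and the instance ID, IP addresses and record name are constructed.

```javascript
// Added example (not CloudCorrect's own code): resolving {{alias.property}}
// references between checks in a group. The group shape and helper names are
// assumptions; check types and property names follow the README's table.

// Matches {{alias.property}} with identifier-like alias and property names.
const REF_RE = /\{\{\s*([A-Za-z_][\w-]*)\.([A-Za-z_]\w*)\s*\}\}/g;

// Replace every reference in `value` with the property captured by an earlier
// check. Throws on an alias that has not been evaluated yet or on a property the
// check did not capture, so a typo never silently compares against the literal
// text "{{web.publicIp}}" (which would make a DNS check fail for the wrong reason
// or, worse, let an empty captured value match an empty record).
function resolveRefs(value, captured) {
  if (typeof value !== 'string') return value;
  return value.replace(REF_RE, (_, alias, prop) => {
    const props = captured[alias];
    if (!props) throw new Error(`alias "${alias}" is unknown or evaluated later in the group`);
    if (!(prop in props) || props[prop] == null) throw new Error(`alias "${alias}" captured no property "${prop}"`);
    return String(props[prop]);
  });
}

// Runs the checks of one group in order. Each evaluator receives the check with
// references already resolved and returns { passed, reason, properties }; the
// properties of an aliased check become referenceable by the checks after it.
function evaluateGroup(checks, evaluators) {
  const captured = {};
  const results = [];
  for (const check of checks) {
    const result = { alias: check.alias, type: check.type };
    try {
      const resolved = { ...check, expected: resolveRefs(check.expected, captured) };
      const out = evaluators[check.type](resolved);
      Object.assign(result, out, { expected: resolved.expected });
      if (check.alias) captured[check.alias] = out.properties;
    } catch (err) {
      Object.assign(result, { passed: false, reason: err.message, properties: {} });
    }
    results.push(result);
  }
  return results;
}

// Constructed stand-ins for the AWS lookups; a real implementation would call
// DescribeInstances and ListResourceRecordSets through the SDK.
function makeEvaluators(observed) {
  return {
    INSTANCE_RUNNING: ({ instanceId }) => {
      const inst = observed.ec2[instanceId];
      const passed = Boolean(inst) && inst.state === 'running';
      return {
        passed,
        reason: passed ? `instance ${instanceId} is running` : `instance ${instanceId} state is ${inst ? inst.state : 'absent'}`,
        properties: inst ? { instanceId, ...inst } : {},
      };
    },
    DNS_POINTS_TO: ({ recordName, expected }) => {
      const values = observed.route53[recordName] || [];
      const passed = values.includes(expected);
      return {
        passed,
        reason: passed ? `${recordName} resolves to ${expected}` : `${recordName} has [${values.join(', ')}], expected ${expected}`,
        properties: { recordName, values },
      };
    },
  };
}

// Constructed sample: one instance and the record that must point at it.
const observed = {
  ec2: { 'i-0abc123': { state: 'running', publicIp: '203.0.113.10', privateIp: '10.0.1.5' } },
  route53: { 'app.example.com.': ['203.0.113.10'] },
};
const group = [
  { alias: 'web', type: 'INSTANCE_RUNNING', instanceId: 'i-0abc123' },
  { alias: 'dns', type: 'DNS_POINTS_TO', recordName: 'app.example.com.', expected: '{{web.publicIp}}' },
];

// Everything matches.
function runHappyPath() { return evaluateGroup(group, makeEvaluators(observed)); }
// Drift: someone re-pointed the record; the instance is still fine.
function runDrifted() {
  const drifted = { ...observed, route53: { 'app.example.com.': ['203.0.113.99'] } };
  return evaluateGroup(group, makeEvaluators(drifted));
}
// Misordering: the DNS check is listed before the check it depends on.
function runMisordered() { return evaluateGroup([group[1], group[0]], makeEvaluators(observed)); }

console.log(runHappyPath());
console.log(runDrifted());
console.log(runMisordered());
```

Two design choices carry over to any real implementation: references are only resolved from checks that were evaluated earlier in the same group, and an unresolvable reference is a failed check with a stated reason rather than a silently literal expected value, so the captured "reason" field in the history tells you whether the topology drifted or the group definition is wrong.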
- Frontend: Next.js 15 (App Router), Tailwind CSS, Shadcn UI, Lucide Icons.
- Backend: Node.js, Express, Sequelize ORM (PostgreSQL).
- AWS Integration: AWS SDK v3 for all service interactions.
- Infrastructure: Docker Compose for local database spin-up.
- Node.js (v18+) - Required for local development
- Docker & Docker Compose - Required for database & production run
Use this for active development and debugging.

Start the database container, create a `.env` in `backend/` with the local connection string, then run the backend:

```bash
docker-compose up -d db
cd backend
npm install
npm run dev
```

Contents of `backend/.env`:

```
DATABASE_URL=postgres://cloudcorrect:cloudcorrect_pass@localhost:5437/cloudcorrect
```

These credentials are the local development defaults from docker-compose.yml; do not reuse them on any host reachable by others.

Then start the frontend in a second terminal:

```bash
cd frontend
npm install
npm run dev
```

The frontend runs on http://localhost:8800.
Use this to run the entire stack (frontend, backend, and database) in production mode.

```bash
docker-compose up --build -d
```

- Frontend: http://localhost:8800
- Backend: http://localhost:5001
- Database: PostgreSQL on port 5437

Note: in production mode, make sure the environment variables in docker-compose.yml are set correctly. Key variables include:

- SES_SENDER_EMAIL: the sender email address or domain, verified in AWS SES.
- APP_URL: the public URL of the frontend (used for the links in email notifications).
While CloudCorrect is fully open-source and free to self-host, we offer commercial options for teams and businesses that need additional support:
- Managed Infrastructure — We handle deployment, scaling, and maintenance so you can focus on your business.
- Automatic Updates — Always run the latest version with security patches and new features.
- High Availability — Enterprise-grade uptime with redundant infrastructure.
- Additional Checks: We can help you add additional checks suitable for your infrastructure.
- Custom Integrations: We can help you integrate CloudCorrect with your existing tools and workflows.
- Advanced Analytics: We can help you analyze your data and provide insights into your infrastructure.
- Priority Support: We offer priority support for our customers.
- SLA Guarantees: We offer SLA guarantees for our customers.
For cloud hosting, enterprise features, or custom development inquiries:
📧 Email: dhaval@appgambit.com
This project is licensed under the MIT License - see the LICENSE file for details.