Open-source policy engine that blocks bad AWS spending patterns before they ship and remediates what's already burning.
Changelog | Documentation | Discord
CloudBurn runs deterministic cost rules against your Terraform and CloudFormation with scan, then runs those same rules against your live AWS account with discover. Wire it into CI to catch waste before deploy. Point it at a running account to find what's still burning money.
Output is available in json and table formats.

Install with Homebrew (this installs Node.js automatically if you don't have it):
brew install towardsthecloud/tap/cloudburn
Or install with npm (requires Node.js 24+):
npm install --global cloudburn
Or run it without installing:
npx cloudburn scan ./main.tf
Config is optional. By default, CloudBurn runs all checks for the mode you use.
Create a starter config:
cloudburn config --init
Inspect the current discovered config file:
cloudburn config --print
Inspect the starter template without writing a file:
cloudburn config --print-template
CloudBurn reads .cloudburn.yml or .cloudburn.yaml. By default it searches upward from the current directory until it finds a config file or reaches the git root. In CI, implicit config discovery is skipped entirely; use --config <path> on scan or discover to opt into an exact file instead.
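As an added illustration of these lookup rules, written for this page and not taken from CloudBurn's code base: a POSIX shell reimplementation of the upward search that stops at the git root and skips discovery in CI. It assumes CI is signalled by the CI environment variable; the page does not say how CloudBurn itself detects CI, so treat that detail as an assumption.

```shell
#!/bin/sh
# Added illustration of the config lookup described above; not CloudBurn's own
# implementation. Walks upward from a start directory until it finds
# .cloudburn.yml or .cloudburn.yaml, or reaches the directory holding .git
# (the repository root). A config file above the git root is never picked up.

# find_cloudburn_config DIR -> prints the config path, or nothing (exit 1) if none.
find_cloudburn_config() {
    dir=$(cd "$1" && pwd -P) || return 1
    while :; do
        for name in .cloudburn.yml .cloudburn.yaml; do
            if [ -f "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
                return 0
            fi
        done
        # The git root itself is checked above; anything beyond it is out of scope.
        [ -d "$dir/.git" ] && return 1
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# cloudburn_config_args DIR [CI_FLAG] -> prints "--config <path>" for the
# discovered file, or nothing when running in CI (assumption: CI is detected
# via the CI environment variable, overridable with the second argument).
# In CI the caller must pass --config explicitly, as the README states.
cloudburn_config_args() {
    if [ "$#" -ge 2 ]; then ci="$2"; else ci="${CI:-}"; fi
    if [ -n "$ci" ]; then
        return 0
    fi
    cfg=$(find_cloudburn_config "$1") || return 0
    printf '%s %s\n' --config "$cfg"
}
```

Run `cloudburn_config_args "$(pwd)"` from a subdirectory of your repository to see which file an interactive `cloudburn scan` would load; an empty result in CI is the point, not a bug: pin the file with `--config <path>` so a pipeline never depends on whatever config happens to sit above the working directory.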
```yaml
iac:
  enabled-rules:
    - CLDBRN-AWS-EBS-1
    - CLDBRN-AWS-RDS-1
  disabled-rules:
    - CLDBRN-AWS-EC2-2
  format: table
discovery:
  enabled-rules:
    - CLDBRN-AWS-EBS-1
  disabled-rules:
    - CLDBRN-AWS-S3-1
  format: json
```
Use enabled-rules when you want a mode to run only a specific set of rules. Use disabled-rules when you want to subtract a few rules from the active set. Rule IDs take the form CLDBRN-AWS-EBS-1. Pass --config <path> if you want scan or discover to load a specific config file.

Point scan at your IaC files. It checks Terraform (.tf) and CloudFormation (.yaml, .json).
cloudburn scan ./main.tf
cloudburn scan ./template.yaml
cloudburn scan ./iac --exit-code
cloudburn --format json scan ./iac
discover runs the same rules against live AWS resources. Initialize AWS Resource Explorer first, then run against the current AWS region or one explicit region.
cloudburn discover init
cloudburn discover
cloudburn discover --region eu-central-1
cloudburn discover --service ec2,s3
cloudburn --debug discover --region eu-central-1
The CLI targets one region at a time. Multi-region discovery remains available through the SDK.
Use --debug to relay SDK and provider execution trace details to stderr while keeping normal command output on stdout.
Generate a starter config with cloudburn config --init. Full details in the config reference.
CloudBurn needs Resource Explorer read/write access plus read-only permissions for the services behind the rules you enable (EC2, EBS, RDS, S3, Lambda, CloudTrail, CloudWatch, etc.). Which permissions you need depends on which rules you're running.
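The README leaves the exact permissions to you, so here is an added example, not part of CloudBurn, of deriving a least-privilege read-only policy from the rule IDs you enable. The mapping from the service segment of a rule ID (CLDBRN-AWS-<SERVICE>-<n>) to IAM actions, and the specific action lists, are this example's own assumptions; the Resource Explorer actions cover creating and querying the index and view that `discover init` needs. Verify against CloudTrail AccessDenied events for the rules you actually run.

```shell
#!/bin/sh
# Added example, not CloudBurn's code: build an IAM policy for a discover run
# from the enabled rule IDs. Assumption: the third segment of a rule ID names
# the AWS service the rule reads; EBS rules go through the EC2 API.

# service_for_rule RULE_ID -> IAM service prefix, exit 1 if unknown.
service_for_rule() {
    case "$1" in
        CLDBRN-AWS-EC2-*|CLDBRN-AWS-EBS-*) echo ec2 ;;
        CLDBRN-AWS-RDS-*) echo rds ;;
        CLDBRN-AWS-S3-*) echo s3 ;;
        CLDBRN-AWS-LAMBDA-*) echo lambda ;;
        CLDBRN-AWS-CLOUDTRAIL-*) echo cloudtrail ;;
        CLDBRN-AWS-CLOUDWATCH-*) echo cloudwatch ;;
        *) return 1 ;;
    esac
}

# read_actions_for SERVICE -> JSON-quoted, comma-separated read-only actions
# (assumed sufficient for inventory-style checks; widen only on AccessDenied).
read_actions_for() {
    case "$1" in
        ec2) printf '"ec2:Describe*"' ;;
        rds) printf '"rds:Describe*", "rds:ListTagsForResource"' ;;
        s3) printf '"s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging", "s3:GetLifecycleConfiguration", "s3:GetBucketVersioning"' ;;
        lambda) printf '"lambda:ListFunctions", "lambda:GetFunctionConfiguration"' ;;
        cloudtrail) printf '"cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus"' ;;
        cloudwatch) printf '"cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"' ;;
    esac
}

# services_for_rules "RULE RULE ..." -> unique service prefixes, one per line.
# Unknown rule IDs are reported on stderr and skipped rather than granted.
services_for_rules() {
    for r in $1; do
        service_for_rule "$r" || echo "unknown rule id: $r" >&2
    done | sort -u
}

# cloudburn_policy "RULE RULE ..." -> IAM policy document on stdout.
cloudburn_policy() {
    # Resource Explorer needs read/write because `discover init` creates the
    # index and view; the rule-specific services get read-only actions.
    actions='"resource-explorer-2:CreateIndex", "resource-explorer-2:CreateView", "resource-explorer-2:ListIndexes", "resource-explorer-2:ListViews", "resource-explorer-2:GetIndex", "resource-explorer-2:GetView", "resource-explorer-2:Search"'
    for s in $(services_for_rules "$1"); do
        actions="$actions, $(read_actions_for "$s")"
    done
    printf '{\n  "Version": "2012-10-17",\n  "Statement": [{\n    "Effect": "Allow",\n    "Action": [%s],\n    "Resource": "*"\n  }]\n}\n' "$actions"
}

# Usage: cloudburn_policy "CLDBRN-AWS-EBS-1 CLDBRN-AWS-S3-1" > cloudburn-policy.json
```

Attach the generated document to a dedicated role that the discover run assumes, and regenerate it whenever enabled-rules changes; a rule that never runs should not leave its read permissions behind.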
Want to help? Start with CONTRIBUTING.md.