How to Create AWS Architecture Diagrams in 2026: A Complete Guide

By Raghvendra Pandey · April 2026 · 8 min read

Architecture diagrams are one of those things every team needs but nobody wants to maintain. You spend an hour in draw.io moving boxes around, and by the time you share it, someone has already changed the infrastructure.

After 9 years of building cloud infrastructure, I've tried every method — from whiteboards to $500/month enterprise tools. Here's a practical breakdown of every approach available in 2026, with honest pros and cons for each.

Why architecture diagrams matter

Before diving into tools, it's worth understanding why diagrams are worth the effort. They serve three critical purposes in any engineering team.

First, they accelerate onboarding. A new team member looking at 50 Terraform files has no idea how things connect. A diagram gives them the mental model in 30 seconds that would otherwise take days of reading code.

Second, they improve incident response. When something breaks at 3 AM, you need to quickly understand which services are affected. A clear architecture diagram shows blast radius instantly — which services talk to the broken database, which load balancer routes to the failing service.

Third, they enable architecture reviews. Whether you're pitching a migration to your CTO or doing a Well-Architected review, diagrams make the conversation concrete rather than abstract.

Method 1: Manual drawing tools

The traditional approach. Open a tool, drag boxes, draw arrows, label everything by hand.

Draw.io (diagrams.net) — Free

Draw.io is the most popular free option and for good reason. It has built-in AWS icon libraries, works in the browser, exports to PNG/SVG/PDF, and integrates with Confluence and Google Drive. For one-off diagrams that don't need frequent updates, it's hard to beat.

The downside is entirely about maintenance. The moment your infrastructure changes — a new subnet, a renamed service, an additional database — your diagram is out of date. Someone has to manually update it, and that someone is usually nobody.

Lucidchart — $7.95+/month

Lucidchart adds real-time collaboration on top of Draw.io's feature set. Multiple people can edit the same diagram simultaneously, which is useful for architecture review sessions. It also has better auto-layout and alignment tools.

The problem is the same as Draw.io — it's still manual. You're paying $8-15/month per user for a tool that produces diagrams that go stale immediately.

When to use manual tools

Manual tools work well for conceptual or aspirational diagrams — showing what you plan to build, not what currently exists. They're also good for presentations where you need a specific visual style or narrative flow that automated tools can't produce.

Method 2: Live cloud scanners

These tools connect to your actual AWS/Azure/GCP account and generate diagrams from live infrastructure.

Cloudcraft — $49+/month

Cloudcraft (now owned by Datadog) scans your AWS account and generates both 2D and 3D architecture diagrams. The 3D isometric view looks impressive in presentations. It also includes cost estimation — hover over any resource to see its monthly cost.

The catch: you need to give it read access to your cloud account. For many organizations, this is a non-starter — security teams don't want a third-party service scanning production infrastructure. It's also expensive at $49/month for individual use and more for teams.

Hava.io — $49+/month

Hava takes a similar approach but adds change tracking — it records every infrastructure change and lets you view historical diagrams. This is genuinely useful for debugging "what changed?" during an incident. It supports AWS, Azure, and GCP.

AWS Workload Discovery — Free (self-hosted)

Amazon's own solution, deployed as a CloudFormation stack in your account. It scans your resources and generates interactive diagrams. Being first-party, it avoids the credential-sharing concern. However, it only works for AWS (no multi-cloud), requires significant setup, and the diagrams aren't as polished as commercial tools.

When to use cloud scanners

Cloud scanners are ideal for large organizations with complex, frequently changing infrastructure where manual diagramming is impossible. They're also useful for cloud cost audits and compliance documentation. But they're overkill for small teams or individual developers.

Method 3: Diagram-as-code

Write code that generates diagrams. The diagram lives alongside your infrastructure code and can be version-controlled.

Python Diagrams library

The diagrams Python library lets you define architecture diagrams in Python code. It uses the official AWS/GCP/Azure icons and generates clean PNG output.

from diagrams import Diagram, Cluster
from diagrams.aws.compute import EKS
from diagrams.aws.database import RDS
from diagrams.aws.network import ELB

# show=False writes the image file without opening a viewer
with Diagram("Production", show=False):
    lb = ELB("ALB")
    with Cluster("EKS Cluster"):
        svc = EKS("app")
    db = RDS("postgres")
    # >> draws a directed edge: load balancer -> app -> database
    lb >> svc >> db

This approach is popular because diagrams can be committed to Git, reviewed in PRs, and updated alongside infrastructure changes. The downside is that you're still manually defining the diagram — it doesn't read your Terraform code automatically.

Mermaid.js

Mermaid uses a markdown-like syntax to define diagrams. It's built into GitHub (renders in README files), Notion, and many documentation tools. It's great for simple flowcharts and sequence diagrams, but it doesn't support AWS icons natively and the layout engine can produce awkward results for complex architectures.

When to use diagram-as-code

Diagram-as-code works well for teams that want version-controlled diagrams that evolve with the codebase. It's a good middle ground between manual tools and automated scanners. The trade-off is that someone still needs to write and maintain the diagram code.

Method 4: Generate from IaC (Infrastructure as Code)

This is the newest approach — tools that read your existing Terraform, CloudFormation, or Docker Compose files and automatically generate architecture diagrams. No manual drawing, no cloud credentials, no separate diagram code to maintain.

InfraSketch — Free, open source

Full disclosure: I built InfraSketch. It takes a different approach from all the tools above — you paste your Terraform HCL or Docker Compose YAML, and it generates an architecture diagram instantly in your browser. No signup, no cloud credentials, no server-side processing.

It parses 25+ AWS resource types, detects relationships between them, groups resources by category (networking, compute, database, storage, load balancing), and renders diagrams with official AWS architecture icons. You can export as PNG or SVG.

The advantage is simplicity and privacy. Your code never leaves your browser. The limitation is that it currently only supports AWS resources and the parser may not catch every edge case in complex Terraform configurations.
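
The parse, relate and group steps described above can be illustrated locally in Python. This is an added example, not InfraSketch's code: the category map, the regexes and the sample Terraform are assumptions made for the illustration, and the brace matcher assumes no braces inside strings or comments.

```python
import re
from collections import defaultdict

# Assumed category map for illustration (a small subset of AWS resource types).
CATEGORIES = {"aws_vpc": "networking", "aws_security_group": "networking",
              "aws_instance": "compute", "aws_db_instance": "database"}
HEADER = re.compile(r'resource\s+"(\w+)"\s+"(\w+)"\s*\{')
REF = re.compile(r"\b(aws_\w+)\.(\w+)")

# Constructed sample Terraform; names and values are illustrative.
SAMPLE_HCL = """
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}
resource "aws_security_group" "db" {
  vpc_id = aws_vpc.main.id
  ingress { from_port = 5432 }
}
resource "aws_instance" "app" {
  vpc_security_group_ids = [aws_security_group.db.id]
}
resource "aws_db_instance" "pg" {
  vpc_security_group_ids = [aws_security_group.db.id]
}
"""

def parse_resources(hcl):
    """Map 'type.name' -> block body, matching braces so nested blocks stay inside."""
    blocks = {}
    for m in HEADER.finditer(hcl):
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        blocks[f"{m.group(1)}.{m.group(2)}"] = hcl[m.end():i - 1]
    return blocks

def find_edges(blocks):
    """An edge (a, b) means block a references an attribute of declared resource b."""
    refs = ((a, f"{m.group(1)}.{m.group(2)}") for a, body in blocks.items()
            for m in REF.finditer(body))
    return sorted({(a, b) for a, b in refs if b in blocks and b != a})

def group_by_category(blocks):
    groups = defaultdict(list)
    for addr in blocks:
        groups[CATEGORIES.get(addr.split(".")[0], "other")].append(addr)
    return dict(groups)
```

In the sample, both the instance and the database reference the same security group, which is the kind of shared dependency a reviewer wants the diagram to surface.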

terraform graph

Terraform has a built-in terraform graph command that outputs a dependency graph in DOT format. You can pipe it through Graphviz to generate a visual diagram. It's technically accurate but produces overwhelming, unreadable graphs for any real-world infrastructure. It shows every single resource and dependency, including internal Terraform resources that aren't meaningful to humans.
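
An added example (not from Terraform or the original post): instead of rendering the whole `terraform graph` output, this Python walks the DOT edges backwards to list the resources that depend on one target, which is the blast-radius question raised earlier. The sample DOT is constructed, and its node naming (`[root]` prefix, `(expand)` and `(close)` suffixes) is an assumption that varies between Terraform versions.

```python
import re
from collections import defaultdict, deque

# Constructed sample modelled on `terraform graph` DOT output.
SAMPLE_DOT = r'''
digraph {
  "[root] aws_db_instance.pg (expand)" [label = "aws_db_instance.pg", shape = "box"]
  "[root] aws_db_instance.pg (expand)" -> "[root] aws_security_group.db (expand)"
  "[root] local.db_host (expand)" -> "[root] aws_db_instance.pg (expand)"
  "[root] aws_instance.app (expand)" -> "[root] local.db_host (expand)"
  "[root] aws_lb_target_group_attachment.app (expand)" -> "[root] aws_instance.app (expand)"
  "[root] aws_security_group.db (expand)" -> "[root] provider[\"registry.terraform.io/hashicorp/aws\"]"
  "[root] provider[\"registry.terraform.io/hashicorp/aws\"] (close)" -> "[root] aws_db_instance.pg (expand)"
  "[root] root" -> "[root] provider[\"registry.terraform.io/hashicorp/aws\"] (close)"
}
'''

# Quoted DOT identifiers may contain escaped quotes (provider nodes do).
EDGE = re.compile(r'"((?:[^"\\]|\\.)+)"\s*->\s*"((?:[^"\\]|\\.)+)"')
RESOURCE = re.compile(r"^(?:module\.[\w-]+\.)*aws_\w+\.[\w-]+$")

def clean(node):
    """Strip '[root] ' and ' (expand)'. ' (close)' is kept on purpose: merging the
    provider's close node into the provider node would create a false cycle."""
    return re.sub(r"^\[root\] | \(expand\)$", "", node)

def dependents_index(dot):
    """Map each node to its direct dependents (edge A -> B means A needs B)."""
    rev = defaultdict(set)
    for a, b in EDGE.findall(dot):
        rev[clean(b)].add(clean(a))
    return rev

def blast_radius(dot, target):
    """Resources that transitively depend on target, walking through locals etc."""
    rev, seen, queue = dependents_index(dot), {target}, deque([target])
    while queue:
        for dep in rev[queue.popleft()]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return sorted(n for n in seen - {target} if RESOURCE.match(n))
```

Reachability is computed on the full graph and filtered afterwards, so a dependency that passes through a non-resource node such as `local.db_host` is not lost.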

Comparison summary

| Method | Cost | Auto-updates | Credentials needed | Best for |
|---|---|---|---|---|
| Draw.io | Free | No | No | One-off diagrams |
| Lucidchart | $8+/mo | No | No | Team collaboration |
| Cloudcraft | $49+/mo | Yes | Yes | Enterprise documentation |
| Hava.io | $49+/mo | Yes | Yes | Change tracking |
| Python Diagrams | Free | Semi | No | Version-controlled docs |
| InfraSketch | Free | From code | No | Quick diagrams from IaC |

My recommendation

There's no single best tool — it depends on your situation. If you're a solo developer or small team, start with InfraSketch for quick diagrams from your existing Terraform code, and use Draw.io when you need a custom presentation-ready diagram. If you're at a large organization with complex multi-account infrastructure, a cloud scanner like Cloudcraft or Hava pays for itself in time saved.

The key insight is this: the best diagram is one that actually exists. A rough, auto-generated diagram that's always up-to-date is infinitely more valuable than a beautiful hand-drawn diagram from six months ago that no longer matches reality.
