Find cloud cost and security gaps, in the graph.
Infratrix reads your AWS account as a connected graph, studies how your infrastructure actually relates, and surfaces cost and security gaps a per-resource tool would miss, each proposed as a Terraform change your team can read, reverse, and own.
From a NAT line item to a Terraform plan, in one hop.
When Infratrix sees traffic leaving your private subnet through NAT to reach a bucket in the same region, it reads the whole path (workload, route table, IAM, endpoints, flow logs) as a single graph in your account.
The deliverable is not a chart. It is a Terraform plan adding the missing gateway endpoint, the route table and IAM changes that make it safe, an explicit dollar baseline, and the inverse the actor will run if a watcher trips.
Engineering work, scoped to your stack, handed back as a PR your team merges on its own terms.
Worked example · NAT egress → VPC endpoint · in-stack, reversible
From terraform apply to a reviewed, reversible change in production.
Five stages. Your cloud never leaves your account, every change is reviewed before it lands, and an inverse is attached so it can be reversed.
Onboard
One module, under 200 lines. It provisions a least-privilege collector, a scoped actor, and an audit destination in your own account.
module "infratrix" {
  source       = "aithrex/infratrix/aws"
  version      = "~> 1.0"
  organization = "acme"
  trust_tier   = "review"
}
$ terraform apply
Three systems. One reasoning loop.
Infratrix is built around three coordinated layers: a collector that reads your account, a brain that reasons about it as a graph, and an actor that proposes safe, reviewable change.
Collector
Brain
Actor
Same-region S3 traffic egresses through the NAT gateway. Propose an S3 VPC gateway endpoint to keep it on the AWS backbone.
The app IAM role grants s3:* across the account. Propose scoping the policy to the buckets actually in use.
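The first finding above (same-region S3 traffic crossing NAT on a route table with no gateway endpoint, priced against a dollar baseline) as an added example that is not Infratrix's own code: it joins a constructed subnet/route-table/endpoint graph with constructed flow-log records, and the S3 prefix and per-GiB NAT rate are assumptions, not quotes.

```python
"""Detect same-region S3 egress via NAT on route tables lacking an S3 gateway
endpoint. Added example, not Infratrix code; every identifier, prefix, flow
record and the NAT rate below is constructed for illustration."""
from ipaddress import ip_address, ip_network

NAT_USD_PER_GIB = 0.045                    # assumed NAT data-processing rate
S3_PREFIXES = [ip_network("203.0.113.0/24")]  # constructed stand-in for the
                                              # region's S3 prefix list

# Constructed graph: subnet -> route table; route table -> default route
# target and the set of gateway endpoints already associated with it.
SUBNETS = {"subnet-app": "rtb-private", "subnet-web": "rtb-public"}
ROUTE_TABLES = {
    "rtb-private": {"default": "nat-main", "gateway_endpoints": set()},
    "rtb-public": {"default": "igw-main", "gateway_endpoints": {"s3"}},
}
# Constructed flow-log records: (source subnet, destination IP, bytes)
FLOWS = [
    ("subnet-app", "203.0.113.10", 40 * 2**30),  # app-svc -> S3, 40 GiB
    ("subnet-app", "198.51.100.7", 1 * 2**30),   # non-S3 egress, stays on NAT
    ("subnet-web", "203.0.113.10", 5 * 2**30),   # route table already has s3
]


def is_s3(dst: str) -> bool:
    """True when the destination falls inside the (assumed) S3 prefix list."""
    return any(ip_address(dst) in p for p in S3_PREFIXES)


def nat_s3_findings(subnets=SUBNETS, route_tables=ROUTE_TABLES, flows=FLOWS):
    """Return {route_table: GiB} of S3 traffic that crossed a NAT gateway
    from a route table that has no S3 gateway endpoint attached."""
    gib = {}
    for subnet, dst, nbytes in flows:
        rtb_id = subnets[subnet]
        rtb = route_tables[rtb_id]
        via_nat = rtb["default"].startswith("nat-")
        if is_s3(dst) and via_nat and "s3" not in rtb["gateway_endpoints"]:
            gib[rtb_id] = gib.get(rtb_id, 0.0) + nbytes / 2**30
    return gib


def monthly_baseline_usd(findings, rate=NAT_USD_PER_GIB):
    """Dollar baseline per route table: NAT processing cost the endpoint removes."""
    return {rtb: round(g * rate, 2) for rtb, g in findings.items()}


if __name__ == "__main__":
    found = nat_s3_findings()
    for rtb, usd in monthly_baseline_usd(found).items():
        print(f"{rtb}: {found[rtb]:.0f} GiB same-region S3 via NAT; "
              f"propose an S3 gateway endpoint on {rtb} (~${usd}/mo baseline)")
```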
Designed to land as a Terraform diff your team reviews.
Speed without safety is how outages happen. Infratrix’s execution model is review-first by construction: a plan you can read, an apply you can scope, and an inverse you can run.
  resource "aws_vpc_endpoint" "s3" {
+   vpc_id            = aws_vpc.main.id
+   service_name      = "com.amazonaws.${var.region}.s3"
+   route_table_ids   = [aws_route_table.private.id]
+   vpc_endpoint_type = "Gateway"
  }

  resource "aws_nat_gateway" "main" {
-   # egress for app-svc → s3 (in-region)
    # remains for non-S3 egress only
  }

01. The plan is rendered as a unified diff and reviewed by your team; nothing is applied without explicit approval.
02. Apply runs under a time-bounded, action-scoped IAM role that you own and can revoke at any time.
03. Every applied change writes an audit entry to your own log destination; Aithrex never keeps a side ledger.
04. Each change carries its inverse, so rollback is a known, tested operation, not a forensic exercise.
We start at AWS. The reasoning generalizes.
Infratrix begins where most architecture lives today: AWS. The collector / actor / review-first pattern is provider-agnostic by construction, so the same surface extends to Azure, GCP, Oracle and Alibaba. Multi-cloud reasoning is the destination, not the launch.
The provider plug-in is what changes per cloud. The reasoning surface, the review-first execution, and the verified-savings billing stay the same.
Every cloud we add inherits the same boundary contract: live state stays in your account, only signed deltas cross. The kill switch is a single IAM role per provider.
We refuse to ship a logo grid we can’t back with reasoning. When Azure, GCP, Oracle and Alibaba ship, each will land as a real optimisation surface, not a marketing wrapper.
Built so the customer always holds the kill switch.
Trust is an engineering property, not a marketing claim. Every layer of Infratrix is designed so the safe path is the default, and the unsafe path is the explicit, reviewed exception.
In-account by default
Scoped IAM, least privilege
Customer-held kill switch
Audit trail, no surprises
Engineering teams responsible for non-trivial cloud spend.
Infratrix is built for AWS platform engineers, SREs, FinOps partners working alongside engineering, and the infrastructure leaders who sign off on production change. Teams running real architecture, not demo accounts.
You should not need to integrate a new monitoring product, change your IaC, or hand over write access on day one. The expected starting point is a read-only conversation about your account, followed by review-ready proposals on the paths that matter.
See Infratrix against your own AWS environment.
We're onboarding early teams. If you're running a non-trivial AWS bill and want a serious second opinion on your architecture, we'd like to talk.