Infra Ops
Estate inventory, resource topology, configuration drift detection, and tagging compliance across AWS and Azure.
What it covers
| Skill | What it detects | Output |
|---|---|---|
| Estate inventory | Full resource count and distribution by account, region, service | Report |
| Topology analysis | Resource relationships — VPC structure, subnet layout, dependency graph | Report |
| Drift detection | Resources added, removed, or modified since the last EstateView snapshot | Finding |
| Tagging compliance | Resources missing required tags (Name, Environment, Owner, CostCenter) | Finding |
| Environment classification | Resources in prod vs staging vs dev, inferred from tags and naming | Report |
| Cross-account analysis | Inventory aggregated across all enabled profiles | Report |
Example prompts
What changed in my estate since yesterday?
Which EC2 instances are missing a CostCenter tag?
Show me the VPC topology for account 123456789012
How many resources do I have across all accounts?
What resources were provisioned in the last 7 days?
Which production resources don't have an Owner tag?
Drift detection
Escher compares the current EstateView snapshot against a previous one to surface changes:
Estate drift since v11 → v12 (last 24h):
  Added: 8 resources
    EC2: 3 instances (us-east-1)
    Lambda: 2 functions (us-east-1)
    S3: 1 bucket (us-east-1)
    IAM role: 1
    Security group: 1
  Removed: 1 resource
    EC2: 1 instance (us-west-2) — i-0abc456def
  Modified: 6 resources
    Security groups: 2 (ingress rule changes)
    IAM policies: 1 (policy document updated)
    S3 buckets: 2 (ACL and logging changes)
    Lambda: 1 (runtime version update)
Required permissions
The required actions (ec2:Describe*, s3:List*, rds:Describe*, lambda:List*) are all covered by the base AWS Connection policy.
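The snapshot comparison described under Drift detection, sketched in Python as an added example (not Escher's own code). The snapshot layout, resource IDs and attribute names are constructed assumptions, since this page does not document the EstateView format.

```python
from collections import Counter

_MISSING = object()  # distinguishes "key absent" from a stored None
# Constructed sample snapshots. The {resource_id: {...}} layout is an
# assumption for this example, not Escher's EstateView format.
PREVIOUS = {
    "i-0aaa111": {"service": "EC2", "config": {"type": "t3.micro"}},
    "sg-0bbb222": {"service": "Security group",
                   "config": {"ingress": ["tcp/443 from 10.0.0.0/8"]}},
    "example-logs": {"service": "S3",
                     "config": {"acl": "private", "logging": False}},
    "role-app": {"service": "IAM role", "config": {"policy": "v1"}},
}
CURRENT = {
    "sg-0bbb222": {"service": "Security group",
                   "config": {"ingress": ["tcp/443 from 10.0.0.0/8",
                                          "tcp/22 from 0.0.0.0/0"]}},
    "example-logs": {"service": "S3",
                     "config": {"acl": "private", "logging": True}},
    "role-app": {"service": "IAM role", "config": {"policy": "v1"}},
    "fn-report": {"service": "Lambda", "config": {"runtime": "python3.12"}},
}


def diff_snapshots(previous, current):
    """Classify resource IDs as added, removed or modified between snapshots."""
    modified = {}
    for rid in previous.keys() & current.keys():
        old, new = previous[rid]["config"], current[rid]["config"]
        changed = sorted(k for k in old.keys() | new.keys()
                         if old.get(k, _MISSING) != new.get(k, _MISSING))
        if changed:  # unchanged resources are not reported
            modified[rid] = changed
    return {
        "added": sorted(current.keys() - previous.keys()),
        "removed": sorted(previous.keys() - current.keys()),
        "modified": modified,  # resource ID -> names of changed attributes
    }


def summarize(previous, current):
    """Count drift per (change type, service), as in the report above."""
    drift = diff_snapshots(previous, current)
    counts = Counter()
    for kind, source in (("added", current), ("removed", previous),
                         ("modified", current)):
        for rid in drift[kind]:
            counts[(kind, source[rid]["service"])] += 1
    return counts
```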
Next steps
- AWS Connection — Connect your estate
- Core Concepts — Understanding EstateView and snapshots
- FinOps — Cost analysis of your estate