Your AWS, as a filesystem.

This:

```sh
grep -l "AdministratorAccess" iam/users/*/policies.json
```

Instead of this:

```sh
aws iam list-users --query 'Users[].UserName' --output text | \
  xargs -I{} sh -c 'aws iam list-attached-user-policies --user-name {} --query "AttachedPolicies[].PolicyArn" --output text' | \
  grep AdministratorAccess
```

- What is this?
- Install
- Quick Start
- The Good Stuff
- Options
- What's Supported
- How CloudWatch Logs Streaming Works
- Integrated Logs
- ECS Explorer
- CloudFront Explorer
- S3 Bucket Metadata
- EC2 Connect, Console & Remote Filesystem
- Tools That Pair Well
- Ask AI About Your Infrastructure
- Real-World Debugging Example
- Tips
## What is this?

sisu mounts AWS resources as a local filesystem. Use the tools you already know - grep, cat, diff, vim - instead of wrestling with JSON and the AWS CLI.

AI-friendly by design: AI tools can't SSH into servers or run interactive AWS CLI sessions. But with sisu, your entire AWS infrastructure becomes simple file paths that any AI can read. Remote EC2 filesystems are accessible at `ec2/<instance>/fs/`, letting AI browse `/var/log`, `/etc`, and any file on your instances without SSH.

Currently supports S3, SSM, IAM, VPC, Lambda, EC2, ECS, CloudFront, Secrets Manager, Route 53, and CloudWatch Logs.
## Install

```sh
go install github.com/semonte/sisu@latest
```

Requires FUSE:

```sh
sudo apt install fuse   # Ubuntu/Debian
sudo yum install fuse   # RHEL/CentOS
```

## Quick Start

```sh
sisu
```

You're in. Your AWS is now at your fingertips:

```
~/.sisu/mnt/
├── default/              # AWS profile
│   ├── global/           # IAM, S3, Route 53 (region-independent)
│   │   ├── iam/
│   │   ├── route53/
│   │   └── s3/
│   ├── us-east-1/        # Regional services
│   │   ├── cloudfront/
│   │   ├── ec2/
│   │   ├── ecs/
│   │   ├── lambda/
│   │   ├── logs/
│   │   ├── secrets/
│   │   ├── ssm/
│   │   └── vpc/
│   └── eu-west-1/
│       └── ...
├── prod/                 # Other profiles from ~/.aws/credentials
└── staging/
```

Type `exit` when done.
## The Good Stuff

```sh
# Who has admin access?
grep -l "AdministratorAccess" */global/iam/users/*/policies.json

# Security groups with SSH open
grep -r '"FromPort": 22' */us-east-1/vpc/*/security-groups/

# Roles that Lambda can assume
grep -l "lambda.amazonaws.com" */global/iam/roles/*/info.json

# Secrets in SSM?
grep -r "password" */us-east-1/ssm/

# Lambda functions with secrets in env vars
grep -r "PASSWORD\|SECRET\|API_KEY" */us-east-1/lambda/*/env.json

# Functions using deprecated runtimes
grep -r "python3.8\|nodejs16" */*/lambda/*/config.json

# EC2 instances with public IPs
grep -r "PublicIpAddress" */*/ec2/*/info.json

# Find stopped instances (wasting money?)
grep -r '"Name": "stopped"' */*/ec2/*/info.json

# Connect to an EC2 instance via SSM (no SSH keys needed!)
./default/us-east-1/ec2/i-abc123/connect

# View EC2 boot logs and kernel messages
cat default/us-east-1/ec2/i-abc123/console.log

# View all secrets
ls */us-east-1/secrets/

# Read a secret value
cat default/us-east-1/secrets/myapp/database/value

# List all DNS zones
ls */global/route53/

# View DNS records for a zone
cat default/global/route53/example.com/records.json

# Find all CNAME records
grep -r '"Type": "CNAME"' */global/route53/*/records.json

# Grep recent logs for errors
grep -i "error" default/us-east-1/logs/aws/lambda/my-function/latest.log

# View all log groups
ls */us-east-1/logs/

# List log streams (shows 20 most recent)
ls default/us-east-1/logs/aws/lambda/my-function/

# View events from a specific stream
cat default/us-east-1/logs/aws/lambda/my-function/2024_01_15_abc123/events.log

# ECS: Browse clusters, services, and tasks
ls default/us-east-1/ecs/my-cluster/my-service/
cat default/us-east-1/ecs/my-cluster/my-service/logs/latest.log

# CloudFront: View distributions and functions
ls default/us-east-1/cloudfront/distributions/
cat default/us-east-1/cloudfront/functions/my-auth/code.js

# S3: Check bucket policies and access settings
cat default/global/s3/my-bucket/.meta/policy.json
cat default/global/s3/my-bucket/.meta/public-access-block.json
```

```sh
# Compare IAM roles between accounts
diff prod/global/iam/roles/api/info.json staging/global/iam/roles/api/info.json

# Security group drift between regions
diff default/us-east-1/vpc/vpc-xxx/security-groups/sg-xxx.json default/eu-west-1/vpc/vpc-yyy/security-groups/sg-yyy.json

# Lambda config differences
diff prod/us-east-1/lambda/my-func/config.json staging/us-east-1/lambda/my-func/config.json
```

```sh
# Pretty print with jq
cat default/global/iam/roles/my-role/info.json | jq '.AssumeRolePolicyDocument'

# Count your roles
ls default/global/iam/roles/ | wc -l

# Find untagged resources
cat default/us-east-1/vpc/vpc-xxx/info.json | jq 'select(.Tags == null)'

# List all Lambda runtimes in use
grep -h "Runtime" */*/lambda/*/config.json | sort | uniq -c
```

```sh
cat default/us-east-1/ssm/myapp/database-url                        # read
echo "postgres://prod:5432" > default/us-east-1/ssm/database-url    # write
vim default/us-east-1/ssm/myapp/config                              # edit
```

```sh
cp local.txt default/global/s3/my-bucket/backup/
cat default/global/s3/my-bucket/logs/app.log | grep ERROR
rm default/global/s3/my-bucket/old-file.txt
```

## Options

```sh
sisu                                     # Start at root
sisu --profile prod                      # Start in prod/
sisu --profile prod --region us-east-1   # Start in prod/us-east-1/
sisu stop                                # Unmount
sisu --debug                             # Debug logging
```

## What's Supported

| Service | Read | Write | Delete |
|---|---|---|---|
| S3 (objects, bucket policies, access settings) | ✓ | ✓ | ✓ |
| SSM Parameter Store | ✓ | ✓ | ✓ |
| IAM (users, roles, policies, groups) | ✓ | - | - |
| VPC (subnets, security groups, routes) | ✓ | - | - |
| Lambda (config, policy, env vars, logs) | ✓ | - | - |
| EC2 (instances, security groups, tags, logs, remote fs) | ✓ | - | - |
| ECS (clusters, services, tasks, logs) | ✓ | - | - |
| CloudFront (distributions, functions, logs) | ✓ | - | - |
| Secrets Manager | ✓ | - | - |
| Route 53 (zones, records) | ✓ | - | - |
| CloudWatch Logs | ✓ | - | - |
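The security-group one-liner in The Good Stuff (`grep -r '"FromPort": 22'`) matches a substring: it fires on a rule that only admits 22 from an internal range, and it misses a rule with `IpProtocol` `-1` (all ports) that exposes 22 to the world. Since sisu exposes each security group as a JSON file, the check can be made exact by parsing the file. The following is an added example, not part of sisu; it assumes the per-group JSON under `<profile>/<region>/vpc/<vpc-id>/security-groups/<sg-id>.json` has the `IpPermissions` shape of the EC2 `DescribeSecurityGroups` response (the shape the page's grep keys on), and it builds a constructed sample mount in a temp directory so it runs offline.

```python
"""Audit security-group JSON files under a sisu mount for a port reachable
from anywhere.  Added example, not sisu's code.  Assumes the JSON shape of
EC2 DescribeSecurityGroups (IpPermissions / IpRanges / Ipv6Ranges)."""
import glob
import json
import os
import tempfile

# Constructed sample groups, written out below in the layout sisu exposes.
SAMPLE_GROUPS = {
    "sg-open-ssh": {        # the case the page's grep finds
        "GroupId": "sg-open-ssh",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
        ],
    },
    "sg-all-ports": {       # no literal "FromPort": 22, so grep misses it
        "GroupId": "sg-all-ports",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
        ],
    },
    "sg-corp-only": {       # grep matches, but 22 is only open to 10/8
        "GroupId": "sg-corp-only",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}
        ],
    },
}

ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_covers_port(perm, port, proto="tcp"):
    """True if one IpPermissions entry admits `port` over `proto`.
    IpProtocol "-1" means every protocol and port; otherwise the
    [FromPort, ToPort] range must contain the port."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rule_open_to_world(perm):
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def groups_exposing_port(mount_root, port=22):
    """Walk */*/vpc/*/security-groups/*.json under the mount and return the
    GroupIds whose ingress rules admit `port` from 0.0.0.0/0 or ::/0."""
    pattern = os.path.join(mount_root, "*", "*", "vpc", "*",
                           "security-groups", "*.json")
    exposed = []
    for path in sorted(glob.glob(pattern)):
        with open(path) as fh:
            sg = json.load(fh)
        for perm in sg.get("IpPermissions", []):
            if rule_covers_port(perm, port) and rule_open_to_world(perm):
                exposed.append(sg["GroupId"])
                break
    return exposed


def write_sample_mount():
    """Materialise SAMPLE_GROUPS on disk in sisu's layout; returns the root."""
    root = tempfile.mkdtemp(prefix="sisu-sample-")
    sg_dir = os.path.join(root, "default", "us-east-1", "vpc",
                          "vpc-0sample", "security-groups")
    os.makedirs(sg_dir)
    for gid, body in SAMPLE_GROUPS.items():
        with open(os.path.join(sg_dir, gid + ".json"), "w") as fh:
            json.dump(body, fh, indent=2)
    return root


if __name__ == "__main__":
    # Point this at ~/.sisu/mnt instead of the sample to audit a real mount.
    root = write_sample_mount()
    for gid in groups_exposing_port(root):
        print("port 22 open to the world:", gid)
```

Against the sample the walk reports `sg-all-ports` and `sg-open-ssh` and stays quiet about `sg-corp-only`, which is the opposite of what the substring grep would report for the last two. Passing `port=443` or `proto="udp"` reuses the same walk for other services.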
## How CloudWatch Logs Streaming Works

Log stream `events.log` files are streamed lazily from AWS rather than loaded entirely into memory:

- On-demand fetching: events are fetched in batches of 100 as you read through the file
- Memory efficient: only fetched content is buffered, not the entire stream
- Sequential reads: works with `cat`, `grep`, `head`, `less`

```sh
# Fetches only enough batches to find the match
grep "ERROR" .../my-stream/events.log

# Fetches just the first batch
head -50 .../my-stream/events.log

# Scroll through with on-demand loading
less .../my-stream/events.log

# Will fetch all events
cat .../my-stream/events.log | wc -l
```

Note: `tail` does not work correctly with streaming files because it seeks to the end of the file, but the actual file size is unknown until fully loaded. Use `cat ... | tail` as a workaround.
## Integrated Logs

Each service has logs directly under its resource - no need to hunt for log groups:

```sh
# Lambda function logs
cat default/us-east-1/lambda/my-function/logs/latest.log

# EC2 instance logs (searches for log groups containing the instance ID)
cat default/us-east-1/ec2/i-abc123/logs/latest.log

# ECS service logs
cat default/us-east-1/ecs/my-cluster/my-service/logs/latest.log

# CloudFront function logs
cat default/us-east-1/cloudfront/functions/my-auth/logs/latest.log
```

All integrated logs use streaming - they fetch events on demand as you read.
## ECS Explorer

Browse ECS clusters, services, and tasks:

```
ecs/
├── my-cluster/
│   ├── web-service/
│   │   ├── info.json           # Service configuration
│   │   ├── logs/
│   │   │   └── latest.log      # Streaming service logs
│   │   └── tasks/
│   │       └── abc123/
│   │           └── info.json   # Task details
│   └── api-service/
│       └── ...
```

```sh
# List all ECS clusters
ls default/us-east-1/ecs/

# View service configuration
cat default/us-east-1/ecs/my-cluster/web-service/info.json

# Stream service logs
cat default/us-east-1/ecs/my-cluster/web-service/logs/latest.log

# List running tasks
ls default/us-east-1/ecs/my-cluster/web-service/tasks/
```

## CloudFront Explorer

Browse CloudFront distributions and functions:
```
cloudfront/
├── distributions/
│   └── E1ABC123/
│       ├── info.json       # Distribution config
│       └── origins.json    # Origins with OAC/OAI info
└── functions/
    └── my-auth/
        ├── code.js         # Function source code
        ├── config.json     # Function configuration
        └── logs/
            └── latest.log  # Function execution logs
```

```sh
# List distributions
ls default/us-east-1/cloudfront/distributions/

# Check origin access configuration (debug S3 access issues!)
cat default/us-east-1/cloudfront/distributions/E1ABC123/origins.json

# View and edit CloudFront function code
cat default/us-east-1/cloudfront/functions/my-auth/code.js

# Debug function execution
cat default/us-east-1/cloudfront/functions/my-auth/logs/latest.log
```

## S3 Bucket Metadata

Each S3 bucket has a hidden `.meta/` directory with bucket configuration:
```sh
# View bucket policy
cat default/global/s3/my-bucket/.meta/policy.json

# Check public access block settings
cat default/global/s3/my-bucket/.meta/public-access-block.json
```

Useful for debugging CloudFront-to-S3 access issues!
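Debugging a CloudFront-to-S3 problem with these two files usually comes down to two questions: does the bucket policy admit the distribution's origin access control, and has a public grant crept into the same policy that the public access block does or does not neutralise. The following is an added example, not sisu's code, that answers both from `policy.json` and `public-access-block.json`. It assumes `policy.json` holds the bucket policy document (a `GetBucketPolicy`-style `{"Policy": "<json string>"}` wrapper is unwrapped too) and that `public-access-block.json` holds the `GetPublicAccessBlock` response or its flat configuration; the sample policy and block settings are constructed, with the AWS documentation placeholder account `111122223333` and the page's distribution id `E1ABC123`.

```python
"""Interpret a bucket's .meta/policy.json and .meta/public-access-block.json.
Added example, not sisu's code.  Assumed file shapes: the bucket policy
document (or a {"Policy": "<string>"} wrapper) and the GetPublicAccessBlock
response (or its flat PublicAccessBlockConfiguration)."""
import json
import os

# Constructed sample policy: a CloudFront OAC grant plus a leftover public grant.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontOAC",
      "Effect": "Allow",
      "Principal": {"Service": "cloudfront.amazonaws.com"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {"StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/E1ABC123"}}
    },
    {
      "Sid": "LegacyPublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}""")

# Constructed sample block settings: ACL blocks on, policy blocks off.
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(statement, action):
    actions = _as_list(statement.get("Action", []))
    return statement.get("Effect") == "Allow" and (
        action in actions or "s3:*" in actions or "*" in actions)


def cloudfront_distributions_allowed(policy, action="s3:GetObject"):
    """Distribution ARNs admitted via the OAC pattern: the cloudfront service
    principal scoped by an AWS:SourceArn condition (key matched case-insensitively)."""
    arns = []
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        if not _allows(st, action) or not isinstance(principal, dict):
            continue
        if "cloudfront.amazonaws.com" not in _as_list(principal.get("Service", [])):
            continue
        for key, val in st.get("Condition", {}).get("StringEquals", {}).items():
            if key.lower() == "aws:sourcearn":
                arns.extend(_as_list(val))
    return arns


def anonymous_statements(policy, action="s3:GetObject"):
    """Sids of unconditioned Allow statements open to everyone
    (Principal "*" or {"AWS": "*"})."""
    sids = []
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if _allows(st, action) and everyone and "Condition" not in st:
            sids.append(st.get("Sid", "<no Sid>"))
    return sids


def effectively_public(policy, pab, action="s3:GetObject"):
    """An anonymous grant stays reachable unless RestrictPublicBuckets is on.
    BlockPublicPolicy only rejects *new* public policies at PutBucketPolicy
    time; it does not neutralise a public policy that is already attached."""
    if not anonymous_statements(policy, action):
        return False
    config = pab.get("PublicAccessBlockConfiguration", pab)
    return not config.get("RestrictPublicBuckets", False)


def load_bucket_meta(bucket_dir):
    """Read the two files sisu exposes under <bucket>/.meta/ (assumed shapes)."""
    with open(os.path.join(bucket_dir, ".meta", "policy.json")) as fh:
        policy = json.load(fh)
    if isinstance(policy.get("Policy"), str):   # GetBucketPolicy wrapper
        policy = json.loads(policy["Policy"])
    with open(os.path.join(bucket_dir, ".meta", "public-access-block.json")) as fh:
        pab = json.load(fh)
    return policy, pab


if __name__ == "__main__":
    # Replace the samples with load_bucket_meta("~/.sisu/mnt/default/global/s3/my-bucket")
    print("OAC distributions:", cloudfront_distributions_allowed(SAMPLE_POLICY))
    print("anonymous grants:", anonymous_statements(SAMPLE_POLICY))
    print("effectively public:", effectively_public(SAMPLE_POLICY, SAMPLE_PAB))
```

On the sample the OAC grant resolves to the `E1ABC123` distribution, so a 403 from CloudFront would point elsewhere (origins.json, the distribution's OAC setting), while `LegacyPublicRead` is reported as reachable because `RestrictPublicBuckets` is off; flipping that single setting to `true` in the block file is what would make the same policy non-public.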
## EC2 Connect, Console & Remote Filesystem

Each EC2 instance exposes:

```sh
ls default/us-east-1/ec2/i-abc123/
# info.json  security-groups.json  tags.json  console.log  connect  fs/  logs/
```

Connect via SSM (no SSH keys, no public IP needed):

```sh
./default/us-east-1/ec2/i-abc123/connect
```

Requires the Session Manager plugin.

View boot logs and kernel messages:

```sh
cat default/us-east-1/ec2/i-abc123/console.log
```

Browse the instance's filesystem remotely (via SSM Run Command):

```sh
# List files on the instance
ls default/us-east-1/ec2/i-abc123/fs/etc/

# Read remote files
cat default/us-east-1/ec2/i-abc123/fs/etc/hostname

# Grep across remote logs
grep ERROR default/us-east-1/ec2/i-abc123/fs/var/log/syslog

# Compare configs between instances
diff prod/us-east-1/ec2/i-111/fs/etc/nginx/nginx.conf \
     prod/us-east-1/ec2/i-222/fs/etc/nginx/nginx.conf
```

No SSH keys or open ports needed - uses SSM Run Command under the hood.
## Tools That Pair Well

| Tool | What it does |
|---|---|
| fzf | Fuzzy finder with preview |
| jq | JSON query/transform |
| difftastic | Structural diff (understands JSON) |

```sh
# Browse and preview any resource interactively
find */global/iam/roles -name "info.json" | fzf --preview 'jq . {}'

# Find Lambda functions with high memory
jq -r 'select(.MemorySize > 512) | .FunctionName' */us-east-1/lambda/*/config.json

# Compare prod vs staging config
difft prod/us-east-1/lambda/api/config.json staging/us-east-1/lambda/api/config.json
```

## Ask AI About Your Infrastructure

Since it's just files, AI tools can read and analyze your AWS directly:
```sh
cd ~/.sisu/mnt && claude

"Find security groups that allow SSH from 0.0.0.0/0"
"Review IAM roles for overly permissive policies"
"Compare prod and staging Lambda configs"
```

## Real-World Debugging Example

Problem: ECS service failing with "No Container Instances were found in your cluster"
Using sisu to diagnose without SSH:

```sh
# Check cluster status - no instances registered
cat ecs/jobdeck-cluster/info.json | jq '.RegisteredContainerInstancesCount'
# → 0

# Check service config - using EC2 launch type
cat ecs/jobdeck-cluster/jobdeck-api/info.json | jq '.LaunchType, .FailedTasks'
# → "EC2", 136

# EC2 instance exists - check its ECS config
cat ec2/i-xxx/fs/etc/ecs/ecs.config
# → ECS_CLUSTER=jobdeck-cluster ✓

# Check ECS agent logs - no agent log!
ls ec2/i-xxx/fs/var/log/ecs/
# → ecs-volume-plugin.log (missing ecs-agent.log!)

# Check what AMI is running
cat ec2/i-xxx/fs/etc/image-id
# → image_name="amzn2-ami-minimal-hvm" ← NOT ECS-optimized!
```

Root cause found: the EC2 instance uses the Amazon Linux 2 Minimal AMI instead of the ECS-optimized AMI. The minimal AMI has the ECS packages installed, but the agent service is not enabled by default.

Fix: use the ECS-optimized AMI, or add `systemctl enable --now ecs` to the user-data.

All of this debugging was done by Claude AI browsing the filesystem through sisu - no manual SSH required!
## Tips

- Results are cached for 5 minutes
- S3 listings cap at 100 items per directory
- CloudWatch Logs fetches events in batches of 100

## License

MIT
