The infrastructure engineer who never touches the AWS console.
The infrastructure bottleneck
Every new service starts the same way — a console session, a Slack thread, and an engineer who'd rather be shipping product.
Manual provisioning
Every new service starts with a console session and tribal knowledge of what "good" looks like.
Security as an afterthought
Hardening happens after the finding, not before the resource ships.
IAM sprawl
Roles and policies pile up. Nobody remembers which ones are still needed.
Cost blindspots
Idle instances and over-provisioned databases bill you quietly, every month.
Five ways teams use Architect
One agent, worked through chat, CLI, or MCP — see it plan, draft, and open the PR.
| change | before | after |
|---|---|---|
| ECS service exposure | public task ENI | internal VPC only |
| Load balancer | none | internal ALB + WAF |
| IAM task role | s3:* on * | scoped to app bucket |
| Multi-AZ | single AZ | 2 AZ + auto-failover |
| field | value |
|---|---|
| role | analytics-readonly |
| policy | redshift:GetClusterCredentials |
| scope | analytics-prod cluster only |
| principal | priya@acme.com · SSO group |
| console access | NOT REQUIRED |
| resource | issue | savings |
|---|---|---|
| db.r5.xlarge (analytics-staging) | idle · 2% avg CPU | $190/mo |
| 2x EBS volumes | unattached · 400GB | $40/mo |
| reserved capacity | 3-instance mismatch | $30/mo |
| resource | type | status |
|---|---|---|
| marketing-site bucket | S3 static hosting | PLANNED |
| CDN | CloudFront + ACM cert | PLANNED |
| WAF | AWS WAF | ENABLED |
| DNS | Route 53 | PENDING MERGE |
| issue | resource | fix |
|---|---|---|
| publicly_accessible = true | RDS billing-prod | set to false |
| 0.0.0.0/0:5432 | sg-billing | restrict to app tier |
| no encryption at rest | RDS billing-prod | enable storage encryption |
Ask. Review. Merge.
No ticket. No meeting. No console.
Work the way your team already works
Architect meets your engineers where they already are.
Terminal-native
Script it, alias it, run it from CI. No new tool to open.
Inside your coding agent
Call Architect as a tool from Claude, Cursor, or any MCP client.
Tudovu dashboard
Same plan → PR flow, no terminal required.
Architect vs. Remediator
Different jobs. Same PR-first workflow.
Architect
Builds it right the first time. New infrastructure, IAM, deployments — scoped and hardened by design. Nothing ships that needs a finding to fix it later.
Remediator
Fixes what's already broken. Findings from Security Hub, GuardDuty, and your GRC tool — with blast-radius analysis and IaC fixes for what's already in production.
