Arch CLI: the Swiss Army Knife for Architecture, SRE and DevOps Teams on AWS
Anyone who works with AWS on a daily basis knows the pain: the sheer number of services, consoles and CLIs you need to juggle for routine tasks is overwhelming. Listing resources, checking security posture, analyzing costs, managing containers — each task lives in a different place, each with its own set of commands.
Arch CLI was built to solve exactly that. It's an open source tool that centralizes the most common operations for Architecture, SRE and DevOps teams into a single command-line interface. Instead of memorizing dozens of AWS CLI commands, you get an interactive menu that organizes everything by context.
Repository: crypto-br/arch-cli
---
1. Overview and Architecture
1.1 What is Arch CLI?
Arch CLI is a hybrid CLI (Shell + Python) that works as an AWS operations hub. Currently at version 4.0, it covers everything from basic tasks like configuring AWS profiles to advanced features like AI-powered cost analysis.
The tool is structured in two layers:
- Shell layer (arch-cli.sh + modules/): the original core, with modular bash scripts for each functionality
- Python layer (arch_cli/): added in v4.0, enabling pip installation, intelligent commands and MCP integration
This hybrid approach means you can use it as a simple bash script or as a full Python CLI — whatever fits your workflow.
1.2 Installation
git clone https://github.com/crypto-br/arch-cli.git
cd arch-cli
pip install -e .
After installation, just run arch-cli to access the interactive menu. Alternatively, you can run ./arch-cli.sh directly if you prefer the bash-only approach.
1.3 Prerequisites
- AWS CLI: configured with at least one profile
- Python 3: for the pip-based installation and v4.0 intelligent commands
- Prowler: for security auditing features
1.4 Compatibility
Arch CLI runs on:
- Ubuntu/Debian
- Red Hat/CentOS
- Amazon Linux
- macOS
It automatically detects the operating system and installs the necessary dependencies accordingly. The --deps command handles this for you.
---
2. Core Features Deep Dive
2.1 Security Auditing with Prowler
Arch CLI integrates Prowler directly, with no separate configuration needed.
arch-cli prowler
or
./arch-cli.sh --prowler
What happens under the hood:
- Prowler runs against the active AWS account
- Reports are generated in both CSV and HTML formats
- A progress bar shows the audit status in real time
- Results are stored locally for historical comparison
This is particularly useful for teams that need to run regular compliance checks (CIS, PCI-DSS, HIPAA, etc.) without setting up Prowler separately. Having it integrated in the same tool that handles all other operations reduces context switching.
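Historical comparison comes down to a diff between two stored reports. The following is an added example, not Arch CLI's or Prowler's own code: it assumes a semicolon-delimited CSV with CHECK_ID, RESOURCE_UID and STATUS columns (an assumption; the header differs between Prowler versions), and the check IDs and rows are constructed.

```python
import csv
import io

# Assumed layout; check the header row of your own reports and adjust.
KEY_COLUMNS = ("CHECK_ID", "RESOURCE_UID")
STATUS_COLUMN = "STATUS"
DELIMITER = ";"

def load_findings(csv_text):
    """Map (check id, resource) -> status for one report."""
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=DELIMITER)
    header = reader.fieldnames or []
    missing = [c for c in (*KEY_COLUMNS, STATUS_COLUMN) if c not in header]
    if missing:
        raise ValueError(f"report is missing columns: {missing}")
    return {tuple(row[c] for c in KEY_COLUMNS): (row[STATUS_COLUMN] or "").strip().upper()
            for row in reader}

def compare_runs(previous_csv, current_csv):
    """Classify findings whose state changed between two audit runs."""
    prev, curr = load_findings(previous_csv), load_findings(current_csv)
    diff = {"new_fail": [], "regressed": [], "fixed": [], "gone": []}
    for key, status in curr.items():
        before = prev.get(key)
        if status == "FAIL" and before is None:
            diff["new_fail"].append(key)       # resource or check not seen before
        elif status == "FAIL" and before != "FAIL":
            diff["regressed"].append(key)      # previously passing, now failing
        elif status == "PASS" and before == "FAIL":
            diff["fixed"].append(key)
    # Failing before and absent now: resource deleted or check no longer run.
    diff["gone"] = [k for k, s in prev.items() if s == "FAIL" and k not in curr]
    return diff

# Constructed sample reports (not real Prowler output).
PREVIOUS = """CHECK_ID;RESOURCE_UID;STATUS
check_bucket_public;arn:aws:s3:::example-logs;FAIL
check_root_mfa;arn:aws:iam::111122223333:root;PASS
check_volume_encrypted;arn:aws:ec2:us-east-1:111122223333:volume/vol-0example;FAIL
"""
CURRENT = """CHECK_ID;RESOURCE_UID;STATUS
check_bucket_public;arn:aws:s3:::example-logs;PASS
check_root_mfa;arn:aws:iam::111122223333:root;FAIL
check_db_encrypted;arn:aws:rds:us-east-1:111122223333:db:example;FAIL
"""

if __name__ == "__main__":
    for category, keys in compare_runs(PREVIOUS, CURRENT).items():
        print(category, keys)
```

The "gone" bucket deserves a manual look: a failing finding that disappears may mean the resource was deleted, or that the check stopped running.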
2.2 AWS Resource Listing
arch-cli list
or
./arch-cli.sh --list
Provides a quick overview of resources across the account:
- EC2: running instances, types, states
- S3: buckets and basic configuration
- RDS: database instances
- Lambda: functions and their runtimes
- IAM: users, roles, policies
- CloudFormation: stacks and their statuses
It seems simple, but this is the kind of task you do multiple times a day. In the AWS console, it requires navigating through multiple screens and services. Here, it's one command.
2.3 Monitoring and Observability
arch-cli monitor
or
./arch-cli.sh --monitor
Centralizes CloudWatch operations:
- Alarm management: create, list and manage CloudWatch alarms
- Log visualization: query and view CloudWatch Logs without leaving the terminal
- Service health checks: verify the health status of your services
For SRE teams doing daily health checks and troubleshooting, having monitoring operations in the same CLI as everything else eliminates the need to constantly switch between the CloudWatch console and terminal.
2.4 Cost Optimization and FinOps
Two complementary features here:
```bash
# Cost analysis and underutilized resource identification
arch-cli optimize
# or
./arch-cli.sh --cost

# Full FinOps dashboard integration
arch-cli finops
# or
./arch-cli.sh --finops
```
The --cost module:
- Analyzes current spending patterns
- Identifies underutilized resources (idle EC2 instances, unattached EBS volumes, etc.)
- Manages budgets and alerts
The --finops module integrates with the aws-finops-dashboard for a complete cost visualization experience.
For teams that need to justify spending or find where to cut costs, having this in the CLI speeds up the process significantly compared to navigating Cost Explorer in the console.
2.5 Security and Compliance
arch-cli security
or
./arch-cli.sh --security
Goes beyond Prowler with:
- IAM policy analysis: reviews policies for overly permissive configurations
- Compliance verification: checks against security baselines
- Credential rotation management: tracks and manages credential lifecycle
This is the kind of functionality every security team needs but that usually ends up scattered across standalone scripts. Having it centralized means consistent execution and easier auditing.
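To make "overly permissive" concrete, here is an added example of the kind of check an IAM policy review performs. It is not Arch CLI's own code; the function name, the rules chosen and the sample policy are assumptions made for illustration.

```python
import json

def _as_list(value):
    """IAM accepts either a single string or a list for these fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_overly_permissive(policy):
    """Return (statement id, reason) pairs for broad Allow statements."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # case-insensitive
        all_resources = "*" in _as_list(stmt.get("Resource"))
        scoped = bool(stmt.get("Condition"))  # a Condition may narrow the grant
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants every action not listed"))
        if "*" in actions and all_resources:
            findings.append((sid, "administrator-equivalent: Action * on Resource *"))
            continue
        wild = sorted(a for a in actions if a.endswith(":*"))
        if wild and all_resources and not scoped:
            findings.append((sid, "service-wide wildcard on all resources: " + ", ".join(wild)))
        if "iam:passrole" in actions and all_resources:
            findings.append((sid, "iam:PassRole is not restricted to specific roles"))
    return findings

# Constructed policy for illustration.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "S3All", "Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Sid": "ReadOne", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for sid, reason in find_overly_permissive(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
```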
2.6 Container Management
arch-cli containers
or
./arch-cli.sh --containers
Manages the three main AWS container services from one place:
- EKS: cluster management and operations
- ECS: service management and task definitions
- ECR: image repository management
Anyone operating multiple clusters across different services knows how much time this saves compared to switching between kubectl, aws ecs, and aws ecr commands.
2.7 Database Management
arch-cli database
or
./arch-cli.sh --database
Covers the two most common AWS database services:
- RDS: instance management, status checks, basic operations
- DynamoDB: table management and operations
2.8 Automation
arch-cli automation
or
./arch-cli.sh --automation
Manages:
- Backups: automated backup management across services
- Scheduled tasks: recurring task management
Those routines that every team has but that end up in forgotten cron jobs or lost scripts in some repository — this module brings them under one roof.
---
3. AWS Profile Management
This deserves its own section because it's a small feature that makes a big difference in daily workflows.
```bash
# Set active profile
arch-cli profile prod

# Now all commands automatically use the "prod" profile
arch-cli list
arch-cli health
arch-cli analyze

# Switch to another profile
arch-cli profile staging
```
Anyone working with multiple AWS accounts knows the pain of constantly switching profiles. With arch-cli profile, you set it once and every subsequent command uses it automatically. No more --profile flags on every single command.
You can also configure new profiles interactively:
arch-cli np
or
./arch-cli.sh --np
This guides you through setting up a new AWS CLI profile, including support for AWS SSO — which is increasingly the standard for organizations using IAM Identity Center.
---
4. Version 4.0: AI-Powered Analysis with MCP
The biggest addition in v4.0 is the integration with the Model Context Protocol (MCP), bringing three intelligent commands:
4.1 Analyze
```bash
# Basic analysis (~30 seconds)
arch-cli analyze

# Comprehensive analysis (~2-3 minutes)
arch-cli analyze --comprehensive

# With specific profile
arch-cli analyze --profile prod
```
The analyze command performs a contextual analysis of the AWS account, identifying:
- Security issues and misconfigurations
- Unnecessary costs and waste
- Optimization opportunities
- Predictive insights on potential problems
The --comprehensive flag runs a deeper analysis that takes longer but provides more detailed findings and recommendations.
4.2 Optimize
arch-cli optimize
arch-cli optimize --profile staging
Focused specifically on cost savings, this command:
- Identifies resources that can be right-sized
- Finds idle or underutilized resources
- Suggests Reserved Instance or Savings Plan opportunities
- Provides estimated savings for each recommendation
4.3 Health
arch-cli health
arch-cli health --profile prod
A quick health check (~10 seconds) that validates:
- Service availability
- Resource health status
- Critical alarm states
- Basic security posture
4.4 Fallback Mode
The most interesting architectural decision in v4.0: the tool works with or without the MCP server.
- With MCP: you get deeper contextual analysis, predictive insights and auto-remediation suggestions
- Without MCP: commands still work using local analysis, just with less depth
This means you can start using the intelligent commands immediately, and when you set up the MCP server, the analysis quality improves automatically — no configuration changes needed.
---
5. Modular Architecture
The project is organized in modules separated by functionality:
arch-cli/
├── arch-cli.sh # Main bash script
├── arch_cli/ # Python package (v4.0+)
├── modules/ # Bash modules by functionality
│ ├── utils.sh # Utility functions
│ ├── dependencies.sh # Dependency checking
│ ├── aws_profile.sh # AWS profile configuration
│ ├── prowler.sh # Prowler execution
│ ├── support_user.sh # Support user creation
│ ├── aws_resources.sh # AWS resource listing
│ ├── monitoring.sh # Monitoring and observability
│ ├── cost_optimization.sh # Cost optimization
│ ├── security.sh # Security and compliance
│ ├── automation.sh # Routine automation
│ ├── containers.sh # Container management
│ └── database.sh # Database management
├── tests/ # Test suite
└── docs/ # Documentation
This modular approach has two key benefits:
- Easy to contribute: want to add a new feature? Create a module and integrate it. The architecture makes this straightforward.
- Easy to maintain: each module is self-contained, so changes in one area don't affect others.
---
6. Support User Creation
A specific but very useful feature for teams that manage multiple accounts:
arch-cli lsu --acc
or
./arch-cli.sh --lsu --acc
This creates an administrative support user in the specified AWS account. For organizations where the architecture or SRE team needs temporary access to client or project accounts for troubleshooting, this automates what would otherwise be a manual IAM process.
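Access meant to be temporary needs a follow-up check, which ties into the credential rotation tracking from section 2.5. The following added example (not Arch CLI's own code) reads the CSV returned by aws iam get-credential-report and flags old, idle or MFA-less credentials; the thresholds, user names and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone

def _parse_time(value):
    """Report timestamps are ISO 8601; 'N/A' and similar mean no value."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None

def stale_credentials(report_csv, now, max_key_age_days=90, max_idle_days=30):
    """Return {user: [reasons]} for credentials that need rotation or removal."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        reasons = []
        if row.get("password_enabled") == "true" and row.get("mfa_active") != "true":
            reasons.append("console password without MFA")
        for n in ("1", "2"):
            if row.get(f"access_key_{n}_active") != "true":
                continue
            rotated = _parse_time(row.get(f"access_key_{n}_last_rotated"))
            used = _parse_time(row.get(f"access_key_{n}_last_used_date"))
            if rotated and (now - rotated).days > max_key_age_days:
                reasons.append(f"access key {n} older than {max_key_age_days} days")
            if used is None:
                reasons.append(f"access key {n} active but never used")
            elif (now - used).days > max_idle_days:
                reasons.append(f"access key {n} idle for more than {max_idle_days} days")
        if reasons:
            flagged[row["user"]] = reasons
    return flagged

# Constructed excerpt; a real report has more columns, which this code does not read.
SAMPLE_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
support-user-example,true,false,true,2024-01-10T09:00:00+00:00,2024-02-01T12:00:00+00:00,false,N/A,N/A
ci-deployer,false,false,true,2024-05-20T08:00:00+00:00,2024-06-14T23:10:00+00:00,false,N/A,N/A
"""
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user, reasons in stale_credentials(SAMPLE_REPORT, NOW).items():
        print(user, reasons)
```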
---
7. Logging and Auditing
All operations are logged to ~/.arch-cli/arch-cli.log. This is important for:
- Debugging: when something goes wrong, you have a detailed trace
- Auditing: you can track who ran what and when
- Compliance: some organizations require logging of all administrative actions
---
8. Use Cases by Team
Architecture Teams
- Quick visibility into account resources and configurations
- Security posture assessment before architecture reviews
- Cost analysis for capacity planning
SRE Teams
- Daily health checks with arch-cli health
- Monitoring and alarm management from the terminal
- Quick resource listing during incident response
DevOps Teams
- Container management across EKS, ECS and ECR
- Automated backup management
- Profile switching for multi-account deployments
FinOps Teams
- Cost analysis and optimization recommendations
- Underutilized resource identification
- Budget management and tracking
Security Engineers
- Prowler audits integrated in the workflow
- IAM policy analysis
- Credential rotation management
- Compliance verification
---
9. Best Practices
- Set up profiles for each account: use arch-cli np to configure profiles with SSO, then switch between them with arch-cli profile
- Run regular security audits: schedule arch-cli prowler and arch-cli analyze --comprehensive weekly or monthly
- Use health checks in CI/CD: integrate arch-cli health as a pre-deployment check
- Review costs periodically: run arch-cli optimize monthly to catch cost drift early
- Keep the tool updated: pull the latest version regularly to get new features and security improvements
---
Conclusion
Arch CLI is the kind of tool that's born from the real needs of people operating AWS daily. Instead of having dozens of scattered scripts, bashrc aliases and console bookmarks, you get everything centralized in a CLI with an interactive menu.
Version 4.0 with MCP integration and intelligent analysis shows the tool is evolving in the right direction: not just automating tasks, but bringing insights that help with decision-making. And being open source means any team can adapt it to their reality.
If you work with AWS and haven't tried it yet, it's worth a look. The time you spend configuring and switching between tools today, Arch CLI solves with a single command.
---