Help & Documentation

FluffyStack is a service catalogue, comparison tool, and governance builder for the major cloud providers. This page explains every feature and how the pages flow together.

Workflow Overview

FluffyStack exists to help teams answer one question: which cloud services should we use, and why?

The site is built around a four-step flow: discover → compare → choose → govern. You don't have to follow it in order — most pages stand on their own — but if you're new, this is the typical journey from "I'm planning a project" to "our approved service list is enforced in production".

Step 1Discover
Browse the full catalogue of 149 services across 9 cloud providers. Use the search bar with directives, filter chips, or browse by category in the column view.
Step 2Visualise
See the cloud landscape from above with 7 interactive charts: treemap, honeycomb, sunburst, network graph, sankey flow, radar, and coverage map.
Step 3Compare
Pick up to 4 services and see them side by side. Includes a one-click 'compare with equivalents' button on every service detail page.
Step 4Approve
Build your organisation's approved cloud service list. Add services, drag to reorder, group by provider. Save to a shareable URL or import an existing list.
Step 5Govern
Export your list as services.json, services.md, AWS SCP, Azure Policy, GCP Org Policy, Terraform (.tf), or a print-friendly PDF for governance committees.
Step 6Migrate
Already on one cloud? The migration assistant maps your current services onto the equivalent services on a different provider, marking exact, partial, or missing matches.
Step 7Audit
Compare two saved lists side by side to see what's been added, removed, or unchanged. Useful for quarterly reviews and migration tracking.

What Each Page Does

Browse

Services

The main catalogue. Filter by provider, category, free tier, CPU architecture, and compliance framework. Switch between catalogue, grouped, grid, and table views.

Visualise

Explore

Interactive charts showing the cloud landscape. Treemap is the default; switch via the sidebar drawer. All charts respect filters in real time.

Decide

Compare

Side-by-side comparison of up to 4 services. URL is shareable via ?ids= so you can deep-link to specific comparisons.

Plan

Migrate

Three-step wizard: pick source and target clouds, add the services you currently use, review the mapping table. Export the target list directly.

Approve

Service Builder

Build your approved service list. Drag to reorder, group by provider, save to a shareable URL. Export panel offers 9 different formats.

Audit

Diff

Paste two saved lists and see what changed. Works with any format the import analyser understands (services.json, services.md, AWS SCP, Azure Policy, GCP Org Policy).

Examples

Use Cases

Six curated cloud architectures with pre-built service lists. Click into any one to compare or import directly.

News

Changelog

Track new services launching, services being deprecated, capability additions, brand changes, and compliance updates across all providers.

Search Directives

The search bar supports Google-style directives that filter results before fuzzy matching runs. Combine multiple directives with free-text terms.

Tag vs filter — what's the difference?

FluffyStack uses two related but distinct concepts to narrow down the catalogue. They're easy to confuse.

🏷 Tag

Metadata attached to the service in the underlying data. Tags live in the YAML data files and only change when a service is edited.

A service can have many tags: kubernetes, managed, serverless.

🎚 Filter

A runtime selectoryou apply to narrow down the visible list. Filters are UI controls — chips, dropdowns, toggles. They only exist while you're browsing.

Examples: the Provider chip strip, the Free tier toggle, the CPU architecture radio.

The relationship: filters consume data, tags are one kind of data filters can consume. When you type tag:kubernetes in the search box, you're using a directive that filters by tag value. The category:compute directive is different — it filters by the service's structured category field, which is a separate dimension from tags.

Rule of thumb:use a filter chip when the dimension has a closed vocabulary (Provider, Category, Compliance framework). Use a tag when the dimension is open-ended (serverless, real-time, deprecated). They're not mutually exclusive — both can be applied together.

Try it

kubernetes vendor:aws tier:free compliance:soc2 country:DE

Finds AWS services matching "kubernetes" that have a free tier, SOC 2 attestation, and at least one region in Germany.

Available directives

Directive	Description	Example
`vendor:` Alias: `provider:`	Filter by cloud provider aws · azure · gcp · oracle · ibm · huawei · alibaba · ovh · cloudflare	`vendor:aws`
`category:` Alias: `cat:`	Filter by service category compute · storage · database · networking · security · ai-ml · analytics · etc	`category:compute`
`tier:` Alias: `free:`	Filter by free tier availability free · paid	`tier:free`
`arch:` Alias: `cpu:`	Filter by CPU architecture x86 · arm · power · mainframe · risc-v (accepts aliases: graviton · xeon · ppc64le · s390x · linuxone · riscv)	`arch:arm`
`compliance:` Alias: `cert:`	Filter by compliance attestation gdpr · hipaa · soc2 · iso27001 · pci-dss · fedramp · uk-gcloud · csa-star	`compliance:gdpr`
`country:` Alias: `iso:`	Match services with a region in this country ISO 3166 code (GB, US, DE) or friendly name (united kingdom, germany)	`country:DE`
`region:`	Match services available in this exact region any provider region id	`region:eu-west-2`
`continent:`	Match services with regions on this continent europe · north-america · south-america · asia · oceania · middle-east · africa (plus apac · emea · latam aliases)	`continent:europe`
`sovereign:` Alias: `residency:`	Filter to sovereign-cloud regions only true · false	`sovereign:true`
`tag:`	Match an exact tag any tag value	`tag:kubernetes`
`name:`	Substring match against name only any substring	`name:lambda`
`subservices:` Alias: `features:`	Numeric comparison on sub-service count >N · <N · >=N · <=N · =N	`subservices:>5`
`gpu:` Alias: `accelerator:`	GPU support — boolean or heuristic string match true · false · nvidia · amd · h100 · a100 · tpu	`gpu:true`
`instance-type:` Alias: `instance: · sku: · shape:`	Substring match against service name / tags for a specific instance type any instance type or SKU identifier	`instance-type:c5.2xlarge`

Negation

Prefix any directive with - to exclude matches:

-vendor:aws→ Show services from any provider EXCEPT AWS

storage -tag:deprecated→ Find storage services that aren't tagged deprecated

kubernetes -vendor:gcp -vendor:azure→ Find Kubernetes services excluding GCP and Azure

Quoted phrases

Wrap multi-word phrases in double quotes to keep them as a single search term:

"object storage" vendor:aws→ Search for the exact phrase "object storage" on AWS

Cloud Glossary

Plain-English definitions for common cloud terminology. Every abbreviation in this glossary is also wired into the search — typing K8s matches services tagged kubernetes, typing LB matches load-balancer, and so on. You don't need to know the full terminology to find what you're looking for.

Architecture & deployment models

IaaS— Infrastructure as a Service

Raw compute, storage, and networking you rent and configure yourself. Examples: AWS EC2, Azure Virtual Machines, GCP Compute Engine.

Also:infrastructure-as-a-service

PaaS— Platform as a Service

A managed runtime for your application — you deploy code, the provider handles the servers, scaling, and OS patches. Examples: Heroku, AWS Elastic Beanstalk, Google App Engine.

Also:platform-as-a-service

SaaS— Software as a Service

A ready-made application delivered over the internet. Customers consume it; they don't deploy or manage any infrastructure. Examples: Salesforce, Snowflake, Workday.

Also:software-as-a-service

FaaS— Function as a Service

Run individual functions on demand without provisioning any server. The provider runs your code only when it's invoked and charges per-invocation. Examples: AWS Lambda, Azure Functions, Cloudflare Workers.

Also:function-as-a-serviceserverless-functions

Serverless— Serverless computing

Any model where the provider manages the underlying compute, scales it automatically, and bills per request or per resource used rather than per hour of provisioned capacity. FaaS is one subset.

Compute

VM— Virtual Machine

An emulated computer running on a shared physical host. The default IaaS compute primitive.

Also:virtual-machinevirtual-machinesinstanceinstances

K8s— Kubernetes

An open-source container orchestrator. Schedules containers onto a cluster, restarts them when they crash, and exposes them to the network.

Also:kuberneteskube

Container— Container

A lightweight, isolated runtime for an application, packaged with its dependencies. Much smaller and faster than a VM.

Also:containersdocker

ARM— Advanced RISC Machine

A CPU architecture family known for power efficiency. AWS Graviton, Azure Cobalt, GCP Axion, and Ampere Altra are ARM-based server CPUs.

Also:aarch64gravitonampereapple-silicon

x86— x86 architecture

The dominant server CPU architecture family, implemented by Intel Xeon and AMD EPYC processors.

Also:x64amd64intelamd

GPU— Graphics Processing Unit

A massively parallel processor originally designed for graphics but now the default choice for machine learning training and inference.

Also:nvidiaamd-gpuaccelerator

Storage

Object Storage— Object storage

Storage organised as immutable blobs keyed by a name inside a bucket. Cheap, durable, highly available, and accessed over HTTP. Examples: AWS S3, Azure Blob Storage, GCP Cloud Storage.

Also:object-storagebucketbucketss3blobblob-storage

Block Storage— Block storage

Storage presented as a raw block device (like a hard drive) that you format and mount to a VM. Examples: AWS EBS, Azure Managed Disks, GCP Persistent Disk.

Also:block-storageebspersistent-diskmanaged-disk

File Storage— File storage

Network-mounted filesystems shared across multiple VMs. Examples: AWS EFS, Azure Files, GCP Filestore.

Also:file-storagenfssmbefsazure-files

CDN— Content Delivery Network

A globally distributed cache of static assets. Reduces latency by serving users from the nearest edge location. Examples: Cloudflare, AWS CloudFront, Akamai.

Also:content-delivery-networkedge

Networking

VPC— Virtual Private Cloud

An isolated, customer-defined network space within a public cloud. You carve it into subnets, route-tables, and security groups. Examples: AWS VPC, Azure Virtual Network, GCP VPC.

Also:virtual-private-cloudvirtual-networkvnet

LB— Load Balancer

Distributes incoming traffic across multiple backend instances. Handles health checks, TLS termination, and session affinity.

Also:load-balancerload-balancersalbnlbelb

VPN— Virtual Private Network

An encrypted tunnel between your on-premises network and your cloud VPC. Provides private connectivity without crossing the public internet.

Also:virtual-private-networksite-to-site

WAF— Web Application Firewall

A filter that inspects HTTP requests and blocks attacks like SQL injection, XSS, and bot traffic before they reach your application.

Also:web-application-firewall

DNS— Domain Name System

The system that translates domain names (fluffystack.dev) into IP addresses. Every cloud provider offers managed authoritative DNS.

Also:domain-name-system

Databases

RDBMS— Relational Database Management System

A database organised into tables with rows and columns, queried with SQL. Examples: AWS RDS, Azure SQL Database, GCP Cloud SQL, PostgreSQL, MySQL.

Also:relational-databasesql-databasemysqlpostgrespostgresql

NoSQL— Non-relational database

Umbrella term for databases that don't use the relational model. Includes document (MongoDB, DynamoDB), key-value (Redis), column (Cassandra), and graph (Neo4j) stores.

Also:non-relationaldocument-databasekey-value

OLTP— Online Transaction Processing

Database workloads dominated by small, frequent read/write operations — the kind of queries a web application makes against a user table.

Also:transactionaltransactional-database

OLAP— Online Analytical Processing

Database workloads dominated by large aggregation queries across huge datasets. Examples: Snowflake, BigQuery, Redshift, Azure Synapse.

Also:analyticalanalytical-databasedata-warehouse

Security & identity

IAM— Identity and Access Management

The system that controls who can do what inside a cloud account. Users, roles, policies, and permissions all live here. Examples: AWS IAM, Azure Entra ID, GCP IAM.

Also:identity-and-access-managementaccess-management

SSO— Single Sign-On

A login system that authenticates a user once and grants them access to multiple applications without logging in again. Typically backed by SAML or OIDC.

Also:single-sign-onfederated-login

MFA— Multi-Factor Authentication

Requires a second authentication factor (a code, a key, a biometric) in addition to a password. A cornerstone of modern cloud security.

Also:2famulti-factor-authenticationtwo-factor

KMS— Key Management Service

A managed service for creating and using encryption keys. Keys never leave the service — customers call it to encrypt and decrypt data.

Also:key-managementkey-management-service

SCP— Service Control Policy

An AWS governance primitive that restricts what AWS APIs can be called within an AWS Organisations OU. FluffyStack generates SCPs from your approved service list.

Also:service-control-policy

G-Cloud— UK Government Cloud Framework

The UK Government's procurement framework for buying cloud services. Providers listed on G-Cloud can sell to central and local government bodies via the Digital Marketplace. Services tagged UK-GCloud in FluffyStack are listed on the framework.

Also:gcloud-ukuk-gclouduk-governmentuk-govcrown-commercialcrown-commercial-servicedigital-marketplacegovernment-cloud

FedRAMP— Federal Risk and Authorization Management Program

A US government programme that standardises security assessment for cloud services used by federal agencies. FedRAMP High is required for sensitive government workloads. Providers with FedRAMP authorisation are flagged in FluffyStack's compliance data.

Also:federal-riskus-governmentus-govgovernment-cloudgovcloud

SOC 2— System and Organization Controls 2

An audit framework that evaluates a service provider's controls for security, availability, processing integrity, confidentiality, and privacy. Most enterprise cloud buyers require SOC 2 Type II reports.

Also:soc2soc-2system-and-organization-controls

HIPAA— Health Insurance Portability and Accountability Act

US legislation governing the handling of protected health information (PHI). Cloud services that are HIPAA-eligible sign a Business Associate Agreement (BAA) with the customer.

Also:healthcarehealth-dataphiprotected-health-information

Operations

CI/CD— Continuous Integration / Continuous Delivery

The practice of automatically building, testing, and deploying code on every change. Examples: GitHub Actions, GitLab CI, Jenkins, AWS CodePipeline.

Also:cicdcicdcontinuous-integrationcontinuous-delivery

IaC— Infrastructure as Code

Defining infrastructure in version-controlled files (HCL, YAML, TypeScript) rather than clicking through a console. Examples: Terraform, Pulumi, AWS CloudFormation.

Also:infrastructure-as-codeterraformpulumicloudformation

SRE— Site Reliability Engineering

An engineering discipline focused on reliability, uptime, and operational excellence. Coined at Google.

Also:site-reliability-engineering

SLA— Service Level Agreement

A formal commitment from a provider about availability, performance, or recovery time — usually with financial credits if breached.

Also:service-level-agreementuptime-guarantee

AI & ML

ML— Machine Learning

Training models from data rather than writing explicit rules. The foundation of modern AI services.

Also:machine-learningai-ml

LLM— Large Language Model

A transformer model trained on huge volumes of text, capable of generation, reasoning, and conversation. Examples: GPT, Claude, Gemini, Llama.

Also:large-language-modelgptclaudegemini

RAG— Retrieval-Augmented Generation

Giving an LLM access to a search index so it can ground its answers in specific documents instead of relying only on its training data.

Also:retrieval-augmented-generation

Vector DB— Vector database

A database optimised for similarity search on high-dimensional embedding vectors — the storage layer behind most RAG systems.

Also:vector-dbvector-databaseembedding-database

Building Your Approved List

The Service Builder page is where you assemble the cloud services your organisation has approved for use. Two columns: catalogue on the left, approved list on the right.

Adding services

Click the button next to any catalogue item
Drag a catalogue item onto the approved drop zone
Append ?add=service-id to the URL (used by the "Add to Service Builder" button on service detail pages)
Append ?services=id1,id2,id3 to load an entire list at once

Reordering

Drag the grip handle on any approved item to reorder
Keyboard: Tab to a handle, Space to pick up, ↑↓ to move, Space to drop
The visual list always groups by provider — moving across providers reorders within the source group

Sharing

The Share button saves your list to the FluffyStack API and gives you a short URL. Anyone with the URL can load the same list. Lists expire after 90 days unless re-saved.

Import & Export

Lists can be imported from and exported to several formats. The smart import analyser detects the format automatically.

Supported import formats

services.json — FluffyStack v1 hierarchical format
services.md — FluffyStack v1 hierarchical markdown format
AWS SCP — Service Control Policy JSON
Azure Policy — Resource policy definition JSON
GCP Organization Policy — Org policy YAML/JSON

Export formats

Format	When to use
`services.json`	Machine-readable list. Use with LLMs, governance scripts, or to re-import later.
`services.md`	Human-readable. Drop into wikis, runbooks, or Notion docs.
`AWS SCP`	Attach to your AWS Organisation OU as a Service Control Policy to enforce the list.
`Azure Policy`	Deploy as an Azure Policy assignment to deny non-approved resource types.
`GCP Org Policy`	Apply via gcloud as an organisation policy on gcp.restrictServiceUsage.
`Terraform (.tf)`	One .tf file with all relevant policy resources. Drop into your infra-as-code repo.
`Print / PDF`	Browser print preview optimised for A4. Use Save as PDF for governance committees.
`Embed snippet`	Copies an <iframe> snippet pointing at /embed?services=… for internal wikis.

Governance Policies

The platform-native exports (AWS SCP, Azure Policy, GCP Org Policy) generate deny-by-default policies. They allow only the services on your approved list and deny everything else. This is the strongest enforcement model.

Test in a sandbox account first.Generated policies are based on the cloud provider's public service identifiers and may not cover every nested API. Always test before applying to production accounts.

Migration Planning

The Migration Assistant maps services across clouds using the equivalence data baked into each service. Match quality is one of:

Exact

Direct equivalent declared in FluffyStack data (e.g. AWS Lambda → Azure Functions → GCP Cloud Functions).

Partial

Same category but no explicit equivalent. FluffyStack picks the first matching service in the target provider's catalogue. Verify in Compare before relying on it.

Missing

No service in that category exists for the target provider. You'll need to find an alternative architecture.

Embedding in Wikis

Click Embed snippet in the export panel to copy an <iframe> that renders your approved list chromelessly. Drop it into Confluence, Notion, internal wikis, or any HTML host.

<iframe
  src="https://fluffystack.dev/embed?services=aws-ec2,azure-vm,gcp-compute-engine"
  width="100%"
  height="640"
  style="border:0;"
  loading="lazy"
  title="Approved cloud services"
></iframe>

The embed updates whenever the host page is reloaded — but the service IDs are baked into the URL, so the embed itself stays static. To change the list shown, paste a new snippet.

Public API

FluffyStack exposes a JSON API for programmatic access to the full service catalogue, governance policy generation, and list management. Use it from CI pipelines, LLM agents, Terraform modules, or your own tooling.

Base URL

https://api.fluffystack.dev/v1

All responses are JSON. HTTPS only.

Authentication

Read-only catalogue endpoints work without a key. Governance endpoints (policy generation, list creation, exports) require a free API key. Get one by signing in on the Account page.

Pass your key via the X-API-Key header or the api_key query parameter.

Rate limits

Tier	Limit	Identifier
Anonymous	30 req/min	By IP address
Authenticated	120 req/min	By API key

Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers.

Endpoints

Method	Path	Auth	Description
GET	/v1/providers	—	List all cloud providers
GET	/v1/categories	—	List all service categories
GET	/v1/services	—	Search/filter services (paginated)
GET	/v1/services/:slug	—	Single service with full details
GET	/v1/compare?ids=a,b,c	—	Side-by-side comparison (max 10)
POST	/v1/policies/aws-scp	KEY	Generate AWS Service Control Policy
POST	/v1/policies/azure-policy	KEY	Generate Azure Policy definition
POST	/v1/policies/gcp-org-policy	KEY	Generate GCP Organisation Policy
POST	/v1/export/markdown	KEY	Export service list as Markdown
POST	/v1/lists	KEY	Save a shareable approved list
GET	/v1/lists/:id	—	Retrieve a saved list
GET	/v1/status	—	API health check

Examples

Browse AWS compute services

curl "https://api.fluffystack.dev/v1/services?provider=aws&category=compute"

Generate an AWS SCP (requires key)

curl -X POST https://api.fluffystack.dev/v1/policies/aws-scp \
  -H "X-API-Key: flsk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"serviceIds": ["aws-ec2", "aws-s3", "aws-lambda"]}'

Schema validation

Exported service lists include a $schema pointer to the published JSON Schema. Use it to validate exports in your CI pipeline:

/v1/schemas/service-list.schema.json →

Accessibility

FluffyStack is built to WCAG 2.2 AA standards. The site honours your operating system preferences:

Dark mode — auto-detected from prefers-color-scheme
Reduced motion — auto-detected from prefers-reduced-motion
Browser zoom — text reflows at any zoom level up to 200%
Keyboard navigation — every interactive element is reachable via Tab and operable via Space/Enter
Visible focus rings — all focusable elements have a 3px focus indicator
Skip-to-content link — first Tab on every page
ARIA live regions — list changes are announced to screen readers

In addition, the colour filter overlay (palette icon in the header) provides tinted overlays for users with visual stress or Irlen syndrome. The theme toggle (sun/moon icon) lets you override OS dark mode.

Reading preferences (book icon)

The book icon in the header opens a panel with four independent knobs for neurodiverse and low-vision users:

Font — default (Geist), Atkinson Hyperlegible (designed for low-vision users, open letter shapes), or OpenDyslexic (weighted bottoms that help with letter flipping).
Motion— follow system, always reduce, or always animate. Useful if your OS preference doesn't match your actual preference for this site.
Line spacing — normal, relaxed, or loose. Loose adds generous vertical space, word-spacing, and letter-spacing; most dyslexia research recommends extra line height.
Focus mode — dims decorative chrome (ads, sparkles, non-interactive icons) so the service list reads like a clean document. Hover to unhide.

All four settings are remembered across visits (localStorage). A small dot on the book icon means you have active non-default preferences.

Still stuck?

Have a question, found a bug, or want to request a feature? Get in touch via GitHub.

Report an issue