AWS Resource Inventory

Upon setting up the AWS connector, it starts discovering the resources in your AWS account. The inventory and the metadata of the resources are pushed to the Qualys portal. For a list of the resources that are getting collected, refer to Resources List.

To fetch the updated resources, you need to select Run from the quick actions menu for the AWS connector.

AWS Inventory for Cloud Identity Management

The AWS Inventory now supports Cloud Identity Entitlement Management. This security and identity management solution helps organizations control access to cloud-based resources and applications, following the principle of least privilege.

How Does Identity Management Help Secure Your Cloud?

CIEM solves the following challenges in your cloud environment.

Complexity

In the cloud, identities extend beyond users or service accounts; machine identities also exist. As cloud infrastructure grows in complexity, managing identity and entitlements ensures control over the various identities in the infrastructure, reducing management complexity. 

Access Control

Reducing the challenges of maintaining the principle of least privilege. Cloud admins often provide excessive permissions to various personas. Managing the associated privileges can go a long way in securing the cloud network.

Identity Lifecycle Management

Helps automate and keep user and service identity lifecycles up to date, including onboarding, offboarding, and role changes.

Audit and Compliance

Maintain audit trails to ensure compliance with industry regulations and internal policies.

Emerging Threats: Stay ahead of emerging security threats and vulnerabilities.

How Does TotalCloud Assist in Managing Identity Entitlement?

TotalCloud AWS Inventory has introduced additional resources to the inventory specific to CIEM. These resources can help track the permissions associated with the identities in your environment. The Policy Analyzer reviews these resources and checks them against newly introduced insights to show gaps in identity entitlements. 

Resources List

TotalCloud will discover and fetch the following resources and their corresponding attributes to display in the inventory. We support the following resource type.

Sl.no Resource Types ENUM Service
1 Accelerators ACCELERATOR Global Accelerator
2 ACM Certificates ACM_CERTIFICATE ACM
3 AMIs EC2_IMAGES EC2
4 API Gateway API_GATEWAY API Gateway
5 AppFlow Flows APPFLOW_FLOWS AppFlow
6 AppSync APIs APPSYNC_API Appsync
7 Athena Workgroups ATHENA_WORKGROUP Athena
8 Auto Scaling Group AUTO_SCALING_GROUP EC2
9 Backup Vaults BACKUP_VAULTS AWS Backup
10 Bedrock Custom Model BEDROCK_CUSTOM_MODEL Bedrock
11 Bedrock Foundation Model BEDROCK_FOUNDATION_MODEL Bedrock
12 Bedrock Knowledge Bases BEDROCK_KNOWLEDGE_BASES Bedrock
13 Build Project BUILD_PROJECT CodeBuild
14 CloudFormation Stacks CLOUDFORMATION_STACK Cloud Formation
15 CloudFront Distributions CLOUDFRONT_DISTRIBUTION CloudFront
16 Comprehend Analysis Jobs COMPREHEND_ANALYSIS_JOBS Comprehend
17 Custom Domain Names CUSTOM_DOMAIN API Gateway
18 Data Firehose FIREHOSE Kinesis
19 Data Streams KINESIS_STREAM Kinesis
20 DataSync Tasks DATASYNC_TASK DataSync
21 DAX Clusters DAX_CLUSTER DynamoDB
22 DocumentDB Clusters DOCUMENT_DB_CLUSTERS DocumentDB
23 DocumentDB Instances DOCUMENT_DB_INSTANCES DocumentDB
24 DocumentDB Snapshots DOCUMENT_DB_SNAPSHOTS DocumentDB
25 DS Directory DS_DIRECTORY Directory Service
26 DynamoDB Tables DYNAMO_DB_TABLE DynamoDB
27 EBS Volume EBS EC2
28 EBS Volume Snapshots EC2_VOLUME_SNAPSHOT EC2
29 EC2 Key Pairs EC2_KEY_PAIR EC2
30 ECR Repositories ECR_REPOSITORY ECR
31 ECS Clusters ECS_CLUSTER ECS
32 ECS Task Definitions ECS_TASK_DEFINITION ECS
33 EFS Access Points EFS_ACCESS_POINT EFS
34 EFS File System EFS_FILE_SYSTEM EFS
35 EKS Cluster EKS_CLUSTER EKS
36 EKS Fargate Profile EKS_FARGATE_PROFILE EKS
37 EKS Node Group EKS_NODEGROUP EKS
38 EMR Clusters EMR_CLUSTER EMR
39 Glacier Vaults GLACIER_VAULT S3 Glacier
40 IAM Group IAM_GROUP IAM
41 IAM Policy IAM_POLICY IAM
42 IAM Role IAM_ROLE IAM
43 IAM User IAM_USER IAM
44 Instance EC2_INSTANCE EC2
45 Internet Gateway INTERNET_GATEWAY VPC
46 KMS KMS KMS
47 Lambda Function LAMBDA Lambda Function
48 Load Balancer LOAD_BALANCER EC2
49 Memcached MEMCACHED ElastiCache
50 Meshes MESH App Mesh
51 MQ Brokers MQ_BROKER MQ
52 MSK Clusters MSK_CLUSTER MSK
53 NeptuneDB Clusters NEPTUNE_DB_CLUSTERS NeptuneDB
54 NeptuneDB Instances NEPTUNE_DB_INSTANCES NeptuneDB
55 NeptuneDB Snapshots NEPTUNE_DB_SNAPSHOTS NeptuneDB
56 Network ACL NETWORK_ACL VPC
57 Network Interfaces NETWORK_INTERFACES EC2
58 OpenSearch Domains ES_DOMAIN Elasticsearch Service
59 QLDB Ledgers (Deprecated) QLDB_LEDGER Quantum Ledger DB
60 RDS RDS RDS
61 RDS Snapshot RDS_SNAPSHOT RDS
62 Redis REDIS ElastiCache
63 Redshift Cluster REDSHIFT_CLUSTERS Redshift
64 Replication instances DMS_REPLICATION DMS
65 Route Table ROUTE_TABLE VPC
66 Route53 Domains ROUTE_53_DOMAIN Route 53
67 Route53 Hosted Zones ROUTE_53_HOSTED_ZONE Route 53
68 Route53 Records ROUTE_53_RECORD Route 53
69 S3 Bucket BUCKET S3
70 Sagemaker Hyper Parameter Tuning Jobs SAGEMAKER_HYPER_PARAMETER_TUNING_JOB SageMaker
71 Sagemaker Models SAGEMAKER_MODEL SageMaker
72 Sagemaker Notebook SAGEMAKER_NOTEBOOK SageMaker
73 Sagemaker Processing Jobs SAGEMAKER_PROCESSING_JOB SageMaker
74 Sagemaker Training Jobs SAGEMAKER_TRAINING_JOB SageMaker
75 Secrets SECRETS Secrets Manager
76 Security Group VPC_SECURITY_GROUP VPC
77 SES Identities SES_IDENTITIES SES
78 SNS Topic SNS_TOPIC SNS
79 SQS Queue SQS_QUEUE SQS
80 State Machine STATE_MACHINE Step Function
81 Subnet SUBNET VPC
82 System Manager SYSTEM_MANAGER System Manager
83 Transfer Family Servers TRANSFER_SERVER AWS Transfer Family
84 Transit Gateways TRANSIT_GATEWAY VPC
85 VPC VPC VPC
86 VPC Endpoint VPC_ENDPOINT VPC
87 VPC Endpoint Service VPC_ENDPOINT_SERVICE VPC
88 Workspace Directories DIRECTORY Workspace
89 Workspace Personal WORKSPACE Workspace
90 WorkSpace Pools WORKSPACE_POOLS Workspace

For IAM resources, the Policy Analyzer does not work on China accounts. TotalCloud only creates an inventory of the Policies. They will not be analyzed with Insights.

You can find additional resources on the inventory beyond what is listed above. These additional resources can be viewed, but they do not have a Resource Details page, nor do they have dedicated tokens.

The following Resource Types are available in the evaluation index but not mapped to any detailed/evaluation-based inventory resource types:

Resource Types
(used only for evaluation purpose and are not mapped to any inventory)
CLOUD_WATCH_LOGGROUP
LAUNCH_CONFIGURATION (Deprecated / New Resource Creation Stopped)
IAM_PASSWORD (Setting / Not a actual resource)
CLOUD_WATCH (All Account Level Controls)
CLOUD_TRAIL
IAM_SERVER_CERTIFICATE
AWS_CONFIG (All Account Level Controls)
SSM_SESSION (All Account Level Controls)
GUARD_DUTY (All Account Level Controls)
SECURITY_HUB (All Account Level Controls)
SSM_DOCUMENT (All Account Level Controls)
RDS_CLUSTER_SNAPSHOT
IAM_ACCESS_ANALYZER (All Account Level Controls)
MICROSOFT_AD_DIRECTORY

Known Issues

  • TotalCloud currently only fetches API Gateway resources of the REST API type and not HTTP or Web Sockets types. This limitation is planned to be addressed in future releases.