AWS Resource Inventory
Upon setting up the AWS connector, it starts discovering the resources in your AWS account. The inventory and the metadata of the resources are pushed to the Qualys portal. For a list of the resources that are getting collected, refer to Resources List.
To fetch the updated resources, you need to select Run from the quick actions menu for the AWS connector.
AWS Inventory for Cloud Identity Management
The AWS Inventory now supports Cloud Identity Entitlement Management. This security and identity management solution helps organizations control access to cloud-based resources and applications, following the principle of least privilege.
How Does Identity Management Help Secure Your Cloud?
CIEM solves the following challenges in your cloud environment.
Complexity
In the cloud, identities extend beyond users or service accounts; machine identities also exist. As cloud infrastructure grows in complexity, managing identity and entitlements ensures control over the various identities in the infrastructure, reducing management complexity.
Access Control
Reducing the challenges of maintaining the principle of least privilege. Cloud admins often provide excessive permissions to various personas. Managing the associated privileges can go a long way in securing the cloud network.
Identity Lifecycle Management
Helps automate and keep user and service identity lifecycles up to date, including onboarding, offboarding, and role changes.
Audit and Compliance
Maintain audit trails to ensure compliance with industry regulations and internal policies.
Emerging Threats: Stay ahead of emerging security threats and vulnerabilities.
How Does TotalCloud Assist in Managing Identity Entitlement?
TotalCloud AWS Inventory has introduced additional resources to the inventory specific to CIEM. These resources can help track the permissions associated with the identities in your environment. The Policy Analyzer reviews these resources and checks them against newly introduced insights to show gaps in identity entitlements.
Resources List
TotalCloud will discover and fetch the following resources and their corresponding attributes to display in the inventory. We support the following resource type.
| Sl.no | Resource Types | ENUM | Service |
|---|---|---|---|
| 1 | Accelerators | ACCELERATOR |
Global Accelerator |
| 2 | ACM Certificates | ACM_CERTIFICATE |
ACM |
| 3 | AMIs | EC2_IMAGES |
EC2 |
| 4 | API Gateway | API_GATEWAY |
API Gateway |
| 5 | AppFlow Flows | APPFLOW_FLOWS |
AppFlow |
| 6 | AppSync APIs | APPSYNC_API |
Appsync |
| 7 | Athena Workgroups | ATHENA_WORKGROUP |
Athena |
| 8 | Auto Scaling Group | AUTO_SCALING_GROUP |
EC2 |
| 9 | Backup Vaults | BACKUP_VAULTS |
AWS Backup |
| 10 | Bedrock Custom Model | BEDROCK_CUSTOM_MODEL |
Bedrock |
| 11 | Bedrock Foundation Model | BEDROCK_FOUNDATION_MODEL |
Bedrock |
| 12 | Bedrock Knowledge Bases | BEDROCK_KNOWLEDGE_BASES |
Bedrock |
| 13 | Build Project | BUILD_PROJECT |
CodeBuild |
| 14 | CloudFormation Stacks | CLOUDFORMATION_STACK |
Cloud Formation |
| 15 | CloudFront Distributions | CLOUDFRONT_DISTRIBUTION |
CloudFront |
| 16 | Comprehend Analysis Jobs | COMPREHEND_ANALYSIS_JOBS |
Comprehend |
| 17 | Custom Domain Names | CUSTOM_DOMAIN |
API Gateway |
| 18 | Data Firehose | FIREHOSE |
Kinesis |
| 19 | Data Streams | KINESIS_STREAM |
Kinesis |
| 20 | DataSync Tasks | DATASYNC_TASK |
DataSync |
| 21 | DAX Clusters | DAX_CLUSTER |
DynamoDB |
| 22 | DocumentDB Clusters | DOCUMENT_DB_CLUSTERS |
DocumentDB |
| 23 | DocumentDB Instances | DOCUMENT_DB_INSTANCES |
DocumentDB |
| 24 | DocumentDB Snapshots | DOCUMENT_DB_SNAPSHOTS |
DocumentDB |
| 25 | DS Directory | DS_DIRECTORY |
Directory Service |
| 26 | DynamoDB Tables | DYNAMO_DB_TABLE |
DynamoDB |
| 27 | EBS Volume | EBS |
EC2 |
| 28 | EBS Volume Snapshots | EC2_VOLUME_SNAPSHOT |
EC2 |
| 29 | EC2 Key Pairs | EC2_KEY_PAIR |
EC2 |
| 30 | ECR Repositories | ECR_REPOSITORY |
ECR |
| 31 | ECS Clusters | ECS_CLUSTER |
ECS |
| 32 | ECS Task Definitions | ECS_TASK_DEFINITION |
ECS |
| 33 | EFS Access Points | EFS_ACCESS_POINT |
EFS |
| 34 | EFS File System | EFS_FILE_SYSTEM |
EFS |
| 35 | EKS Cluster | EKS_CLUSTER |
EKS |
| 36 | EKS Fargate Profile | EKS_FARGATE_PROFILE |
EKS |
| 37 | EKS Node Group | EKS_NODEGROUP |
EKS |
| 38 | EMR Clusters | EMR_CLUSTER |
EMR |
| 39 | Glacier Vaults | GLACIER_VAULT |
S3 Glacier |
| 40 | IAM Group | IAM_GROUP |
IAM |
| 41 | IAM Policy | IAM_POLICY |
IAM |
| 42 | IAM Role | IAM_ROLE |
IAM |
| 43 | IAM User | IAM_USER |
IAM |
| 44 | Instance | EC2_INSTANCE |
EC2 |
| 45 | Internet Gateway | INTERNET_GATEWAY |
VPC |
| 46 | KMS | KMS |
KMS |
| 47 | Lambda Function | LAMBDA |
Lambda Function |
| 48 | Load Balancer | LOAD_BALANCER |
EC2 |
| 49 | Memcached | MEMCACHED |
ElastiCache |
| 50 | Meshes | MESH |
App Mesh |
| 51 | MQ Brokers | MQ_BROKER |
MQ |
| 52 | MSK Clusters | MSK_CLUSTER |
MSK |
| 53 | NeptuneDB Clusters | NEPTUNE_DB_CLUSTERS |
NeptuneDB |
| 54 | NeptuneDB Instances | NEPTUNE_DB_INSTANCES |
NeptuneDB |
| 55 | NeptuneDB Snapshots | NEPTUNE_DB_SNAPSHOTS |
NeptuneDB |
| 56 | Network ACL | NETWORK_ACL |
VPC |
| 57 | Network Interfaces | NETWORK_INTERFACES |
EC2 |
| 58 | OpenSearch Domains | ES_DOMAIN |
Elasticsearch Service |
| 59 | QLDB Ledgers (Deprecated) | QLDB_LEDGER |
Quantum Ledger DB |
| 60 | RDS | RDS |
RDS |
| 61 | RDS Snapshot | RDS_SNAPSHOT |
RDS |
| 62 | Redis | REDIS |
ElastiCache |
| 63 | Redshift Cluster | REDSHIFT_CLUSTERS |
Redshift |
| 64 | Replication instances | DMS_REPLICATION |
DMS |
| 65 | Route Table | ROUTE_TABLE |
VPC |
| 66 | Route53 Domains | ROUTE_53_DOMAIN |
Route 53 |
| 67 | Route53 Hosted Zones | ROUTE_53_HOSTED_ZONE |
Route 53 |
| 68 | Route53 Records | ROUTE_53_RECORD |
Route 53 |
| 69 | S3 Bucket | BUCKET |
S3 |
| 70 | Sagemaker Hyper Parameter Tuning Jobs | SAGEMAKER_HYPER_PARAMETER_TUNING_JOB |
SageMaker |
| 71 | Sagemaker Models | SAGEMAKER_MODEL |
SageMaker |
| 72 | Sagemaker Notebook | SAGEMAKER_NOTEBOOK |
SageMaker |
| 73 | Sagemaker Processing Jobs | SAGEMAKER_PROCESSING_JOB |
SageMaker |
| 74 | Sagemaker Training Jobs | SAGEMAKER_TRAINING_JOB |
SageMaker |
| 75 | Secrets | SECRETS |
Secrets Manager |
| 76 | Security Group | VPC_SECURITY_GROUP |
VPC |
| 77 | SES Identities | SES_IDENTITIES |
SES |
| 78 | SNS Topic | SNS_TOPIC |
SNS |
| 79 | SQS Queue | SQS_QUEUE |
SQS |
| 80 | State Machine | STATE_MACHINE |
Step Function |
| 81 | Subnet | SUBNET |
VPC |
| 82 | System Manager | SYSTEM_MANAGER |
System Manager |
| 83 | Transfer Family Servers | TRANSFER_SERVER |
AWS Transfer Family |
| 84 | Transit Gateways | TRANSIT_GATEWAY |
VPC |
| 85 | VPC | VPC |
VPC |
| 86 | VPC Endpoint | VPC_ENDPOINT |
VPC |
| 87 | VPC Endpoint Service | VPC_ENDPOINT_SERVICE |
VPC |
| 88 | Workspace Directories | DIRECTORY |
Workspace |
| 89 | Workspace Personal | WORKSPACE |
Workspace |
| 90 | WorkSpace Pools | WORKSPACE_POOLS |
Workspace |
For IAM resources, the Policy Analyzer does not work on China accounts. TotalCloud only creates an inventory of the Policies. They will not be analyzed with Insights.
You can find additional resources on the inventory beyond what is listed above. These additional resources can be viewed, but they do not have a Resource Details page, nor do they have dedicated tokens.
The following Resource Types are available in the evaluation index but not mapped to any detailed/evaluation-based inventory resource types:
| Resource Types (used only for evaluation purpose and are not mapped to any inventory) |
|---|
CLOUD_WATCH_LOGGROUP |
LAUNCH_CONFIGURATION (Deprecated / New Resource Creation Stopped) |
IAM_PASSWORD (Setting / Not a actual resource) |
CLOUD_WATCH (All Account Level Controls) |
CLOUD_TRAIL |
IAM_SERVER_CERTIFICATE |
AWS_CONFIG (All Account Level Controls) |
SSM_SESSION (All Account Level Controls) |
GUARD_DUTY (All Account Level Controls) |
SECURITY_HUB (All Account Level Controls) |
SSM_DOCUMENT (All Account Level Controls) |
RDS_CLUSTER_SNAPSHOT |
IAM_ACCESS_ANALYZER (All Account Level Controls) |
MICROSOFT_AD_DIRECTORY |
Known Issues
- TotalCloud currently only fetches API Gateway resources of the REST API type and not HTTP or Web Sockets types. This limitation is planned to be addressed in future releases.