
Asset Inventory

AWS Asset Inventory

Overview

The AWS Asset Inventory integration (regscale aws sync_assets) collects a comprehensive inventory of AWS resources across compute, storage, networking, and security services. It gives complete asset visibility for compliance, security posture management, and resource tracking.

Command Syntax

regscale aws sync_assets [OPTIONS]
regscale aws inventory collect [OPTIONS]

Basic Usage

Sync All AWS Assets to RegScale

regscale aws sync_assets --regscale-id 123

Sync Assets with Filtering

# Filter by AWS account
regscale aws sync_assets \
  --regscale-id 123 \
  --account-id 123456789012

# Filter by tags
regscale aws sync_assets \
  --regscale-id 123 \
  --tags Environment=production,Team=security

# Combine filters
regscale aws sync_assets \
  --regscale-id 123 \
  --account-id 123456789012 \
  --tags Environment=production

Collect Inventory to JSON File

# Export inventory to file
regscale aws inventory collect \
  --output inventory.json

# With filtering
regscale aws inventory collect \
  --tags Environment=production \
  --output prod-inventory.json

Supported AWS Services

The AWS inventory collector provides comprehensive information about ~78 AWS services across 12 categories, with account and tag filtering supported for every service.

Compute Services (8 services)

  • EC2 (Elastic Compute Cloud) - Instances, AMIs, snapshots, volumes
  • Lambda - Functions, layers, aliases
  • ECS (Elastic Container Service) - Clusters, services, task definitions
  • AWS Batch - Compute environments, job queues, job definitions
  • App Runner - Services, configurations, deployments
  • Elastic Beanstalk - Applications, environments, configurations
  • Amazon Lightsail - Instances, containers, databases
  • Systems Manager - Managed instances, patch compliance, parameters

Storage Services (6 services)

  • S3 (Simple Storage Service) - Buckets, encryption, versioning, logging
  • EBS (Elastic Block Store) - Volumes, snapshots, encryption status
  • Amazon EFS - File systems, mount targets, performance modes
  • Amazon FSx - File systems for Windows, Lustre, NetApp ONTAP, OpenZFS
  • AWS Storage Gateway - Gateways, volumes, tape libraries
  • AWS Backup - Backup vaults, plans, recovery points

Database Services (9 services)

  • RDS (Relational Database Service) - Instances, engines, Multi-AZ, encryption
  • DynamoDB - Tables, indexes, capacity units, encryption
  • Amazon ElastiCache - Redis and Memcached clusters
  • Amazon Neptune - Graph database clusters
  • Amazon DocumentDB - MongoDB-compatible clusters
  • Amazon Redshift - Data warehouse clusters
  • Amazon Keyspaces - Cassandra-compatible keyspaces
  • Amazon Timestream - Time-series databases

Networking & Content Delivery (11 services)

  • VPC (Virtual Private Cloud) - VPCs, subnets, security groups, NACLs
  • Elastic IP - Public IPs, allocation IDs
  • Load Balancers (ALB/NLB) - Application and Network load balancers
  • CloudFront - Distributions, origins, behaviors
  • Route 53 - Hosted zones, record sets, health checks
  • AWS Direct Connect - Connections, virtual interfaces
  • Transit Gateway - Gateways, attachments, route tables
  • VPN Connections - Site-to-site VPNs, customer gateways
  • AWS Global Accelerator - Accelerators, listeners, endpoint groups
  • AWS Network Firewall - Firewalls, policies, rule groups
  • Route53 Resolver - Resolver endpoints, rules

Security, Identity & Compliance (11 services)

  • IAM (Identity and Access Management) - Users, roles, groups, policies
  • KMS (Key Management Service) - Keys, aliases, rotation status
  • Secrets Manager - Secrets, rotation configurations
  • WAF (Web Application Firewall) - Web ACLs, IP sets, rule groups
  • ACM (Certificate Manager) - SSL/TLS certificates, validation status
  • CloudTrail - Trails, event selectors, log file validation
  • AWS Config - Configuration recorders, rules, compliance status
  • GuardDuty - Detectors, findings, threat intelligence
  • Security Hub - Security standards, controls, findings
  • AWS Inspector - Assessment templates, findings, vulnerability scans
  • AWS Audit Manager - Assessments, frameworks, controls, evidence

Analytics Services (6 services)

  • Amazon EMR - Clusters, instance groups, steps
  • Amazon Kinesis Data Streams - Streams, shards, retention periods
  • Amazon Kinesis Firehose - Delivery streams, destinations
  • AWS Glue - Databases, tables, crawlers, jobs
  • Amazon Athena - Workgroups, query executions
  • Amazon MSK (Managed Streaming for Kafka) - Kafka clusters, brokers

Machine Learning Services (6 services)

  • Amazon SageMaker - Inference endpoints, models, notebook instances
  • Amazon Rekognition - Face collections, custom labels
  • Amazon Comprehend - Custom model endpoints, entity recognizers

Developer Tools (4 services)

  • AWS CodePipeline - Pipelines, stages, actions
  • AWS CodeBuild - Build projects, environments, artifacts
  • AWS CodeDeploy - Applications, deployment groups
  • AWS CodeCommit - Repositories, branches, commits

Application Services (4 services)

  • AWS Step Functions - State machines, executions
  • AWS AppSync - GraphQL APIs, schemas, resolvers
  • Amazon WorkSpaces - Virtual desktops, bundles
  • AWS IoT Core - Things, certificates, policies, rules

Application Integration (4 services)

  • API Gateway - REST and HTTP APIs, stages, deployments
  • SNS (Simple Notification Service) - Topics, subscriptions
  • SQS (Simple Queue Service) - Queues, dead-letter queues
  • EventBridge (CloudWatch Events) - Event buses, rules, targets

Containers (1 service)

  • ECR (Elastic Container Registry) - Repositories, images, image scanning

Configuration Management (1 service)

  • AWS Config - Configuration items, snapshots, compliance timeline

Filtering Options

Account ID Filtering

regscale aws sync_assets --regscale-id 3 --account-id 123456789012

Tag Filtering

# Single tag
regscale aws sync_assets --regscale-id 3 --tags Environment=production

# Multiple tags (AND logic - all must match)
regscale aws sync_assets --regscale-id 3 \
    --tags Environment=production,Team=security,CostCenter=Engineering

Combined Filtering

regscale aws sync_assets --regscale-id 3 \
    --account-id 123456789012 \
    --tags Environment=production,Compliance=required

Note: Tag filtering uses AND logic - all specified tags must match. Resources without tags are excluded when filtering by tags.

Tag Requirements:

  • Tags are case-sensitive
  • Resources without tags are excluded when filtering
  • Use commas to separate tag pairs (no spaces)
  • Format: key1=value1,key2=value2
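The account and tag filter semantics described above, as an added example that is not RegScale CLI code: it parses the key1=value1,key2=value2 format, applies AND logic with case-sensitive comparison, and excludes untagged resources whenever a tag filter is in effect. The resource records, IDs and account numbers are constructed for the example.

```python
# Added example (not RegScale CLI code): the account and tag filter semantics
# this page describes, applied to constructed resource records. Tag matching is
# AND logic, case-sensitive, and untagged resources never match a tag filter.
from typing import Dict, List, Optional


def parse_tag_filter(spec: str) -> Dict[str, str]:
    """Parse the --tags format key1=value1,key2=value2 (no spaces) into a dict.

    A malformed pair raises instead of being ignored, so a typo such as
    'Environment=production,Team' fails loudly rather than silently changing
    which resources are selected.
    """
    required: Dict[str, str] = {}
    for pair in spec.split(","):
        if "=" not in pair:
            raise ValueError(f"malformed tag pair {pair!r}; expected key=value")
        key, value = pair.split("=", 1)
        if not key:
            raise ValueError(f"empty tag key in {pair!r}")
        required[key] = value
    return required


def matches_all_tags(resource_tags: Optional[Dict[str, str]],
                     required: Dict[str, str]) -> bool:
    """AND logic: every required key must be present with an exactly equal value.

    Comparison is case-sensitive, and a resource with no tags is excluded
    whenever any tag filter is in effect.
    """
    if not resource_tags:
        return False
    return all(resource_tags.get(key) == value for key, value in required.items())


def filter_resources(resources: List[dict], tag_spec: Optional[str] = None,
                     account_id: Optional[str] = None) -> List[dict]:
    """Apply the optional --account-id and --tags filters to resource records."""
    required = parse_tag_filter(tag_spec) if tag_spec else {}
    selected = []
    for resource in resources:
        if account_id is not None and resource["account_id"] != account_id:
            continue
        if required and not matches_all_tags(resource.get("tags"), required):
            continue
        selected.append(resource)
    return selected


# Constructed sample inventory; the IDs, account numbers and tags are made up.
SAMPLE_RESOURCES = [
    {"id": "i-0aaa111", "account_id": "123456789012",
     "tags": {"Environment": "production", "Team": "security"}},
    {"id": "i-0bbb222", "account_id": "123456789012",
     "tags": {"Environment": "Production", "Team": "security"}},  # wrong case
    {"id": "vol-0ccc333", "account_id": "123456789012", "tags": {}},  # untagged
    {"id": "db-0ddd444", "account_id": "999999999999",
     "tags": {"Environment": "production", "Team": "security"}},
    {"id": "fn-0eee555", "account_id": "123456789012",
     "tags": {"Environment": "production"}},
]


def selected_ids(tag_spec: Optional[str] = None,
                 account_id: Optional[str] = None) -> List[str]:
    """Return just the IDs of the constructed resources that survive the filters."""
    return [r["id"] for r in filter_resources(SAMPLE_RESOURCES, tag_spec, account_id)]


if __name__ == "__main__":
    print(selected_ids("Environment=production,Team=security"))
    print(selected_ids("Environment=production", account_id="123456789012"))
```

Note that i-0bbb222 is dropped by the first call solely because its Environment value is capitalised, and vol-0ccc333 is dropped by every tag-filtered call because it carries no tags at all; both are the exclusions the Tag Requirements list warns about.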

By Region

# Specific region
regscale aws sync_assets \
  --regscale-id 123 \
  --region us-west-2

Note: Most services are regional. Run for each region where resources exist.

Cache Management

Default Caching

Asset sync uses caching to improve performance and reduce AWS API costs:

  • Asset cache: 8 hours
  • Service data cache: 4 hours

Force Refresh

Bypass cache to get fresh data:

regscale aws sync_assets \
  --regscale-id 123 \
  --force-refresh

When to use --force-refresh:

  • Initial setup
  • After major infrastructure changes
  • Troubleshooting sync issues
  • Compliance audit preparation
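How the default cache lifetimes and --force-refresh interact, as an added example rather than RegScale's own cache implementation: a TTL cache using the 8-hour asset and 4-hour service-data lifetimes stated above, with an injectable clock so the hit/miss behaviour can be checked without waiting. The collector function, cache keys and timings are constructed for the example.

```python
# Added example (not RegScale code): a TTL cache with the page's default
# lifetimes (assets 8 hours, service data 4 hours) and a force-refresh bypass.
# The clock is injected so the scenario below runs instantly and deterministically.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

ASSET_TTL_SECONDS = 8 * 3600          # "Asset cache: 8 hours"
SERVICE_DATA_TTL_SECONDS = 4 * 3600   # "Service data cache: 4 hours"


@dataclass
class CacheEntry:
    value: Any
    collected_at: float  # epoch seconds when the data was fetched


class TtlCache:
    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._entries: Dict[str, CacheEntry] = {}
        self.collector_calls = 0  # number of trips to AWS; what a forced refresh costs

    def is_fresh(self, key: str, ttl_seconds: int) -> bool:
        entry = self._entries.get(key)
        return entry is not None and (self._clock() - entry.collected_at) < ttl_seconds

    def get_or_collect(self, key: str, ttl_seconds: int, collect: Callable[[], Any],
                       force_refresh: bool = False) -> Any:
        """Return cached data while fresh; otherwise (or when forced) collect anew."""
        if not force_refresh and self.is_fresh(key, ttl_seconds):
            return self._entries[key].value
        value = collect()
        self.collector_calls += 1
        self._entries[key] = CacheEntry(value, self._clock())
        return value


class FakeClock:
    """Constructed stand-in for time.time() so the scenario does not wait hours."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance_hours(self, hours: float) -> None:
        self.now += hours * 3600


def run_scenario() -> List[Tuple[str, int]]:
    """Replay a day of syncs and record how many times AWS was actually queried."""
    clock = FakeClock()
    cache = TtlCache(clock)
    fetch_assets = lambda: {"instances": ["i-0abc123"]}     # constructed collector
    fetch_services = lambda: {"ec2": {"region": "us-east-1"}}  # constructed collector
    events: List[Tuple[str, int]] = []

    cache.get_or_collect("assets", ASSET_TTL_SECONDS, fetch_assets)             # miss
    cache.get_or_collect("services", SERVICE_DATA_TTL_SECONDS, fetch_services)  # miss
    events.append(("t+0h", cache.collector_calls))

    clock.advance_hours(5)   # service data (4h) expired, assets (8h) still fresh
    cache.get_or_collect("assets", ASSET_TTL_SECONDS, fetch_assets)             # hit
    cache.get_or_collect("services", SERVICE_DATA_TTL_SECONDS, fetch_services)  # miss
    events.append(("t+5h", cache.collector_calls))

    # After a major infrastructure change: bypass the still-fresh asset cache.
    cache.get_or_collect("assets", ASSET_TTL_SECONDS, fetch_assets, force_refresh=True)
    events.append(("t+5h forced", cache.collector_calls))

    clock.advance_hours(9)   # 9h after the forced refresh: asset TTL exceeded
    cache.get_or_collect("assets", ASSET_TTL_SECONDS, fetch_assets)             # miss
    events.append(("t+14h", cache.collector_calls))
    return events


if __name__ == "__main__":
    for label, calls in run_scenario():
        print(f"{label}: {calls} collector call(s) so far")
```

The t+5h step is the point to notice: without --force-refresh, a resource created just after the last sync will not appear in RegScale for up to eight hours, which is why the list above recommends forcing a refresh after infrastructure changes and before audit evidence is gathered.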

What Gets Created in RegScale

Asset Records

Each AWS resource becomes an asset in RegScale with:

Core Fields:

  • Name: Resource name or ID
  • Asset Type: Mapped to RegScale asset types (Server, Database, Storage, etc.)
  • Status: Active, Inactive, or Decommissioned
  • ARN: Full Amazon Resource Name
  • Asset Category: Hardware or Software

Metadata:

  • Region: AWS region
  • Account ID: AWS account
  • Tags: Resource tags from AWS
  • IP Address: For compute resources
  • Configuration: Service-specific details

Compliance Fields:

  • Other Tracking Number: AWS ARN for unique identification
  • Date Created: Resource creation date
  • Date Last Updated: Last modification date
  • Parent ID: Linked to Security Plan

Relationships:

  • Linked to security findings
  • Linked to compliance controls
  • Linked to vulnerabilities

Asset Types Mapping

AWS Resource              RegScale Asset Type
EC2 Instance              Virtual Machine (VM)
RDS Instance              Database
S3 Bucket                 Storage
Lambda Function           Software/Application
Load Balancer             Network Appliance
CloudFront Distribution   Network Service
IAM User                  Identity
KMS Key                   Security Control
Security Group            Firewall Rule
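Putting the Asset Records fields and the mapping table above together, as an added example that is not RegScale's own code: it parses a resource ARN, picks the asset type from the page's table, fills the core, metadata and compliance fields the page lists, and merges repeated syncs on the ARN (the Other Tracking Number) so a re-run updates rather than duplicates an asset. The "Other" fallback for resources outside the table is an assumption of this example; the creation and modification dates, which come from each service's API, and the Hardware/Software category, whose rule the page does not state, are left out. The sample ARNs, account number and names are constructed.

```python
# Added example (not RegScale code): build an asset record with the fields this
# page lists from a resource ARN, using the page's resource-to-asset-type table.
# The "Other" fallback for unmapped resources is an assumption of this example.
from typing import Dict, List, Optional, Tuple

# Keyed by (service, resource-type prefix); values are the page's asset types.
ASSET_TYPE_BY_RESOURCE: Dict[Tuple[str, str], str] = {
    ("ec2", "instance"): "Virtual Machine (VM)",
    ("rds", "db"): "Database",
    ("s3", ""): "Storage",  # S3 bucket ARNs have no resource-type prefix
    ("lambda", "function"): "Software/Application",
    ("elasticloadbalancing", "loadbalancer"): "Network Appliance",
    ("cloudfront", "distribution"): "Network Service",
    ("iam", "user"): "Identity",
    ("kms", "key"): "Security Control",
    ("ec2", "security-group"): "Firewall Rule",
}


def parse_arn(arn: str) -> Dict[str, str]:
    """Split arn:partition:service:region:account:resource into its parts.

    The resource part is 'type/id' for most services, 'type:id' for some
    (RDS, Lambda) and a bare name for S3 buckets.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    for separator in ("/", ":"):
        if separator in resource:
            resource_type, resource_id = resource.split(separator, 1)
            break
    else:
        resource_type, resource_id = "", resource
    return {"partition": partition, "service": service, "region": region,
            "account": account, "resource_type": resource_type,
            "resource_id": resource_id}


def asset_type_for(arn: str) -> str:
    """Look the resource up in the mapping table; 'Other' is this example's fallback."""
    parsed = parse_arn(arn)
    return ASSET_TYPE_BY_RESOURCE.get((parsed["service"], parsed["resource_type"]), "Other")


def build_asset_record(arn: str, parent_id: int, name: Optional[str] = None,
                       tags: Optional[Dict[str, str]] = None,
                       ip_address: Optional[str] = None, status: str = "Active") -> dict:
    """Assemble the core, metadata and compliance fields for one resource.

    The ARN doubles as Other Tracking Number so repeated syncs recognise the
    same resource. Region is empty for ARNs that carry none (S3, IAM); a real
    collector would fill it from the service API.
    """
    parsed = parse_arn(arn)
    return {
        "Name": name or parsed["resource_id"],
        "Asset Type": asset_type_for(arn),
        "Status": status,
        "ARN": arn,
        "Other Tracking Number": arn,
        "Region": parsed["region"],
        "Account ID": parsed["account"],
        "Tags": dict(tags or {}),
        "IP Address": ip_address,
        "Parent ID": parent_id,  # the Security Plan the asset is linked to
    }


def merge_by_arn(existing: List[dict], incoming: List[dict]) -> List[dict]:
    """Upsert keyed on Other Tracking Number: a re-run updates, never duplicates."""
    by_arn = {record["Other Tracking Number"]: record for record in existing}
    for record in incoming:
        by_arn[record["Other Tracking Number"]] = record
    return list(by_arn.values())


# Constructed sample ARNs; the account number and resource IDs are made up.
SAMPLE_ARNS = [
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123",
    "arn:aws:rds:us-east-1:123456789012:db:orders-db",
    "arn:aws:s3:::audit-logs-bucket",
    "arn:aws:lambda:us-east-1:123456789012:function:ingest",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/50dc6c495c0c9188",
    "arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE",
    "arn:aws:iam::123456789012:user/alice",
    "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0def456",
]


def sample_inventory(parent_id: int = 123) -> List[dict]:
    """Asset records for the constructed ARNs, linked to Security Plan parent_id."""
    return [build_asset_record(arn, parent_id) for arn in SAMPLE_ARNS]


if __name__ == "__main__":
    for record in sample_inventory():
        print(f'{record["Asset Type"]:22} {record["Name"]}')
```

Keying the merge on the ARN rather than the display name matters because names are neither unique nor stable (two accounts can each have an instance tagged Name=web-1, and a name can be changed), whereas the ARN identifies exactly one resource.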

Common Use Cases

Use Case 1: Initial Asset Discovery

# First-time comprehensive inventory
regscale aws sync_assets \
  --regscale-id 123 \
  --force-refresh

Use Case 2: Production Environment Inventory

# Tag-filtered production assets
regscale aws sync_assets \
  --regscale-id 123 \
  --tags Environment=production,CostCenter=Engineering

Use Case 3: Compliance Boundary Assets

# FedRAMP ATO boundary
regscale aws sync_assets \
  --regscale-id 123 \
  --tags ATO=FedRAMP,Boundary=Moderate \
  --account-id 123456789012

Use Case 4: Multi-Account Organization

# Account A - Production
regscale aws sync_assets \
  --regscale-id 123 \
  --account-id 111111111111 \
  --tags Environment=production \
  --profile account-a

# Account B - Staging
regscale aws sync_assets \
  --regscale-id 456 \
  --account-id 222222222222 \
  --tags Environment=staging \
  --profile account-b

# Account C - Development
regscale aws sync_assets \
  --regscale-id 789 \
  --account-id 333333333333 \
  --tags Environment=development \
  --profile account-c

Use Case 5: Export for Offline Analysis

# Export inventory to JSON
regscale aws inventory collect \
  --tags Environment=production \
  --output prod-inventory-$(date +%Y%m%d).json

Use Case 6: Team-Based Asset Management

# Security team assets
regscale aws sync_assets \
  --regscale-id 456 \
  --tags Team=security,Owner=security-lead

# Engineering team assets
regscale aws sync_assets \
  --regscale-id 789 \
  --tags Team=engineering,Owner=eng-lead

Command Options Reference

Option            Description                              Example
--regscale-id     RegScale Security Plan ID (required)     --regscale-id 123
--account-id      Filter by AWS account ID                 --account-id 123456789012
--tags            Filter by resource tags                  --tags Env=prod,Team=sec
--region          AWS region                               --region us-east-1
--force-refresh   Bypass cache                             --force-refresh
--profile         AWS profile name                         --profile production
--output          Output file (for inventory collect)      --output inventory.json

Best Practices

1. Tagging Strategy

  • Tag all production resources with Environment=production
  • Use Compliance=Required for compliance boundary resources
  • Include CostCenter, Owner, Team tags for management
  • Maintain consistent tag naming conventions

2. Initial Setup

# Run with force-refresh for initial sync
regscale aws sync_assets \
  --regscale-id 123 \
  --force-refresh

# Then run normally for updates
regscale aws sync_assets --regscale-id 123

3. Regular Updates

Schedule daily or weekly syncs:

#!/bin/bash
# Daily asset sync (cron: 0 1 * * *)

regscale aws sync_assets \
  --regscale-id 123 \
  --tags Environment=production

4. Multi-Region Coverage

# Sync all regions with resources
for region in us-east-1 us-west-2 eu-west-1; do
  regscale aws sync_assets \
    --regscale-id 123 \
    --region $region \
    --tags Environment=production
done

5. Performance Optimization

  • Use tag filtering to reduce scope
  • Cache is enabled by default (8 hours for assets)
  • Target specific regions where resources exist
  • Run during off-peak hours for large inventories

6. Compliance Tracking

# Define ATO boundary with tags
regscale aws sync_assets \
  --regscale-id 123 \
  --tags ATO=FedRAMP,Boundary=Moderate,Compliance=Required

Enabled Services Configuration

The AWS integration uses the init.yaml configuration to control which services are enabled for inventory collection.

Default Enabled Services:

  • ✅ Compute (EC2, Lambda, ECS, Systems Manager)
  • ✅ Storage (S3, EBS)
  • ✅ Database (RDS, DynamoDB)
  • ✅ Networking (VPC, Load Balancers, CloudFront, Route 53)
  • ✅ Security (IAM, KMS, Security Hub, Audit Manager)
  • ✅ Integration (API Gateway, SNS, SQS, EventBridge)
  • ✅ Containers (ECR)
  • ✅ Management (Config)

To modify enabled services, edit init.yaml:

aws:
  inventory:
    enabled_services:
      compute:
        enabled: true
        services:
          ec2: true
          lambda: true
          # ...

Troubleshooting

No Assets Returned

Cause: No matching resources exist, or the filters are too restrictive.

Solution:

  • Verify resources exist in AWS console
  • Check tag values match exactly (case-sensitive)
  • Try without filters: regscale aws sync_assets --regscale-id 123
  • Use --force-refresh to bypass cache

Missing Asset Types

Cause: The service is not enabled in init.yaml, or the resources are in a region other than the one scanned.

Solution:

  • Check init.yaml for enabled services
  • Verify resources are in the correct region
  • Run with --region flag for specific regions

Permission Errors

Cause: Insufficient IAM permissions.

Solution:

  • Verify the IAM user/role has read permissions for all services
  • Use the AWS-managed ReadOnlyAccess policy
  • Check for service control policy (SCP) restrictions

Cache Issues

Cause: Cached data outdated or corrupted.

Solution:

  • Use --force-refresh to bypass cache
  • Delete cache files if needed
  • Check cache expiration settings