AWS Asset Inventory

Overview

AWS Asset Inventory integration - regscale aws sync_assets - collects comprehensive AWS resource inventory across compute, storage, networking, and security services. This integration provides complete asset visibility for compliance, security posture management, and resource tracking.

Command Syntax

regscale aws sync_assets [OPTIONS]
regscale aws inventory collect [OPTIONS]

Basic Usage

Sync All AWS Assets to RegScale

regscale aws sync_assets --regscale_id 123

Sync Assets with Filtering

# Filter by AWS account
regscale aws sync_assets \
  --regscale_id 123 \
  --account-id 123456789012

# Filter by tags
regscale aws sync_assets \
  --regscale_id 123 \
  --tags Environment=production,Team=security

# Combine filters
regscale aws sync_assets \
  --regscale_id 123 \
  --account-id 123456789012 \
  --tags Environment=production

Collect Inventory to JSON File

# Export inventory to file
regscale aws inventory collect \
  --output inventory.json

# With filtering
regscale aws inventory collect \
  --tags Environment=production \
  --output prod-inventory.json

Supported AWS Services

Compute Services

EC2 (Elastic Compute Cloud)

EC2 instances
EBS volumes
Elastic IPs
AMIs (Amazon Machine Images)

Lambda

Function configurations
Runtime environments
Environment variables
Execution roles

ECS (Elastic Container Service)

Task definitions
Services
Clusters

Systems Manager

Managed instances
Parameter Store parameters
Patch baselines
Associations

Storage Services

S3 (Simple Storage Service)

Buckets
Encryption settings
Versioning status
Logging configuration
Public access settings

EBS (Elastic Block Store)

Volumes
Snapshots
Encryption status

Database Services

RDS (Relational Database Service)

DB instances
DB clusters
Snapshots
Encryption settings
Backup configurations

DynamoDB

Tables
Global tables
Backup settings
Encryption status

Networking Services

VPC (Virtual Private Cloud)

VPCs
Subnets
Route tables
Internet gateways
NAT gateways
Security groups
Network ACLs

Load Balancers

Application Load Balancers (ALB)
Network Load Balancers (NLB)
Classic Load Balancers

CloudFront

Distributions
Origins
Cache behaviors

Route 53

Hosted zones
Record sets
Health checks

Security Services

IAM (Identity and Access Management)

Users
Groups
Roles
Policies
Access keys

KMS (Key Management Service)

Customer managed keys
Key aliases
Key policies
Key rotation status

Secrets Manager

Secrets
Rotation configurations

ACM (AWS Certificate Manager)

Certificates
Certificate status

WAF (Web Application Firewall)

Web ACLs
Rules
Rule groups

Security Hub

Enabled standards
Integration status

Integration Services

API Gateway

REST APIs
HTTP APIs
WebSocket APIs
Stages

SNS (Simple Notification Service)

Topics
Subscriptions

SQS (Simple Queue Service)

Queues
Queue attributes

EventBridge

Event buses
Rules

Container Services

ECR (Elastic Container Registry)

Repositories
Images
Image scanning

Management Services

CloudTrail

Trails
Multi-region status
Log validation

Config

Recorders
Delivery channels
Rules

CloudWatch

Log groups
Retention policies
Metric filters

Audit Manager

Assessments
Frameworks

GuardDuty

Detectors
Finding statistics

Filtering Options

By AWS Account ID

regscale aws sync_assets \
  --regscale_id 123 \
  --account-id 123456789012

Use Case: Multi-account AWS Organizations

By Tags

# Single tag
regscale aws sync_assets \
  --regscale_id 123 \
  --tags Environment=production

# Multiple tags (AND logic)
regscale aws sync_assets \
  --regscale_id 123 \
  --tags Environment=production,Team=security,Compliance=required

Tag Requirements:

Tags are case-sensitive
Resources without tags are excluded when filtering
Use commas to separate tag pairs (no spaces)
Format: key1=value1,key2=value2

By Region

# Specific region
regscale aws sync_assets \
  --regscale_id 123 \
  --region us-west-2

Note: Most services are regional. Run for each region where resources exist.

Cache Management

Default Caching

Asset sync uses caching to improve performance and reduce AWS API costs:

Asset cache: 8 hours
Service data cache: 4 hours

Force Refresh

Bypass cache to get fresh data:

regscale aws sync_assets \
  --regscale_id 123 \
  --force-refresh

When to use --force-refresh:

Initial setup
After major infrastructure changes
Troubleshooting sync issues
Compliance audit preparation

What Gets Created in RegScale

Asset Records

Each AWS resource becomes an asset in RegScale with:

Core Fields:

Name: Resource name or ID
Asset Type: Mapped to RegScale asset types (Server, Database, Storage, etc.)
Status: Active, Inactive, or Decommissioned
ARN: Full Amazon Resource Name
Asset Category: Hardware or Software

Metadata:

Region: AWS region
Account ID: AWS account
Tags: Resource tags from AWS
IP Address: For compute resources
Configuration: Service-specific details

Compliance Fields:

Other Tracking Number: AWS ARN for unique identification
Date Created: Resource creation date
Date Last Updated: Last modification date
Parent ID: Linked to Security Plan

Relationships:

Linked to security findings
Linked to compliance controls
Linked to vulnerabilities

Asset Types Mapping

AWS Resource	RegScale Asset Type
EC2 Instance	Virtual Machine (VM)
RDS Instance	Database
S3 Bucket	Storage
Lambda Function	Software/Application
Load Balancer	Network Appliance
CloudFront Distribution	Network Service
IAM User	Identity
KMS Key	Security Control
Security Group	Firewall Rule

Common Use Cases

Use Case 1: Initial Asset Discovery

# First-time comprehensive inventory
regscale aws sync_assets \
  --regscale_id 123 \
  --force-refresh

Use Case 2: Production Environment Inventory

# Tag-filtered production assets
regscale aws sync_assets \
  --regscale_id 123 \
  --tags Environment=production,CostCenter=Engineering

Use Case 3: Compliance Boundary Assets

# FedRAMP ATO boundary
regscale aws sync_assets \
  --regscale_id 123 \
  --tags ATO=FedRAMP,Boundary=Moderate \
  --account-id 123456789012

Use Case 4: Multi-Account Organization

# Account A - Production
regscale aws sync_assets \
  --regscale_id 123 \
  --account-id 111111111111 \
  --tags Environment=production \
  --profile account-a

# Account B - Staging
regscale aws sync_assets \
  --regscale_id 456 \
  --account-id 222222222222 \
  --tags Environment=staging \
  --profile account-b

# Account C - Development
regscale aws sync_assets \
  --regscale_id 789 \
  --account-id 333333333333 \
  --tags Environment=development \
  --profile account-c

Use Case 5: Export for Offline Analysis

# Export inventory to JSON
regscale aws inventory collect \
  --tags Environment=production \
  --output prod-inventory-$(date +%Y%m%d).json

Use Case 6: Team-Based Asset Management

# Security team assets
regscale aws sync_assets \
  --regscale_id 456 \
  --tags Team=security,Owner=security-lead

# Engineering team assets
regscale aws sync_assets \
  --regscale_id 789 \
  --tags Team=engineering,Owner=eng-lead

Command Options Reference

Option	Description	Example
`--regscale_id`	RegScale Security Plan ID (required)	`--regscale_id 123`
`--account-id`	Filter by AWS account ID	`--account-id 123456789012`
`--tags`	Filter by resource tags	`--tags Env=prod,Team=sec`
`--region`	AWS region	`--region us-east-1`
`--force-refresh`	Bypass cache	`--force-refresh`
`--profile`	AWS profile name	`--profile production`
`--output`	Output file (for `inventory collect`)	`--output inventory.json`

Best Practices

1. Tagging Strategy

Tag all production resources with Environment=production
Use Compliance=Required for compliance boundary resources
Include CostCenter, Owner, Team tags for management
Maintain consistent tag naming conventions

2. Initial Setup

# Run with force-refresh for initial sync
regscale aws sync_assets \
  --regscale_id 123 \
  --force-refresh

# Then run normally for updates
regscale aws sync_assets --regscale_id 123

3. Regular Updates

Schedule daily or weekly syncs:

#!/bin/bash
# Daily asset sync (cron: 0 1 * * *)

regscale aws sync_assets \
  --regscale_id 123 \
  --tags Environment=production

4. Multi-Region Coverage

# Sync all regions with resources
for region in us-east-1 us-west-2 eu-west-1; do
  regscale aws sync_assets \
    --regscale_id 123 \
    --region $region \
    --tags Environment=production
done

5. Performance Optimization

Use tag filtering to reduce scope
Cache is enabled by default (8 hours for assets)
Target specific regions where resources exist
Run during off-peak hours for large inventories

6. Compliance Tracking

# Define ATO boundary with tags
regscale aws sync_assets \
  --regscale_id 123 \
  --tags ATO=FedRAMP,Boundary=Moderate,Compliance=Required

Enabled Services Configuration

The AWS integration uses the init.yaml configuration to control which services are enabled for inventory collection.

Default Enabled Services:

✅ Compute (EC2, Lambda, ECS, Systems Manager)
✅ Storage (S3, EBS)
✅ Database (RDS, DynamoDB)
✅ Networking (VPC, Load Balancers, CloudFront, Route 53)
✅ Security (IAM, KMS, Security Hub, Audit Manager)
✅ Integration (API Gateway, SNS, SQS, EventBridge)
✅ Containers (ECR)
✅ Management (Config)

To modify enabled services, edit init.yaml:

aws:
  inventory:
    enabled_services:
      compute:
        enabled: true
        services:
          ec2: true
          lambda: true
          # ...

Troubleshooting

No Assets Returned

Cause: No resources or filters too restrictive.

Solution:

Verify resources exist in AWS console
Check tag values match exactly (case-sensitive)
Try without filters: regscale aws sync_assets --regscale_id 123
Use --force-refresh to bypass cache

Missing Asset Types

Cause: Service not enabled in init.yaml or region-specific.

Solution:

Check init.yaml for enabled services
Verify resources are in the correct region
Run with --region flag for specific regions

Permission Errors

Cause: Insufficient IAM permissions.

Solution:

Verify IAM user/role has read permissions for all services
Use AWS ReadOnlyAccess managed policy
Check for service control policies (SCPs) restrictions

Cache Issues

Cause: Cached data outdated or corrupted.

Solution:

Use --force-refresh to bypass cache
Delete cache files if needed
Check cache expiration settings