Data Discovery

Cloud Scan is the operation responsible for discovering the data stores, assets, resources, and their associated configurations in each onboarded account.

Think of it as the task that collects all the inventory details from each account.

After a cloud account is onboarded, the Cloud Scan is triggered as a post-processing step. For already onboarded accounts, the scan runs on an incremental basis every 15 mins (if enabled during Account Onboarding) or can be run manually. Manually triggering the scan always initiates a Full Scan.

In the Accounts section, the scan can also be launched manually by opening the dots menu for the chosen account and selecting Trigger Full Scan.

Cloud Scan collects the details of all the assets that are currently available on the account including data stores (structured and unstructured), KeyPairs, KMS, EC2 instances, VPC, Subnets, etc.

Along with collecting the details for each of these assets, the appropriate object-tag is assigned to each of them, namely: S3Bucket, EC2KeyPairs, RDSInstance, AWSSubnet, etc.

Once tagging is completed, the entire inventory list is displayed in DSPM.

Cloud Scans are done in one of two modes:

  • Full Cloud Scan - In this mode the scan considers all the resources and assets on the cloud account and captures their details anew, irrespective of whether any of the entities have changed. This mode is used for account onboarding, since DSPM does not yet have any information about the assets in the account.

  • Incremental Cloud Scan - Once the account is onboarded, and if the configuration to run in incremental scan mode is enabled, the scan operation considers only those resources which are:

    • newly added to the account
    • deleted
    • have changes to the configuration

    Information regarding these additions, deletions, and updates is captured from the CloudTrail logs.
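To illustrate how an incremental pass can be derived from CloudTrail, here is an added example that is not DSPM's own code: it classifies constructed CloudTrail records as added, deleted, or changed by event name and maps each to one of the object-tags named above. The event-name prefixes, the source-to-tag mapping, and the request-parameter field names used are assumptions for the example.

```python
# Constructed sample CloudTrail records (not real account data).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "requestParameters": {"bucketName": "example-logs"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "example-data"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteKeyPair",
     "requestParameters": {"keyName": "old-key"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
     "requestParameters": {"dBInstanceIdentifier": "example-db"}},
    # Read-only call: carries no inventory change and must be ignored.
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "requestParameters": None},
    # EC2 event without a key-pair id: cannot be mapped, so it is skipped.
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "requestParameters": {"instanceType": "t3.micro"}},
]

# Assumed mapping: event source -> (object-tag, function pulling the
# resource id out of requestParameters). Only three tags are covered here.
EXTRACTORS = {
    "s3.amazonaws.com": ("S3Bucket", lambda p: [p["bucketName"]]),
    "ec2.amazonaws.com": ("EC2KeyPairs", lambda p: [p["keyName"]]),
    "rds.amazonaws.com": ("RDSInstance", lambda p: [p["dBInstanceIdentifier"]]),
}


def classify(event_name):
    """Bucket an API call into the three incremental-scan categories."""
    if event_name.startswith(("Create", "Run")):
        return "added"
    if event_name.startswith(("Delete", "Terminate")):
        return "deleted"
    if event_name.startswith(("Put", "Modify", "Update")):
        return "changed"
    return None  # describe/list/get calls do not alter the inventory


def incremental_changes(events):
    """Return {'added'|'deleted'|'changed': {(object_tag, resource_id)}}."""
    changes = {"added": set(), "deleted": set(), "changed": set()}
    for ev in events:
        kind = classify(ev.get("eventName", ""))
        entry = EXTRACTORS.get(ev.get("eventSource", ""))
        if kind is None or entry is None:
            continue
        tag, extract = entry
        try:
            ids = extract(ev.get("requestParameters") or {})
        except (KeyError, TypeError):
            continue  # the record carries no id for the tag we track
        changes[kind].update((tag, rid) for rid in ids)
    return changes
```

Only the three change sets feed the inventory update; anything the classifier cannot map is left for the next Full Scan to reconcile.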