
Cloud Asset Discovery

Cloud asset discovery is the continuous process of enumerating every resource that exists across an organisation's cloud accounts — compute, storage, identity, networking, data — to maintain an accurate, up-to-date inventory for security, compliance, and cost management.

You cannot secure what you don't know exists. In on-premises environments, asset inventory is a slow problem with mostly fixed answers. In the cloud, the inventory changes by the minute: a developer spins up a new RDS instance for a hackathon, a CI pipeline creates a temporary S3 bucket, an acquired company's AWS organisation gets merged into yours. Cloud asset discovery is the discipline of keeping the inventory honest in real time.

A complete discovery solution covers more than just compute. It enumerates storage (S3 buckets, blob containers, file shares), identity (IAM roles, users, service principals, access keys), networking (VPCs, security groups, NACLs, load balancers, public IPs), data services (databases, caches, queues, data warehouses), serverless (Lambda functions, Cloud Functions, container-image triggers), and the relationships between them. The output is a living graph rather than a flat list — answering questions like "which workloads can reach the production database?" or "which IAM principals can read this S3 bucket?" requires the relational structure.
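To show why the relational structure matters, here is an added example (not Vulnsy's code or a provider API) that turns a small constructed inventory snapshot into a labelled graph and answers the two questions above. All resource ids, security-group rules, tags and IAM statements are constructed sample data; the record shape is only loosely modelled on provider inventory output.

```python
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample snapshot: workloads, security groups, a bucket and IAM principals.
INVENTORY = [
    {"id": "sg-web", "type": "SecurityGroup", "ingress": []},
    {"id": "sg-app", "type": "SecurityGroup", "ingress": ["sg-web"]},
    {"id": "sg-db", "type": "SecurityGroup", "ingress": ["sg-app"]},
    {"id": "i-web1", "type": "Instance", "sgs": ["sg-web"], "tags": {"owner": "team-web"}},
    {"id": "i-app1", "type": "Instance", "sgs": ["sg-app"], "tags": {"owner": "team-app"}},
    {"id": "i-hackathon", "type": "Instance", "sgs": ["sg-app"], "tags": {}},  # no owner tag
    {"id": "db-prod", "type": "RDSInstance", "sgs": ["sg-db"], "tags": {"owner": "team-data"}},
    {"id": "bucket-finance", "type": "S3Bucket", "tags": {"owner": "team-data"}},
    {"id": "role-reporting", "type": "IAMRole", "allow": [("s3:GetObject", "bucket-finance")]},
    {"id": "user-ci", "type": "IAMUser", "allow": [("s3:*", "bucket-*")]},
    {"id": "user-intern", "type": "IAMUser", "allow": [("s3:GetObject", "bucket-public")]},
]

def build_graph(records):
    """Turn flat records into a graph: node id -> set of (relation, target) edges."""
    nodes = {r["id"]: r for r in records}
    edges = defaultdict(set)
    for r in records:
        for sg in r.get("sgs", []):              # workload -> security group it belongs to
            edges[r["id"]].add(("member_of", sg))
        for src in r.get("ingress", []):         # security group -> group it admits traffic from
            edges[r["id"]].add(("allows_from", src))
        for action, res in r.get("allow", []):   # IAM principal -> (action pattern, resource pattern)
            edges[r["id"]].add((action, res))
    return nodes, edges

def workloads_reaching(nodes, edges, target):
    """Workloads in a group that one of the target's groups admits ingress from, with owner."""
    target_sgs = {t for rel, t in edges[target] if rel == "member_of"}
    source_sgs = {s for sg in target_sgs for rel, s in edges[sg] if rel == "allows_from"}
    return sorted((n, nodes[n].get("tags", {}).get("owner", "UNOWNED"))
                  for n in nodes if nodes[n]["type"] != "SecurityGroup"
                  and any(rel == "member_of" and t in source_sgs for rel, t in edges[n]))

def principals_that_can(nodes, edges, action, resource):
    """IAM principals whose allow statements cover the action on the resource (wildcards honoured)."""
    return sorted(n for n in nodes if nodes[n]["type"].startswith("IAM")
                  and any(fnmatch(action, a) and fnmatch(resource, r) for a, r in edges[n]))

if __name__ == "__main__":
    nodes, edges = build_graph(INVENTORY)
    print(workloads_reaching(nodes, edges, "db-prod"))
    print(principals_that_can(nodes, edges, "s3:GetObject", "bucket-finance"))
```

The first query surfaces the untagged hackathon instance sitting in a group that can reach the production database, which is exactly the ownership gap a flat list would hide.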

Discovery is the foundation that everything else in cloud security stands on. Configuration scanning (CSPM) needs to know what exists before it can check whether it's configured safely. Vulnerability management needs the asset inventory to scope scans. Incident response needs it to answer "what is this resource and who owns it?" within minutes of an alert. Compliance evidence (SOC 2, ISO 27001, PCI DSS scope) requires demonstrable, auditable knowledge of every in-scope resource.

Modern discovery tools use the cloud provider's own APIs (AWS Config, Azure Resource Graph, GCP Cloud Asset Inventory) for read-only, agent-less coverage. They run continuously rather than nightly, surface drift the moment it happens, and integrate with CI/CD so newly created resources are tagged, owned, and security-reviewed before they ever serve traffic. The shadow-IT case — accounts and resources outside the central management plane — is harder; some organisations supplement API-based discovery with billing-aware enumeration to catch accounts that aren't in the org tree but still appear on the invoice.

Related Terms

cloud asset discovery, CSPM, cloud inventory, AWS, Azure, GCP
