Tutorial: Create your first cloud inventory
In this tutorial, you will create a cloud Segment and run a scan so AlloyScan can populate cloud-resource Inventory.
You can use the same flow for AWS, Azure, or Google Cloud. The credential fields and resource types differ by provider.
Preview: Cloud Segments are Preview features. Resource coverage and wizard fields can change between releases.
Before you begin
- You have an AlloyScan account with the Administrator role on a Site.
- Cloud Segments are enabled on your deployment.
- An Audit Service is installed and active. The Audit Service runs cloud audit scripts.
- For AWS or Azure, the Audit Service host can install required cloud modules, or those modules are already managed on the host.
- You have the matching cloud credential:
  - AWS — Access key ID and Secret access key, or IAM role.
  - Azure — Tenant ID, Client ID, and Client secret.
  - Google — Project ID, client email, and private key, or JSON key file.
Step 1 - Choose the cloud provider
- Open Network > Segments.
- Click + New segment.
- On the Segment type page, select AWS, Azure, or Google.
Each cloud option is marked Preview.
Step 2 - Select the Audit Service
- Click Next.
- In Select or install audit service, choose the active Audit Service that will run the cloud audit.
If you do not have an Audit Service yet, install one first, then return to this tutorial.
Step 3 - Define the cloud scope
In the provider-specific scope step, enter the account, subscription, project, region, or resource scope requested by the wizard.
Examples:
| Provider | Example scope |
|---|---|
| AWS | Account and region |
| Azure | Tenant, subscription, or resource scope |
| Google | Project scope |
The exact fields can vary by deployment.
Step 4 - Add or select credentials
- In Audit credentials, select an existing matching cloud credential.
- Or create a new one:
| Provider | Credential fields |
|---|---|
| AWS | Title, Access key ID, Secret access key, or IAM role |
| Azure | Title, Tenant ID, Client ID, Client secret |
| Google | Title, Project ID, client email, private key, or JSON key file |
Secrets are stored in the Audit Service's encrypted credentials pool. After saving, AlloyScan shows only whether a secret is present; it does not reveal the stored value.
Step 5 - Choose a scan schedule
Choose a recurring scan schedule, or continue without a schedule for a first manual run.
For a first setup, it is often simpler to continue without a schedule, run one manual scan, verify the results, and add the schedule after the cloud scope is correct.
Step 6 - Run the first cloud scan
- Save the Segment.
- Open the new Segment from Network > Segments.
- Click Scan.
- Wait for the Scan Results grid to populate.
Step 7 - Verify cloud Inventory
Open Inventory and check the matching cloud section.
Expected resource families include:
| Provider | Examples |
|---|---|
| AWS | EC2 instances, AMIs, Subnets, Zones, RDS, Key pairs, Network interfaces, Load balancers, S3 buckets, VPCs, Security groups |
| Azure | Virtual machines, Application gateways, Load balancers, Network interfaces, Public IPs, Resource groups, Security groups, Subscriptions, Virtual networks, Volumes |
| Google | VM instances, Bigtable resources, Images, Load balancers, Public IPs, Security groups, Subnets, VPCs, Volumes |
What you have accomplished
You created a cloud Segment, authenticated AlloyScan to the provider, ran a scan, and verified that cloud resources appear in Inventory.
From here, you can:
- add a scan schedule for the cloud Segment
- enable Change tracking for cloud asset categories where needed
- review reports and Inventory exports for the discovered cloud resources