User Guide

How to create a Cloud segment

Preview: This feature is in preview and subject to change.

This guide shows you how to create a Cloud segment to discover and audit cloud resources in AWS, Azure, or Google Cloud.

Prerequisites

  • Site Administrator role.
  • An Audit Service that hosts the cloud audit script execution.
  • A cloud credential of the matching type:
      • AWS — Access key ID and Secret access key (or IAM role).
      • Azure — Tenant ID, Client ID, and Client secret.
      • Google — Project ID, Client email, and Private key (or JSON key file).
  • For AWS and Azure cloud audit scripts, the Audit Service host must allow module installation. An Administrator can enable this in Admin Center > Site Settings > Settings > Audit service settings by selecting Allow module installation on audit service host.

Choose the cloud type

Pick the cloud Segment type that matches the provider account you want to discover.

| Type | Use it for | Typical credential | Expected Inventory sections |
|------|------------|--------------------|-----------------------------|
| AWS | AWS accounts and regions | Access key ID and Secret access key, or IAM role | EC2 instances, AMIs, Subnets, Zones, RDS, Key pairs, Network interfaces, Load balancers, S3 buckets, VPCs, Security groups |
| Azure | Azure tenants, subscriptions, and resource groups | Tenant ID, Client ID, Client secret | Virtual machines, Application gateways, Load balancers, Network interfaces, Public IPs, Resource groups, Security groups, Subscriptions, Virtual networks, Volumes |
| Google | Google Cloud projects | Project ID, Client email, Private key, or JSON key file | VM instances, Bigtable resources, Images, Load balancers, Public IPs, Security groups, Subnets, VPCs, Volumes |

Preview: The exact resource list and wizard fields can change between releases. Treat the provider-specific resource lists as current guidance, not as a fixed contract.

Steps

  1. Navigate to Network > Segments.
  2. Click + New segment.
  3. On the Segment type page, select AWS, Azure, or Google. Each cloud option carries a Preview badge.
  4. Click Next.
  5. In Step 1 - Select or install audit service, pick an Audit Service to run the cloud audit.
  6. In Step 2, enter the cloud-specific scope, such as an AWS region, an Azure subscription/resource scope, or a Google Cloud project scope, as required by the wizard.
  7. In Step 3 - Audit credentials, select or create the cloud credential of the matching type.
  8. In Step 4 - Scan schedule, pick a recurrence or select Continue without a schedule.
  9. In Step 5, review the configuration and create the segment.

Verify

After saving, the new segment appears in Network > Segments with the cloud type icon (AWS, Azure, or Google).

  1. Open the Segment.
  2. Click Scan to discover cloud resources.
  3. Review the Scan Results grid.
  4. Open Inventory and check the matching cloud section (AWS, Azure, or Google) for discovered resources.

Note: Because this is a Preview feature, the available cloud resource types and the segment wizard fields may change between releases.