Purpose-based classifications (categories and groups) – Exploring Cloud Asset Inventory

Assets can be classified based on their intended purpose within the organization’s cloud infrastructure. This classification considers the specific role or function of the asset and how it contributes to business operations. By applying filters based on categories and subcategories, you can narrow down your search and focus on specific groups of assets based on the purpose they serve. Let’s look at the different asset classifications that most CSPM tools use:

  • Compute services: These are virtualized computing resources, such as servers, operating systems, and the applications running on them. Compute services provide the foundation for running software and processing data in the cloud. They can be further sub-categorized as follows:
    • Virtual instances: Examples include Amazon EC2 instances, Azure Virtual Machines, and Google Compute Engine instances
    • Containers: Examples include Azure Container Instances and Amazon Fargate
    • Serverless: Examples include Amazon Web Services (AWS) Lambda Functions, Azure Functions, Azure Functions app, and Google Cloud Functions
    • Image: Examples include Azure Container Registry (ACR) images, Amazon Elastic Container Registry (ECR) images, and Google Container Registry (GCR) images
  • Data storage: Cloud databases store, organize, and manage structured and unstructured data. They offer scalable storage and retrieval capabilities, facilitating data-driven applications and analytics. Along with other cloud resources, CSPM tools fetch data storage and sub-categorize it into different logical groupings based on the common features that the data storage shares. Let’s look at some common groupings:
    • Database: Examples include Amazon DynamoDB instances, Amazon Kafka cluster, Amazon Relational Database Service (RDS) instances, Azure Cosmos DB, Azure Data Factory, Azure MySQL DB, and Google Redis Instances
    • Storage buckets: Examples include AWS S3 buckets, Azure File Share, Azure Blob Storage, Google Storage buckets, and Azure storage accounts
    • Filesystem: Examples include Azure Disk, Amazon Elastic File System (EFS), Azure Snapshot, Google VM Snapshot, and Amazon Elastic Block Store (EBS)
    • Messaging and queue: Examples include Azure Storage Queue, Amazon Simple Queue Service (SQS), and Azure Service Bus
    • Container registry: Examples include Amazon ECR Repository, Azure Container Registry, and Google Cloud Artifact Registry
  • Networks: Cloud networks enable communication between various cloud resources, such as virtual machines, databases, and containers. They facilitate secure data transfer and connectivity within the cloud infrastructure. Let’s understand what assets fall under the Networks category and how they are usually categorized:
    • Load balancers: Examples include AWS ELB, Amazon EC2 load balancers, Azure load balancers, Azure HTTP Listener, Azure Application Gateways, and GCP load balancers
    • Domain name system (DNS): Examples include AWS Route 53 Domain, AWS Route 53 Hosted Zone, Azure DNS Hosted Zone, domains, and GCP DNS Managed Zone
    • Content delivery network (CDN): Examples include AWS CloudFront, Azure Front Door, and Google Cloud CDN
    • Public exposure: Examples include domains and IP addresses
    • API endpoints: An example is cloud-managed endpoints
    • Network segmentation and security: Examples include Azure Network Security Group (NSG), Amazon EC2 security groups, Amazon Virtual Private Network (VPN) Gateway, network interfaces, AWS Subnet, AWS Virtual Private Cloud (VPC), cloud-native firewalls and Web Application Firewalls (WAFs), Azure Public IP, Azure Subnet, API Gateways, and Azure Virtual Network
  • Encryption and secrets: This category provides a comprehensive record of the encryption status and management of sensitive information within an organization’s assets. It encompasses identifying assets that store or process sensitive data, tracking their encryption levels, and managing the encryption keys and secrets associated with those assets. Let’s understand how assets associated with encryption are categorized:
    • Encryption keys: Examples include AWS Cloud Hardware Security Module (HSM), AWS Key Management Services (KMS), Azure Key Vault, Google Cloud KMS, and customer-managed keys (CMKs)
    • Secrets: Examples include Azure Key Vault secrets, auth tokens, customer secret keys, and API keys
    • Certificates: Examples include AWS certificates, Azure Key Vault certificates, and Google Cloud SSL certificates
  • Kubernetes: This refers to the comprehensive record of the Kubernetes resources and configurations that have been deployed within an organization’s Kubernetes clusters. It encompasses identifying, tracking, and managing the various assets within the Kubernetes environment. Let’s understand how Kubernetes assets are usually categorized, which is helpful for further management:
    • Kubernetes clusters: Examples include AWS EKS clusters, Azure AKS clusters, GKE clusters, and self-managed clusters
    • Kubernetes controller: Examples include Kubernetes config maps, Kubernetes daemon sets, Kubernetes services, and Kubernetes deployments
    • Kubernetes network: Examples include Kubernetes endpoints and Kubernetes network policies
    • Kubernetes compute: Examples include Kubernetes namespaces and Kubernetes nodes

Furthermore, recognizing the distinctions between Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) assets is essential. In IaaS, organizations have more control over the underlying infrastructure, including virtual machines and networks. PaaS provides a higher level of abstraction, offering a platform for developing and deploying applications without worrying about the infrastructure details. SaaS delivers complete software applications hosted and managed by the cloud provider. Refer to Chapter 1 to understand the cloud security responsibility matrix in detail. By discerning the service model associated with each asset, organizations can determine the level of control and responsibility they have in managing and securing those assets.
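The following is an added example, not code from the book or from any CSPM product: it implements the purpose-based classification described in the list above as a small rule set, filters an inventory by category and subcategory, and tags each asset with a service model as discussed in the paragraph above. The `provider:service:resource` type strings, the sample asset records, and the regular-expression rules are all constructed for this example; real CSPM tools use their own resource-type identifiers. The assignment of subcategories to IaaS or PaaS is a simplifying assumption (virtual machines, disks and network primitives as IaaS, everything else managed by the provider as PaaS), not a rule stated in the text. Assets that match no rule are kept and flagged as unclassified rather than silently dropped, because an inventory that loses unknown resource types gives a false sense of coverage.

```python
import re
from collections import Counter
from typing import Optional

# Classification rules derived from the taxonomy in the text:
# (category, subcategory, regex over a lowercased provider:service:resource string).
# The resource-type strings are a constructed convention for this example, not a
# real CSPM schema. First match wins, so the narrower "image" rule precedes the
# container-registry rule.
RULES = [
    ("Compute services", "Virtual instances", r"^(aws:ec2:instance|azure:compute:virtualmachine|gcp:compute:instance)$"),
    ("Compute services", "Containers", r"^(azure:containerinstance|aws:ecs:fargate)"),
    ("Compute services", "Serverless", r"^(aws:lambda:function|azure:web:functionapp|gcp:cloudfunctions:function)$"),
    ("Compute services", "Image", r"image$"),
    ("Data storage", "Container registry", r"^(aws:ecr:repository|azure:containerregistry:registry|gcp:artifactregistry:repository)$"),
    ("Data storage", "Database", r"^(aws:dynamodb:table|aws:rds:instance|azure:cosmosdb:account|gcp:redis:instance)$"),
    ("Data storage", "Storage buckets", r"^(aws:s3:bucket|azure:storage:blob|gcp:storage:bucket|azure:storage:account)$"),
    ("Data storage", "Filesystem", r"^(aws:efs:filesystem|aws:ec2:volume|azure:compute:disk|azure:compute:snapshot)$"),
    ("Data storage", "Messaging and queue", r"^(aws:sqs:queue|azure:storage:queue|azure:servicebus:namespace)$"),
    ("Networks", "Load balancers", r"loadbalancer$"),
    ("Networks", "Domain name system (DNS)", r"^(aws:route53:hostedzone|azure:dns:zone|gcp:dns:managedzone)$"),
    ("Networks", "Content delivery network (CDN)", r"^(aws:cloudfront:distribution|azure:cdn:frontdoor)$"),
    ("Networks", "Network segmentation and security", r"^(aws:ec2:securitygroup|aws:ec2:vpc|aws:ec2:subnet|azure:network:nsg|azure:network:virtualnetwork|azure:network:publicip)$"),
    ("Encryption and secrets", "Encryption keys", r"^(aws:kms:key|azure:keyvault:key|gcp:kms:cryptokey)$"),
    ("Encryption and secrets", "Secrets", r"^azure:keyvault:secret$"),
    ("Encryption and secrets", "Certificates", r"^(aws:acm:certificate|azure:keyvault:certificate)$"),
    ("Kubernetes", "Kubernetes clusters", r"^(aws:eks:cluster|azure:aks:cluster|gcp:gke:cluster)$"),
    ("Kubernetes", "Kubernetes controller", r"^k8s:(configmap|daemonset|service|deployment)$"),
    ("Kubernetes", "Kubernetes network", r"^k8s:(endpoints|networkpolicy)$"),
    ("Kubernetes", "Kubernetes compute", r"^k8s:(namespace|node)$"),
]

# Assumption for this example: the subcategories where the customer controls the
# underlying infrastructure are treated as IaaS; all other inventoried assets are
# provider-managed services and treated as PaaS. SaaS applications do not appear
# in this resource-level inventory.
IAAS_SUBCATEGORIES = {"Virtual instances", "Filesystem", "Network segmentation and security"}

UNCLASSIFIED = "UNCLASSIFIED"

# Constructed sample inventory; ids and types are illustrative only.
SAMPLE_ASSETS = [
    {"id": "i-0abc", "type": "aws:ec2:instance"},
    {"id": "vm-web-01", "type": "azure:compute:virtualMachine"},
    {"id": "fn-ingest", "type": "aws:lambda:function"},
    {"id": "ecr-img-7", "type": "aws:ecr:image"},
    {"id": "ecr-repo", "type": "aws:ecr:repository"},
    {"id": "orders-db", "type": "aws:rds:instance"},
    {"id": "logs-bucket", "type": "aws:s3:bucket"},
    {"id": "vol-1", "type": "aws:ec2:volume"},
    {"id": "alb-public", "type": "aws:elbv2:loadBalancer"},
    {"id": "zone-example", "type": "aws:route53:hostedZone"},
    {"id": "sg-web", "type": "aws:ec2:securityGroup"},
    {"id": "kms-main", "type": "aws:kms:key"},
    {"id": "kv-dbpass", "type": "azure:keyvault:secret"},
    {"id": "prod-eks", "type": "aws:eks:cluster"},
    {"id": "deploy-api", "type": "k8s:deployment"},
    {"id": "ns-prod", "type": "k8s:namespace"},
    {"id": "mystery-1", "type": "aws:sagemaker:notebook"},  # matches no rule on purpose
]


def classify(resource_type: str) -> Optional[tuple]:
    """Return (category, subcategory) for a resource type, or None if no rule matches."""
    rt = resource_type.lower()
    for category, subcategory, pattern in RULES:
        if re.search(pattern, rt):
            return category, subcategory
    return None


def service_model(subcategory: str) -> str:
    """Map a subcategory to the service model that decides the customer's share of control."""
    return "IaaS" if subcategory in IAAS_SUBCATEGORIES else "PaaS"


def build_inventory(assets) -> list:
    """Enrich each asset with category, subcategory and service model; flag unmatched ones."""
    enriched = []
    for asset in assets:
        row = dict(asset)
        hit = classify(asset["type"])
        if hit:
            row["category"], row["subcategory"] = hit
            row["service_model"] = service_model(hit[1])
        else:
            row["category"] = row["subcategory"] = row["service_model"] = UNCLASSIFIED
        enriched.append(row)
    return enriched


def filter_assets(inventory, category=None, subcategory=None, service_model=None) -> list:
    """Narrow the inventory by any combination of category, subcategory and service model."""
    return [
        a for a in inventory
        if (category is None or a["category"] == category)
        and (subcategory is None or a["subcategory"] == subcategory)
        and (service_model is None or a["service_model"] == service_model)
    ]


def summarize(inventory) -> dict:
    """Count assets per (category, subcategory) pair, including the unclassified bucket."""
    return dict(Counter((a["category"], a["subcategory"]) for a in inventory))


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_ASSETS)
    for key, count in sorted(summarize(inv).items()):
        print(f"{key[0]:25} {key[1]:35} {count}")
    print("IaaS assets:", [a["id"] for a in filter_assets(inv, service_model="IaaS")])
    print("Unclassified:", [a["id"] for a in filter_assets(inv, category=UNCLASSIFIED)])
```

The unclassified bucket is the part worth keeping an eye on in practice: a growing count there means the rule set has fallen behind the services the organization actually uses, which is exactly the blind spot a posture-management tool is supposed to remove.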

This understanding is crucial for effective cloud security posture management as it allows for accurate asset identification, tracking, and the ability to implement the appropriate security controls for each asset type. We will dive deep into this later.
