
Infrastructure Discovery Overview

Wallarm Infrastructure Discovery is a SaaS product that continuously maps your cloud infrastructure, identifies vulnerable configurations, and gives you full visibility into what you have deployed and how resources are connected. Access is read-only: Infrastructure Discovery never modifies your cloud resources.

Subscription

Infrastructure Discovery requires a separate subscription. Contact sales@wallarm.com to request access.

Supported cloud providers

Infrastructure Discovery currently supports AWS. Support for Azure and GCP is coming soon.

Issues addressed by Infrastructure Discovery

Modern cloud environments grow organically: teams spin up resources across multiple accounts, regions, and services. Over time, misconfigurations accumulate (publicly exposed services, overly permissive security groups, unencrypted storage) while the gap between what you think is deployed and what is actually running widens. Infrastructure Discovery closes that gap by providing:

  • Security posture analysis: built-in rules that automatically evaluate resource configurations against security best practices, flag vulnerable setups, and surface findings with severity levels. Policies let you tune how findings are handled for your environment.

  • AWS-native finding aggregation: imports AWS Security Hub findings (Amazon GuardDuty, Amazon Inspector, IAM Access Analyzer, and more) and correlates them with discovered resources, so all findings live in one place.

  • Impact analysis: a blast radius view for each finding that shows which connected resources could be affected, helping you prioritize remediation.

  • Full visibility into your cloud estate: a continuously updated inventory of resources across all connected accounts and regions.

  • Relationship mapping: a graph view showing how resources connect to each other (e.g. which EC2 instances sit behind which load balancers, which security groups are attached to which ENIs).

  • Change tracking: comparison of successive scans highlighting created, updated, and deleted resources so you can spot unintended configuration changes.

How it works

Infrastructure Discovery connects to your cloud accounts via read-only credentials and periodically scans resource metadata through the cloud provider APIs.

  1. Connect: you add one or more cloud accounts by creating a cross-account IAM role or providing an access key. See Setup.

  2. Scan: Infrastructure Discovery runs automated scans on a recurring schedule that enumerate resources, their configurations, and inter-resource relationships.

  3. Assess security: built-in rules evaluate resource configurations against security best practices. Findings are surfaced with severity levels, and policies let you suppress or adjust them for known-benign patterns.

  4. Inventory: scan results are assembled into a searchable inventory with a relationship graph. You can filter by account, region, service, and resource type.

  5. Track changes: each scan is compared to the previous one. Created, updated, and deleted resources are highlighted so you can review what changed over time.
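The scan, assess, impact-analysis and change-tracking steps above, modelled on two constructed inventory snapshots. This is an added illustration, not Wallarm's code: the resource ids, attribute names, the single posture rule and the suppression policy are assumptions chosen to show the mechanics.

```python
from collections import deque
# Constructed sample inventories (resource id -> attributes); not real account data.
SCAN_1 = {
    "sg-0a1": {"type": "SecurityGroup", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    "eni-01": {"type": "NetworkInterface", "security_groups": ["sg-0a1"]},
    "i-0001": {"type": "Instance", "enis": ["eni-01"]},
    "tg-01": {"type": "TargetGroup", "targets": ["i-0001"]},
    "alb-01": {"type": "LoadBalancer", "target_groups": ["tg-01"]},
}
SCAN_2 = {k: v for k, v in SCAN_1.items() if k != "alb-01"}  # ALB deleted since scan 1
SCAN_2["sg-0a1"] = {"type": "SecurityGroup", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}
SCAN_2["fn-01"] = {"type": "Function", "runtime": "python3.12"}  # Lambda created
ADMIN_PORTS = {22, 3389}  # SSH and RDP

def diff_scans(old, new):
    """Change tracking: classify resources as created, updated or deleted."""
    return {"created": sorted(set(new) - set(old)),
            "deleted": sorted(set(old) - set(new)),
            "updated": sorted(r for r in set(old) & set(new) if old[r] != new[r])}

def dependants(inv):
    """Relationship graph, reversed: resource id -> ids of resources that reference it."""
    rev = {r: set() for r in inv}
    for src, attrs in inv.items():
        for target in [t for v in attrs.values() if isinstance(v, list) for t in v]:
            if isinstance(target, str) and target in rev:
                rev[target].add(src)
    return rev

def blast_radius(inv, resource):
    """Impact analysis: every resource that transitively depends on `resource`."""
    rev, seen, queue = dependants(inv), set(), deque([resource])
    while queue:
        for dep in rev[queue.popleft()] - seen:
            seen.add(dep)
            queue.append(dep)
    return seen

def assess(inv, suppressed=frozenset()):
    """Posture rule: admin port open to the whole internet is HIGH; `suppressed` is a policy."""
    findings = []
    for r, attrs in inv.items():
        if attrs["type"] != "SecurityGroup" or r in suppressed:
            continue
        for rule in attrs["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                findings.append({"resource": r, "severity": "HIGH",
                                 "rule": f"port {rule['port']} open to 0.0.0.0/0",
                                 "impact": sorted(blast_radius(inv, r))})
    return findings
```

Running `diff_scans(SCAN_1, SCAN_2)` shows the created Lambda, the deleted ALB and the updated security group, and `assess(SCAN_2)` flags that group with its blast radius (the ENI, instance and target group that sit behind it).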

[Image: Infrastructure Discovery diagram]

What is discovered

Infrastructure Discovery inventories resources from the following AWS services:

  • EC2: Instances

  • VPC networking: VPCs, subnets, route tables, internet gateways, NAT gateways, security groups, network interfaces (ENIs), elastic IPs, VPC peering connections, transit gateways

  • Elastic Load Balancing: Application, Network, and Gateway Load Balancers; target groups; listeners and listener rules

  • EKS: Clusters, node groups, Fargate profiles

  • Lambda: Functions, layers

  • API Gateway: REST APIs, HTTP APIs, stages, VPC links

  • IAM: Roles, users, groups, policies, access keys

  • Amazon Bedrock: Foundation models, custom models, provisioned throughput, agents, knowledge bases

In addition to inventorying resources, Infrastructure Discovery imports existing AWS Security Hub findings and correlates them with the resources it discovers, so that third-party security signals appear alongside Wallarm's own findings.

Expanding coverage

The list of supported services and cloud providers is expanding. If you need coverage for a service not listed here, contact your Wallarm account team.

Data handling

Infrastructure Discovery stores resource metadata only: IDs, configurations, tags, and relationships. It does not access data-plane content (no S3 object reads, no RDS queries, no log reading).

All metadata is:

  • Encrypted at rest and in transit.

  • Isolated per tenant: each Wallarm account's data is stored separately with strict access controls.

  • Processed in Wallarm's cloud backend; no on-premise component is required.

For details on AWS permissions, see Setup → Required AWS permissions.

Getting started

To start using Infrastructure Discovery:

  1. Ensure you have an active Infrastructure Discovery subscription. Contact sales@wallarm.com if needed.

  2. Connect your cloud accounts.

  3. Wait for the first scan to complete (typically a few minutes, depending on account size).

  4. Explore your inventory in the Wallarm Console.