Cloud Asset Inventory: querying the asset graph

After you connect your cloud environments, Aikido automatically builds an asset inventory, giving you visibility across your accounts and regions. Aikido synchronizes the inventory as part of the cloud scans (scheduled and manually triggered) by calling the cloud provider's APIs. Additionally, it enriches the graph with data from the Aikido platform, such as vulnerabilities and end-of-life issues found on virtual machines and containers.

Supported providers

  • AWS

  • GCP (coming soon)

  • Azure (coming soon)

You can access the cloud asset inventory by going to the Clouds -> Assets tab, which shows the assets from all your connected clouds. Alternatively, navigate to a specific cloud and open its Assets tab to see only the assets from that cloud.

Cloud Asset Search

Natural language search example

To query your cloud inventory, you describe what you want in natural language and let the system figure out how to find the relevant assets. Aikido translates the prompt into one or more steps, depending on the complexity of the prompt. It then shows you the intermediate results as it executes the steps to reach the final result.

In the example above, for the prompt "show me EC2 instances with access to S3 buckets", Aikido looked for EC2 instances with IAM roles (attached through instance profiles), found the IAM roles with access to S3 buckets (whether granted through inline or attached policies), found the bucket policies granting access to IAM roles, and combined these in the final result.
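The same join, written out as an added Python example over a constructed inventory; it is not Aikido's implementation or query language, and every instance, role, and bucket name in it is hypothetical. It assumes inline and attached policies are already merged per role, approximates IAM wildcard matching with `fnmatch`, and does not evaluate Deny statements, conditions, permission boundaries, or wildcard principals.

```python
import fnmatch
# Constructed sample inventory (not real account data; all names are hypothetical).
INSTANCES = {"i-web": "profile-web", "i-batch": "profile-batch", "i-bare": None}
PROFILES = {"profile-web": "role-web", "profile-batch": "role-batch"}
ROLE_POLICIES = {  # inline and attached policy statements, merged per role
    "role-web": [{"Effect": "Allow", "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::assets/*"}],
    "role-batch": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}],
}
BUCKET_POLICIES = {
    "assets": [],
    "reports": [{"Effect": "Allow", "Action": "s3:*",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:role/role-batch"},
                 "Resource": "arn:aws:s3:::reports/*"}],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def grants_s3(stmt):
    # True for an Allow statement whose actions include any S3 action.
    return stmt["Effect"] == "Allow" and any(
        a == "*" or a.lower().startswith("s3:") for a in as_list(stmt["Action"]))

def buckets_matched(stmt, bucket_names):
    # A bucket matches when its ARN, or an object ARN under it, fits a Resource pattern.
    return {name for name in bucket_names for pattern in as_list(stmt["Resource"])
            if any(fnmatch.fnmatchcase(f"arn:aws:s3:::{name}{suffix}", pattern)
                   for suffix in ("", "/x"))}

def ec2_with_s3_access():
    result = {}
    for instance, profile in INSTANCES.items():
        role = PROFILES.get(profile)  # step 1: instance -> instance profile -> role
        if role is None:
            continue  # no instance profile means no role credentials on the instance
        buckets = set()
        for stmt in ROLE_POLICIES.get(role, []):  # step 2: role policies granting S3
            if grants_s3(stmt):
                buckets |= buckets_matched(stmt, BUCKET_POLICIES)
        for name, stmts in BUCKET_POLICIES.items():  # step 3: bucket policies naming the role
            for stmt in stmts:
                principal = stmt.get("Principal")
                arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
                if grants_s3(stmt) and any(a.endswith(f":role/{role}") for a in arns):
                    buckets.add(name)
        if buckets:  # step 4: combine both paths into the final result
            result[instance] = sorted(buckets)
    return result
```

Here `i-batch` surfaces only through the bucket policy on `reports`, which is why the resource-policy step matters: a search limited to role policies would miss it.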

You can see a summary of each step by clicking the Explain Result button in the top right. Here is what this looks like for the previous prompt:

Examples

Here are some prompts you might find helpful:

Simple prompts

  • public s3 buckets

  • buckets outside eu

  • users without mfa

  • users with programmatic access

  • databases without deletion protection

Networking prompts

  • EC2 instances with open management ports (you can also look for specific ports)

  • RDS databases allowing traffic from ec2 instances

  • Lambda functions not running in VPCs

  • ec2 instances that might host databases

  • lambdas with access to VPC endpoints

IAM prompts

  • ec2 instances with access to s3 buckets (you can also look for only read, write, or specific IAM actions)

  • lambdas that can create users

  • iam roles accessible from other accounts

  • users with admin privileges

  • overprivileged IAM roles

CVEs/EOL issues

  • ec2 instances vulnerable to CVE-2025-21613

  • ec2 instances running outdated OS

  • vms with outdated python

  • VM with critical vulnerabilities (Aikido defines critical as having a score greater than 90)

  • ec2 instances vulnerable to log4shell

You can combine them

  • show me public ec2 instances vulnerable to CVE-2025-21613 with access to s3 buckets

  • lambda functions created manually

  • functions exposed to the internet with admin permissions

  • my riskiest datastores

There are no predefined prompts, terms, or rules to follow. You can describe anything you want to see from your cloud environment, and let Aikido figure out what it needs to search and generate the queries.

Notes

  • If you search for one word, Aikido performs a text search, allowing you to find assets by name or other fields. For example, if you search for the name of a user, Aikido will return that user and any group the user is a member of, assets for which the user is mentioned in the tags, as well as policies referencing the user by ARN.

  • Aikido caches prompts, so subsequent searches return much faster. It also shows you your previous searches (only for your user).