Cloud coverage
This page lists the services Ctadel inventories on each supported cloud provider. If a service is not listed here, we do not scan it today, even if a rule mentions it generically.
Scaleway
Compute
- Compute Instances + their attached volumes, IPs, and security groups
- Bare metal servers (Elastic Metal)
Storage
- Block Storage volumes (BSSD, LSSD, encryption status)
- Instance and volume snapshots, scanned read-only by the snapshot worker
- Object Storage buckets (region, encryption, public access)
Network
- VPCs and Private Networks (with subnets and CIDRs)
- Security Groups (inbound / outbound rules)
- Load Balancers (with backends, frontends, SSL certificates, health checks)
- Public Gateways (NAT and bastion config)
- Flexible IPs (IPv4 and IPv6)
- DNS zones and records
Database
- Managed Database (RDB) instances: PostgreSQL and MySQL, with encryption, ACL rules, backup schedule, read replicas
- Database row sampling for DSPM (PII, PCI, PHI patterns) on Postgres engines
Kubernetes
- Kapsule clusters and node pools (autoscaling, version, upgrade availability)
- Cluster posture scanning (KSPM)
- Pod-level container image scanning for vulnerabilities
Serverless
- Functions (runtime, memory, timeout, environment variables)
- Containers (registry image, scaling, protocol)
- Source code scanning for secrets and DSPM patterns
Identity & secrets
- IAM users, applications, groups
- IAM policies and permission sets
- Container Registry (with images and tags)
- Secret Manager entries (versions, rotation age)
- Key Manager (KMS) keys (usage, rotation policy)
Notes
- CDR (audit-log runtime detection): not yet covered for Scaleway. On the roadmap.
OVHcloud
Compute
- Public Cloud Compute Instances (state, region, flavor, image, SSH key, IPs)
- Bare metal Dedicated Servers (datacenter, OS, IPMI activation)
Storage
- Block Storage volumes (size, type, attachment, bootable flag)
- Volume snapshots, scanned read-only by the snapshot worker
- Public Cloud Object Storage buckets (region, stored bytes, object count, S3 endpoint)
Network
- vRacks (private networks) and subnets
- Security Groups (rules: direction, protocol, port range, IP prefix)
- Load Balancers (VIP, floating IP, region)
- DNS zones and records (DNSSEC flag, nameservers, record types)
Database
- Managed Databases (engine, version, plan, node count, endpoints, backup config, maintenance window)
- Database row sampling for DSPM on supported engines
Kubernetes
- OVH Managed Kubernetes Service (MKS) clusters and node pools
- Cluster posture scanning (KSPM)
- Pod-level container image scanning
Serverless
- AI Deploy applications (image, runtime, region, CPU, memory, GPU, env vars)
- Source code scanning for secrets and DSPM patterns
Identity & secrets
- API credentials (status, allowed IPs, last used)
- Identity users (login, status, email)
- SSH key pairs (fingerprint, regions)
- Container Registry (Harbor) with storage size
Notes
- CDR (audit-log runtime detection): not yet covered for OVHcloud. On the roadmap.
- KMS / Key Management: not covered for OVHcloud today.
AWS
Compute
- EC2 instances (type, public/private IPs, security groups, attached volumes, IMDSv2, monitoring, instance profile)
Storage
- EBS volumes (size, encryption, type, attachment)
- EBS snapshots (owned only), scanned read-only by the snapshot worker
- EFS file systems (encryption, KMS key, backup policy, mount targets)
- S3 buckets (encryption, versioning, logging, ACL, public access block, object lock)
Network
- VPCs (CIDR, default flag, flow logs)
- Security Groups (inbound/outbound rules, references)
- Elastic Load Balancers (ALB, NLB, classic ELB)
- Elastic IPs (allocation, association)
- Route 53 hosted zones and record sets
- CloudFront distributions (HTTPS, WAF, geo restrictions, origin access identity)
- API Gateway REST APIs and stages
- WAFv2 Web ACLs (regional + CloudFront scope)
Database
- RDS instances (engine, encryption, backup, public access, multi-AZ, IAM auth)
- Aurora clusters (encryption, backup, multi-AZ, read replicas)
- DynamoDB tables (encryption, billing mode, PITR, deletion protection, replicas)
- ElastiCache clusters (Redis / Memcached, encryption, auth, node count)
- Database row sampling for DSPM on RDS / Aurora Postgres
Kubernetes
- EKS clusters (Kubernetes version, logging, secrets encryption, endpoint access)
- ECS task definitions (launch type, execution role, privileged containers, secrets in env)
- ECR repositories (image count, visibility)
- Cluster posture scanning (KSPM) and pod-level vulnerability scanning
Serverless
- Lambda functions (runtime, public function URL, memory, timeout, VPC config, DLQ)
- Source code scanning for secrets and DSPM patterns
- CodeBuild projects (privileged mode, artifact storage, secrets in env)
Identity & secrets
- IAM users (API keys with age, MFA, console access)
- IAM roles (assume-role policy, last used, attached policies)
- IAM groups and policies (customer-managed)
- KMS keys (customer-managed): usage, rotation policy, rotation age
- Secrets Manager entries (rotation status, age)
- ACM certificates (domain, validity, renewal)
Audit & detection
- CloudTrail trails (multi-region, log validation, encryption, management/data events)
- GuardDuty detectors (S3 protection, Kubernetes audit logging, malware protection)
- SecurityHub hubs (auto-enable controls, standards count)
- CloudWatch Log Groups (retention, encryption, alarm count)
Messaging
- SNS topics (encryption, public access, wildcard policy)
- SQS queues (encryption, public access, DLQ, message retention)
GCP
Compute
- Compute Engine VM instances and persistent disks
- Compute firewall rules
Storage
- Cloud Storage buckets (ACL, versioning, encryption, lifecycle, retention)
Network
- VPCs and subnets (with flow logs detection)
- Cloud Armor security policies (rules count, adaptive protection)
Database
- Cloud SQL instances (public IP, authorized networks, SSL, CMEK, IAM auth, binary logging)
- Cloud Memorystore Redis instances (encryption, backup, replicas)
- Database row sampling for DSPM on Cloud SQL Postgres / MySQL
Kubernetes
- GKE clusters and node pools (workload identity, binary auth, network policy, private clusters, shielded nodes)
- Cluster posture scanning (KSPM) and pod-level vulnerability scanning
Serverless
- Cloud Functions v2 (runtime, ingress, VPC connector, memory, timeout)
- Cloud Run services (ingress, registry image)
- Source code scanning for secrets and DSPM patterns
Identity & secrets
- Service accounts (with user-managed API keys: count, age, expiration)
- Cloud KMS keys (protection level, rotation policy, algorithm)
Audit & detection
- Cloud Logging sinks (audit filter detection)
- Cloud Monitoring alert policies (with notification channels)
- Security Command Center activation state and source count
- Cloud Build triggers (git provider integration)
Messaging
- Pub/Sub topics and subscriptions (encryption, dead-letter, retention)
Notes
- CDR (audit-log runtime detection): partial. We track the configuration of Cloud Logging and Security Command Center, but do not currently stream audit log entries themselves. Full CDR is on the roadmap.
Azure
Compute
- Virtual Machines (state, attached disks, NICs, IPs)
- Managed Disks (encryption, size)
- Disk Snapshots (retention, source disk lineage), scanned read-only by the snapshot worker
Storage
- Storage Accounts (access, encryption, soft delete, network rules, TLS settings)
- Blob containers, scanned by the object worker
Network
- VNets and subnets
- Network Security Groups (rules)
- Public IPs
- Load Balancers (public / internal)
- Application Gateway with WAF (WAF enabled, SKU tier)
- Front Door CDN profiles (Standard / Premium SKUs)
- DNS zones and records (full record enumeration)
Database
- Azure SQL servers and databases (TDE, auditing, threat detection, geo-replication)
- PostgreSQL Flexible Servers (HA, backups, geo-redundancy, public access)
- Cosmos DB accounts (API type, consistency, multi-region, backup, public access, CMEK)
- Database row sampling for DSPM (Azure SQL via MSSQL driver, PostgreSQL Flexible)
Kubernetes
- AKS clusters (version, RBAC, Azure AD, network policy, workload identity, private cluster)
- Container Registries (ACR): admin enabled, public access, SKU
- Cluster posture scanning (KSPM) and pod-level vulnerability scanning
Serverless
- Function Apps (runtime, environment variables, VNet integration, managed identity)
- App Service Web Apps (HTTPS-only, state)
- Source code scanning for secrets and DSPM patterns
Identity & secrets
- RBAC role assignments (principal type, role definition, scope)
- Key Vaults (soft delete, purge protection, RBAC auth, private endpoints)
Audit & detection
- Azure Monitor activity log alert rules (enabled / disabled state)
- Azure Monitor metric alert rules
- Defender for Cloud pricing tier per subscription
Messaging
- Service Bus namespaces, queues (with dead-letter), topics
- Event Hub namespaces and event hubs (retention)
Notes
- CDR (audit-log runtime detection): partial. We track activity-log alert rule configuration and Defender for Cloud activation, but do not currently stream Activity Log entries themselves. Full CDR is on the roadmap.
- Microsoft Sentinel: not integrated.
What's not on the list
If a service is not listed above, we do not scan it. Common services we don't yet cover, by category:
- Data analytics: BigQuery, Synapse, Databricks, EMR, Athena, Redshift, Glue.
- AI / ML services: Cognitive Services, SageMaker, Vertex AI, Azure ML.
- API management: AWS API Gateway management plane, Azure API Management, GCP Apigee.
- Edge / IoT: AWS IoT Core, Azure IoT Hub, Scaleway IoT, OVHcloud IoT.
- Backup vaults: AWS Backup, Azure Backup / Recovery Services, GCP Backup & DR.
- Specialised SaaS: AWS WorkSpaces, Cognito, AppFlow, AppStream, Lightsail, EventBridge.
If your environment depends on a service that's not listed, let us know via the contact form. Coverage is added regularly.