
Cloud Discovery

Discovery Architecture

StackFlow Cloud Discovery automatically populates the CMDB with resources from AWS, Azure, and GCP cloud accounts. Discovery runs as a scheduled Lambda function that calls each cloud provider's asset API to enumerate resources, then upserts CI records in Aurora and edges in the Neptune graph. Discovery is non-invasive — it uses read-only API credentials and makes no changes to cloud resources.

⚙️ Minimum Requirements
  • IAM Role: StackFlowDiscoveryRole with ec2:Describe*, rds:Describe*, lambda:List*, elasticache:Describe* read-only permissions
  • Lambda: StackFlowCloudDiscovery deployed with 15-minute EventBridge schedule trigger
  • DynamoDB: StackFlow_CI and StackFlow_DiscoveryJob tables writable by discovery Lambda
  • Neptune: StackFlowNeptuneCMDBSeeder Lambda triggered after each discovery run to sync graph
Architecture: The StackFlowAPI Lambda handles discovery orchestration. For large accounts with thousands of resources, discovery uses paginated API calls with SQS queue offloading to stay within Lambda's 300-second timeout.

AWS Discovery

AWS discovery uses AWS Config (for resource inventory) and AWS Systems Manager (for server details). The minimum required IAM permissions are read-only access to Config, Systems Manager, EC2, RDS, Lambda, ELB, S3, VPC, and CloudWatch.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "config:List*", "config:Describe*", "config:Get*",
      "ec2:Describe*", "rds:Describe*", "lambda:List*", "lambda:Get*",
      "elasticloadbalancing:Describe*", "s3:ListAllMyBuckets", "s3:GetBucketLocation",
      "cloudwatch:GetMetricData", "ssm:List*", "ssm:Describe*"
    ],
    "Resource": "*"
  }]
}
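A quick way to verify that a discovery role's policy actually stays within the read-only permissions described above is to scan it for any Allow action whose verb is not Describe/List/Get, or that is a wildcard. The following is an added Python check, not StackFlow's own code: the policy constant is copied from this page, the rejected policy in the test is constructed, and the "Describe/List/Get means read-only" rule is a heuristic assumption (some Get actions, such as lambda:GetFunction returning a code download URL, still expose sensitive data and deserve their own review).

```python
import json

# The read-only discovery policy shown on this page, used as the sample input.
DISCOVERY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "config:List*", "config:Describe*", "config:Get*",
      "ec2:Describe*", "rds:Describe*", "lambda:List*", "lambda:Get*",
      "elasticloadbalancing:Describe*", "s3:ListAllMyBuckets", "s3:GetBucketLocation",
      "cloudwatch:GetMetricData", "ssm:List*", "ssm:Describe*"
    ],
    "Resource": "*"
  }]
}""")

# Assumption: these verb prefixes only read state. Anything else is treated as
# a potential write. Note that read-only verbs can still return secrets
# (e.g. ssm:GetParameter), so passing this check is necessary, not sufficient.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise it."""
    return value if isinstance(value, list) else [value]


def non_read_only_actions(policy):
    """Return every Allow action that is a wildcard or not a read-only verb."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or ":" not in action:
                findings.append(action)  # global wildcard or malformed entry
                continue
            _service, verb = action.split(":", 1)
            if verb == "*" or not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(action)  # service wildcard or write verb
    return findings


def is_read_only(policy):
    """True when no Allow statement grants a write or wildcard action."""
    return not non_read_only_actions(policy)
```

Run it as a pre-deployment check on the role attached to StackFlowDiscoveryRole; a non-empty result means the discovery credentials are no longer non-invasive as this page promises.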

Azure Discovery

Azure discovery uses the Azure Resource Manager API with a service principal that has the Reader role on the target subscription(s). Provide the service principal credentials (tenant ID, client ID, client secret) in Admin → Cloud Accounts → Add Azure Account. The credentials are stored in AWS Secrets Manager.

az ad sp create-for-rbac --name "StackFlow-Discovery-SP" \
  --role Reader \
  --scopes /subscriptions/{subscription-id} \
  --sdk-auth

GCP Discovery

GCP discovery uses the Cloud Asset Inventory API with a service account that has the cloudasset.viewer IAM role. Export the service account key JSON and store it in AWS Secrets Manager via the StackFlow admin console at Admin → Cloud Accounts → Add GCP Account.

Scheduling Discovery

Discovery schedules are configured per cloud account in Admin → Cloud Accounts → Discovery Schedule. Default schedule is every 6 hours for full discovery and every 15 minutes for change-event-triggered updates. EventBridge rules trigger the discovery Lambda on AWS Config change events for near-real-time CMDB accuracy.

Discovery Type     Default Schedule    Trigger
-----------------  ------------------  -------------------------
Full Discovery     Every 6 hours       EventBridge Scheduled
Delta Discovery    Every 15 minutes    AWS Config change event
Manual Discovery   On-demand           Admin console / API