Scan workspaces

This topic describes how CEM scans your environment.


When CEM scans your cloud environments, it gathers and analyzes data from your connected workspaces to provide insights about how to reduce exposure.

The method that CEM uses to scan varies according to each platform. CEM uses the permissions granted when you connected a workspace. CEM can only access the data required to analyze permissions.

The main processes to scan workspaces, for all platforms, are as follows:



Scan cloud entities

Identify which entities were granted permissions in the workspace.


Analyze permissions

Identify which permissions were granted to the entity. A permission is composed of an action permitted on a service and the resource associated to that service.

Analyze usage

Identify which permissions the entity uses, and by extension, are not used.

Entity types

CEM monitors each workspace for the following entity types.





A human user on your cloud platform.

Non-human user

A generic non-human user on your cloud platform. This user has different names across providers:

  • AWS - Role

  • Microsoft Azure - Application or managed identity

  • Google Cloud - Service account


An object that binds together different cloud users or service accounts. Permissions are granted to the group and inherited by the group members.

Additional objects

The following objects are considered part of the of cloud entity permissions.





A general functionality granted to a cloud entity with a permission. The usage of this permission is tracked by CEM.


The specific object on which the entity is allowed to execute the functionality the service provides. Resources are specific to the service.

Scan methods

The following scan methods are supported:




You can exclude either an entire workspace or a specific entity from the daily scans.

The duration of each scan depends on the scale of the data and the platform; the average time is 15 minutes.

On demand

You can run an on-demand scan for a specific workspace.