Scan workspaces

This topic describes how CEM scans your environment.

Overview

When CEM scans your cloud environments, it gathers and analyzes data from your connected workspaces to provide insights about how to reduce exposure.

The scan method varies by platform. CEM scans with the permissions you granted when you connected the workspace, so it can access only the data it needs to analyze permissions.

The main processes to scan workspaces, for all platforms, are as follows:

  • Scan cloud entities - Identify which entities were granted permissions in the workspace.

  • Analyze permissions - Identify which permissions were granted to each entity. A permission is composed of an action permitted on a service and the resource associated with that service.

  • Analyze usage - Identify which of the granted permissions the entity actually uses and, by extension, which are unused.

Entity types

CEM monitors each workspace for the following entity types:

  • User - A human user on your cloud platform.

  • Non-human user - A generic non-human user on your cloud platform. This user has different names across providers:

      • AWS - Role

      • Microsoft Azure - Application or managed identity

      • Google Cloud - Service account

  • Group - An object that binds together cloud users or service accounts. Permissions are granted to the group and inherited by its members.

Additional objects

The following objects are considered part of a cloud entity's permissions:

  • Service - The cloud service whose functionality a permission grants to a cloud entity. CEM tracks the usage of this permission.

  • Resource - The specific object on which the entity is allowed to execute the functionality the service provides. Resources are specific to the service.
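The three scan processes above (scan entities, analyze permissions, analyze usage) and the service/resource model they rely on, as an added example. This is not CEM's code and the page does not document how CEM matches usage to grants; it assumes an AWS IAM-style JSON policy, a constructed CloudTrail-like usage log and a constructed (partial) catalogue of service actions used to expand wildcard actions such as `dynamodb:*`. Everything named here is constructed sample data.

```python
"""Added example: a minimal permission/usage analysis modelled on the
three scan processes the page describes. Not CEM's code.

  1. scan cloud entities  -> the keys of POLICIES
  2. analyze permissions  -> expand each policy into (service, action, resource)
  3. analyze usage        -> split those grants into used / unused
"""
import fnmatch
import json
from collections import defaultdict

# Constructed sample: an IAM-style policy attached to a non-human user
# (an AWS role) named "app-role". The role name and ARNs are assumptions.
POLICIES = {
    "app-role": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": "arn:aws:s3:::app-bucket/*"},
            {"Effect": "Allow",
             "Action": "dynamodb:*",
             "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
            {"Effect": "Deny",
             "Action": "s3:DeleteObject",
             "Resource": "arn:aws:s3:::app-bucket/*"},
        ],
    }),
}

# Constructed usage log: (entity, service, action, resource), the shape a
# CloudTrail-style trail would yield after normalisation.
USAGE = [
    ("app-role", "s3", "GetObject", "arn:aws:s3:::app-bucket/report.csv"),
    ("app-role", "s3", "GetObject", "arn:aws:s3:::app-bucket/cfg.json"),
    ("app-role", "dynamodb", "Query",
     "arn:aws:dynamodb:us-east-1:123456789012:table/orders"),
]

# Constructed, deliberately partial catalogue used to expand wildcard
# actions. A real analyzer needs the provider's full action list.
SERVICE_ACTIONS = {
    "s3": ["GetObject", "PutObject", "DeleteObject", "ListBucket"],
    "dynamodb": ["GetItem", "PutItem", "Query", "DeleteItem"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def analyze_permissions(policy_json):
    """Return the set of (service, action, resource) grants the policy allows.

    An explicit Deny removes a grant even if another statement allowed it,
    mirroring IAM evaluation order (Deny wins over Allow).
    """
    allowed, denied = set(), set()
    for stmt in json.loads(policy_json)["Statement"]:
        target = allowed if stmt["Effect"] == "Allow" else denied
        for act in _as_list(stmt["Action"]):
            service, pattern = act.split(":", 1)
            # fnmatch '*' and '?' behave like IAM wildcards for these names.
            for action in SERVICE_ACTIONS.get(service, []):
                if fnmatch.fnmatchcase(action, pattern):
                    for res in _as_list(stmt["Resource"]):
                        target.add((service, action, res))
    return allowed - denied


def analyze_usage(grants, usage_records):
    """Split grants into (used, unused) based on observed usage records.

    A usage record exercises a grant when service and action match and the
    concrete resource falls under the grant's resource pattern.
    """
    used = set()
    for service, action, resource in usage_records:
        for g_service, g_action, g_resource in grants:
            if (service, action) == (g_service, g_action) and \
                    fnmatch.fnmatchcase(resource, g_resource):
                used.add((g_service, g_action, g_resource))
    return used, grants - used


def scan_workspace(policies, usage):
    """Run all three steps for every entity in the workspace."""
    per_entity_usage = defaultdict(list)
    for entity, service, action, resource in usage:
        per_entity_usage[entity].append((service, action, resource))
    report = {}
    for entity, policy_json in policies.items():      # step 1: entities
        grants = analyze_permissions(policy_json)      # step 2: permissions
        used, unused = analyze_usage(grants, per_entity_usage.get(entity, []))
        report[entity] = {"granted": grants, "used": used, "unused": unused}
    return report


if __name__ == "__main__":
    for entity, result in scan_workspace(POLICIES, USAGE).items():
        print(entity)
        for unused in sorted(result["unused"]):
            print("  unused:", ":".join(unused[:2]), "on", unused[2])
```

The unused set is what a least-privilege review acts on: here the role keeps `s3:PutObject` and three DynamoDB actions it never exercised in the sampled log. Note that the expansion step is only as good as the action catalogue, and that a short usage window can make a rarely used permission look unused.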

Scan methods

The following scan methods are supported:

  • Automatic - CEM scans every connected workspace daily. You can exclude either an entire workspace or a specific entity from the daily scans. The duration of each scan depends on the scale of the data and the platform; the average time is 15 minutes.

  • On demand - You can run an on-demand scan for a specific workspace.