Data collection

CEM collects data from the data sources for which it was granted permission during onboarding, making the API calls to your connected cloud environments that each type of data it needs to fetch requires.

You can control which workspaces CEM scans. For more information, see Connect and manage workspaces.

When CEM scans your cloud environments, it collects the following data for each connected workspace:

  • Identities that can potentially interact with each connected workspace, together with their associated metadata. For example, this includes the data required to detect misconfigured identities.

    • In CEM, an identity is any object that has permission to interact with a cloud resource or an object that contains a collection of identities. For example, this includes users (human or non-human), group members, and applications.

    • For information about the identity types that are currently covered, see View identities.

  • Entitlements and their relationship to each identity.

    In CEM, entitlement means the instrument by which permissions are granted or denied. For example:

    • In AWS, a policy is an entitlement.

    • In Azure, an Azure role is an entitlement and an Azure deny assignment is a deny entitlement.

    • In Google Cloud, a role is an entitlement.

  • Permission usage history of each identity.

    This information, needed to help reduce the attack surface, is obtained from the following data sources:

    • AWS CloudTrail

    • Azure Monitor

    • Google Cloud Logging
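The following is an added illustration of how the entitlements and the permission usage history described above fit together; it is not CEM code and does not call any cloud API. It assumes AWS-style data: a constructed allow policy and deny policy for one identity, a constructed catalogue of actions that wildcards expand to, and a few constructed CloudTrail-style events, from which it derives the granted permissions the identity never exercised.

```python
from fnmatch import fnmatchcase

# Constructed identity and action catalogue (a real catalogue would be far larger).
ARN = "arn:aws:iam::123456789012:role/data-pipeline"  # constructed
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "iam:CreateUser", "iam:DeleteUser", "iam:ListUsers",
]

# Constructed entitlements: in AWS a policy is an entitlement; a Deny policy
# is the deny entitlement that removes actions an Allow would otherwise grant.
ENTITLEMENTS = [
    {"name": "DataPipelinePolicy", "effect": "Allow",
     "actions": ["s3:*", "iam:ListUsers", "iam:CreateUser"]},
    {"name": "DenyDestructive", "effect": "Deny",
     "actions": ["s3:DeleteObject"]},
]

# Constructed CloudTrail-style usage events (only the fields used here).
EVENTS = [
    {"userIdentity": {"arn": ARN}, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": {"arn": ARN}, "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "eventSource": "iam.amazonaws.com", "eventName": "ListUsers"},
]

def _matching(entitlements, effect, catalogue):
    """Expand the action patterns of all entitlements with the given effect."""
    return {a for e in entitlements if e["effect"] == effect
            for a in catalogue if any(fnmatchcase(a, p) for p in e["actions"])}

def granted_actions(entitlements, catalogue=KNOWN_ACTIONS):
    """Actions the identity can actually perform: Allow minus Deny."""
    return _matching(entitlements, "Allow", catalogue) - _matching(entitlements, "Deny", catalogue)

def used_actions(events, arn):
    """Map CloudTrail events belonging to one identity to IAM action names."""
    used = set()
    for ev in events:
        if ev["userIdentity"]["arn"] != arn:
            continue
        service = ev["eventSource"].split(".")[0]   # "s3.amazonaws.com" -> "s3"
        used.add(f"{service}:{ev['eventName']}")
    return used

def unused_permissions(entitlements, events, arn):
    """Granted but never exercised actions: the part of the attack surface to review."""
    return sorted(granted_actions(entitlements) - used_actions(events, arn))

if __name__ == "__main__":
    print(unused_permissions(ENTITLEMENTS, EVENTS, ARN))
```

The identity in this sample holds iam:CreateUser without ever having used it, which is the kind of finding the usage history makes visible.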