Understand Adapters
Adapters are the connections between AttackLens and your cloud provider accounts. Each adapter stores the credentials and configuration needed to authenticate with a cloud provider and discover the resources within it.
What is an Adapter?
An adapter represents a single connection to a single cloud account:
- An Azure adapter connects to one Azure subscription.
- An AWS adapter connects to one AWS account.
- A GCP adapter connects to one GCP project.
- A vSphere adapter connects to one vCenter instance.
You can configure multiple adapters for the same provider if you have multiple accounts or subscriptions. For example, you might have separate adapters for your production Azure subscription, your development Azure subscription, and your AWS staging account.
Supported Providers
AttackLens supports four providers: three public clouds (Azure, AWS, GCP) and VMware vSphere for on-premises virtualization. Each provider uses a different authentication method and discovers different resource types.
| Provider | Authentication | Resource Types | Categories |
|---|---|---|---|
| Azure | App Registration (Tenant ID, Client ID, Client Secret, Subscription ID) | 80+ | Compute, Containers, Network, Storage, Data, Security & Identity, Monitoring, Messaging, Serverless, AI/ML, Delivery, Backup |
| AWS | IAM User (Access Key ID, Secret Access Key) | 190+ | EC2 & Compute, VPC & Networking, S3, Database & Cache, IAM & Identity, Containers & Lambda, Security, Monitoring, Messaging, Analytics, AI/ML, DevOps, Backup |
| GCP | Service Account (Project ID, Client Email, Private Key) | 65+ | Compute, Kubernetes, Network, Storage, Databases, Security & Identity, Serverless, Monitoring, Messaging, Data |
| VMware vSphere | vCenter (Host, Username, Password) | VMs, Hosts, Datastores, Networks | On-premises virtualization infrastructure |
Azure Resource Categories
| Category | Resource Types | Examples |
|---|---|---|
| Compute | 8 | Virtual Machines, VM Scale Sets, Batch Accounts, Disks, Snapshots, Desktop Virtualization |
| Containers | 3 | AKS Managed Clusters, Container Registries, Container Instances |
| Network | 21 | Virtual Networks, Subnets, NSGs, Firewalls, Load Balancers, Application Gateways, VPN Gateways, DNS Zones, Public IPs, Route Tables, Bastion Hosts, Network Watchers |
| Storage | 4 | Storage Accounts, Blob Containers, File Shares |
| Data | 11 | SQL Databases, PostgreSQL, MySQL, Cosmos DB, Redis Cache, Data Factory, Data Lake |
| Security & Identity | 8 | Key Vaults, Entra ID Users, Groups, Service Principals, Role Assignments, Role Definitions, Domain Services, Conditional Access |
| Monitoring | 7 | Log Analytics, Alerts, Automation Accounts, Policy Assignments |
| Messaging | 4 | Service Bus, Event Hubs, Event Grid, Notification Hubs |
| Serverless | 3 | Functions, Logic Apps, IoT Hubs |
| AI/ML | 3 | Cognitive Services, Bot Services, Machine Learning Workspaces |
| Delivery | 2 | CDN Profiles, Static Sites |
| Backup | 1 | Backup Vaults |
AWS Resource Categories
| Category | Resource Types | Examples |
|---|---|---|
| EC2 & Compute | 21 | Instances, Auto Scaling Groups, AMIs, Snapshots, Volumes, Key Pairs, Elastic IPs, Launch Templates |
| VPC & Networking | 14 | VPCs, Subnets, Security Groups, Route Tables, Internet Gateways, NAT Gateways, Network ACLs, Transit Gateways |
| Networking & CDN | 10 | API Gateways, CloudFront Distributions, Route 53, Global Accelerators |
| S3 Storage | 1 | Buckets (with encryption, versioning, public access, lifecycle) |
| Database & Cache | 18 | RDS, Aurora, DynamoDB, Redshift, ElastiCache, DocumentDB, Neptune, Keyspaces, MemoryDB |
| IAM & Identity | 10 | Users, Groups, Roles, Policies, Access Keys, MFA Devices |
| Containers & Governance | 18 | ECS Clusters, EKS Clusters, Lambda Functions, Step Functions, Fargate, Audit Manager |
| Security | 30 | Security Hub, GuardDuty, ACM, KMS, Secrets Manager, WAF, Network Firewall, Inspector, Access Analyzer |
| Monitoring | 5 | CloudWatch, CloudTrail, Config Rules, SSM |
| Messaging | 7 | SNS, SQS, EventBridge, AmazonMQ, Kinesis |
| Analytics | 9 | Athena, Glue, EMR, OpenSearch |
| AI/ML | 5 | SageMaker, Bedrock |
| DevOps | 10 | CodeBuild, CodePipeline, CloudFormation |
GCP Resource Categories
| Category | Resource Types | Examples |
|---|---|---|
| Compute | 6+ | Compute Engine VMs, Instance Templates, Instance Groups, Disks, Snapshots |
| Kubernetes | 2+ | GKE Clusters, Node Pools |
| Network | 10+ | VPC Networks, Subnets, Firewalls, Cloud NAT, Load Balancers, Cloud Armor, Cloud DNS |
| Storage | 1+ | Cloud Storage Buckets |
| Databases | 6+ | Cloud SQL, Cloud Spanner, Bigtable, Firestore, Memorystore |
| Security & Identity | 5+ | Service Accounts, IAM Roles, IAM Policies, KMS Keys |
| Serverless | 3+ | Cloud Functions, Cloud Run, App Engine |
| Monitoring | 3+ | Logging Sinks, Alert Policies, Uptime Checks |
| Messaging | 2+ | Pub/Sub Topics, Pub/Sub Subscriptions |
| Data | 3+ | BigQuery, Dataflow, Dataproc |
How Adapter Authentication Works
Each adapter stores credentials that are encrypted at rest using AES-256 encryption. AttackLens never stores credentials in plain text.
When a discovery run executes or a connection test is performed, AttackLens:
- Decrypts the stored credentials in memory.
- Authenticates to the cloud provider using the provider's standard authentication mechanism.
- Uses the authenticated session to query management APIs.
- Discards the decrypted credentials from memory after the operation completes.
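The flow above, as an added example (not AttackLens code, which is not published on this page): a small Go credential store that seals one adapter's secret with AES-256-GCM, binds it to the adapter ID as associated data so a blob copied from one adapter's row to another's fails to open, and decrypts only inside a callback that zeroes the plaintext buffer on the way out, whether or not the operation succeeded. The key source, the adapter IDs and the sample secret are assumptions made for the example; where the real encryption key lives is not stated on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sealed is the at-rest form of one adapter's secret: a fresh random nonce
// plus the GCM ciphertext (which carries the authentication tag).
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-256-GCM AEAD; a key of any other length is rejected
// so a misconfigured key cannot silently downgrade to AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("credential key must be exactly 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCredential encrypts a provider secret for storage. The adapter ID is
// passed as associated data (authenticated but not encrypted), so a ciphertext
// moved to a different adapter's row will fail to open.
func sealCredential(key []byte, adapterID string, secret []byte) (Sealed, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, secret, []byte(adapterID))}, nil
}

// withCredential decrypts into a buffer, runs use() with it (the discovery
// or connection-test step), and zeroes the buffer before returning, whether
// or not use() succeeded. The plaintext never exists outside this call.
func withCredential(key []byte, adapterID string, s Sealed, use func(secret []byte) error) error {
	aead, err := newGCM(key)
	if err != nil {
		return err
	}
	secret, err := aead.Open(nil, s.Nonce, s.Ciphertext, []byte(adapterID))
	if err != nil {
		// Covers a wrong key, a tampered blob, and a blob bound to another adapter.
		return fmt.Errorf("adapter %s: stored credential failed authentication: %w", adapterID, err)
	}
	defer zero(secret)
	return use(secret)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	// Assumption: the key comes from a KMS or secret store, never from the same database as the blobs.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample secret (AWS's documented example key), not a real credential.
	sealed, err := sealCredential(key, "adapter-aws-staging", []byte("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"))
	if err != nil {
		panic(err)
	}
	err = withCredential(key, "adapter-aws-staging", sealed, func(secret []byte) error {
		fmt.Printf("authenticating with a %d-byte credential\n", len(secret))
		return nil
	})
	fmt.Println("own adapter opens blob:", err == nil)
	// Same blob presented under another adapter's ID is refused.
	err = withCredential(key, "adapter-aws-prod", sealed, func([]byte) error { return nil })
	fmt.Println("cross-adapter reuse refused:", err != nil)
}
```

The associated-data binding is the check worth copying: without it, anyone who can write to the adapter table can point a low-privilege adapter at a high-privilege adapter's ciphertext and have the application decrypt it for them.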
Authentication by Provider
| Provider | Auth Mechanism | What AttackLens Uses |
|---|---|---|
| Azure | OAuth 2.0 Client Credentials | ClientSecretCredential via Azure SDK -- authenticates with Tenant ID, Client ID, and Client Secret to obtain an OAuth token. Uses Azure Resource Manager APIs for infrastructure and Microsoft Graph API for Entra ID. |
| AWS | AWS Signature v4 | Static credentials (AccessKeyId + SecretAccessKey) used to sign API requests. Each AWS service client is initialized per region. |
| GCP | Google OAuth 2.0 Service Account | Service account private key signs a JWT, which is exchanged for an OAuth access token. Uses Google Cloud SDK client libraries. |
| vSphere | vCenter SOAP/REST API | Username and password authenticate to the vCenter API. |
INFO
All adapter credentials are encrypted using AES-256 before storage. Decryption occurs only in memory during active operations. Discovery and connection tests use read-only access -- they never create, modify, or delete resources in your cloud accounts. The one exception is the optional sensor deployment capability described below, which requires permission to run commands on virtual machines; grant those permissions only to adapters that will actually deploy sensors.
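To make the Signature v4 row concrete, here is an added Go example of the signing an AWS adapter performs with its static Access Key ID and Secret Access Key; it is neither AttackLens nor AWS SDK code. It uses the request and example credentials from AWS's own SigV4 documentation (access key AKIDEXAMPLE and the well-known example secret), so the canonical request and the derived signing key can be checked against published values. Query encoding and header canonicalization are simplified to what that request needs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Request holds the parts of an HTTP request that SigV4 covers. Query must
// already be URI-encoded with parameters sorted by name.
type Request struct {
	Method  string
	Path    string
	Query   string
	Headers map[string]string
	Body    string
}

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// canonicalRequest builds the string AWS hashes: method, path, query,
// lowercased headers sorted by name (each line newline-terminated), the
// signed-header list, and the hex SHA-256 of the body.
func canonicalRequest(r Request) (canonical, signedHeaders string) {
	lower := make(map[string]string, len(r.Headers))
	names := make([]string, 0, len(r.Headers))
	for k, v := range r.Headers {
		n := strings.ToLower(k)
		lower[n] = strings.TrimSpace(v)
		names = append(names, n)
	}
	sort.Strings(names)
	var hdrs strings.Builder
	for _, n := range names {
		hdrs.WriteString(n + ":" + lower[n] + "\n")
	}
	signedHeaders = strings.Join(names, ";")
	canonical = strings.Join([]string{r.Method, r.Path, r.Query, hdrs.String(), signedHeaders, sha256Hex(r.Body)}, "\n")
	return canonical, signedHeaders
}

// deriveSigningKey is why a captured Authorization header does not expose the
// long-term secret: the secret only seeds a chain of HMACs scoped to one date,
// region and service, and that derived key is what signs the request.
func deriveSigningKey(secret, date, region, service string) []byte {
	kDate := hmacSHA256([]byte("AWS4"+secret), date)
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, service)
	return hmacSHA256(kService, "aws4_request")
}

// sign returns the Authorization header value for r. amzDate is the X-Amz-Date
// value (YYYYMMDDTHHMMSSZ) and must also be present in r.Headers so it is signed.
func sign(r Request, accessKeyID, secret, amzDate, region, service string) string {
	date := amzDate[:8]
	scope := strings.Join([]string{date, region, service, "aws4_request"}, "/")
	canonical, signedHeaders := canonicalRequest(r)
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonical)}, "\n")
	signature := hex.EncodeToString(hmacSHA256(deriveSigningKey(secret, date, region, service), stringToSign))
	return fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		accessKeyID, scope, signedHeaders, signature)
}

func main() {
	// The IAM ListUsers request from AWS's SigV4 documentation example.
	req := Request{
		Method: "GET", Path: "/", Query: "Action=ListUsers&Version=2010-05-08",
		Headers: map[string]string{
			"Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
			"Host":         "iam.amazonaws.com",
			"X-Amz-Date":   "20150830T123600Z",
		},
	}
	fmt.Println(sign(req, "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "20150830T123600Z", "us-east-1", "iam"))
}
```

Two consequences matter for an adapter holding static keys: the secret itself is never sent, but it is long-lived, so the IAM user should carry only the read permissions discovery needs and its keys should be rotated; and because the signing key is scoped per region and service, a client must be built per region, which is what the table above describes.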
Adapter Statuses
Each adapter has two status indicators:
Active/Inactive Status
The Active/Inactive toggle controls whether the adapter participates in scheduled discovery runs.
| Status | Meaning |
|---|---|
| Active | The adapter is enabled. Discovery runs on schedule. The adapter can be manually synced. |
| Inactive | The adapter is paused. No discovery runs will execute. Configuration and historical data are preserved. |
You can toggle this status from the adapter edit page. See Manage Adapters for details.
Last Sync Status
The Last Sync Status reflects the outcome of the most recent discovery run.
| Status | Meaning |
|---|---|
| Completed | Discovery finished successfully. All resources were enumerated and snapshots created. |
| Error | Discovery encountered a problem. The adapter detail page shows the specific error message. |
| (blank) | No discovery has run yet for this adapter. |
Adapter Scope and Regions
Scope
Some providers support scoping discovery to a subset of the account:
- Azure: By default, the adapter discovers all resources in the specified subscription. You can optionally narrow the scope to a single resource group by setting it to that group's resource ID, e.g. `/subscriptions/{id}/resourceGroups/{name}`.
- AWS: Discovery covers the entire account; narrowing is done through region selection (below).
- GCP: Discovery covers the entire project and cannot be narrowed by scope or region.
Regions
For multi-region providers, you can optionally select specific regions to discover:
- Azure: Select specific Azure regions (e.g. `eastus`, `westeurope`). Leave empty to discover all regions.
- AWS: Select specific AWS regions (e.g. `us-east-1`, `eu-west-1`). Leave empty to discover all regions.
- GCP: Resources are discovered project-wide regardless of region; the region selector does not apply.
TIP
Selecting specific regions reduces discovery time for large accounts that only operate in certain regions. If you leave regions empty, AttackLens discovers resources across all available regions.
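An added Go example (not AttackLens code) of the scope and region rules described above: it parses the resource-group scope, refuses a scope that points at a subscription other than the one the adapter's credentials target, and filters discovered resources by resource group and region. The adapter and resource records are constructed for the example. Treating resources whose location is `global` (DNS zones, CDN profiles) as always in scope is this example's own choice to avoid a region list silently dropping them, not documented AttackLens behaviour.

```go
package main

import (
	"fmt"
	"strings"
)

// AzureAdapter is the subset of adapter configuration that controls scope.
type AzureAdapter struct {
	SubscriptionID string
	Scope          string   // "" (whole subscription) or /subscriptions/{id}/resourceGroups/{name}
	Regions        []string // nil or empty means every region
}

// Resource is a discovered ARM resource: its full resource ID and location.
type Resource struct {
	ID       string
	Location string
}

// parseScope accepts "/subscriptions/{id}" or "/subscriptions/{id}/resourceGroups/{name}"
// and returns the subscription and (possibly empty) resource group. Anything else,
// including a deeper path naming a single resource, is rejected.
func parseScope(scope string) (subscription, resourceGroup string, err error) {
	parts := strings.Split(strings.Trim(scope, "/"), "/")
	switch {
	case len(parts) == 2 && strings.EqualFold(parts[0], "subscriptions") && parts[1] != "":
		return parts[1], "", nil
	case len(parts) == 4 && strings.EqualFold(parts[0], "subscriptions") && parts[1] != "" &&
		strings.EqualFold(parts[2], "resourceGroups") && parts[3] != "":
		return parts[1], parts[3], nil
	}
	return "", "", fmt.Errorf("unsupported scope %q", scope)
}

// validateScope is the check to run when an adapter is saved: a scope is only
// valid if it lies inside the subscription this adapter's credentials target.
func validateScope(a AzureAdapter) error {
	if a.Scope == "" {
		return nil
	}
	sub, _, err := parseScope(a.Scope)
	if err != nil {
		return err
	}
	if !strings.EqualFold(sub, a.SubscriptionID) {
		return fmt.Errorf("scope targets subscription %s but adapter is bound to %s", sub, a.SubscriptionID)
	}
	return nil
}

// inScope is the per-resource filter applied during discovery. Resource IDs and
// region names are compared case-insensitively, as ARM does. Keeping "global"
// resources regardless of the region filter is an assumption of this example.
func inScope(a AzureAdapter, r Resource) bool {
	if a.Scope != "" {
		_, rg, err := parseScope(a.Scope)
		if err != nil {
			return false
		}
		if rg != "" {
			prefix := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/", a.SubscriptionID, rg)
			if !strings.HasPrefix(strings.ToLower(r.ID), strings.ToLower(prefix)) {
				return false
			}
		}
	}
	if len(a.Regions) == 0 || strings.EqualFold(r.Location, "global") {
		return true
	}
	for _, region := range a.Regions {
		if strings.EqualFold(region, r.Location) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed adapter and resources; the subscription ID is a placeholder.
	const sub = "00000000-0000-0000-0000-000000000000"
	a := AzureAdapter{
		SubscriptionID: sub,
		Scope:          "/subscriptions/" + sub + "/resourceGroups/prod-rg",
		Regions:        []string{"eastus"},
	}
	if err := validateScope(a); err != nil {
		panic(err)
	}
	base := "/subscriptions/" + sub + "/resourceGroups/"
	for _, r := range []Resource{
		{base + "PROD-RG/providers/Microsoft.Compute/virtualMachines/web01", "eastus"},
		{base + "prod-rg/providers/Microsoft.Compute/virtualMachines/web02", "westeurope"},
		{base + "dev-rg/providers/Microsoft.Compute/virtualMachines/dev01", "eastus"},
		{base + "prod-rg/providers/Microsoft.Network/dnsZones/example.com", "global"},
	} {
		fmt.Printf("%-5v %s (%s)\n", inScope(a, r), r.ID, r.Location)
	}
}
```

The subscription check in validateScope is the one with security weight: an adapter's credentials are issued for one subscription, and a scope string naming another one should be rejected at save time rather than discovered as an authorization error during the first run.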
Sensor Deployment Capability
When testing an adapter's connection, AttackLens checks whether the credentials have sufficient permissions to deploy sensors remotely. This capability is reported as Deploy Capable on the adapter.
| Provider | Required Permission | Mechanism |
|---|---|---|
| Azure | Virtual Machine Contributor | VM Run Commands |
| AWS | AmazonSSMFullAccess | SSM Run Command |
| GCP | OS Config Guest Policy Admin | OS Config |
Sensor deployment capability is optional. Adapters without it still discover resources normally. Note that the permissions in the table go well beyond read-only discovery: AmazonSSMFullAccess grants full Systems Manager access (not just Run Command) and Virtual Machine Contributor allows creating, starting, stopping and deleting VMs, so grant them only to the adapters that will actually deploy sensors. See Understand Sensors for more about sensor deployment.
Setup Guides
For step-by-step instructions on configuring each provider:
Next Steps
- Understand discovery for a conceptual overview of the discovery process.
- Manage adapters to edit, test, and delete adapters.
- View discovery snapshots to inspect discovered resource data.