Guide: Activate Cloud Asset Context in ASM

This guide outlines the steps to enable and leverage Cloud Asset Context in Censys Attack Surface Management (ASM) to streamline identification and remediation workflows. By ingesting metadata directly from your cloud providers, you can gain full visibility and direct risks to the appropriate security teams.

Step 1: Ingestion and integration

To begin, ensure your cloud connectors are active to ingest the cloud metadata fields from AWS, Azure, GCP, and Wiz. Some examples:

  • ARN (Amazon Resource Name)
  • Resource group (AWS)
  • Subscription ID (Azure)
  • Cloud tags
  • Project Name (GCP)

Step 2: Feature activation and setup

Step 3: Operationalize the context

Once the data is flowing, use these new fields to close the loop on risk prioritization and remediation with the following workflows.

  • Build advanced queries: Create new search queries using cloud tags or resource groups to filter your attack surface by business unit or environment.
  • Direct remediation: Use fields such as Billing Provider or Cloud Tags to automatically identify which team owns a specific vulnerable asset.
  • Determine asset importance: Ensure that you are acting on high-importance assets by reviewing the cloud context of your ingested cloud resources.

The following example queries can help get you started.

Identify ownership by business unit

Use cloud-specific tags to find all assets belonging to a specific project or department. For example, quickly list all assets owned by the "Security" team for targeted risk assessments across AWS, Azure, and GCP.

Leverage auto-tagging to automatically tag assets with department or project tags, so that future assets with the same association are assigned automatically.

Query:

(cloud.aws.tags.key: "Department" and cloud.aws.tags.value: "Security") or (cloud.azure.tags.key: "Department" and cloud.azure.tags.value: "Security") or (cloud.gcp.tags.key: "Department" and cloud.gcp.tags.value: "Security")

Locate unmanaged AWS assets

Find specific AWS resources by their Amazon Resource Name (ARN) to verify they are being tracked in your internal CMDB, and audit all AWS assets to ensure they have the correct ARN metadata for compliance.

Use Saved Query Automation to send alerts that contain newly tagged assets that have not been reviewed to Slack, email lists, Teams, or other tools.

Query:

cloud.aws.arn:*

Prioritize risks based on asset type

Identify assets that need to be remediated first based on relevant cloud metadata, like load balancers in AWS.

Similar to the use case described above, you can use Saved Query Automation to get alerts about newly discovered assets that meet your query criteria.

Query:

cloud.aws.dns_name: *elb.amazonaws.com
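The following is an added example, not Censys' own code or API, showing how the Step 3 workflows and the two queries above (ownership by Department tag, and AWS load balancers by DNS name) can be applied to ingested cloud metadata once it has been exported from ASM. The asset records, names and tags are constructed samples; the tag structure mirrors the key/value pair that the cloud.<provider>.tags.key and .value fields expose, and the provider list is an assumption.

```python
"""Added example (not Censys' code): normalise cloud tags across AWS, Azure and
GCP into one owner lookup, build the guide's cross-provider ownership query,
and rank AWS load balancers first. All asset data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

PROVIDERS = ("aws", "azure", "gcp")  # assumed set of connectors in use


@dataclass
class Asset:
    name: str
    provider: str                                      # one of PROVIDERS
    tags: list[dict] = field(default_factory=list)     # [{"key": ..., "value": ...}]
    dns_name: str = ""                                 # maps to cloud.aws.dns_name


# Constructed sample inventory (hypothetical names, tags and DNS names)
SAMPLE_ASSETS = [
    Asset("aws-web-alb", "aws", [{"key": "Department", "value": "Security"}],
          "web-123.us-west-2.elb.amazonaws.com"),
    Asset("aws-db-host", "aws", [{"key": "Department", "value": "Platform"}],
          "ec2-1-2-3-4.compute-1.amazonaws.com"),
    Asset("az-vm-scan", "azure", [{"key": "Department", "value": "Security"}]),
    Asset("gcp-ci-runner", "gcp", [{"key": "Department", "value": "Security"}]),
    Asset("gcp-legacy", "gcp", []),  # untagged: no owner can be derived
]


def department_query(tag_key, tag_value, providers=PROVIDERS):
    """Build the ownership query with one self-consistent clause per provider,
    so the key and value fields in each clause always belong to the same provider."""
    clauses = [
        f'(cloud.{p}.tags.key: "{tag_key}" and cloud.{p}.tags.value: "{tag_value}")'
        for p in providers
    ]
    return " or ".join(clauses)


def tag_value(asset, key):
    """Value of the first tag whose key matches exactly (cloud tag keys are case-sensitive)."""
    for tag in asset.tags:
        if tag.get("key") == key:
            return tag.get("value")
    return None


def owning_team(asset, tag_key="Department"):
    """Derive the remediation owner from a tag, regardless of which cloud the asset lives in."""
    return tag_value(asset, tag_key)


def route_by_owner(assets, tag_key="Department"):
    """Group asset names by owning team. Assets with no usable tag go under 'unowned'
    so they surface for review instead of silently dropping out of the workflow."""
    routed = defaultdict(list)
    for asset in assets:
        routed[owning_team(asset, tag_key) or "unowned"].append(asset.name)
    return dict(routed)


def is_aws_load_balancer(asset):
    """Local equivalent of the guide's `cloud.aws.dns_name: *elb.amazonaws.com` query."""
    return asset.provider == "aws" and asset.dns_name.endswith("elb.amazonaws.com")


def prioritised(assets, tag_key="Department"):
    """Load balancers first, then everything else in ingestion order; each entry carries its owner."""
    ranked = sorted(assets, key=lambda a: 0 if is_aws_load_balancer(a) else 1)
    return [(a.name, owning_team(a, tag_key) or "unowned") for a in ranked]


if __name__ == "__main__":
    print(department_query("Department", "Security"))
    for team, names in route_by_owner(SAMPLE_ASSETS).items():
        print(f"{team}: {', '.join(names)}")
    for name, team in prioritised(SAMPLE_ASSETS):
        print(f"{name} -> {team}")
```

The "unowned" bucket is the part worth keeping: an asset that matches none of the ownership clauses is exactly the one that never reaches a remediation queue, so it should be routed to a review list rather than discarded.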

Filter on fields across any level in the cloud hierarchy

Isolate assets based on any level in the cloud hierarchy in AWS, Azure, or GCP. This includes organization, management group, account, subscription, project, and resource-level metadata. This specific query filters for assets in the production-west subscription or project across Azure and GCP, prioritizing remediation for production-critical infrastructure.

Enable Saved Query Automation to send alerts to downstream apps about critical infrastructure.

Query:

cloud.azure.subscription.name: "production-west" or cloud.gcp.project.name: "production-west"

Identify ownership based on contact email

Find all assets associated with a specific cloud contact. Use the account contact email to match remediation owners with discovered attack surface assets.

Use auto-tagging to assign asset tags to the findings for a more thoroughly managed workspace.

Query:

cloud.aws.account.email: "[email protected]"

Additional resources

Review the Cloud Context blog for real-world examples of queries you can use today.