Cloud Asset Inventory provides inventory services based on a time series database. This database keeps a 35 day history of Google Cloud asset metadata. For an existing asset with no changes in the past 35 days, Cloud Asset Inventory keeps the asset's most recent status.
Cloud Asset Inventory allows you to:
Search asset metadata by using a custom query language.
Export all asset metadata at a certain timestamp or export event change history during a specific timeframe.
Monitor asset changes by subscribing to real-time notifications.
Analyze IAM policy to find out who has access to what.
Features
Search assets
The Cloud Asset Inventory search service allows you to search asset metadata in a project, folder, or organization using a custom query language.
See Searching resources guide and Search IAM policies guide for more information.
Export asset history and metadata
The Cloud Asset Inventory export service allows you to export all the asset metadata at a given timestamp to a Cloud Storage file or a BigQuery table. You can also export the event change history of multiple assets during a given timeframe. The exported event change history shows you all the create, delete, and update events for the specified assets over time.
See Exporting assets to BigQuery, Exporting assets to Cloud Storage, and Viewing asset history for more information.
Monitoring asset changes
You can use Cloud Asset Inventory to monitor resource and policy changes you're subscribed to through real-time notifications. By creating and subscribing to an asset feed, you receive immediate updates about any changes for the desired asset names or asset types.
See Monitoring asset changes for more information.
Analyze assets
The Cloud Asset Inventory analysis service allows you to analyze IAM policies in a project, folder, or organization.
See Analyzing IAM policies, Writing results to Cloud Storage, and Writing results to BigQuery for more information.
The Recommender service allows you to view insights generated from your assets.
Key concepts
Content types
You can specify the content type when querying the API.
Content type | Description | |
---|---|---|
gcloud name | REST name | |
access-policy |
ACCESS_POLICY |
The Access Context Manager policy set on an asset. |
content-type-unspecified |
CONTENT_TYPE_UNSPECIFIED |
No metadata is output. |
iam-policy |
IAM_POLICY |
The IAM policy metadata binding to the resource. |
org-policy |
ORG_POLICY |
The organization policy metadata set on an asset. This content type
outputs legacy organization policy v1. For organization policy v2, try the
resource content type and a resource type of
orgpolicy.googleapis.com/Policy . |
os-inventory |
OS_INVENTORY |
The runtime OS inventory information. |
relationship |
RELATIONSHIP |
The related resources. Only available for Security Command Center Premium tier subscribers. |
resource |
RESOURCE |
The resource's metadata. |
For non-resource
content types, the input asset type or asset name should be
the asset type or asset name the policy binds to, not the policy themselves.
Assets
An asset refers to a Google Cloud resource or policy. Cloud Asset Inventory supports three main asset content types:
Resource: Metadata of a Google Cloud resource. Examples include:
Compute Engine virtual machines (VMs)
Cloud Storage buckets
App Engine instances
Policies: Metadata of one of the following policies set on a Google Cloud resource. Examples include:
IAM policies
Organization policies
Access Context Manager policies
Runtime information: Metadata of a runtime information set on a Google Cloud resource. For example, OS inventory management.
See Supported asset types for more information.
Asset snapshot
An asset snapshot is the set of available assets under a Resource Manager project, folder, or organization at a specific timestamp.
Asset history
For a given asset, asset history includes all metadata create, delete, and update events between timestamp T1 and T2. See Viewing asset history for more information.
Retention
Cloud Asset Inventory keeps a 35 day history of Google Cloud asset metadata. This includes all asset creation, update, and deletion history in the five weeks. If an existing asset hasn't been updated or deleted in the past 35 days, Cloud Asset Inventory keeps its most recent status.
Next steps
- Try out the Cloud Asset Inventory Quickstart to start exporting assets.