Resource Inventory Overview

Use the resource inventory to view, filter, and search for resources in your cloud accounts. We provide a complete inventory of your cloud resources along with their spend data, tags, and compliance status. You can keep an eye on resource totals and status at a high level, and, if you notice something you need to address, you can quickly drill down to specific resources to take action.

Any supported resources associated with accounts in Kion are automatically pulled in to the resource inventory. Resource inventory scans are run every 24 hours.

Currently, resource inventory only supports AWS and Azure resources. Google Cloud support will be added in an upcoming release. For a complete list of the resource types supported in resource inventory, see Resource Inventory Support.

Enabling Resource Inventory

Resource inventory functionality can be enabled by navigating to Settings > System Settings > Application Settings > Resource Inventory Settings.

Viewing Resources

From the Resource Inventory Overview page, click View All Resources to see a full list of your cloud resources, or click on one of the graphs to see a pre-filtered list based on your selection.

On the Resource Inventory page, you can use the filters on the left to narrow down which resources you are viewing, sort results by any of the included columns, or search for specific resources with the top search box.

Filtering

Adding an Active Between filter not only narrows down your view, it also adds a column to the results table that shows the total cost accrued by each resource during that time frame.

Selecting Display Deleted Resources includes resources that were in a previous scan but not the most recent scan.

Exporting Reports

You can export two report types from resource inventory.

Resource Detail Report

The Resource Detail Report exports a CSV file containing the inventory data currently displayed in the table. The export respects all active filters at the time of download, ensuring that only the filtered data is included in the report.

Resource Access Report

When Admin Audit is turned on in system settings, Kion lets Admins download a resource access CSV report that shows which IAM roles and users can access specific AWS resources, and with what access capability. This report saves time for CloudOps and SecOps engineers who need to do access reviews for sensitive cloud resources. This report is not yet filterable and will export a .CSV for each account in the system.

The report contains the following columns:

  • Service name (e.g., S3, KMS, etc.)
  • Resource name
  • Resource ARN
  • Access Capability (e.g., read, write, use, delete, administer)
  • Principal type (e.g., IAM Role or IAM User)
  • Principal name
  • Principal ARN

The report is available to users with both of the following permissions:

  • Browse All Admin Audit Data
  • Global Browse Resource Inventory

To access the report:

  1. Navigate to Cloud Resources > Resource Inventory
  2. Under "AWS Resources" click "View All"
  3. Click "Export" in the table

Access Capabilities

Each IAM user or role’s provisioned access to AWS resources has been summarized into a small number of access capabilities:

administer-resource – principal may execute one or more AWS API actions that administer an AWS resource (create, modify, or destroy actions) or the security controls for that resource, e.g. modify bucket policies, create RDS cluster

read-config – principal has the ability to read service or resource configuration metadata, e.g. the names of database clusters, the number of instances in those clusters, a security policy

use-resource – a generic capability indicating that the principal has the ability to use a resource, but the resource manages its access control internally, e.g. rds-db:connect

read-data – principal has the ability to read data from the resource, e.g. read objects from an S3 bucket or DynamoDB table

write-data – principal has the ability to write data in the resource, e.g. put objects into an S3 bucket or DynamoDB table

delete-data – principal has the ability to delete data from the resource, e.g. delete objects in an S3 bucket or items from a DynamoDB table

unclassified-access – an internal classification indicating access has not been classified.

 

How to Use the Report

Use the report to understand who has access to a specific resource, what access capabilities that principal has on that resource, which resources have the most principals with access, and more.

  1. Open in a Spreadsheet Tool

    Download the .csv file and open it in Excel, Google Sheets, or another spreadsheet application.

  2. Enable Filters

    Turn on filters in your spreadsheet tool so you can easily sort and narrow down values in columns like:

    • resource_name
    • service_name
    • principal_name
    • access_capability

Use Case 1: Who Has Access to a Specific Resource (e.g., an S3 Bucket)?

You might want to understand who has access to a particular bucket and what kind of access they have (e.g., read vs write).

Steps:

  1. Filter the resource_name column for the S3 bucket of interest.
  2. Review the matching rows to see:
    • The list of principal_names with access.
    • The corresponding access_capability (e.g., read-data, write-data, administer-resource).

This gives you a straightforward audit of who can do what with the selected resource.

Use Case 2: Which Resources Have Many Principals?

Resources with many different principals accessing them may represent potential risk or complexity, such as overly broad permissions. This could be a point of interest if:

  • The resource is sensitive.
  • You want to tighten access scopes.
  • You're conducting a privilege review.

How to Analyze:

Use a pivot table to summarize and sort this information.

Steps (in Excel or Google Sheets):

  1. Insert a Pivot Table:
    • Select all data.
    • Insert → Pivot Table.
  2. Configure the Pivot Table:
    • Rows: resource_name
    • Values: principal_arn (set to "Count" to count the number of unique principals per resource)
  3. Sort the Result:
    • Sort the pivot table by the count of principal_arn (descending).
    • This will show which resources have the most principals accessing them.
  4. Optionally, dimension by access capability (by configuring the pivot table columns: access_capability) to understand the number of principals who can read, write, delete, administer, etc.

Using a pivot table displaying the number of unique principals per resource, you can quickly identify which resources are accessed by the most entities—potentially highlighting those that may need a closer access review.

 

More use cases for the report:

  • Who has write/delete/admin access?
    • Filter the access_capability column to show only sensitive access types.
    • Then review which principals appear repeatedly or across multiple resources.
  • Which roles or services are over-permissioned?
    • Group by principal_name and count how many resources each one can access.
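
The spreadsheet analyses above (Use Case 1, Use Case 2, and the write/delete/admin review) can also be scripted, which helps when the export produces one CSV per account. The following is an added example, not Kion code: the rows are constructed, and the header spellings resource_arn and principal_type are assumptions. It counts distinct principal_arn values per resource, because in the sample a principal appears on one row per capability and a plain row count would overstate the number of principals.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Header names follow the columns this page filters on;
# resource_arn and principal_type are assumed spellings of the listed columns.
SAMPLE_CSV = """\
service_name,resource_name,resource_arn,access_capability,principal_type,principal_name,principal_arn
S3,audit-logs,arn:aws:s3:::audit-logs,read-data,IAM Role,analyst,arn:aws:iam::111111111111:role/analyst
S3,audit-logs,arn:aws:s3:::audit-logs,write-data,IAM Role,ingest,arn:aws:iam::111111111111:role/ingest
S3,audit-logs,arn:aws:s3:::audit-logs,read-data,IAM Role,ingest,arn:aws:iam::111111111111:role/ingest
S3,audit-logs,arn:aws:s3:::audit-logs,administer-resource,IAM User,ops-admin,arn:aws:iam::111111111111:user/ops-admin
KMS,data-key,arn:aws:kms:us-east-1:111111111111:key/EXAMPLE,use-resource,IAM Role,ingest,arn:aws:iam::111111111111:role/ingest
KMS,data-key,arn:aws:kms:us-east-1:111111111111:key/EXAMPLE,administer-resource,IAM User,ops-admin,arn:aws:iam::111111111111:user/ops-admin
"""

# Capabilities reviewed in the write/delete/admin use case.
SENSITIVE = {"write-data", "delete-data", "administer-resource"}

def load_rows(text):
    """Parse one exported report (one CSV per account) into dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def who_has_access(rows, resource_name):
    """Use Case 1: principal_name -> sorted capabilities on one resource."""
    access = defaultdict(set)
    for row in rows:
        if row["resource_name"] == resource_name:
            access[row["principal_name"]].add(row["access_capability"])
    return {name: sorted(caps) for name, caps in access.items()}

def principals_per_resource(rows):
    """Use Case 2: (resource_name, distinct principal count), busiest first."""
    seen = defaultdict(set)
    for row in rows:
        seen[row["resource_name"]].add(row["principal_arn"])
    return sorted(((r, len(p)) for r, p in seen.items()),
                  key=lambda item: (-item[1], item[0]))

def sensitive_reach(rows):
    """principal_name -> distinct resources it can write, delete or administer."""
    reach = defaultdict(set)
    for row in rows:
        if row["access_capability"] in SENSITIVE:
            reach[row["principal_name"]].add(row["resource_name"])
    return {name: len(res) for name, res in reach.items()}

if __name__ == "__main__":
    print(principals_per_resource(load_rows(SAMPLE_CSV)))
```

To cover every account, concatenate the rows returned by load_rows for each exported file before calling the analysis functions.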

Resource Details

When you select a resource in the table, the resource's details are shown in a panel below.

On the Overview tab, you can see general information about the resource, including cloud provider, status, associated projects, account numbers, regions, and data specific to the resource type. You can also see Cloud Provider Tags. We pull these straight from the cloud provider, so you can see every tag on a resource at once. Using the Cloud Access option, you can federate directly into the cloud account containing the resource using Kion cloud access roles.

The Monthly Spending tab shows the resource's spend data over its lifetime.

The Savings Opportunities tab shows recommended rightsizing and decommissioning opportunities to reduce the resource's spend. For more information, see What is a Savings Opportunity?

The Compliance Findings tab shows any compliance findings associated with the resource. For more information, see What is a Finding?
