Infrastructure

The Infrastructure module provides visibility into your cloud environment through automated inventory scanning, interactive network diagrams, drift detection, security finding review, and network access reviews. Connect your AWS account to auto-discover resources, or create freestyle network diagrams manually for compliance documentation.

Overview

Access from Security Operations → Infrastructure in the sidebar. The module has five tabs:

[Screenshot: Infrastructure Network Diagram. Auto-generated topology with an AWS Account us-east-1 boundary containing crescendo-prod-vpc (10.0.0.0/16) with an Internet Gateway, public subnets (bastion, NAT gateway), private subnets (api-1, api-2, worker-1, ml-processor), database subnets (prod-db, replica), ALBs and six security groups, and crescendo-dev-vpc (10.1.0.0/16) with a stopped dev-server. S3 buckets and Lambda functions appear outside the VPCs, with a resource type legend.]

  • Network Diagram — Interactive visual topology of your infrastructure
  • Inventory — Complete resource listing with classification
  • Drift Detection — Changes detected between inventory snapshots
  • Security — Aggregated security findings with review workflow
  • Network Access — Security group and NACL rule review

Connect an AWS account through Administration → Integrations to enable automated scanning, or click Create Freestyle Diagram to build a manual network diagram.

Network Diagram

The Network Diagram tab renders an interactive topology visualization of your cloud infrastructure using data from inventory scans.

Automated Diagrams

When connected to AWS, the diagram auto-generates from inventory data showing:

  • VPC boundaries with CIDR blocks
  • Subnet placement within VPCs (public vs. private)
  • Resource nodes — EC2 instances, RDS databases, load balancers, containers
  • Security group relationships and network connectivity
  • Hierarchical layout for readability

Freestyle Diagrams

Create manual network diagrams without an AWS integration. Freestyle mode provides a canvas where you can:

  • Add custom nodes representing any infrastructure component
  • Draw connections between nodes
  • Annotate data flows between resources
  • Export as evidence for compliance audits

Diagram Workspaces

Multiple diagram workspaces can be created, each with its own customizations:

  • Resource labels — Assign friendly names to resources
  • Data flows — Annotate data movement between resources with data type tags (PII, PHI, Financial)
  • Hidden resources — Hide irrelevant resources from the view
  • Viewport state — Saved zoom and position per workspace

Workspaces can be synced to the latest inventory snapshot to incorporate newly discovered resources.

Inventory

[Screenshot: Inventory tab showing 32 resources grouped by category: Compute (6 EC2 instances with running/stopped state), Networking (2 VPCs), Database (2 RDS instances with Confidential classification and owner). Filters for All Types, All Regions and All VPCs, a search bar, and a Needs Classification badge.]

The Inventory tab shows all discovered cloud resources grouped by category.

Resource Categories

Category | Resource Types
Compute | EC2 instances
Networking | VPCs, Subnets, Security Groups, Network ACLs, Internet Gateways, NAT Gateways
Database | RDS instances
Load Balancers | Application Load Balancers (ALB), Network Load Balancers (NLB)
Containers | ECS Clusters, EKS Clusters
Global | S3 Buckets, CloudFront Distributions, Route 53 Hosted Zones

Resource Table

Each resource row shows:

Field | Description
Name | Resource name (from the AWS Name tag) or resource ID
Type | Resource type badge (EC2, RDS, S3, etc.)
Data Classification | For data-storing resources: Public, Internal, Confidential, Restricted, or Unclassified
Owner | Assigned team member or external contact
Region | AWS region badge
State | Color-coded status (running/available = green, stopped = red)
VPC | Parent VPC ID

Use the filter bar to search by name or to filter by resource type, region, or VPC. The Needs Classification button shows how many data-storing resources have not yet been classified.

Resource Detail Sidecar

Click any resource to open the detail sidecar with five tabs:

  • Overview — Related resources, identity fields (resource ID, region, AZ, VPC, subnet, ARN)
  • Configuration — Full resource metadata grouped by category (compute, network, security, storage, encryption)
  • Connections — Resources this resource connects to or from
  • Tags — AWS resource tags as key-value pairs
  • Classification — Data classification dropdown, owner assignment, and notes (for data-storing resources only)

Data Classification

Data-storing resources (S3, RDS, ECS, EKS) can be classified for compliance purposes:

Level | Description
Public | Data intended for public access
Internal | Internal business data, not sensitive
Confidential | Sensitive data requiring access controls
Restricted | Highly sensitive data (PHI, PII, financial) requiring strict controls

Scan History

The Inventory tab includes a Scan History sub-tab showing all past infrastructure scans with date, resource count, regions scanned, duration, and status (Completed, Failed, In Progress).

Click Scan Now to trigger a manual infrastructure discovery scan.

Drift Detection

[Screenshot: Drift Detection tab with an Unacknowledged filter (4 events) and an All Events toggle, listing four drift events: INFO ADDED EC2 crescendo-ml-processor, CRITICAL ADDED SecurityGroup legacy-open-sg, WARNING MODIFIED SecurityGroup prod-app-sg, WARNING MODIFIED S3 crescendo-static-site, each with region, timestamp and an Acknowledge button.]

Drift detection compares consecutive inventory snapshots and flags changes to your infrastructure.

Drift Events

Each drift event shows:

Field | Description
Severity | Critical, Warning, or Info
Change Type | Added (green), Removed (red), or Modified (amber)
Resource | Resource type and name/ID
Region | AWS region
Timestamp | When the change was detected
Changes | Field-level diffs for modified resources

Severity Levels

Severity | Examples
Critical | Security group opened to 0.0.0.0/0, encryption disabled, public access enabled
Warning | New public-facing resource, IAM policy change, instance type change
Info | Tag modification, minor configuration update

Filter by Unacknowledged to see events requiring attention. Click Acknowledge on any event to mark it as reviewed with an optional note.
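The snapshot comparison and severity mapping described above, as an added example written for this page; it is not the product's own code. It diffs two constructed inventory snapshots (resource id to attributes, all values made up), emits one event per added, removed or modified resource with its field-level changes, and assigns severity using the examples from the severity table. The page gives no severity for removed resources, so treating removals as Warning is this example's assumption.

```python
from dataclasses import dataclass
from typing import Any

# Constructed sample snapshots (resource id -> attributes). Ids, names and
# values are made up for this example.
SNAPSHOT_PREV = {
    "i-0a1": {"type": "EC2", "name": "crescendo-api-1", "region": "us-east-1",
              "instance_type": "t3.medium", "tags": {"env": "prod"}},
    "i-0b2": {"type": "EC2", "name": "crescendo-worker-old", "region": "us-east-1",
              "instance_type": "t3.small", "tags": {}},
    "sg-001": {"type": "SecurityGroup", "name": "prod-app-sg", "region": "us-east-1",
               "ingress": [{"proto": "tcp", "from": 443, "to": 443, "cidr": "10.0.0.0/16"}]},
    "db-001": {"type": "RDS", "name": "prod-db", "region": "us-east-1",
               "storage_encrypted": True, "publicly_accessible": False},
}
SNAPSHOT_CURR = {
    "i-0a1": {"type": "EC2", "name": "crescendo-api-1", "region": "us-east-1",
              "instance_type": "t3.large", "tags": {"env": "prod", "team": "platform"}},
    "sg-001": {"type": "SecurityGroup", "name": "prod-app-sg", "region": "us-east-1",
               "ingress": [{"proto": "tcp", "from": 443, "to": 443, "cidr": "10.0.0.0/16"},
                           {"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}]},
    "db-001": {"type": "RDS", "name": "prod-db", "region": "us-east-1",
               "storage_encrypted": False, "publicly_accessible": False},
    "sg-002": {"type": "SecurityGroup", "name": "legacy-open-sg", "region": "us-east-1",
               "ingress": [{"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}]},
}

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "CRITICAL": 2}


@dataclass
class DriftEvent:
    severity: str
    change_type: str                      # ADDED, REMOVED or MODIFIED
    resource_type: str
    name: str
    region: str
    changes: dict[str, tuple[Any, Any]]   # field -> (before, after); empty unless MODIFIED


def _opens_to_world(rules) -> bool:
    """True if any rule in the list allows 0.0.0.0/0."""
    return any(r.get("cidr") == "0.0.0.0/0" for r in rules or [])


def _field_severity(fld: str, before: Any, after: Any) -> str:
    """Severity of one field-level change, following the page's severity examples."""
    if fld == "ingress" and _opens_to_world(after) and not _opens_to_world(before):
        return "CRITICAL"      # security group opened to 0.0.0.0/0
    if fld == "storage_encrypted" and before and not after:
        return "CRITICAL"      # encryption disabled
    if fld == "publicly_accessible" and not before and after:
        return "CRITICAL"      # public access enabled
    if fld == "instance_type":
        return "WARNING"       # instance type change
    return "INFO"              # tag modification or minor configuration update


def detect_drift(prev: dict, curr: dict) -> list[DriftEvent]:
    """Compare two consecutive snapshots and emit one event per changed resource."""
    events: list[DriftEvent] = []
    for rid, res in curr.items():
        if rid not in prev:
            # A new security group that is already open to the world is critical on arrival.
            world = res["type"] == "SecurityGroup" and _opens_to_world(res.get("ingress"))
            events.append(DriftEvent("CRITICAL" if world else "INFO", "ADDED",
                                     res["type"], res["name"], res["region"], {}))
            continue
        old = prev[rid]
        changes = {k: (old.get(k), res.get(k))
                   for k in sorted(set(old) | set(res)) if old.get(k) != res.get(k)}
        if not changes:
            continue
        # The event takes the highest severity among its field-level changes.
        sev = max((_field_severity(k, b, a) for k, (b, a) in changes.items()),
                  key=SEVERITY_RANK.__getitem__)
        events.append(DriftEvent(sev, "MODIFIED", res["type"], res["name"], res["region"], changes))
    for rid, old in prev.items():
        if rid not in curr:
            # Assumption: the page lists no severity for removals; WARNING is this example's choice.
            events.append(DriftEvent("WARNING", "REMOVED", old["type"], old["name"], old["region"], {}))
    return events


def drift_summary(prev: dict, curr: dict) -> dict[str, tuple[str, str]]:
    """Resource name -> (severity, change type), the view an Unacknowledged filter would sort."""
    return {e.name: (e.severity, e.change_type) for e in detect_drift(prev, curr)}


if __name__ == "__main__":
    for e in sorted(detect_drift(SNAPSHOT_PREV, SNAPSHOT_CURR), key=lambda e: -SEVERITY_RANK[e.severity]):
        print(f"{e.severity:8} {e.change_type:8} {e.resource_type:14} {e.name:22} {e.region}")
        for fld, (before, after) in e.changes.items():
            print(f"    {fld}: {before!r} -> {after!r}")
```

Run stand-alone, the script prints the five events from the constructed snapshots, with the security group opened to 0.0.0.0/0 and the disabled RDS encryption ranked Critical ahead of the instance type change. The field-level diff is kept on the event so a reviewer acknowledging it can see exactly which attribute moved.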

Security Findings

[Screenshot: Security tab with three stat cards (Network 1, Encryption 2, Access 1), category and status filter pills, and 4 findings grouped as Network Findings (EC2 Public IP Exposure on crescendo-bastion), Encryption Findings (2x RDS Not Encrypted at Rest) and Access Findings (EC2 No IAM Instance Profile on crescendo-dev-server), with Review dropdowns, Export CSV and Add All to Risk Register buttons.]

The Security tab aggregates security findings from your latest infrastructure scan with a review workflow.

Finding Categories

Category | Description
Network | Overly permissive security group rules, open NACL entries
Encryption | Unencrypted storage, missing KMS keys, weak cipher configurations
Access | Overly broad IAM policies, public resource access

Review Workflow

Each finding can be reviewed with one of three decisions:

Decision | Description
Approved | Configuration is intentional and acceptable
Justified | Configuration has a documented business justification
Flagged | Configuration requires remediation

Flagged findings can be promoted to the Risk Register as formal risk entries. Findings can also be exported as CSV for offline review.
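The finding categories and the review workflow above, as an added example for this page rather than the product's own scanner. It runs a handful of checks over a constructed inventory excerpt (ids, names and attributes are made up), groups the results into the three categories with per-category counts, records Approved/Justified/Flagged decisions, lists the Flagged findings that would be promoted to the Risk Register, and exports the set as CSV. The check titles echo the ones visible in the screenshot; the conditions behind them are this example's choices.

```python
import csv
import io
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed inventory excerpt (ids, names and attributes are made up).
INVENTORY = [
    {"id": "i-0bast", "type": "EC2", "name": "crescendo-bastion",
     "public_ip": "203.0.113.10", "iam_instance_profile": "bastion-role"},
    {"id": "i-0dev", "type": "EC2", "name": "crescendo-dev-server",
     "public_ip": None, "iam_instance_profile": None},
    {"id": "i-0api", "type": "EC2", "name": "crescendo-api-1",
     "public_ip": None, "iam_instance_profile": "api-role"},
    {"id": "db-prod", "type": "RDS", "name": "prod-db", "storage_encrypted": False},
    {"id": "db-repl", "type": "RDS", "name": "replica", "storage_encrypted": False},
    {"id": "s3-site", "type": "S3", "name": "crescendo-static-site", "public_access_blocked": False},
    {"id": "sg-legacy", "type": "SecurityGroup", "name": "legacy-open-sg",
     "ingress": [{"proto": "-1", "cidr": "0.0.0.0/0"}]},
]

DECISIONS = ("Approved", "Justified", "Flagged")


@dataclass
class Finding:
    category: str            # Network, Encryption or Access
    title: str
    resource_id: str
    resource_name: str
    decision: Optional[str] = None
    note: str = ""

    @property
    def key(self) -> str:
        """Stable identifier for one finding on one resource."""
        return f"{self.title}:{self.resource_id}"


# (category, title, predicate over one inventory record). The conditions are this
# example's simplifications of the categories described on the page.
CHECKS: list[tuple[str, str, Callable[[dict], bool]]] = [
    ("Network", "EC2 Public IP Exposure",
     lambda r: r["type"] == "EC2" and bool(r.get("public_ip"))),
    ("Network", "Security Group Open to 0.0.0.0/0",
     lambda r: r["type"] == "SecurityGroup" and any(x.get("cidr") == "0.0.0.0/0" for x in r.get("ingress", []))),
    ("Encryption", "RDS Not Encrypted at Rest",
     lambda r: r["type"] == "RDS" and not r.get("storage_encrypted")),
    ("Access", "EC2 No IAM Instance Profile",
     lambda r: r["type"] == "EC2" and not r.get("iam_instance_profile")),
    ("Access", "S3 Public Access Not Blocked",
     lambda r: r["type"] == "S3" and not r.get("public_access_blocked")),
]


def scan(inventory: list[dict]) -> list[Finding]:
    """Evaluate every check against every resource; one Finding per hit."""
    return [Finding(cat, title, r["id"], r["name"])
            for r in inventory for cat, title, pred in CHECKS if pred(r)]


def stat_cards(findings: list[Finding]) -> dict[str, int]:
    """Per-category counts, as shown in the tab's stat cards."""
    cards = {"Network": 0, "Encryption": 0, "Access": 0}
    for f in findings:
        cards[f.category] += 1
    return cards


def apply_reviews(findings: list[Finding], decisions: dict[str, tuple[str, str]]) -> list[Finding]:
    """Record (decision, note) per finding key; unknown decisions or keys are rejected."""
    by_key = {f.key: f for f in findings}
    for key, (decision, note) in decisions.items():
        if decision not in DECISIONS:
            raise ValueError(f"decision must be one of {DECISIONS}, got {decision!r}")
        by_key[key].decision = decision      # KeyError for an unknown finding key
        by_key[key].note = note
    return findings


def risk_register_candidates(findings: list[Finding]) -> list[str]:
    """Flagged findings are the ones promoted to the Risk Register."""
    return [f.key for f in findings if f.decision == "Flagged"]


def export_csv(findings: list[Finding]) -> str:
    """CSV export for offline review, header row first."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["category", "title", "resource_id", "resource_name", "decision", "note"])
    for f in findings:
        w.writerow([f.category, f.title, f.resource_id, f.resource_name, f.decision or "", f.note])
    return buf.getvalue()


if __name__ == "__main__":
    findings = scan(INVENTORY)
    print(stat_cards(findings))
    apply_reviews(findings, {
        "RDS Not Encrypted at Rest:db-prod": ("Flagged", "enable storage encryption via snapshot restore"),
        "EC2 Public IP Exposure:i-0bast": ("Justified", "bastion host; SSH source restricted by security group"),
    })
    print("risk register:", risk_register_candidates(findings))
    print(export_csv(findings))
```

The checks are deliberately table-driven: adding a category or a check is one tuple, and the decision and CSV logic never has to change. Keeping the decision on the finding object (rather than in a separate list) is what makes "Add All to Risk Register" a one-line filter.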

Remediation

AI-powered remediation guidance can be generated for security findings, providing step-by-step instructions for resolving the issue.

Network Access Reviews

[Screenshot: Network Access tab listing two reviews, Network Access Review May 2026 (0/0 progress) and Q2 2026 Network Access Review (7/9 progress, 1 flagged), with Status, Date, Progress bar and Flagged count columns and Resume buttons.]

The Network Access tab provides a formal review process for security group and NACL rules. The review list shows all reviews with their status, creation date, progress bars, and flagged rule counts.

Creating a Review

Click Start New Review to create a review based on the latest inventory snapshot. The review pulls all security group and NACL rules for systematic evaluation.

Rule Review

[Screenshot: Network Access Review detail for the Q2 2026 review with stat cards (9 Total Rules, 5 Approved, 1 Flagged, 1 Risk Accepted, 2 New Rules, 2 Not Reviewed) and six collapsible security group sections (prod-alb-sg, prod-app-sg, prod-bastion-sg, prod-database-sg, prod-lambda-sg, legacy-open-sg), each rule showing Direction, Protocol/Ports, Source/Dest, Status badge, Decision dropdown and Justification text field.]

Click Resume on any review to open the rule-level detail. Rules are grouped by security group, each showing direction, protocol/ports, source/destination, and a decision dropdown with justification field. Stat cards at the top summarize review progress.

Each rule is evaluated individually with a decision:

Decision | Description
Not Reviewed | Rule hasn't been evaluated yet
Approved | Rule is necessary and properly scoped
Flagged for Removal | Rule should be removed
Risk Accepted | Rule is overly broad but the risk is accepted with justification

AI Analysis

Click Analyze to have AI review all rules and provide recommendations based on security best practices, least-privilege principles, and your organization's compliance requirements.
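The rule-level review and the analysis step above, as one added example for this page; it is not the product's code and the recommendation logic is a plain least-privilege heuristic, not the product's AI analysis. It groups a constructed rule set by security group (group names follow the screenshot; ids, ports and sources are made up), suggests a decision per rule, records decisions with the justification the Risk Accepted state requires, and computes the progress and stat-card numbers. The rule set from the previous review is assumed to be known by rule id so that "New Rules" can be counted.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

DECISIONS = ("Not Reviewed", "Approved", "Flagged for Removal", "Risk Accepted")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    group: str            # security group the rule belongs to
    direction: str        # ingress or egress
    proto: str            # tcp, udp, or -1 for all protocols
    from_port: int
    to_port: int
    source: str           # CIDR block or referenced security group id
    decision: str = "Not Reviewed"
    justification: str = ""


# Constructed rule set for one review; group names mirror the page's screenshot,
# everything else (ids, ports, sources) is made up.
RULES = [
    Rule("r1", "prod-alb-sg", "ingress", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("r2", "prod-app-sg", "ingress", "tcp", 8080, 8080, "sg-alb"),
    Rule("r3", "prod-bastion-sg", "ingress", "tcp", 22, 22, "0.0.0.0/0"),
    Rule("r4", "prod-database-sg", "ingress", "tcp", 5432, 5432, "sg-app"),
    Rule("r5", "legacy-open-sg", "ingress", "-1", 0, 65535, "0.0.0.0/0"),
    Rule("r6", "prod-app-sg", "egress", "-1", 0, 65535, "0.0.0.0/0"),
]
# Assumed ids from the previous review; r5 and r6 are therefore "New Rules".
PREVIOUS_REVIEW_RULE_IDS = {"r1", "r2", "r3", "r4"}


def _is_world(source: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; False for a narrower CIDR or a security group reference."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def recommend(rule: Rule) -> tuple[str, str]:
    """Least-privilege heuristic returning (suggested decision, reason).
    These rules of thumb are this example's, not the product's AI analysis."""
    if rule.direction == "egress":
        return "Approved", "egress rule; tighten only if egress filtering is a requirement"
    if not _is_world(rule.source):
        return "Approved", f"source {rule.source} is scoped"
    if rule.proto == "-1":
        return "Flagged for Removal", "all protocols and ports open to the internet"
    if WEB_PORTS.issuperset(range(rule.from_port, rule.to_port + 1)):
        return "Approved", "public web listener on 80/443"
    return "Flagged for Removal", f"{rule.proto} {rule.from_port}-{rule.to_port} open to the internet"


def validate_decision(decision: str, justification: str) -> Optional[str]:
    """Return an error message, or None if the decision is acceptable."""
    if decision not in DECISIONS:
        return f"unknown decision {decision!r}"
    if decision == "Risk Accepted" and not justification.strip():
        return "Risk Accepted requires a justification"
    return None


def decide(rules: list[Rule], rule_id: str, decision: str, justification: str = "") -> list[Rule]:
    """Record a decision for one rule; returns a new list, the input is left unchanged."""
    error = validate_decision(decision, justification)
    if error:
        raise ValueError(error)
    if not any(r.rule_id == rule_id for r in rules):
        raise KeyError(rule_id)
    return [replace(r, decision=decision, justification=justification) if r.rule_id == rule_id else r
            for r in rules]


def progress(rules: list[Rule]) -> tuple[int, int]:
    """(reviewed, total), the numbers behind the progress bar."""
    return sum(r.decision != "Not Reviewed" for r in rules), len(rules)


def stat_cards(rules: list[Rule], previous_ids: set[str]) -> dict[str, int]:
    """Counts matching the review detail's stat cards."""
    labels = {"Approved": "Approved", "Flagged for Removal": "Flagged",
              "Risk Accepted": "Risk Accepted", "Not Reviewed": "Not Reviewed"}
    cards = {"Total Rules": len(rules), "Approved": 0, "Flagged": 0, "Risk Accepted": 0,
             "New Rules": sum(r.rule_id not in previous_ids for r in rules), "Not Reviewed": 0}
    for r in rules:
        cards[labels[r.decision]] += 1
    return cards


def by_group(rules: list[Rule]) -> dict[str, list[Rule]]:
    """Group rules by security group, as the review detail displays them."""
    groups: dict[str, list[Rule]] = {}
    for r in rules:
        groups.setdefault(r.group, []).append(r)
    return groups


if __name__ == "__main__":
    review = RULES
    for group, rules in by_group(review).items():
        print(group)
        for r in rules:
            suggestion, reason = recommend(r)
            print(f"  {r.rule_id} {r.direction:7} {r.proto:3} {r.from_port}-{r.to_port} "
                  f"{r.source:12} -> {suggestion} ({reason})")
    review = decide(review, "r1", "Approved", "public HTTPS listener on the ALB")
    review = decide(review, "r5", "Flagged for Removal", "superseded by prod-app-sg")
    review = decide(review, "r3", "Risk Accepted", "break-glass access, MFA enforced, revisit next quarter")
    print(stat_cards(review, PREVIOUS_REVIEW_RULE_IDS), progress(review))
```

Two design points carry over to any review tooling of this kind: decisions are validated before they are stored, so a Risk Accepted rule can never exist without the justification that makes it defensible as evidence, and recommendations are kept separate from decisions, so the analysis step informs the reviewer without silently marking rules as reviewed.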

Review Lifecycle

Status | Description
In Progress | Review is active, rules being evaluated
Completed | All rules reviewed, findings documented

Completed reviews serve as evidence of periodic network access review for compliance frameworks (SOC 2, ISO 27001).

Evidence Generation

Infrastructure data feeds directly into compliance evidence:

  • Network diagrams — Export as PNG for visual evidence of network architecture
  • Inventory exports — CSV exports of resource inventory
  • Drift detection reports — Demonstrate continuous monitoring of infrastructure changes
  • Security finding summaries — Document security posture and remediation efforts
  • Network access reviews — Evidence of periodic access rule review

Diagrams and inventory can be saved directly to Evidence Requests via the Save as Evidence action.