Services Covered

What GrandLine discovers, secures, and costs.

An accurate reference of every resource type GrandLine discovers today across AWS, Azure, and GCP — pulled directly from the connector codebase. 23 AWS SDK clients, 12 Azure ARM clients, 12 GCP client libraries, and a unified cost graph across all three.

~70 services discovered
3 cloud providers
4 shipping security rules
1 unified cost graph

AWS

Compute
EC2 Instances (Live)
Lambda Functions (Live)
ECS Clusters / Services / Tasks (Live)
EKS Clusters and Node Groups (Live)

Networking
VPCs (Live)
Subnets (Live)
Route Tables (Live)
Internet Gateways (IGW) (Live)
NAT Gateways (Live)
VPC Endpoints (Live)
VPC Peering (Live)
Security Groups (Live)
Network ACLs (NACLs) (Live)
Transit Gateways (TGW) (Live)
AWS Cloud WAN (Live)
Direct Connect (DX) (Live)
ALB / NLB (ELBv2) (Live)
Route 53 (Live)
CloudFront Distributions (Live)

Storage and Data
S3 Buckets (Live)
EBS Volumes (Live)
RDS / Aurora Clusters and Instances (Live)
DynamoDB Tables (Live)
ElastiCache Clusters (Live)

Messaging
SQS Queues (Live)
SNS Topics (Live)

Identity and Secrets
IAM Roles (Live)
IAM Users (Live)
IAM Groups (Live)
IAM Policies (Live)
IAM Instance Profiles (Live)
IAM Trust Graphs (Live)
KMS Keys (Live)
Secrets Manager (Live)
ACM Certificates (Live)

API and Edge
API Gateway v1 and v2 (Live)
CloudFront Distributions (Live)

Organisation
AWS Organizations Account Inventory (Live)
Organisational Unit (OU) Tree (Live)

Azure

Compute
Virtual Machines (VMs) (Live)
VM Scale Sets (Live)
AKS Clusters (Container Service) (Live)
App Service (Live)

Networking
Virtual Networks (VNets) (Live)
Subnets (Live)
Network Security Groups (NSGs) (Live)
Load Balancers (Live)
Application Gateways (Live)
Public IPs (Live)
Private Endpoints (Live)
ExpressRoute (Live)
Azure Virtual WAN (VWAN) (Live)
Azure DNS (Live)

Storage and Data
Storage Accounts (Live)
Managed Disks (Live)
Azure SQL (Live)
Cosmos DB (Live)

Identity and Secrets
Key Vault (Live)
RBAC Role Assignments (arm-authorization) (Live)

Messaging
Service Bus (Live)

Organisation
Subscriptions (Live)
Resource Groups (Live)

GCP

Compute
Compute Engine VMs (Live)
Managed Instance Groups (MIGs) (Live)
GKE Clusters and Node Pools (Live)
Cloud Run Services (Live)
Cloud Functions (Live)

Networking
VPC Networks (Live)
Subnets (Live)
Firewall Rules (Live)
Cloud Load Balancing Stack (Live)
Cloud NAT (Live)
Cloud Armor (Live)
Network Connectivity Center (NCC) (Live)
Cloud DNS (Live)

Storage and Data
GCS Buckets (Live)
Cloud SQL (Live)
BigQuery Datasets (Live)

Messaging
Pub/Sub Topics and Subscriptions (Live)

Identity and Secrets
Project IAM Bindings (Live)
Secret Manager (Live)

Organisation
Organisation Node (Live)
Folders (Live)
Projects Fan-out Discovery (Live)

AWS — Cost Explorer API
Daily spend granularity (Live)
Dimension: SERVICE (Live)
Dimension: LINKED_ACCOUNT (Live)
Dimension: REGION (Live)
Dimension: USAGE_TYPE (Live)
Dimension: RESOURCE_ID (where activated) (Live)
Tag key dimensions (Live)
Unblended cost (Live)
Amortized cost (Live)

Azure — Cost Management API
Daily spend at subscription scope (Live)
Daily spend at resource-group scope (Live)
Dimension: ServiceName (Live)
Dimension: ResourceGroup (Live)
Dimension: ResourceLocation (Live)
Dimension: MeterCategory (Live)
Tag dimensions (Live)

GCP — BigQuery Billing Export
Detailed billing export dataset query (Live)
Dimension: SKU (Live)
Dimension: Service (Live)
Dimension: Project (Live)
Label cost dimensions (Live)

Unified Cost Graph (all clouds)
Invoice reconciliation against billing total (Live)
Top-N cost driver views (Live)
Week-over-week deltas (Live)
Untagged spend surface (Live)
Idle resource attribution (Live)
Cost linked back to discovered resources (Live)

What ships today: GrandLine runs a focused set of high-signal security rules at the end of every discovery sync. Security value also comes from the architecture graph itself — public exposure paths, overly permissive IAM trust edges, unencrypted data stores, and dangling DNS all surface as flagged nodes on the diagram. A full per-rule compliance scorecard view is on the near-term roadmap.
AWS — Shipping Rules (apps/worker/src/rules/aws.ts)

| Rule ID | Description | Severity |
| --- | --- | --- |
| aws.ec2.sg-open-ssh | Security group allows 22/tcp from 0.0.0.0/0 | HIGH |
| aws.ec2.sg-open-rdp | Security group allows 3389/tcp from 0.0.0.0/0 | HIGH |
| aws.ec2.public-instance | EC2 instance with a public IP address | INFO |
| aws.ec2.no-instance-role | EC2 instance without an attached IAM role | MEDIUM |

Azure and GCP — Graph-Driven Findings (Live)

The architecture graph surfaces equivalent security issues for Azure and GCP directly on the diagram. Explicit per-rule Findings entries are on the roadmap.

Public exposure paths (Live)
Open NSG / firewall rules (Live)
Public VMs and instances (Live)
Overly permissive IAM trust edges (Live)
Unencrypted data stores (Live)
Dangling DNS records (Live)

Honest position: GrandLine does not currently ship a one-click CIS / SOC 2 / PCI scorecard view. The four shipping AWS rules have published framework mappings per rule. A full compliance tab grouping findings by control ID is on the near-term roadmap.

Shipping Rule Mappings

| Rule | CIS AWS v3.0 | NIST CSF 2.0 | AWS Well-Architected | MITRE ATT&CK |
| --- | --- | --- | --- | --- |
| sg-open-ssh | 5.2 | PR.AC-5 | SEC05-BP01 | T1190 |
| sg-open-rdp | 5.3 | PR.AC-5 | SEC05-BP01 | T1190 |
| public-instance | 5.1 (adjacent) | PR.AC-5 | SEC05-BP02 | T1133 |
| no-instance-role | . | PR.AC-1 | SEC02-BP02 | T1078.004 |

Platform Posture (GrandLine itself)

SOC 2 Type II (Targeting)

GrandLine is designed to the Trust Services Criteria. Type II audit is targeted within 12 months of GA. Controls documentation lives in docs/compliance/SOC2_READINESS.md.

GDPR (Aligned)

EU data residency option available. Data processing agreement available (docs/legal/dpa.md). Subject access and erasure request workflows built in. Documented subprocessor list published.

Full Compliance Tab (Roadmap)

The plan is to extend the Rule model with a frameworks column, seed mappings for CIS AWS / Azure / GCP Foundations, NIST CSF 2.0, AWS Well-Architected, SOC 2 CC, PCI-DSS 4.0, and HIPAA Security Rule, then expose a Compliance tab grouping findings by control.

Azure and GCP Rule Catalogue (Roadmap)

The Azure and GCP rule scaffolding is in place. Explicit per-rule findings with framework mappings for Azure NSG rules, GCP IAM bindings, and encryption checks are on the near-term roadmap.
