CloudQuery
@cloudquery.bsky.social
Data pipelines for cloud config and security data. Build cloud asset inventory, CSPM, FinOps, and vulnerability management solutions. Extract from AWS, Azure, GCP, and 70+ cloud and SaaS sources.
Agents made sense for physical data centers. They make zero sense when 70-80% of your resources are managed services.

We built a guide on API-driven discovery: https://www.cloudquery.io/blog/death-of-agent-based-discovery
November 10, 2025 at 3:15 PM
Security model flips too:

Agents: elevated privileges on every host, distributed credentials, 10,000 binaries to patch

APIs: one read-only IAM role, centralized auditing via CloudTrail, revoke in seconds
November 10, 2025 at 3:15 PM
Every cloud service has an API. EC2's DescribeInstances. S3's GetBucketPolicy. RDS's DescribeDBInstances.

APIs return 50-100+ config attributes per resource. Zero installation. Zero compute overhead. Just query and parse JSON.
November 10, 2025 at 3:15 PM
The math is brutal at scale:

→ 10,000 instances × $4/month = $40K/year in agent overhead
→ 2-5% CPU constantly consumed
→ 200-500MB memory per instance
→ Agents miss short-lived resources that terminate before registration
November 10, 2025 at 3:15 PM
Your Kubernetes pod lives 45 seconds. Your RDS database has no OS you can SSH into. 70-80% of AWS services are managed services with nowhere to install an agent.

Yet we're still trying to deploy agents everywhere.
November 10, 2025 at 3:15 PM
Your Lambda function runs 200 milliseconds. Agent initialization takes 2-5 seconds.

The function finishes before the agent even starts. You literally cannot install an agent in serverless.
November 10, 2025 at 3:15 PM
Traditional CMDBs were built for servers lasting 3-5 years. That world doesn't exist anymore.

Read the full guide: https://www.cloudquery.io/blog/real-time-cloud-cmdb-ephemeral-infrastructure
November 7, 2025 at 3:15 PM
We put together a guide on building CMDBs that actually work with ephemeral cloud services.

Covers sync strategies, API rate limits, and why the Infrastructure Lake architecture beats proprietary CMDB apps.
November 7, 2025 at 3:15 PM
We've seen this work at 1,000+ AWS accounts with millions of records per sync.

Extract cloud data to PostgreSQL or BigQuery. Query with SQL. Stop pretending infrastructure lives forever.
November 7, 2025 at 3:15 PM
The answer isn't "scan faster." API rate limits make that impossible.

You need tiered sync strategies:
→ Critical (IAM, security groups): 15-30 min
→ Important (EC2, RDS): hourly
→ Everything else: daily
November 7, 2025 at 3:15 PM
Here's what that looks like in practice:

→ Compromised Lambdas mine crypto for 5 minutes and vanish
→ Ephemeral GPU instances rack up $10K bills with zero trace
→ Auditors ask for proof from dates between your scans
→ Engineers debug "ghost" pods that never appeared
November 7, 2025 at 3:15 PM
Traditional CMDBs with 24-hour discovery windows miss ephemeral resources entirely.

A resource that exists for 30 minutes? Little chance it shows up in your daily scan.

AWS spot instances terminate with 2-minute warnings. Lambda functions execute and vanish.
November 7, 2025 at 3:15 PM
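The tiered schedule and the 30-minute resource from the two posts above, worked through as an added example (not CloudQuery's code or part of the posts). The resource names, lifetimes and the assumption that snapshots fire at fixed multiples of the interval from midnight are constructed for illustration.

```python
from dataclasses import dataclass

# Sync intervals in minutes for the three tiers named in the post
# (lower bound of "15-30 min", hourly, daily).
TIERED = {"critical": 15, "important": 60, "other": 1440}
DAILY_ONLY = {"critical": 1440, "important": 1440, "other": 1440}

@dataclass
class Resource:
    name: str
    tier: str
    created: int  # minutes after midnight
    deleted: int  # minutes after midnight

# Constructed sample data: one day of resource lifetimes.
SAMPLE = [
    Resource("sg-temp-rule", "critical", 605, 635),   # 30-minute security group
    Resource("gpu-spot-1", "important", 605, 635),    # 30-minute EC2 instance
    Resource("lambda-burst", "other", 605, 610),      # 5-minute function
    Resource("rds-prod", "important", 0, 1440),       # long-lived database
]

def seen_by_snapshot(res, interval):
    """True if a snapshot at 0, interval, 2*interval, ... lands in [created, deleted)."""
    first = -(-res.created // interval) * interval  # first snapshot at or after creation
    return first < res.deleted

def blind_spots(resources, schedule):
    """Names of resources that no snapshot in the schedule ever captured."""
    return [r.name for r in resources if not seen_by_snapshot(r, schedule[r.tier])]

def capture_probability(lifetime, interval):
    """Chance of capture when creation time is uniformly random relative to the schedule."""
    return min(1.0, lifetime / interval)

if __name__ == "__main__":
    print("daily only:", blind_spots(SAMPLE, DAILY_ONLY))
    print("tiered:    ", blind_spots(SAMPLE, TIERED))
    print("30-min resource, daily scan: %.1f%%" % (100 * capture_probability(30, 1440)))
```

Even with tiers, the constructed 30-minute instance slips between two hourly snapshots, the same gap the posts describe for daily scans at a smaller scale.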
Organizations extracting maximum value understand they're implementing a business capability, not deploying a technical solution.

Full breakdown: https://www.cloudquery.io/blog/five-tips-maximum-value-cloud-asset-inventory
November 5, 2025 at 6:00 AM
5/ Plan for continuous improvement and scale

Technology changes. Priorities shift. Cloud environments expand.

Your asset inventory should adapt to organizational change without major re-architecture.
November 5, 2025 at 6:00 AM
4/ Provide actionable intelligence, not just data

When someone discovers an unencrypted database, they should remediate immediately—not just report it.

Connect your inventory to build pipelines, alerting systems, and remediation workflows.
November 5, 2025 at 6:00 AM
3/ Prioritize high-impact use cases first

Don't boil the ocean. Find your highest-value problem—upcoming audit, Q4 cost optimization, security gaps.

Solve it completely. Demonstrate clear ROI. Then expand.
November 5, 2025 at 6:00 AM
2/ Engage stakeholders across teams

Your inventory isn't an IT project—it's a business capability.

Include FinOps, security, compliance, development, and operations as co-owners from day one. Not just users.
November 5, 2025 at 6:00 AM
1/ Business outcomes over technical features

Don't build it because you can. Draw a direct line from every feature to revenue protection, cost savings, or risk reduction.

If you can't explain the business value in one sentence, don't build it.
November 5, 2025 at 6:00 AM
If these questions take more than 30 seconds to answer, your cloud asset inventory needs work.

Here's what we learned from AWS PSA Keegan Marazzi about building asset inventories that actually get used:
November 5, 2025 at 6:00 AM
Traditional CMDBs solved a real problem in 2006. That world doesn't exist anymore.

Infrastructure is code. Resources are ephemeral. APIs provide real-time state.

Stop forcing cloud into 20-year-old models.

Full comparison: https://www.cloudquery.io/blog/cloud-cmdb-vs-traditional-cmdb-2026
November 3, 2025 at 2:15 PM