How infrastructure scanning works.

Every scan is read-only. Axiom enumerates resources via Describe/List/Get APIs only, builds a typed snapshot, and feeds it into the reasoning engine. Nothing is modified, and nothing is read other than configuration metadata.

The model in one sentence

A scan is a read-only enumeration of your infrastructure across the regions you authorized — no writes, no object contents, no secrets, no row data. The output is a typed snapshot stored in your tenant only.

01

What Axiom scans

For AWS (full implementation), scans cover:

  • Compute: EC2 instances, Lambda functions, ECS/Fargate tasks, Auto Scaling Groups
  • Storage: S3 bucket configuration (not contents), EBS volumes, EFS filesystems, snapshots
  • Databases: RDS instances + clusters, ElastiCache, DynamoDB tables, Aurora
  • Networking: VPCs, subnets, security groups, NACLs, Transit Gateways, NAT gateways, ELBs/ALBs
  • Identity: IAM roles, policies, trust relationships, Service Control Policies (read-only audit)
  • Observability: CloudWatch metrics, log group configurations (not log contents), alarms
  • Cost signals: Cost Explorer aggregates for cost-trend reasoning

02 · Hard guarantees

What Axiom does NOT scan

  • Object contents in S3 buckets — only metadata (encryption, ACL, lifecycle, versioning)
  • Database row contents — only configuration metadata
  • Secrets in Secrets Manager or KMS — only their existence and rotation policy
  • CloudTrail event history — only the configuration of the trail itself
  • Customer data of any kind

See security model for the full data-storage table.

03 · Lifecycle

The scan lifecycle

1. Connection check
   Axiom calls sts:AssumeRole with the External ID and receives 1-hour temporary credentials.

2. Region selection
   Axiom iterates over the regions you authorized during onboarding. Each region is scanned in parallel.

3. Resource enumeration
   For each service (EC2, S3, RDS, IAM, etc.), Axiom calls the relevant Describe/List/Get APIs. Pagination is handled automatically.

4. Snapshot construction
   Raw responses are normalized into a typed snapshot. Provider-specific identifiers are preserved for traceability.

5. Reasoning engine
   The snapshot feeds the 12-step cognitive loop: observe → interpret → reason → plan → verify → execute. Findings, recommendations, and an execution plan emerge.

6. Persistence + audit
   The snapshot, findings, and plan persist in your tenant only. ExecutionLog and AxiomAuditEvent capture the scan operation immutably.
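
One way to check, on the customer side, that the role a scanner assumes matches the read-only claims above: this sketch audits an IAM permissions policy for actions outside Describe/List/Get (and for Get actions that return contents rather than configuration), and a trust policy for a missing sts:ExternalId condition. It is an added example, not Axiom's code; the function names, the DATA_READS list, and both sample policy documents are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

READ_VERBS = ("describe", "list", "get")
# Illustrative, not exhaustive: real AWS actions that pass the verb test
# but return contents (objects, rows, secrets, log events), not configuration.
DATA_READS = ("s3:getobject", "s3:getobjectversion", "dynamodb:getitem",
              "secretsmanager:getsecretvalue", "logs:getlogevents")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_permissions(policy):
    """Findings for Allow statements that exceed metadata-only reads."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction: allows every action not listed")
        for action in _as_list(stmt.get("Action", [])):
            pattern = action.lower()  # IAM action names are case-insensitive
            if not pattern.partition(":")[2].startswith(READ_VERBS):
                findings.append(f"{action}: not a Describe/List/Get action")
            elif any(fnmatchcase(d, pattern) for d in DATA_READS):
                findings.append(f"{action}: can read contents, not just metadata")
    return findings

def audit_trust(trust):
    """Findings for sts:AssumeRole grants lacking an sts:ExternalId condition."""
    findings = []
    for stmt in _as_list(trust["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") == "Allow" and "sts:assumerole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not cond.get("sts:ExternalId"):
                findings.append("sts:AssumeRole allowed without sts:ExternalId")
    return findings

# Constructed sample documents (account ID and External ID are placeholders).
SCAN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "s3:GetBucketEncryption", "s3:Get*", "iam:PassRole"]}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}

if __name__ == "__main__":
    print(audit_permissions(SCAN_POLICY) + audit_trust(TRUST_POLICY))
```

The wildcard `s3:Get*` is flagged because it also matches `s3:GetObject`; granting the specific bucket-configuration Get actions instead keeps the role inside the metadata-only boundary.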

04 · AWS vs Azure vs GCP

Provider differences

  • AWS — Full implementation. Scan, reasoning, plan, execute, monitor, learn.
  • Azure — Scan + topology mapping live. Service Principal connector. Reasoning + execution rolling out Q2 2026.
  • GCP — Scan + topology mapping live. Service Account connector. Reasoning + execution rolling out Q3 2026.

Reading scan status

  • Queued — Scan accepted, waiting for worker
  • Running — Active enumeration in progress; partial results may stream to the dashboard
  • Completed — Snapshot + findings + plan persisted; status flips to operational
  • Failed — The exact AWS error code is shown, with a link to troubleshooting

Trust questions

What is happening during a scan?

Read-only enumeration of infrastructure across authorized regions. No writes, no object reads, no secret access.

Why does Axiom need this?

To reason about your infrastructure it needs an accurate snapshot. Snapshots refresh on schedule or on demand.

Is the scan safe?

Yes — access is through an assumed role with read-only IAM permissions, and calls are throttled to avoid impact on production APIs.

What does Axiom store after the scan?

Configuration metadata + findings + plan. Never object/row contents, never secrets, never access keys.

Can I revoke or pause scans?

Yes — disable the recurring workflow under /dashboard/workflows or delete the IAM role to revoke completely.

What if the scan fails?

The exact AWS error code is shown with a link to troubleshooting. Failed scans do not consume execution quota.

Common scan errors

See the dedicated scanning troubleshooting section for: scan returns 0 resources, partial scan, stuck at queued, scan takes > 5 minutes.
