You Can't Protect What You Don't Know You Have: AWS Config + Annual Reviews
Nothing is true. Everything is permitted. Except forgetting assets exist—shadow IT isn't innovation, it's shadow vulnerability waiting to become public breach. That test server running unpatched software from 2018? Asset you forgot. That S3 bucket with public access someone created "just for this one demo"? Asset you forgot. That Lambda function deployed by the contractor who left two years ago? Asset you forgot. AWS Config provides automated inventory so amnesia doesn't become CVE. Annual review cycle (next: 2026-11-05) because memory fades but CloudTrail doesn't. FNORD. The assets you don't track are the ones attackers exploit first.
Think for yourself, schmuck! Question authority. Question why organizations accept unknown assets (shadow IT, forgotten test servers, that EC2 instance someone launched in 2019 and forgot about). Question why "comprehensive asset inventory" usually means "Excel spreadsheet someone updated once in 2022." We demonstrate systematic inventory through transparent documentation and automated discovery—not hopeful spreadsheet maintenance and annual audits where everyone panics. Are you paranoid enough to know what's running in your AWS account right now? We are—AWS Config tells us.
At Hack23, asset management demonstrates cybersecurity consulting expertise through comprehensive implementation: AWS Config for cloud asset discovery, GitHub repository inventory for code assets, quarterly access reviews for dormant account detection, classification-driven priority per our Classification Framework. Annual register review (Version 1.0, next: 2026-11-05).
ILLUMINATION: The server you forgot about is running unpatched vulnerabilities from 2015. Asset inventory prevents forgotten vulnerabilities. AWS Config automates discovery before manual spreadsheets become stale.
Our approach combines automated discovery (AWS Config, GitHub API) with classification-driven management, proving systematic asset control scales from single-person operations to enterprise engagements. Full technical implementation in our public Asset Register.
The Five Asset Categories: Comprehensive Coverage Matrix
1. ☁️ Cloud Infrastructure
AWS Config automated discovery. EC2 instances, Lambda functions, S3 buckets, RDS databases, VPCs, security groups. AWS Config continuously monitors all cloud resources. CloudFormation IaC ensures version-controlled infrastructure. Multi-account organization with centralized logging.
AWS Config means real-time inventory, not annual spreadsheets that become stale weekly.
2. 📝 Code & Repositories
GitHub repository inventory. All source code tracked in GitHub organizations (Hack23). 40+ repositories including CIA, Black Trigram, CIA Compliance Manager. GitHub API provides automated repository discovery. SECURITY_ARCHITECTURE.md mandatory in all repos. Public ISMS repository demonstrating transparency.
Code repositories are assets. Abandoned repos are forgotten attack surfaces. Systematic inventory prevents repository sprawl.
3. 👤 Identity & Access
AWS Identity Center + GitHub access reviews. IAM users, roles, policies tracked via AWS Config. GitHub organization members inventoried. 90-day dormant account detection per Access Control Policy. Quarterly access reviews ensure privilege hygiene.
People are assets. Departed employees with active access are vulnerabilities. Quarterly reviews prevent forgotten privileges.
4. 🏷️ Data Assets
Classification-driven data inventory. Databases, S3 buckets, file storage classified per Classification Framework. Extreme/Very High assets quarterly reviewed. Moderate assets semi-annually. Public assets annually. Classification drives protection controls.
Data classification enables appropriate protection. Unclassified data gets generic controls or no controls. Classification-driven inventory means risk-appropriate protection.
5. 🤝 Third-Party Services
SaaS inventory and vendor management. All third-party services documented in Asset Register. AWS (infrastructure), GitHub (code), SonarCloud (quality), Snyk (security), FOSSA (license). Vendor assessments per Third Party Management. Annual reviews ensure continued compliance.
Third-party services are assets you don't control. Vendor inventory enables risk management. Shadow SaaS is shadow vulnerability.
Our Approach: AWS Config + Annual Reviews + Classification Priority
At Hack23, asset management demonstrates systematic inventory through automated discovery and classification-driven reviews:
☁️ AWS Config Automated Discovery:
- Continuous Monitoring: AWS Config tracks all cloud resources across multi-account organization
- Resource Inventory: EC2, Lambda, S3, RDS, VPC, security groups, IAM automatically discovered
- Configuration Changes: All infrastructure changes logged and tracked
- Compliance Checks: AWS Config Rules enforce security standards
📊 Asset Review Cycles:
| Asset Classification | Review Frequency | Return/Revocation SLA | Verification Method |
|---|---|---|---|
| 🔴 Extreme/Very High | Monthly | <24 hours | AWS Config + manual validation |
| 🟠 High | Quarterly | <3 days | Quarterly access audits |
| 🟡 Moderate | Semi-Annual | <7 days | Semi-annual reviews |
| 🟢 Low/Public | Annual | <30 days | Annual register updates |
🔄 Annual Register Review:
- Current Version: 1.0 (Effective: 2025-11-05)
- Next Review: 2026-11-05 (12-month cycle)
- Review Triggers: Annual cycle, AWS organization changes, significant asset additions, security incidents
- Public Documentation: Complete Asset Register on GitHub
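The review cadence from the table above and the 90-day dormant-account rule, applied to an AWS Config-style inventory, as an added example (not Hack23's own tooling or the Asset Register's code). It assumes resource records in the shape of AWS Config's list_discovered_resources output, joined with hypothetical classification, last_review and last_activity fields from a register; all IDs and dates are constructed.

```python
from datetime import date, timedelta
# Review cadence from the asset review table, in days between reviews.
REVIEW_INTERVAL_DAYS = {"extreme": 30, "very_high": 30,   # monthly
                        "high": 91,                        # quarterly
                        "moderate": 182,                   # semi-annual
                        "low": 365, "public": 365}         # annual
DORMANT_DAYS = 90          # dormant-account threshold (Access Control Policy)
AS_OF = date(2025, 11, 5)  # register effective date, used as "today" here

# Constructed sample inventory (hypothetical IDs). resourceType/resourceId mirror
# AWS Config's list_discovered_resources output; classification, last_review and
# last_activity are assumed fields joined in from the asset register.
SAMPLE_INVENTORY = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "demo-bucket",
     "classification": "public", "last_review": "2024-10-01"},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "prod-db",
     "classification": "extreme", "last_review": "2025-10-20"},
    {"resourceType": "AWS::Lambda::Function", "resourceId": "contractor-fn",
     "classification": None, "last_review": None},
    {"resourceType": "AWS::IAM::User", "resourceId": "old-contractor",
     "classification": "high", "last_review": "2025-09-01",
     "last_activity": "2025-07-01"},
]

def _parse(iso):
    return date.fromisoformat(iso) if iso else None

def unclassified(inventory):
    """Resources with no or unknown classification cannot be scheduled: flag them."""
    return [r["resourceId"] for r in inventory
            if r.get("classification") not in REVIEW_INTERVAL_DAYS]

def overdue_reviews(inventory, today):
    """Classified resources whose next review date has passed or was never recorded."""
    overdue = []
    for r in inventory:
        interval = REVIEW_INTERVAL_DAYS.get(r.get("classification"))
        if interval is None:
            continue  # reported by unclassified() instead
        last = _parse(r.get("last_review"))
        if last is None or last + timedelta(days=interval) < today:
            overdue.append(r["resourceId"])
    return overdue

def dormant_identities(inventory, today):
    """IAM users with no recorded activity within DORMANT_DAYS (the 90-day rule)."""
    return [r["resourceId"] for r in inventory if r["resourceType"] == "AWS::IAM::User"
            and (_parse(r.get("last_activity")) is None
                 or (today - _parse(r["last_activity"])).days > DORMANT_DAYS)]
```

Run against the sample as of the register's effective date, it flags the Lambda nobody classified, the public bucket whose annual review lapsed, and the IAM user idle for 127 days.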
Full technical implementation details in our public Asset Register—including AWS Config integration, GitHub inventory automation, classification-driven priorities, and termination procedures.
Welcome to Chapel Perilous: Asset Inventory Edition
Nothing is true. Everything is permitted. Except unknown assets creating unknown vulnerabilities—that's not operational excellence, that's systematic blindness.
Most organizations maintain spreadsheet asset registers updated quarterly (maybe). They discover forgotten test servers during breaches. They can't answer "what AWS resources do we have" without manual enumeration. They accept shadow IT because detection requires effort.
We demonstrate systematic asset management: AWS Config automated discovery, GitHub API repository inventory, quarterly access reviews for dormant accounts, classification-driven priorities (monthly for extreme, quarterly for high), annual register reviews (next: 2026-11-05). Public Asset Register demonstrating transparency.
Think for yourself, schmuck! Question organizations claiming "we know our assets" without automated discovery. Question annual reviews when cloud infrastructure changes daily. Question spreadsheet inventories when AWS Config provides real-time tracking. (Spoiler: Because systematic asset management requires automation investment, not manual effort that becomes stale.)
Our competitive advantage: We demonstrate cybersecurity consulting expertise through verifiable asset management. AWS Config integration documented. Classification-driven review cycles transparent. Public asset register showing systematic approach. This isn't compliance checkbox—it's operational reality clients can audit before engagement.
ULTIMATE ILLUMINATION: You are now in Chapel Perilous. The server you forgot about is the one with unpatched Log4Shell. AWS Config means systematic discovery, not hopeful memory. Choose automated inventory over manual spreadsheets that become archaeological artifacts. Your vulnerability management depends on knowing what to patch.
All hail Eris! All hail Discordia!
"Think for yourself, schmuck! Question everything—especially whether that test EC2 instance from 2019 is still running with default credentials."
— Hagbard Celine, Captain of the Leif Erikson 🍎 23 FNORD 5