Cloudlist: Building a Multi-Cloud Asset Inventory Without the CSPM Bloat
Hook
Your security team is blind to 30% of your cloud infrastructure. Not because of misconfiguration, but because your assets are scattered across AWS, GCP, Azure, and that DigitalOcean droplet from 2019 that everyone forgot about.
Context
Cloud sprawl is the silent killer of security programs. As organizations adopt multi-cloud strategies, assets proliferate across providers faster than teams can track them. That forgotten EC2 instance running an unpatched web server? It’s not in your AWS inventory tool because someone spun it up in the shadow IT GCP project. Traditional Cloud Security Posture Management (CSPM) solutions promise comprehensive visibility, but they’re expensive, complex to deploy, and often overkill when you just need a simple answer: “What do we have running right now?”
ProjectDiscovery built Cloudlist to solve this enumeration gap for security teams doing Attack Surface Management. Rather than competing with enterprise CSPM platforms, it occupies the tactical space between manual API calls and full-scale monitoring solutions. The design philosophy is Unix-like: do one thing well (enumerate assets), output to stdout, and play nicely with other tools in a security pipeline. If you’ve used ProjectDiscovery’s other tools like nuclei or httpx, you’ll recognize the pattern—Cloudlist feeds the discovery layer while other tools handle scanning and exploitation.
Technical Insight
Cloudlist’s architecture is a masterclass in Go plugin patterns. At its core, it defines a Provider interface that every cloud service must implement. This abstraction layer is what enables the tool to treat AWS, Azure, and Kubernetes clusters as interchangeable data sources. Each provider implements methods for authentication, resource enumeration, and result normalization.
Here’s how you’d configure multiple providers in the YAML config file:
providers:
  - provider: aws
    profile: production
    aws_access_key: AKIA...
    aws_secret_key: secret...
    regions:
      - us-east-1
      - eu-west-1
  - provider: gcp
    gcp_service_account_key: path/to/key.json
    project_ids:
      - my-project-123
  - provider: do
    digitalocean_token: dop_v1_...
  - provider: azure
    tenant_id: ...
    client_id: ...
    client_secret: ...
    subscription_id: ...
The real power emerges when you chain Cloudlist with other tools. Because it outputs clean, line-delimited results to stdout, you can pipe directly into scanners. For example, enumerating all AWS EC2 instances and feeding them into nuclei for vulnerability scanning:
# Get all public IPs from AWS and GCP
cloudlist -provider aws,gcp -output public_ips.txt
# Or pipe directly into nuclei
cloudlist -provider aws -skip-private | httpx -silent | nuclei -t exposures/
# Extract only hostnames from all providers
cloudlist -provider all -output-fields hostname | sort -u
The provider architecture supports both fast, service-specific APIs and comprehensive organization-level discovery. For AWS, Cloudlist queries the EC2 DescribeInstances API directly, which is fast but requires proper IAM permissions per region. For GCP, it can use the Cloud Asset API to pull organization-wide resources in a single call, or fall back to project-specific queries. This flexibility matters when you’re dealing with hundreds of projects and need results in under a minute.
One clever design choice is the filtering system. Rather than building complex query languages, Cloudlist exposes simple flags that compose well:
# Only AWS resources, exclude private IPs
cloudlist -provider aws -skip-private
# Only specific services
cloudlist -provider azure -id vm,storage
# JSON output for programmatic processing
cloudlist -provider all -json | jq '.[] | select(.provider=="aws")'
The codebase is organized into provider-specific packages under pkg/providers/, each implementing the common interface. Adding a new provider requires three components: authentication handling, API client initialization, and resource enumeration logic. The PROVIDERS.md file provides a template, and most implementations clock in under 300 lines of Go. This low barrier to contribution explains why the tool grew from 8 providers at launch to over 15 today.
Performance is achieved through goroutine-based parallelization. When you specify multiple providers, Cloudlist spawns concurrent workers for each, aggregating results as they arrive. For a typical multi-cloud setup (AWS + GCP + Azure), you’ll get complete results in 15-30 seconds depending on asset count and API latency. The code uses contexts for timeout management, so you can bail early if a provider is hanging.
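To make the provider abstraction, the goroutine fan-out and the context-based bail-out concrete, here is an added Go example written for this review. It is not Cloudlist's source: the Asset fields, the shape of the Provider interface, the fakeProvider type and the Enumerate and isPrivate helpers are assumptions modeled on the description above. It runs three constructed providers under one deadline, one of which hangs past it, and applies a -skip-private style filter when merging results.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"sort"
	"sync"
	"time"
)

// Asset is the normalized record every provider emits (field set assumed, not Cloudlist's schema).
type Asset struct{ Provider, ID, IP, Hostname string }

// Provider is the hypothetical plugin contract: identify the plugin, then
// enumerate and normalize its resources under a caller-supplied context.
type Provider interface {
	Name() string
	Resources(ctx context.Context) ([]Asset, error)
}

// fakeProvider stands in for a real cloud SDK: it answers with constructed
// assets after an artificial delay so the timeout path can be exercised.
type fakeProvider struct {
	name   string
	delay  time.Duration
	assets []Asset
}

func (p fakeProvider) Name() string { return p.name }
func (p fakeProvider) Resources(ctx context.Context) ([]Asset, error) {
	select {
	case <-time.After(p.delay):
		return p.assets, nil
	case <-ctx.Done():
		return nil, ctx.Err() // caller's deadline expired: bail out instead of hanging
	}
}

type result struct {
	provider string
	assets   []Asset
	err      error
}

// Enumerate fans out to every provider concurrently under one deadline and merges
// whatever arrives. Failed providers are reported by name rather than dropped silently.
func Enumerate(providers []Provider, timeout time.Duration, skipPrivate bool) ([]Asset, map[string]error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	results := make(chan result, len(providers))
	var wg sync.WaitGroup
	for _, p := range providers {
		wg.Add(1)
		go func(p Provider) {
			defer wg.Done()
			a, err := p.Resources(ctx)
			results <- result{p.Name(), a, err}
		}(p)
	}
	wg.Wait()
	close(results)
	var out []Asset
	failed := map[string]error{}
	for r := range results {
		if r.err != nil {
			failed[r.provider] = r.err
			continue
		}
		for _, a := range r.assets {
			if !(skipPrivate && isPrivate(a.IP)) {
				out = append(out, a)
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID }) // deterministic order
	return out, failed
}

// isPrivate drops RFC 1918, loopback and link-local addresses; unparsable
// strings (e.g. an empty IP on a DNS-only asset) are kept.
func isPrivate(ip string) bool {
	p := net.ParseIP(ip)
	return p != nil && (p.IsPrivate() || p.IsLoopback() || p.IsLinkLocalUnicast())
}

// sampleProviders returns constructed providers: two fast ones and one that hangs.
func sampleProviders() []Provider {
	return []Provider{
		fakeProvider{"aws", 10 * time.Millisecond, []Asset{
			{"aws", "i-0001", "203.0.113.10", "web.example.com"},
			{"aws", "i-0002", "10.0.1.5", ""}}},
		fakeProvider{"gcp", 20 * time.Millisecond, []Asset{
			{"gcp", "vm-001", "198.51.100.7", "api.example.com"}}},
		fakeProvider{"azure", 5 * time.Second, nil}, // simulates an API that never answers
	}
}

func main() {
	assets, failed := Enumerate(sampleProviders(), 500*time.Millisecond, true)
	fmt.Printf("%d public asset(s), %d failed provider(s): %v\n", len(assets), len(failed), failed)
}
```

Run with go run: the azure entry lands in the failed map with context.DeadlineExceeded after half a second instead of stalling the whole run, which is exactly what threading a context through each provider buys you, and the private 10.0.1.5 address is filtered out while the two public assets come back sorted.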
Gotcha
The credential management story is Cloudlist’s biggest weakness. Unlike enterprise tools with OAuth flows or automatic role assumption, you’re manually editing YAML files with API keys. For organizations with dozens of AWS accounts or GCP projects, this becomes a maintenance nightmare. There’s no built-in credential rotation, no secrets manager integration, and if your keys expire, enumeration silently fails for that provider.
Rate limiting is another pain point. Cloud provider APIs have quota limits, and running Cloudlist repeatedly against large environments can trigger throttling. The tool doesn’t expose rate limit controls or backoff strategies, so you might see errors during discovery without clear guidance on remediation. For AWS accounts with thousands of resources across multiple regions, you’ll want to batch your queries or risk hitting service quotas. Cost is also untracked—some APIs (like GCP Cloud Asset) are free, but others charge per request, and there’s no built-in usage monitoring.
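As an added example of the wrapper a scheduled inventory job can put around each provider call to cover both gaps (this is example code written for this review, not part of Cloudlist; ErrThrottled, ErrCredentials, CallWithBackoff, flakyAPI and expiredAPI are constructed stand-ins for what a real SDK would return): throttling is retried with exponential backoff and a cap on attempts, while a credential error is returned at once and tagged with the provider name, so an empty inventory from a dead key is never mistaken for a clean one.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Sentinel errors standing in for a cloud SDK's typed errors (constructed for this example).
var (
	ErrThrottled   = errors.New("rate limit exceeded")
	ErrCredentials = errors.New("credentials expired or invalid")
)

// Outcome is what an inventory job should record per provider, attempts included,
// so a missing provider is visible in the run log rather than silently absent.
type Outcome struct {
	Provider string
	Assets   []string
	Attempts int
	Err      error
}

// CallWithBackoff retries fn on throttling with exponential backoff (base, 2*base,
// 4*base, ...) up to maxAttempts, but returns immediately on a credential error
// because retrying cannot fix an expired key.
func CallWithBackoff(ctx context.Context, provider string, maxAttempts int, base time.Duration,
	fn func() ([]string, error)) Outcome {
	out := Outcome{Provider: provider}
	wait := base
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		out.Attempts = attempt
		assets, err := fn()
		switch {
		case err == nil:
			out.Assets = assets
			return out
		case errors.Is(err, ErrCredentials):
			out.Err = fmt.Errorf("%s: %w (rotate the key in the config)", provider, err)
			return out
		case errors.Is(err, ErrThrottled):
			if attempt == maxAttempts {
				out.Err = fmt.Errorf("%s: gave up after %d attempts: %w", provider, attempt, err)
				return out
			}
			select {
			case <-time.After(wait):
				wait *= 2 // double the pause before the next attempt
			case <-ctx.Done():
				out.Err = fmt.Errorf("%s: %w", provider, ctx.Err())
				return out
			}
		default:
			out.Err = fmt.Errorf("%s: %w", provider, err)
			return out
		}
	}
	return out
}

// flakyAPI is a constructed API that throttles the first n calls and then succeeds.
func flakyAPI(throttleFirst int, assets []string) func() ([]string, error) {
	calls := 0
	return func() ([]string, error) {
		calls++
		if calls <= throttleFirst {
			return nil, ErrThrottled
		}
		return assets, nil
	}
}

// expiredAPI models a provider whose key no longer works.
func expiredAPI() ([]string, error) { return nil, ErrCredentials }

func main() {
	ctx := context.Background()
	for _, o := range []Outcome{
		CallWithBackoff(ctx, "aws", 5, 10*time.Millisecond, flakyAPI(2, []string{"203.0.113.10"})),
		CallWithBackoff(ctx, "gcp", 5, 10*time.Millisecond, expiredAPI),
	} {
		if o.Err != nil {
			fmt.Printf("FAIL %s after %d attempt(s): %v\n", o.Provider, o.Attempts, o.Err)
			continue
		}
		fmt.Printf("OK   %s after %d attempt(s): %d asset(s)\n", o.Provider, o.Attempts, len(o.Assets))
	}
}
```

The aws call succeeds on its third attempt after two throttled responses; the gcp call fails on the first attempt with the credential error spelled out. Treating any non-nil Err as a job failure in CI is the point: the run should go red when a provider is missing from the inventory, not quietly produce a shorter list.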
The documentation is spread across multiple markdown files (README.md, PROVIDERS.md, DESIGN.md) without a unified guide for first-time users. You’ll find yourself jumping between files to understand authentication requirements for each provider. Error messages sometimes reference provider-specific API errors without translation, so debugging requires familiarity with each cloud’s SDK.
Verdict
Use if: You’re a security team doing periodic attack surface enumeration across multiple cloud providers and need a lightweight CLI tool that integrates with existing pipelines. Especially valuable if you’re already in the ProjectDiscovery ecosystem (nuclei, httpx, subfinder) and want seamless data flow. Perfect for one-off audits, pre-pentest reconnaissance, or scheduled asset inventory jobs run from CI/CD.
Skip if: You need continuous monitoring, compliance reporting, or a UI for non-technical stakeholders; Cloudlist is strictly a CLI enumeration tool. Also skip if you work exclusively with one cloud provider where native tools (AWS Config, Azure Resource Graph) provide deeper integration and better credential management. If you require automatic cost tracking, rate limit handling, or secrets manager integration, look at CloudQuery or enterprise CSPM solutions instead.