Overview
Wallarm Infrastructure Discovery
Wallarm Infrastructure Discovery continuously inventories your AWS estate across every connected account and region, with no agent to install.
Wallarm Infrastructure Discovery is a continuous AWS inventory, change detection, and API discovery service delivered as a per-customer tenant in the Wallarm cloud. Connect AWS accounts with a read-only IAM role and external ID (or AWS SSO profile, or static access key) and the first scan produces a live inventory of every EC2 instance, VPC and its networking, EKS cluster and node group, Lambda function, load balancer, and API Gateway deployment across the regions you ask Wallarm to scan. There is no agent for your team to install, host, or operate.
WHAT YOU GET ON THE FIRST SCAN
- A searchable asset inventory across every connected AWS account and region, filterable by service, region, account, and resource type.
- A live relationship graph derived from the AWS APIs themselves, not from a diagram someone drew last quarter.
- CloudTrail creator attribution on every resource, so "who created this and when" is answered without spelunking through audit logs.
- Built-in detection rules for the common exposure patterns (public IPs, wide-open security groups, sensitive ports open to the internet, missing HTTPS redirects, public EKS endpoints) and a policy engine that lets your team write detection and triage rules in Common Expression Language without filing a feature request.
DRIFT DETECTION AND CHANGE ATTRIBUTION
Every scan compares against the prior state and records created, updated, and deleted resources with the specific fields that changed. Filter drift events by account, region, service, severity, and time to scope an incident, assemble an audit timeline, or answer the audit committee's "what changed in our cloud last week." Drift records are persistent, so you can hand auditors the same view your on-call team uses.
API DISCOVERY AND AUTOMATED TRAFFIC MIRRORING
Discovering an API is only useful if you can protect it. Infrastructure Discovery automatically detects HTTP endpoints behind EC2 instances (standalone and Auto Scaling Group), EKS pods, and ALB and NLB load balancers. From the same console, provision VPC Traffic Mirroring or Gateway Load Balancer inspection paths to route real traffic into Wallarm API security in minutes. No application code changes, no DevOps ticket, no inline production risk. AWS service activation runs on AWS Systems Manager with credentials stored in AWS Secrets Manager, and a single API call tears the pipeline down cleanly when you remove it.
MULTI-ACCOUNT, MULTI-REGION, MULTI-AUTH
Each AWS account is registered once with whichever credential method that account supports: cross-account IAM role with external ID (the default), AWS SSO profile, or static access keys. Multiple regions per account. The inventory, graph, drift events, and findings unify across every connected account into a single view with per-account filtering. Designed for production AWS estates: thousand-account scale is a configuration question, not a different tool.
READ-ONLY BY DESIGN
The Wallarm-published IAM policy template grants Describe, List, and Get permissions only. The cross-account role trust policy uses an external ID to prevent confused-deputy attacks. Customer credentials never appear in API responses or log lines, and an optional separate write role is used only for traffic mirroring when the customer opts in.
ON-RAMP TO THE WALLARM AI CONTROL PLATFORM
The same scan that inventories your AWS estate surfaces the AI workloads running on it: EKS clusters labeled with AI frameworks, Lambda functions hitting model providers, agent frameworks, and MCP servers. Customers extending Wallarm coverage into AI Hypervisor (Wallarm's runtime AI governance platform on Amazon EKS, separately licensed) use Infrastructure Discovery to scope deployment before installation.
WHO IT IS FOR
- Security leaders who need a defensible answer to "what do we have in AWS, what is exposed, and what changed?" without trusting a vendor with write access to production.
- Platform and SRE leaders running large multi-account AWS estates.
- Compliance and audit owners producing evidence of inventory, change control, and posture against SOC 2, ISO 27001, and internal review boards.
Wallarm Infrastructure Discovery is the territory map that makes the rest of Wallarm's AWS-native platform deployable, and stands on its own for any team that needs an accurate, current picture of the AWS cloud they are responsible for.
Highlights
- Continuous, agentless AWS inventory across every connected account and region. Wallarm Infrastructure Discovery scans EC2, VPCs and networking, EKS clusters, Lambda functions, load balancers, and API Gateway deployments via a read-only IAM role with external ID, AWS SSO profile, or static access key. The first scan produces a searchable inventory with full configuration, tags, and CloudTrail creator attribution. Multi-account, multi-region, unified into one filterable view.
- Field-level drift detection across the AWS estate. Every scan compares against the prior state and records created, updated, and deleted resources with the specific fields that changed and who created each asset. Filter by account, region, service, severity, and time to scope an incident or assemble an audit timeline. SOC 2 and ISO 27001 evidence comes from the same data your on-call team uses, not from spreadsheets assembled the week before the audit.
- Automated API discovery and traffic mirroring with no application code changes. HTTP endpoints behind EC2 instances, EKS pods, and ALB or NLB load balancers are detected on every scan. Provision VPC Traffic Mirroring or Gateway Load Balancer inspection paths from the same console to route real traffic into Wallarm API security in minutes. The same inventory surfaces shadow AI, MCP servers, and AI workloads on AWS, the on-ramp to the Wallarm AI Control Platform.
Details
Pricing
| Dimension | Description | Cost/month |
|---|---|---|
| Free Tier - Wallarm Infrastructure Discovery | COVERAGE: 1 AWS account, 1 region. SCAN FREQUENCY: 1 scan per day. ASSET DISCOVERY: Unlimited Assets within the Connected Account. LIMITS: 1 subscription per customer, not stackable, no traffic mirroring. PRICING: Free. FEATURES: Live asset inventory, relationship graph, drift detection between scans, built-in detection rules, customer-authored detection and CEL triage rules, CloudTrail creator attribution. CONNECTION METHODS: Cross-account IAM role with external ID, AWS SSO profile, or static access key. | $0.00 |
| Starter Tier - Wallarm Infrastructure Discovery | Everything in Free Tier, plus: COVERAGE: Up to 3 AWS accounts, still 1 region. SCAN FREQUENCY: Configurable + on-demand scans. LIMITS: 1 subscription per customer; not stackable. PRICING: Flat rate, no private pricing available for Starter Tier. ADDITIONAL FEATURES: HTTP endpoint detection with automated VPC Traffic Mirroring. | $200.00 |
| Standard Tier - Wallarm Infrastructure Discovery | Everything in Starter Tier, plus: COVERAGE: Up to 10 AWS accounts, 2 regions per account. SCAN FREQUENCY: Configurable + on-demand scans. LIMITS: Stackable, up to 5 concurrent subscriptions per customer (max 50 accounts total). PRICING: Flat rate, no private pricing available for Standard Tier. ADDITIONAL FEATURES: HTTP endpoint detection with automated VPC Traffic Mirroring. | $500.00 |
| Enterprise Tier - Wallarm Infrastructure Discovery | Everything in Standard Tier, plus custom coverage, scan frequency, and no need to stack subscriptions. Agreement terms of this tier will be established through a custom pricing option via a private offer working with Wallarm or Wallarm partners. | $30,000.00 |
Vendor refund policy
This is a monthly service. Do not renew your subscription to stop incurring charges.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.