This chapter covers Cloud Asset Inventory, a critical service for security compliance and resource management in Google Cloud. On the ACE exam, questions related to asset inventory appear in approximately 5-8% of questions, typically within the Security Compliance domain (Objective 5.1). You will learn how to use Cloud Asset Inventory to discover, monitor, and analyze all your cloud resources, understand its features like real-time exports and history, and master the common exam scenarios and pitfalls.
Imagine a large corporation with thousands of assets: laptops, servers, furniture, vehicles. The company has a registry that tracks every item: its serial number, location, owner, purchase date, and warranty status. This registry is updated automatically when new equipment is purchased, moved, or retired. Without it, the company would have no idea what it owns, where things are, or when they need maintenance. Cloud Asset Inventory works the same way for Google Cloud resources. It is a metadata service that continuously discovers and records all resources across your projects — Compute Engine instances, Cloud Storage buckets, IAM policies, networks, and more. It maintains a real-time inventory with historical snapshots, so you can see what existed at any point in the past. Just as the company registry helps with audits, compliance, and asset management, Cloud Asset Inventory enables you to monitor changes, enforce policies, and maintain security compliance across your entire cloud footprint.
What is Cloud Asset Inventory?
Cloud Asset Inventory is a Google Cloud service that provides a centralized view of all your cloud resources across projects, folders, and organizations. It continuously scans your environment and maintains a database of resource metadata, including configurations, IAM policies, and ancestry. It supports over 200 resource types, including Compute Engine instances, Cloud Storage buckets, Cloud SQL databases, VPC networks, and IAM policies. The service is designed to answer questions like: 'What resources do I have?', 'Who has access to what?', and 'What changed in my environment yesterday?'
Why It Exists
Before Cloud Asset Inventory, managing resources across a large organization was manual and error-prone. You had to use multiple APIs or scripts to gather resource lists, and there was no unified view of historical changes. Compliance requirements (e.g., PCI DSS, SOC 2) demand that you know exactly what resources exist and how they are configured at any point in time. Cloud Asset Inventory solves this by providing a single source of truth for resource metadata, with built-in history and export capabilities.
How It Works Internally
Cloud Asset Inventory uses a combination of real-time streaming and periodic scanning to maintain its database. When you enable the service for an organization, folder, or project, it begins collecting metadata from the Google Cloud resource hierarchy. It listens to Cloud Audit Logs for resource creation, deletion, and modification events, and it also performs full scans every 24 hours to ensure consistency. The inventory data is stored in a managed database within Google Cloud, and you can access it via the Cloud Asset API, gcloud CLI, or Google Cloud Console.
Key Components
- Asset types: The service supports over 200 resource types. Common ones include:
  - compute.googleapis.com/Instance
  - storage.googleapis.com/Bucket
  - iam.googleapis.com/Policy
  - cloudresourcemanager.googleapis.com/Project
  - cloudresourcemanager.googleapis.com/Folder
  - cloudresourcemanager.googleapis.com/Organization
- Content types: Each asset can have multiple content types:
  - RESOURCE: The resource's metadata (e.g., machine type, disk size).
  - IAM_POLICY: The IAM policy attached to the resource.
  - ORG_POLICY: The organization policy applied to the resource.
  - ACCESS_POLICY: Access Context Manager policies.
- Snapshot vs. History:
  - Snapshot: A point-in-time view of all assets. You can export a snapshot to BigQuery, Cloud Storage, or Pub/Sub.
  - History: You can query the state of assets at a specific time in the past (up to 35 days for standard tier, up to 5 years for premium tier).
Configuration and Verification
To enable Cloud Asset Inventory, you must first enable the Cloud Asset API:
`gcloud services enable cloudasset.googleapis.com`
Then, you can list assets using the gcloud CLI:
`gcloud asset list --project=my-project --asset-types=compute.googleapis.com/Instance`
To export a snapshot to BigQuery:
`gcloud asset export --project=my-project --content-type=resource --bigquery-table=my_dataset.asset_snapshot`
To query historical state, use the --snapshot-time flag:
`gcloud asset list --project=my-project --asset-types=compute.googleapis.com/Instance --snapshot-time=2023-01-01T00:00:00Z`
Interaction with Related Technologies
Cloud Asset Inventory integrates deeply with:
- Cloud Audit Logs: Inventory uses audit logs to detect real-time changes.
- Organization Policy Service: Inventory can export organization policies.
- IAM: Inventory captures IAM policies for each resource, allowing you to audit permissions at scale.
- BigQuery: You can export inventory data to BigQuery for advanced analysis and SQL queries.
- Cloud Storage: Export to Cloud Storage for archival or backup.
- Pub/Sub: Stream inventory changes to Pub/Sub for real-time event-driven workflows.
- Security Command Center: Inventory data feeds into Security Command Center for vulnerability and threat detection.
Defaults and Timers
Scan frequency: Full scans occur every 24 hours, but real-time changes are streamed via audit logs.
History retention: Standard tier retains history for 35 days; premium tier retains up to 5 years (requires an additional subscription).
Export limits: You can export up to 10,000 assets per API call; for larger inventories, use pagination.
API rate limits: 1,000 requests per 100 seconds per project.
Exam-Relevant Details
The service is free for standard tier; premium tier (longer history) incurs costs.
You must enable the Cloud Asset API and grant appropriate IAM roles (e.g., roles/cloudasset.viewer) to users.
Inventory covers resources at the project, folder, and organization levels.
Use gcloud asset search-all-resources for quick searches across all resource types.
The --content-type flag is critical for specifying what data you want (resource, IAM policy, etc.).
Enable Cloud Asset API
Before using Cloud Asset Inventory, you must enable the Cloud Asset API for your project or organization. Use the command `gcloud services enable cloudasset.googleapis.com`. This is a one-time step. Without enabling the API, all other commands will fail with a 'service not enabled' error. Ensure the user has the `serviceusage.services.enable` permission, typically granted by roles like `roles/editor` or `roles/serviceusage.serviceUsageAdmin`.
Grant IAM Roles
Assign the appropriate IAM roles to users who need to view or export inventory data. The minimum role for reading assets is `roles/cloudasset.viewer`. For exporting, you need `roles/cloudasset.owner` or additional permissions on the destination (e.g., BigQuery data editor). The principle of least privilege applies: do not grant broader roles like `roles/editor` when `roles/cloudasset.viewer` suffices.
List Current Assets
Use `gcloud asset list` to see all assets in a scope. You can filter by asset type, project, or folder. For example: `gcloud asset list --project=my-project --asset-types=compute.googleapis.com/Instance`. This returns a JSON list of resources with their metadata. The command uses the Cloud Asset API to query the inventory database. If you omit `--asset-types`, it returns all supported asset types.
Export Snapshot to BigQuery
To analyze inventory data with SQL, export a snapshot to BigQuery. Use: `gcloud asset export --project=my-project --content-type=resource --bigquery-table=my_dataset.asset_snapshot`. This creates a new table (or overwrites an existing one) with the current state of all resources. You can also export to Cloud Storage or Pub/Sub. For large inventories, the export may take several minutes; check the operation status with `gcloud asset operations describe`.
Query Historical State
To see what assets existed at a past time, use `gcloud asset list --snapshot-time=2023-01-01T00:00:00Z`. This returns the state of assets at that exact timestamp. The history is available up to 35 days (standard) or 5 years (premium). This is useful for compliance audits to prove that a resource was deleted or created at a specific time.
Enterprise Scenarios
1. Compliance Auditing for PCI DSS
A financial institution must demonstrate that no sensitive data is stored in improperly configured Cloud Storage buckets. They use Cloud Asset Inventory to export a daily snapshot of all buckets to BigQuery. A SQL query checks for buckets with public access or missing encryption. If any non-compliant bucket is found, an automated pipeline triggers a remediation function. The inventory history allows auditors to verify that the environment was compliant on specific dates. Common pitfalls: forgetting to export IAM policies alongside resource data, or not enabling the API on all projects in the organization.
2. Change Monitoring and Incident Response
A large e-commerce company needs to detect unauthorized changes to production resources. They set up Cloud Asset Inventory to stream changes to Pub/Sub. A Cloud Function subscribes to the topic and alerts the security team when a new Compute Engine instance is created outside of approved regions or when an IAM policy adds a new user with owner permissions. This real-time monitoring reduces the mean time to detection from hours to seconds. Performance considerations: high-volume environments may require batching Pub/Sub messages to avoid exceeding quota.
3. Resource Discovery for Migration
A company migrating from on-premises to Google Cloud uses Cloud Asset Inventory to discover all existing resources. They run a full export to Cloud Storage and parse the JSON to generate a migration plan. Without inventory, they would have to manually query each service's API. The inventory also reveals orphaned resources (e.g., unattached disks) that can be cleaned up. Misconfiguration: if the inventory scope is set only at the project level, resources in other projects are missed. Always set the scope at the organization level for full visibility.
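As an added example (not code from the page or from Google), here is the kind of Pub/Sub-triggered check scenario 2 describes, which also applies the public-bucket test from scenario 1 to IAM_POLICY feed messages. The message shape (a TemporalAsset with `asset`, `priorAsset` and `deleted`) is the Cloud Asset feed format; the approved-region list, the sample message and the `evaluate`/`handle` names are assumptions constructed for this example.

```python
import base64
import json

APPROVED_REGIONS = {"us-central1", "europe-west1"}      # assumed policy
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # public principals

def members_with_role(policy, role):
    """All members bound to `role` in an IAM policy (empty set if none)."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == role for m in b.get("members", [])}

def region_of(zone_url):
    # '.../zones/asia-east1-b' -> 'asia-east1'
    return zone_url.rsplit("/", 1)[-1].rsplit("-", 1)[0]

def evaluate(message):
    """Return finding strings for one decoded feed message (a TemporalAsset)."""
    if message.get("deleted"):
        return []                                   # deletions not flagged here
    asset, findings = message["asset"], []
    name, kind = asset["name"], asset["assetType"]
    policy = asset.get("iamPolicy", {})             # set for IAM_POLICY feeds
    prior_policy = (message.get("priorAsset") or {}).get("iamPolicy", {})
    zone = asset.get("resource", {}).get("data", {}).get("zone")
    if kind == "compute.googleapis.com/Instance" and zone:
        region = region_of(zone)
        if region not in APPROVED_REGIONS:
            findings.append(f"instance outside approved regions ({region}): {name}")
    # Owners bound now but absent from the prior policy are new owner grants.
    new_owners = members_with_role(policy, "roles/owner") - members_with_role(prior_policy, "roles/owner")
    findings += [f"new roles/owner grant on {name}: {m}" for m in sorted(new_owners)]
    if kind == "storage.googleapis.com/Bucket":
        exposed = {m for b in policy.get("bindings", []) for m in b.get("members", [])} & PUBLIC_MEMBERS
        if exposed:
            findings.append(f"public bucket {name}: {', '.join(sorted(exposed))}")
    return findings

def handle(event):
    """Cloud Functions Pub/Sub entry point; the feed JSON arrives base64-encoded."""
    return evaluate(json.loads(base64.b64decode(event["data"])))

# Constructed sample: a RESOURCE-content message for an instance created in asia-east1-b.
SAMPLE_MESSAGE = {
    "asset": {
        "name": "//compute.googleapis.com/projects/my-project/zones/asia-east1-b/instances/web-1",
        "assetType": "compute.googleapis.com/Instance",
        "resource": {"data": {"zone": "https://www.googleapis.com/compute/v1/projects/my-project/zones/asia-east1-b"}},
    },
    "priorAssetState": "DOES_NOT_EXIST",
}
```

Because a feed message carries only one content type, the region check fires on RESOURCE feeds and the IAM checks on IAM_POLICY feeds, so a production deployment subscribes both feeds to the same topic.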
ACE Exam Focus on Cloud Asset Inventory
Objective 5.1: Managing Security and Compliance – The exam tests your ability to use Cloud Asset Inventory to monitor and audit resources. Key exam topics:
Enabling the API and granting IAM roles.
Exporting inventory to BigQuery, Cloud Storage, or Pub/Sub.
Querying historical state for compliance.
Understanding the difference between standard and premium tiers (35 days vs. 5 years).
Using the --content-type flag to specify RESOURCE, IAM_POLICY, or ORG_POLICY.
Common Wrong Answers
1. 'Cloud Asset Inventory can be used to delete resources.' – It is read-only; you cannot delete resources through it.
2. 'It automatically remediates non-compliant resources.' – It only provides data; you must build separate automation.
3. 'History is available for 90 days by default.' – Standard tier is 35 days; premium is 5 years.
4. 'You need to create a custom role to view assets.' – The predefined role roles/cloudasset.viewer is sufficient.
Specific Numbers and Terms
- Default history retention: 35 days (standard).
- Premium tier: 5 years (additional cost).
- Supported asset types: >200.
- API rate limit: 1,000 requests per 100 seconds.
- Export limit: 10,000 assets per API call.
Edge Cases
- If you export to BigQuery and the table already exists, the export fails by default unless you use --output-bigquery-force.
- Inventory does not include resources in deleted projects; those are removed after the project is deleted.
- Some resource types (e.g., Cloud Functions) are not supported; check the documentation for the complete list.
How to Eliminate Wrong Answers
- If an answer mentions modifying resources, eliminate it.
- If it mentions 90-day history, eliminate it (unless premium tier is explicitly stated).
- If it requires a custom role, eliminate it; predefined roles exist.
- If it mentions real-time remediation, eliminate it; inventory is read-only.
Cloud Asset Inventory is a read-only metadata service for discovering and monitoring Google Cloud resources.
Standard tier retains history for 35 days; premium tier retains for 5 years (paid).
Enable the Cloud Asset API and grant `roles/cloudasset.viewer` for read access.
Use `gcloud asset list` to view current assets, and `--snapshot-time` for historical queries.
Export inventory to BigQuery, Cloud Storage, or Pub/Sub for analysis and automation.
The service supports over 200 resource types, but not all services are included.
Cloud Asset Inventory integrates with Security Command Center for security insights.
It does not provide automated remediation; it only supplies data.
These come up on the exam all the time. Here's how to tell them apart.
Cloud Asset Inventory
Provides a unified view of all resources across projects, folders, and organizations.
Supports historical snapshots up to 35 days (standard) or 5 years (premium).
Exports to BigQuery, Cloud Storage, or Pub/Sub.
Monitors over 200 resource types including IAM policies and org policies.
Requires Cloud Asset API to be enabled.
Cloud Resource Manager
Manages project, folder, and organization hierarchy.
Does not track individual resources like instances or buckets.
Provides lifecycle management (create, delete, update) for projects.
Focuses on resource hierarchy and IAM policies at the project level.
Does not require additional API enablement beyond core services.
Mistake
Cloud Asset Inventory can automatically fix security issues.
Correct
It is a read-only service that provides resource metadata and history. It does not perform any remediation actions. You must use other services like Cloud Functions or Security Command Center to act on the data.
Mistake
Historical data is retained for 90 days by default.
Correct
The default standard tier retains history for 35 days. The premium tier extends this to 5 years, but it requires an additional subscription and incurs costs.
Mistake
You need to be a project owner to view assets.
Correct
The predefined IAM role `roles/cloudasset.viewer` provides read-only access to inventory data. You do not need owner or editor roles.
Mistake
Cloud Asset Inventory covers all Google Cloud resource types.
Correct
It supports over 200 resource types, but not all services are covered. For example, Cloud Functions and App Engine resources may not be included. Always verify the supported types in the documentation.
Mistake
Exporting to BigQuery is the only way to analyze inventory data.
Correct
You can also export to Cloud Storage (JSON/CSV) or stream to Pub/Sub for real-time analysis. BigQuery is just one option, suitable for SQL-based queries.
You must enable the Cloud Asset API at the project level or organization level using `gcloud services enable cloudasset.googleapis.com`. For organization-wide use, enable it in the organization's admin project. Then grant IAM roles such as `roles/cloudasset.viewer` to users who need access. The service automatically starts collecting data after enablement.
The standard tier is free and retains asset history for up to 35 days. The premium tier retains history for up to 5 years and costs additional fees. Premium tier is useful for long-term compliance audits. You can switch between tiers, but data retention is not retroactive.
No, Cloud Asset Inventory is a read-only service. It only provides metadata and history. To delete resources, you must use the respective resource's API or console (e.g., `gcloud compute instances delete`).
Use the command `gcloud asset export --project=PROJECT_ID --content-type=RESOURCE --bigquery-table=PROJECT:DATASET.TABLE`. You can also specify `--content-type=IAM_POLICY` or `ORG_POLICY`. By default the export fails if the destination table already exists; pass `--output-bigquery-force` to overwrite it.
Over 200 resource types are supported, including Compute Engine instances, Cloud Storage buckets, Cloud SQL databases, VPC networks, IAM policies, and organization policies. Some services like Cloud Functions and App Engine may not be fully supported. Check the official documentation for the complete list.
Use the `--snapshot-time` flag with `gcloud asset list`. For example: `gcloud asset list --project=my-project --snapshot-time=2023-01-01T00:00:00Z`. This returns the state of assets at that exact time. The history is available up to 35 days (standard) or 5 years (premium).
The minimum role for reading assets is `roles/cloudasset.viewer`. For exporting, you need additional permissions on the destination (e.g., BigQuery data editor). The role `roles/cloudasset.owner` provides full access including export and configuration. Avoid using overly broad roles like `roles/editor`.