Ankos
CLI Reference

Collectors

List of evidence collectors, what each one pulls, and which PCI DSS requirements they map to.

A collector is the unit of evidence collection in the Ankos CLI. Each collector targets one cloud service (e.g. AWS IAM, GCP KMS) and produces structured JSON evidence that maps to one or more PCI DSS requirements.

Collectors are registered globally and discovered automatically — the ankos scan command runs all collectors for the selected --provider by default, or just the ones you name with --collectors.

List collectors

ankos collectors

Prints every registered collector with its PCI requirement mapping and description. This is the authoritative source — new collectors are added between releases and this list updates automatically.

Filter by provider:

ankos collectors --provider gcp

Coverage at a glance

Provider   Count
AWS        53 collectors
GCP        14 collectors
Total      67 collectors covering ~50 PCI DSS requirement areas

Every registered collector's evidence is surfaced in ankos report — nothing is collected then silently discarded. A build-time test fails if a new collector is added without being wired into the report, so coverage can't regress.

AWS collectors by PCI domain

The AWS collectors are grouped here by PCI domain for readability. This is one way to slice them; run ankos collectors for the live, authoritative list straight from the binary.

Identity & access (Req 7, 8)

  • iam — users, roles, MFA, credential report
  • cognito — user pools, password policy, MFA config
  • organizations — SCPs, accounts, enabled policy types

Network boundary (Req 1)

  • vpc — VPCs, security groups, NACLs, flow logs
  • transitgateway — TGW attachments, route tables
  • networkfirewall — firewall policies, rule groups
  • directconnect — dedicated connections, VIFs, DX gateways
  • fms — Firewall Manager centralized policies
  • route53 — hosted zones, DNS routing, DNSSEC

Encryption / data at rest (Req 3)

  • kms — key inventory, rotation status
  • s3 — bucket encryption, versioning, public access
  • secretsmanager — secrets rotation, access policies
  • ssmparams — SSM Parameter Store SecureString inventory
  • macie — sensitive data discovery
  • rds — DB encryption, public access, backup retention
  • redshift — warehouse encryption, audit logs
  • documentdb — DocDB cluster encryption + audit logs
  • neptune — Neptune cluster encryption + IAM auth
  • storagegateway — hybrid storage gateways

Transport encryption (Req 4)

  • elb — load balancers, TLS policies
  • acm — certificates, expiration
  • ses — identities, DKIM, TLS policy
  • transfer — AWS Transfer Family (SFTP/FTPS) endpoints

Messaging (Req 3, 4)

  • sns — topic encryption, subscriptions
  • sqs — queue encryption, DLQ / redrive
  • eventbridge — event buses, rules, archive
  • kinesis — stream encryption, retention

Vulnerability / patching (Req 5, 6, 11)

  • inspector — vulnerability findings
  • guardduty — threat-detection findings
  • ssm — Patch Manager, Session Manager, managed instances
  • ecr — repos, image scan findings
  • waf — WAFv2 web ACLs, rules, IP sets
  • shield — Shield Advanced protections
  • securityhub — PCI DSS conformance-pack aggregation
  • config — AWS Config recorders, rules, compliance

Workloads (Req 2, 6)

  • ec2 — instances, EBS, SGs, IMDS
  • ecs — clusters, services, task-def security
  • eks — clusters, node groups, encryption
  • lambda — functions, VPC config, public access
  • apigateway — REST/HTTP APIs, stages, WAF
  • cloudfront — distributions, HTTPS, WAF
  • elasticache — Redis clusters, encryption
  • opensearch — domains, encryption, audit logs
  • dynamodb — tables, encryption, PITR
  • efs — file systems, encryption, access points
  • emr — EMR cluster security config
  • stepfunctions — state machines, logging

SDLC (Req 6.2.x)

  • codebuild — projects, privileged mode, log config
  • codepipeline — pipelines, approval gates

Logging / audit (Req 10)

  • cloudtrail — trails, log file validation
  • cloudwatch — alarms, log groups, metric filters
  • athena — workgroups, result encryption

Backup / recovery (Req 9, 12)

  • backup — AWS Backup plans, vaults, retention

GCP collectors by PCI domain

Run with --provider gcp --gcp-project <id>. All GCP collector names are prefixed with gcp-.

Identity & access (Req 7, 8)

  • gcp-iam — service accounts, policy bindings, key age

Network (Req 1, 4)

  • gcp-vpc — networks, subnets, firewall rules
  • gcp-load-balancer — SSL policies, TLS minimum versions, certificate inventory

Cryptography / data (Req 3)

  • gcp-kms — key inventory, rotation, CMEK usage
  • gcp-gcs — bucket encryption, public access, uniform access
  • gcp-cloud-sql — encryption, backups, public IP, SSL
  • gcp-secret-manager — secrets inventory, rotation, CMEK

Workloads / SDLC (Req 2, 6)

  • gcp-compute — Compute Engine instances, shielded VM, OS Login
  • gcp-gke — GKE clusters, private cluster, workload identity, shielded nodes
  • gcp-cloud-functions — runtime, ingress, VPC connector
  • gcp-cloud-run — services, ingress, service-account, CMEK
  • gcp-cloud-armor — security policies, WAF rules, adaptive protection

Logging (Req 10)

  • gcp-logging — log sinks, retention, audit configuration

Vulnerability / testing (Req 11)

  • gcp-security-center — Security Command Center findings at project scope

Selecting collectors

Most users run all collectors for their cloud provider — that's the default. Use --collectors when you want a focused run:

# Just the IAM + key encryption story
ankos scan --collectors iam,kms,secretsmanager

# Just the network boundary story
ankos scan --collectors vpc,networkfirewall,transitgateway

# GCP, just the data-at-rest collectors
ankos scan --provider gcp --gcp-project acme-prod \
           --collectors gcp-kms,gcp-gcs,gcp-cloud-sql,gcp-secret-manager

The selection applies to every region given by --region or --all-regions (AWS), or to the single --gcp-project (GCP).

Adding a new collector

Collectors live in ankos-cli/internal/collector/ (AWS) and ankos-cli/internal/gcpcollector/ (GCP). Each is a single Go file implementing the Collector interface and registering itself via init(). The scan command discovers it automatically.

If a service you care about is missing from this list, open an issue or PR on the CLI repo. The pattern is consistent across collectors, and most take less than a day to add for someone familiar with the relevant SDK.
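The registration, selection and coverage-check behaviour described in "Selecting collectors" and "Adding a new collector" (init()-time registration, --collectors filtering, and the build-time test that fails when a collector is not wired into the report), as an added Go example that is not the Ankos CLI's own code. The Collector interface, the Evidence shape, the Register/Select/MissingFromReport functions and the stub collectors are assumptions made for the example; the real interface lives in ankos-cli/internal/collector/ and may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"sort"
	"strings"
)

// Evidence is the structured JSON a collector emits (assumed shape, not the CLI's real type).
type Evidence struct {
	Collector    string   `json:"collector"`
	Requirements []string `json:"pci_requirements"`
	Findings     []string `json:"findings"`
}

// Collector is an assumed minimal interface; the real one in ankos-cli/internal/collector/ may differ.
type Collector interface {
	Name() string
	Provider() string // "aws" or "gcp"
	Collect() (Evidence, error)
}

var registry = map[string]Collector{} // global, populated from each collector file's init()

// Register is called from each collector file's init(); a duplicate name is a
// programming error and fails fast at process start.
func Register(c Collector) {
	if _, dup := registry[c.Name()]; dup {
		panic(fmt.Sprintf("collector %q registered twice", c.Name()))
	}
	registry[c.Name()] = c
}

// Select returns every collector for a provider, or only those in a comma-separated --collectors
// value. Unknown or wrong-provider names are errors, not silently dropped, so a typo cannot shrink the evidence set.
func Select(provider, names string) ([]Collector, error) {
	var out []Collector
	if strings.TrimSpace(names) == "" {
		for _, c := range registry {
			if c.Provider() == provider {
				out = append(out, c)
			}
		}
	} else {
		for _, n := range strings.Split(names, ",") {
			n = strings.TrimSpace(n)
			c, ok := registry[n]
			if !ok || c.Provider() != provider {
				return nil, fmt.Errorf("no %s collector named %q", provider, n)
			}
			out = append(out, c)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name() < out[j].Name() }) // map order is random
	return out, nil
}

// MissingFromReport mirrors the build-time coverage test: every registered collector needs a report section keyed by its name.
func MissingFromReport(reportSections map[string]bool) []string {
	var missing []string
	for name := range registry {
		if !reportSections[name] {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

// stub is a hypothetical stand-in collector that returns a constructed finding
// instead of calling a cloud SDK; both stand-ins map to PCI DSS Req 3.
type stub struct{ name, provider, finding string }

func (s stub) Name() string     { return s.name }
func (s stub) Provider() string { return s.provider }
func (s stub) Collect() (Evidence, error) {
	return Evidence{Collector: s.name, Requirements: []string{"3"}, Findings: []string{s.finding}}, nil
}

func init() {
	Register(stub{"kms", "aws", "key alias/example-cde: automatic rotation disabled (constructed sample)"})
	Register(stub{"gcp-kms", "gcp", "keyring example/primary: no rotation period set (constructed sample)"})
}

func main() {
	cs, err := Select("aws", "kms") // equivalent of: ankos scan --provider aws --collectors kms
	if err != nil {
		log.Fatal(err)
	}
	for _, c := range cs {
		ev, err := c.Collect()
		if err != nil {
			log.Fatalf("collector %s: %v", c.Name(), err) // a failing collector aborts; no silent gap
		}
		out, _ := json.MarshalIndent(ev, "", "  ")
		fmt.Println(string(out))
	}
}
```

Two design points carry over to a real collector set: Select rejects names that do not exist or belong to the other provider instead of ignoring them, so a mistyped --collectors list can never quietly produce a thinner evidence set, and MissingFromReport is the kind of check a build-time test can run over the registry so that a newly added collector cannot be collected and then dropped from ankos report.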