Launch · 5 min read

AWS + Azure customer-installable scanners are live

Last week we shipped the /v1/ingest/cloud endpoint. Today we shipped the five remaining PRs that turn it into a one-click install in your AWS account or Azure subscription.

What landed

  • Real Azure Key Vault scanner — first-class Azure support on POST /v1/scans/cloud using @azure/identity, @azure/arm-keyvault, and @azure/keyvault-keys. Service principal or managed identity — both work.
  • AWS Lambda rewired — the CloudFormation-deployed scanner now POSTs raw inventory to /v1/ingest/cloud. Local classification logic was deleted; PostQ scores findings server-side so we can roll out classifier updates without forcing customers to redeploy the stack.
  • Azure container scanner — new push-mode container (ghcr.io/postqdev/postq-azure-scanner) for Azure Container Instances. Runs as a User-Assigned Managed Identity, fetches its API key from Key Vault at startup, and ships findings via the same wire format as the AWS Lambda.
  • One-click installs — Launch Stack for AWS CloudFormation and Deploy to Azure for the new ARM template. Both wired into a new /settings/clouds dashboard with provider × mode tabs (CLI / Pull / Push).
  • postq scan cloud azure — new CLI command that mirrors the AWS one. Service-principal flags, JSON output, exit-code 2 on Critical/High for CI gates.
  • GitHub Actions for everything — tag postq-azure-scanner-v1.0.0 and the multi-arch image lands on GHCR automatically. No manual docker push.
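To make the push-mode split concrete, here is an added example of what a scanner running in your account does: enumerate keys with read-only calls, reduce each DescribeKey result to metadata, and POST the inventory. This is not PostQ's Lambda; the JSON wire format, the bearer-token header and the API hostname are assumptions, the SSM parameter name is the one from the install snippet below, and the sample keys are constructed. Note what is absent: no key material, no key policy, and no classification, since scoring happens server-side.

```python
"""
Added example (not PostQ's Lambda): the shape of a push-mode scanner that inventories
KMS keys and POSTs them to /v1/ingest/cloud. The JSON wire format, the bearer-token
header and the API hostname are assumptions; the SSM parameter name matches the
`aws ssm put-parameter` command in this post. No scoring happens here: the server does it.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

INGEST_URL = os.environ.get("POSTQ_INGEST_URL", "https://api.postq.dev/v1/ingest/cloud")  # hostname assumed
API_KEY_PARAM = os.environ.get("POSTQ_API_KEY_PARAM", "/postq/api-key")

# DescribeKey fields the server needs to score a key. Metadata only: no key material,
# no key policy, and no client-side classification.
INVENTORY_FIELDS = ("KeyId", "Arn", "KeySpec", "KeyUsage", "KeyState",
                    "KeyManager", "Origin", "CreationDate")

# Constructed sample input in the shape boto3's describe_key() returns; a real run
# gets these from collect_inventory(). "KeyPolicy" is here only to show it is dropped.
SAMPLE_KEYS = [
    {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
     "Arn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY", "KeyState": "Enabled",
     "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "CreationDate": datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc),
     "KeyPolicy": "must never leave the account"},
    {"KeyId": "0987fedc-21ba-43dc-65fe-0987654321ba",
     "Arn": "arn:aws:kms:us-east-1:123456789012:key/0987fedc-21ba-43dc-65fe-0987654321ba",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled",
     "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "CreationDate": datetime(2023, 6, 7, 8, 9, 10, tzinfo=timezone.utc)},
]
# Rotation status is only defined for symmetric keys; None means "call not supported".
SAMPLE_ROTATION = {SAMPLE_KEYS[0]["KeyId"]: None, SAMPLE_KEYS[1]["KeyId"]: True}


def build_payload(account_id, region, key_metadata, rotation):
    """Reduce raw DescribeKey metadata to the inventory document (format assumed)."""
    keys = []
    for md in key_metadata:
        entry = {f: md.get(f) for f in INVENTORY_FIELDS}
        created = entry["CreationDate"]
        if hasattr(created, "isoformat"):          # boto3 returns datetime objects
            entry["CreationDate"] = created.isoformat()
        entry["RotationEnabled"] = rotation.get(md["KeyId"])
        keys.append(entry)
    return {"provider": "aws", "account": account_id, "region": region, "keys": keys}


def collect_inventory(kms):
    """Enumerate every key the role can see. Needs only kms:ListKeys, kms:DescribeKey
    and kms:GetKeyRotationStatus, all read-only."""
    from botocore.exceptions import ClientError
    metadata, rotation = [], {}
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            md = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            metadata.append(md)
            try:
                rotation[md["KeyId"]] = kms.get_key_rotation_status(
                    KeyId=md["KeyId"])["KeyRotationEnabled"]
            except ClientError:
                rotation[md["KeyId"]] = None  # asymmetric keys reject this call
    return metadata, rotation


def fetch_api_key():
    """Read the SecureString written by `aws ssm put-parameter --name /postq/api-key`."""
    import boto3
    ssm = boto3.client("ssm")
    return ssm.get_parameter(Name=API_KEY_PARAM, WithDecryption=True)["Parameter"]["Value"]


def post_inventory(payload, api_key, url=INGEST_URL):
    """Outbound POST only; this is the whole trust relationship in push mode."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {api_key}",  # scheme assumed
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def handler(event, context):
    """Lambda entry point (handler name assumed)."""
    import boto3
    account_id = context.invoked_function_arn.split(":")[4]
    region = os.environ["AWS_REGION"]
    metadata, rotation = collect_inventory(boto3.client("kms", region_name=region))
    payload = build_payload(account_id, region, metadata, rotation)
    return {"status": post_inventory(payload, fetch_api_key()), "keys": len(payload["keys"])}
```

The point to check in your own deployment is the same as in this sketch: the role attached to the scanner should carry only the three read calls above plus ssm:GetParameter on the one parameter, and the payload should be reviewable before it leaves the account.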

Three ways to scan, same dashboard

You now have three different trust models to pick from per provider. They all write to the same scans / findings / keys / assets tables, so the dashboard doesn't care which one fed it.

Mode | Trust given to PostQ                                | What runs in your account            | Best for
CLI  | None — the CLI uses your local credentials          | Nothing                              | Evaluation, ad-hoc scans, CI gating
Pull | A read-only role / SP that PostQ assumes on demand  | Just an IAM role / service principal | Continuous scans without managing a Lambda
Push | None — only an outbound POST to /v1/ingest/cloud    | Lambda (AWS) / ACI container (Azure) | SOC 2 / FedRAMP shops, regulated industries

The second column is about credentials, not data: in every mode the key inventory itself reaches PostQ, so choose by who holds access to your account rather than by what leaves it. For Pull, scope the role or service principal to read-only key-metadata actions and, on AWS, require an external ID in the trust policy.
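For the Pull row, here is an added example (not PostQ's code) of the two IAM documents you would attach to the role and a check to run before granting it: every Allow must be a known read-only KMS action, and AssumeRole must be conditioned on an external ID. The scanner account ID, the external ID and the exact action list PostQ needs are assumptions; take the real values from /settings/clouds. The Azure equivalent (a service principal with a read-only Key Vault role) is not covered here.

```python
"""
Added example (not PostQ's code): the IAM documents behind the Pull row of the table,
plus a check you can run before granting the role. The scanner account ID, external ID
and the exact action list PostQ needs are assumptions; take the real values from
/settings/clouds.
"""
import json

POSTQ_SCANNER_ACCOUNT = "111122223333"          # placeholder, assumed
POSTQ_EXTERNAL_ID = "copy-from-settings-clouds"   # placeholder, assumed

# KMS calls that only read key metadata. None of them can use, export or alter a key.
KMS_READ_ACTIONS = frozenset({
    "kms:ListKeys", "kms:ListAliases", "kms:DescribeKey",
    "kms:GetKeyRotationStatus", "kms:ListResourceTags",
})


def trust_policy(scanner_account=POSTQ_SCANNER_ACCOUNT, external_id=POSTQ_EXTERNAL_ID):
    """Who may assume the role: one foreign account, and only when it presents the
    external ID (the standard confused-deputy guard for a vendor-assumed role)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{scanner_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy():
    """What the role may do once assumed. ListKeys/ListAliases only work on Resource "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(KMS_READ_ACTIONS),
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_permissions(policy):
    """Return a list of problems; empty means every Allow is a known read-only KMS action."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            problems.append("NotAction grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                problems.append(f"wildcard action {action}")
            elif action not in KMS_READ_ACTIONS:
                problems.append(f"non-read action {action}")
    return problems


def check_trust(policy):
    """Return problems with a trust policy: open principal, or AssumeRole without an
    external ID."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            problems.append("principal is *")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append("AssumeRole without sts:ExternalId condition")
    return problems


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print("permissions:", check_permissions(permissions_policy()) or "ok")
    print("trust:", check_trust(trust_policy()) or "ok")
```

Run the two check functions against whatever the provider's template or the dashboard asks you to create; a non-empty result is a reason to stop and read the policy before clicking through.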

Try it in five minutes

CLI (Azure)

brew install PostQDev/tap/postq
postq auth login --api-key pq_live_xxx
postq scan cloud azure --subscription <id> \
  --tenant <tenant> --client-id <sp-id> --client-secret <secret>

Push-mode (AWS)

aws ssm put-parameter --name /postq/api-key \
  --type SecureString --value pq_live_xxx

aws cloudformation deploy \
  --stack-name postq-quantum-scanner \
  --template-file deploy/aws/cloudformation/postq-kms-scanner.yaml \
  --capabilities CAPABILITY_NAMED_IAM

Push-mode (Azure)

az deployment group create \
  --resource-group rg-postq-scanner \
  --template-file deploy/azure/arm/postq-azure-scanner.json \
  --parameters postqApiKey=pq_live_xxx \
               targetSubscriptionId=$(az account show --query id -o tsv)

Or open /settings/clouds and click Launch Stack / Deploy to Azure. The buttons pre-fill the template URL and drop you straight into the AWS or Azure portal. In all three snippets pq_live_xxx is a placeholder; the key and the service-principal secret are passed on the command line, so on a shared machine read them from an environment variable or your secret store rather than typing them inline.

What’s next

  • GCP Cloud KMS scanner (pull + push) — same wire format, provider: "gcp".
  • Multi-account / management-account scans for AWS Organizations.
  • Continuous diff alerting — flag the moment a new RSA-2048 key shows up in any connected account.

Generate an API key at /api-keys and pick your install model at /settings/clouds.