Cloud Security & Monitoring

Monitor AWS, GCP, Azure, Hetzner, DO, and Vultr from one dashboard

Paste a credential. We auto-discover every resource, run 18 CIS-aligned security checks, correlate findings with real port scans, and route alerts through 12 notification channels. All in under 60 seconds.

Six providers. One control plane.

Connect any combination. Dashboards, alerts, silence windows, and security findings work identically across all of them.

AWS
Amazon Web Services

EC2, RDS, ELB/ALB, S3, ElastiCache; CloudTrail audit log; CloudWatch metrics

GCP
Google Cloud

Compute Engine, Cloud SQL, GCS, Load Balancers, Cloud DNS; Cloud Audit Logs; Cloud Monitoring

Azure
Microsoft Azure

VMs, SQL, Storage Accounts, NSGs, Load Balancers, Redis, DNS; Azure Monitor; Activity Log

HCL
Hetzner Cloud

Servers, load balancers, volumes, firewalls, DNS; native server metrics (CPU/disk/network)

DO
DigitalOcean

Droplets, managed DBs, load balancers, firewalls, Spaces; DO Monitoring API

Vultr
Vultr

Instances, managed DBs, load balancers, firewalls, block storage; bandwidth metrics; S3-compatible object storage

Read-only access

We never modify your infrastructure. Ever.

Minimal permissions

Read-only API tokens, IAM roles, or service accounts, scoped to what we actually need.

All regions, no config

Auto-discovery sweeps every active region. No manual region lists required.

Encrypted at rest

AES-256 credential storage. Short-lived tokens cached, rotated on every sync.

60-Second Setup

Pick your provider. Paste your credentials. Done.

Choose a provider, paste an API token, a service-account JSON, or a client secret. Discovery, security assessment, and audit-log ingestion start automatically while you watch.

metrictower.com/onboarding
Connecting your cloud account…
First sync usually takes under 60 seconds.
  • Validating credentials: Connection OK · 0.4s
  • Discovering resources across all regions: 52 resources · 4 regions · 11s
  • Running security checks: 18 checks · 3 findings
  • Ingesting audit log events: Last 24h · 127 events
  • Auto-enabling monitoring on top resources: Running

All your cloud infrastructure at a glance

Real-time triage bar, per-resource metrics, and direct links into scan results. Same dashboard regardless of provider.

metrictower.com/monitoring/cloud
42 OK · 3 Warning · 1 Critical · All providers · Last sync: 4 min ago

Resource | Type | Provider / Region | Status | Findings
api-prod-alb | Load Balancer | AWS us-east-1 | OK | 0
staging-db (MySQL 8.0) | Managed DB | DO nyc3 | Critical | 3
prod-web-01 | Server | Hetzner eu-central | Warning | 1
assets-bucket (public) | Object Storage | GCP us-central1 | OK | 0

Actionable Findings

Other tools flag a misconfig. We tell you it's exploitable.

Every finding links to the exact console page, a copy-pasteable CLI remediation, and (where relevant) a port scan that proves the exposure is real.

Typical tool
[HIGH] Database is publicly accessible
Resource: db-staging-01
Rule: CLOUD-DB-002
Remediation: Disable public access.

Useful, but leaves you to figure out the blast radius, the fix command, and whether anyone has actually reached it from the internet.

Metric Tower
Critical · Public DB, reachable from internet
db-staging-01 · DigitalOcean nyc3 · MySQL 8.0
Port 3306 confirmed open · Firewall: 0.0.0.0/0 on 3306
Open in cloud console →
doctl databases firewalls replace <db-staging-01-cluster-id> \
  --rule ip_addr:<your-office-ip>

Three layers of evidence: the firewall rule, a live port scan, and a one-click fix. Triage takes seconds, not hours.

Security Assessment

18 CIS-aligned checks across 4 categories

Every check runs against all supported providers. Each category can be toggled per-team; findings are deduplicated by fingerprint.

Network Exposure

4 checks
  • Firewall / security-group rules open to 0.0.0.0/0 on sensitive ports (SSH, RDP, MySQL, Postgres, Redis, MongoDB, Elasticsearch, VNC)
  • Publicly accessible managed databases
  • Public compute instances with high-risk ports exposed
  • Load balancers without hardened listener policies
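
The first check in this list, combined with the port-scan correlation and fingerprint deduplication described above, sketched as an added example (this is not Metric Tower's code). The normalised rule schema, the severity labels, and the sample data are assumptions constructed for illustration.

```python
import hashlib
import ipaddress

# Default ports of the services named in the first check above.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "Postgres",
                   6379: "Redis", 27017: "MongoDB", 9200: "Elasticsearch",
                   5900: "VNC"}

def is_world_open(cidr):
    """True for 0.0.0.0/0 and its IPv6 equivalent ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def fingerprint(resource, port):
    """Stable ID so one exposure is reported once across rules and syncs."""
    return hashlib.sha256(f"{resource}:{port}".encode()).hexdigest()[:16]

def assess(rules, scan_open):
    """rules: dicts in a normalised, hypothetical schema (resource, cidr,
    port_from, port_to). scan_open: (resource, port) pairs that an external
    port scan found reachable. Severity labels are assumptions."""
    findings = {}
    for rule in rules:
        if not is_world_open(rule["cidr"]):
            continue
        for port, service in SENSITIVE_PORTS.items():
            if rule["port_from"] <= port <= rule["port_to"]:
                confirmed = (rule["resource"], port) in scan_open
                findings[fingerprint(rule["resource"], port)] = {
                    "resource": rule["resource"], "port": port,
                    "service": service, "confirmed_open": confirmed,
                    "severity": "critical" if confirmed else "high"}
    return sorted(findings.values(), key=lambda f: (
        f["severity"] != "critical", f["resource"], f["port"]))

# Constructed sample data (not real infrastructure).
SAMPLE_RULES = [
    {"resource": "db-staging-01", "cidr": "0.0.0.0/0", "port_from": 3306, "port_to": 3306},
    {"resource": "db-staging-01", "cidr": "::/0", "port_from": 3306, "port_to": 3306},
    {"resource": "prod-web-01", "cidr": "0.0.0.0/0", "port_from": 0, "port_to": 65535},
    {"resource": "prod-web-01", "cidr": "203.0.113.0/24", "port_from": 3389, "port_to": 3389},
    {"resource": "api-prod-alb", "cidr": "0.0.0.0/0", "port_from": 443, "port_to": 443},
]
SAMPLE_SCAN = {("db-staging-01", 3306), ("prod-web-01", 22)}

if __name__ == "__main__":
    for f in assess(SAMPLE_RULES, SAMPLE_SCAN):
        print(f["severity"], f["resource"], f["port"], f["service"])
```

The IPv4 and IPv6 rules on db-staging-01 collapse into one finding because they share a fingerprint, and the all-ports rule on prod-web-01 yields one finding per sensitive port, with only the scan-confirmed port raised to the higher severity.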

Storage & Data

4 checks
  • Public object storage buckets (ACL or bucket policy): AWS S3, GCS, Azure Blob, DO Spaces, Vultr object storage
  • Object storage buckets without default encryption
  • Public volume snapshots or disk images
  • Managed databases missing encryption at rest

Identity & Access

5 checks
  • Root / admin account API keys present (AWS, GCP)
  • MFA disabled on privileged accounts where provider exposes this
  • Long-lived access keys (over 90 days old)
  • Overly broad IAM policies (wildcard actions on wildcard resources)
  • Service accounts with owner-level or editor-level roles (GCP, Azure)

Logging & Audit

4 checks
  • Audit log disabled or restricted to a single region. Covers AWS CloudTrail, GCP Audit Logs, and Azure Activity Log.
  • No VPC / network flow logs on production networks
  • Threat-detection service disabled (e.g. GuardDuty on AWS)
  • Hetzner / DigitalOcean / Vultr: firewall-rule and exposure checks replace audit-log checks (those providers do not expose a cloud audit API)

6 cloud providers · 18 CIS-aligned checks · 60s from credential to dashboard · 12 unified alert channels

Operational Monitoring

Cloud metrics, unified across providers

CPU, memory, disk, and connection metrics pulled from CloudWatch, Cloud Monitoring, Azure Monitor, and native provider APIs. Configurable thresholds, flapping detection, and silence windows are built in.

Configurable thresholds

Per-resource and team-wide warning/critical thresholds. Out-of-the-box defaults are battle-tested (CPU 85/95, DB connections 80%/95%, memory 70%/92%).

Flapping detection

If a metric bounces between OK and alert repeatedly, Metric Tower suppresses per-transition notifications and sends consolidated summaries instead. No alert fatigue.

Silence windows

Know a database is under maintenance? Silence alerts by resource, metric group, or alert type for 1h, 4h, 24h, 7d or permanently. Cascading specificity, full audit trail.

Dashboard

Built for ops teams, not just security engineers

The same unified view works whether you're triaging a finding or watching the NOC screen from across the room.

Wallboard view

Large-format display mode readable from 3 metres. Perfect for ops rooms and NOC screens.

Leaderboards

Breach Scoreboard, Top CPU, Top Throughput: rank every resource across all providers at a glance.

Smart chart grouping

Auto-groups prod-web-01..12 into prod-web-*. Fleets become single chart lines.

Security findings triage

Assign, acknowledge, or suppress findings. Track remediation state across the team with a full audit trail.

Audit log timeline

CloudTrail, GCP Audit Logs, and Azure Activity Log events surfaced in a single searchable timeline (for providers that expose one).

Alert routing

Route findings by provider, severity, or resource tag to any of 12 channels. Escalation and on-call support built in.

Included on every plan

Start on Free with a single cloud account on any provider. Scale limits with your plan.

  • Free: 1 account · 2 monitored
  • Pro: 2 accounts · 100 monitored
  • Business: 5 accounts · 500 monitored
  • Enterprise: unlimited

Metric retention scales with plan (7 / 30 / 90 / 365 days).

From credential to live alerts in 60 seconds

Connect AWS, GCP, Azure, Hetzner, DigitalOcean, or Vultr. Auto-discover every server, database, load balancer, and storage bucket. Cross-reference firewall rules with real port scans. Route alerts through any of 12 channels with escalation and on-call support.