An Application is a collection of resources/infrastructure that’s dynamically built and maintained as customer infrastructure scales up/down to support their workloads. These collections are built based on the presence of a specific tag key that is configured within InsightCloudSec.
Resource Groups and Applications are similar in some respects. They are not mutually exclusive, and a customer can have both. Resource Groups have several limitations where Applications shine:
- Resource Groups need to be manually built and maintained. They cannot be dynamically created based on tagging, etc.
- Resource Groups cannot easily be kept in sync as resources change. Doing so requires customers to maintain Bots, which presents scaling challenges since a Bot can only curate into a single group. A customer who wanted this for 100 groups would need 100 Bots.
- Resource Groups do not support custom attributes such as criticality, business critical ("crown jewel"), POC, category, etc.
This capability is additive and is not required within InsightCloudSec. While it is strongly encouraged, customers can skip this setup and continue leveraging all of the great capabilities. We recommend reading up on Tagging Best Practices, as proper tagging enriches the capabilities not only within InsightCloudSec but within your CSP as well.
Applications can be used in the following sections of the tool:
- Compliance Scorecard
- Layered Context
- Host Vulnerabilities
There are plans to expand this to other areas in the coming months.
At this time Applications is not a supported permission scoping mechanism. Customers can scope by badges, clouds and/or resource groups.
Yes. Applications currently support the User Entitlements Matrix, making it easy to turn off the capability for customers who are not interested in using it.
For the initial launch of Applications, the metadata fields can be used to help customers create different perspectives on compliance violations, inventory, vulnerabilities, and threat findings. In the coming months, we will be leveraging this metadata as a way to better categorize risk.
At this time, Bots cannot use Applications as a scoping mechanism.
Domain/Organization Administrators have full control over Application management. This includes updating settings, modifying business critical status, and modifying other metadata properties. When given the proper entitlements, basic users can view Applications, but can only see the infrastructure/resources within the Application that are located in Cloud Accounts they have view/read access to. Basic users with editor permissions can update Application metadata/properties.
The UI currently does not have bulk update capabilities; however, the API allows for bulk updating. See our API documentation for more information.
At this time we only allow customers to input a single tag key. They can support multiple permutations of the tag key by selecting Case Insensitive in the Application Settings screen. In future releases we will look to support multiple tag keys.
As one expects with tags, end-users can mistakenly add leading/trailing whitespace in their tag. As an example, instead of the application “ ProductionApp ” it would become
A processor runs every six hours to baseline and aggregate Applications across InsightCloudSec. As resources are harvested, their tags are analyzed and assessed to keep Application association in sync in real time.
At this time automation actions cannot be taken from the Application Context. We plan on adding this capability in Q2.
At this time we do not support historical analysis of Compliance/Insight results scoped by Application.
Scopes can be combined within both the Layered Context and Host Vulnerabilities sections of the product. You cannot combine scopes within Insights, Resources, or the Compliance Scorecard.
Yes. Over the next few months, we will look to expand this construct to other tagging categories (Owner, Location, etc.).