Review Details for a Single Cloud Account

The Cloud Account Detail Page is the dedicated page for an individual cloud account.

Review details for a cloud account

  1. Go to Cloud > Cloud Accounts and click on the cloud account for which you want to view details.
  2. (Optional) Click a target to review curated details for the selected cloud account.

Browsing Options

To browse other cloud accounts from the Overview page:

  • Use the drop-down at the top of the page, or
  • Use the arrows to navigate through all Cloud accounts alphabetically (the overview page will update to display details for the next Cloud account in the list)

Status Details

Each Cloud Overview page displays high-level status information, including:

  • Cloud Type (icon)
  • Cloud Name
  • Harvesting status (active/inactive)
  • Harvesting permissions (has all permissions/permissions missing). If harvesting is missing specific permissions, an active link provides access to the missing permission details.
  • For Cloud accounts with missing permissions, clicking on the active text opens a module with details about each individual missing permission/associated resource.
  • Account Details
    • Account Number associated with the selected Cloud Account
    • Payer ID & email associated with the Cloud Account (AWS-Only)

Missing Permissions

Customers using AWS, GCP, or Microsoft Azure get visibility into missing permissions for their installation. You can identify which permissions are missing and what impact those missing permissions have on visibility into that cloud account. Permission issues prevent harvesting and data retrieval of your cloud resources.

This data refreshes every two hours. If you've recently made changes to your cloud permissions for this account, please check back in two hours.

For AWS accounts there may be Service Control Policies that disable some resources.
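A role can carry an Allow for an action and still show it as missing when a Service Control Policy blocks it. The following added example (not InsightCloudSec code) classifies why each required action is unavailable, using a simplified IAM evaluation that looks only at `Effect` and `Action` and ignores `Resource`, `Condition`, `NotAction` and permission boundaries; the action list and both policies are constructed sample data.

```python
from fnmatch import fnmatchcase

# Constructed sample data; the required-action list is illustrative only.
REQUIRED_ACTIONS = ["ec2:DescribeInstances", "s3:GetBucketPolicy",
                    "iam:ListRoles", "kms:ListKeys"]
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "s3:Get*", "kms:ListKeys"]},
]}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:*", "Resource": "*"},
]}

def _as_list(value):
    # IAM allows a single string/object where a list is expected.
    return value if isinstance(value, list) else [value]

def _matches(policy, effect, action):
    """True if any statement with this Effect names the action."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != effect:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # Action names are case-insensitive; * and ? are wildcards.
            if fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False

def classify(action, role_policy, scp):
    """Explicit Deny wins, then the SCP must allow, then the role must allow."""
    if _matches(scp, "Deny", action):
        return "blocked: explicit Deny in SCP"
    if _matches(role_policy, "Deny", action):
        return "blocked: explicit Deny in role policy"
    if not _matches(scp, "Allow", action):
        return "blocked: not allowed by SCP"
    if not _matches(role_policy, "Allow", action):
        return "missing: no Allow in role policy"
    return "allowed"

def missing_permissions(required, role_policy, scp):
    """Return {action: reason} for every required action that is not allowed."""
    results = {a: classify(a, role_policy, scp) for a in required}
    return {a: r for a, r in results.items() if r != "allowed"}

if __name__ == "__main__":
    for action, reason in missing_permissions(REQUIRED_ACTIONS, ROLE_POLICY, SCP).items():
        print(f"{action}: {reason}")
```

An SCP block cannot be fixed by editing the harvesting role; it has to be addressed at the AWS Organizations level or accepted as a known visibility gap.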

Overview Display Details

The Overview Display provides data on the cloud account:

  • Total Resources: Displays the total resource count for the selected Cloud account. Clicking on the number in blue above the field navigates to a Resources view filtered to display all resources for the selected Cloud account.
  • Automation Bots: Displays the total count of Bots associated with the selected Cloud Account.
  • Total Instance Cores: Displays the total number of Instance Cores.
  • Total Instance Memory: Displays the total amount of instance memory in GB/TB.
  • Total Object Storage: Displays the total amount of object storage in GB/TB.
  • Total Block Storage: Displays the total amount of block storage in GB/TB.

Summary Details for Compute/Container, Storage, Identity

While InsightCloudSec contains 5 Resource Type categories, the Cloud Overview page only features three categories: Compute/Container, Storage, and Identity.

For each featured subsection, users can view at-a-glance information about a handful of individual resources, including:

  • Data about the last 30 days
  • The total resource count
  • A link to a filtered resource view for the individual resource

To view all available resources, click View All of This Cloud's Resources.

Best Practices & Recommendations

This section of the page includes a list of curated Insights that reflect common security issues and high-impact concerns.

The list of Best Practices and Recommendations varies by Cloud Service Provider. For each Insight listed, you can click to view a filtered set of resources based on the selected cloud and specific Insight.

Best Practices & Recommendations window

Harvest Results

Displays results of harvesting for the last 14 days for the Cloud selected.

Discovered/Modified Resources

Displays results around discovered or modified resources for the last 30 days for the Cloud selected.

Harvest Info

The "Harvest Info" tab from the overview page of the individual cloud provides details (e.g., resource type, region, etc.) from the last known harvest. This is useful in understanding when a particular resource was last harvested, failures and context, the next scheduled harvest, or when a Bot action was last run.

In addition, this is where users can manually trigger harvesting of a job, either through "Enqueue Now" for an individual job/resource type, or via "Enqueue Selected" to trigger manual harvesting for multiple jobs under a single Cloud Account.

Clouds Overview Page - Harvest Info

Settings

The Cloud Settings tab allows you to explore the settings for your cloud accounts.

Viewing Cloud Settings

Considerations for Cloud Account Settings

  • Permissions. For all of the actions outlined below, appropriate permissions are required. If you are not able to view certain details or make changes, reach out to your administrator or contact us via the Customer Support Portal.
  • Removing Cloud Accounts. Removing a cloud account from InsightCloudSec does not remove or delete the cloud itself from the cloud service provider. Removing a cloud account from InsightCloudSec removes the ability to provide you with complete and accurate visibility into your cloud operations.
  • Organization Child Accounts. This page will look slightly different (with certain aspects being locked down) for accounts that are part of a Cloud Organization.

Update settings

You can manage the following settings:

  • Updating the Account information
  • Configuring Billing information (which also includes configuration of a billing bucket for AWS or GCP)
  • Updating the EKS Scanner Role associated with the account for Kubernetes Security Guardrails
  • Removing a Cloud Account
  • Assign Harvesting Strategy
  • Setting Custom Properties
    • With appropriate permissions, you can view and add custom properties to your cloud account. These can be used as metadata or to otherwise extend the functionality of your work within InsightCloudSec.

Configuring a Billing Bucket (Currently AWS Only)

The Billing Bucket Configuration pane is at the bottom of the Settings page for the individually selected Cloud.

For AWS accounts, your system administrator can configure the billing bucket for the selected cloud account. Billing information will be pulled from this location periodically.

This feature is currently only available for AWS. For more information, see AWS Billing Bucket.

APIs (GCP-Only)

For GCP-based Cloud accounts, an additional tab is available that displays all the GCP APIs that InsightCloudSec uses with details on their status (enabled or disabled). Check out the content we have on Projects for (GCP) for additional details on configuration.

GCP APIs

Auto-Enabling APIs

You can activate API Auto-Enablement if you want InsightCloudSec to automatically enable and harvest from every API, but this requires you to manually enable the Service Usage API.

In general, auto-enabling is not recommended; InsightCloudSec recommends only enabling APIs that you use for performance, cost, and security benefits.

Frequently Asked Questions (FAQ)

What is an Application?

An Application is a collection of resources/infrastructure that’s dynamically built and maintained as customer infrastructure scales up/down to support their workloads. These collections are built based on the presence of a specific tag key that is configured within InsightCloudSec.

What’s the difference between Applications and Resource Groups?

There are similarities between Resource Groups and Applications. They are not mutually exclusive and the customer can absolutely have both. There are several limitations of Resource Groups where Applications shine:

  • Resource Groups need to be manually built and maintained. They cannot be dynamically created based on tagging, etc.
  • Resource Groups cannot easily be kept in sync as resources change. Doing so requires customers to maintain Bots which presents scaling challenges since a Bot can only curate into a single group. If a customer wanted this for 100 groups they'd need 100 bots.
  • Resource Groups do not support custom attributes such as criticality, business critical ("crown jewel"), POC, category, etc.

What if I don’t have a tag key that defines an application?

This capability is additive and is not required within InsightCloudSec. While strongly encouraged, customers can skip this setup and continue leveraging all of the great capabilities. We recommend reading up on Tagging Best Practices, as proper tagging not only enriches the capabilities within InsightCloudSec, but within your CSP as well.

Where can Applications be used within the product?

Applications can be used in the following sections of the tool:

  • Resources
  • Compliance Scorecard
  • Insights
  • Layered Context
  • Host Vulnerabilities
  • Exemptions
  • Filters

There are plans to expand this to other areas in the coming months.

Can I leverage Applications as a way to scope user visibility across the product?

At this time Applications is not a supported permission scoping mechanism. Customers can scope by badges, clouds and/or resource groups.

Can I turn off Applications for basic users if I don’t want to use them?

Yes. Applications currently support User Entitlements Matrix, making it easy to turn off the capability for customers who are not interested in using it.

What’s the purpose of metadata fields such as Business Critical, Criticality, etc.?

For the initial launch of Applications, the metadata fields can be used to help customers create different perspectives on compliance violations, inventory, vulnerabilities, and threat findings. In the coming months, we will be leveraging this metadata as a way to better categorize risk.

Can I scope one or more Bots based on Application membership?

At this time, Bots cannot use Applications as a scoping mechanism.

How do permissions work with Applications?

Domain/Organization Administrators have full control over Application management. This includes updating settings, modifying business critical status, and modifications to other metadata properties. When given the proper entitlements, basic users can view Applications, but can only see the infrastructure/resources within the application that are located in Cloud Accounts they have view/read access to. Basic users with editor permissions can update Application metadata/properties.

Can I bulk edit Application metadata?

The UI currently does not have bulk update capabilities; however, the API allows for bulk updating. See our API documentation for more information.

Can a customer input multiple tag keys/permutations for defining Applications?

At this time we only allow customers to input a single tag key. They can support multiple permutations of the tag key by selecting Case Insensitive in the Application Settings screen. In future releases we will look to support multiple tag keys.

What is the Trim Whitespace Application setting used for?

As one expects with tags, end-users can mistakenly add leading/trailing whitespace in their tag. With this setting, that whitespace is trimmed: for example, the application “ ProductionApp “ becomes “ProductionApp”.
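The effect of the Case Insensitive and Trim Whitespace settings on Application membership can be sketched as follows. This is an added illustration, not InsightCloudSec's implementation: the function name, the resource records and the assumption that case-insensitivity applies to the tag key while trimming applies to the tag value are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample inventory: one logical application tagged inconsistently.
RESOURCES = [
    {"id": "i-0001", "tags": {"Application": "ProductionApp"}},
    {"id": "bucket-logs", "tags": {"application": " ProductionApp "}},
    {"id": "db-main", "tags": {"APPLICATION": "ProductionApp ", "Owner": "data"}},
    {"id": "i-0002", "tags": {"Owner": "web"}},
]

def group_by_application(resources, tag_key,
                         case_insensitive=True, trim_whitespace=True):
    """Return (apps, unassigned): apps maps application name -> resource ids,
    unassigned lists resources that carry no usable application tag."""
    wanted = tag_key.lower() if case_insensitive else tag_key
    apps = defaultdict(list)
    unassigned = []
    for res in resources:
        for key, value in res["tags"].items():
            if (key.lower() if case_insensitive else key) != wanted:
                continue
            name = value.strip() if trim_whitespace else value
            if name.strip():  # ignore empty or whitespace-only values
                apps[name].append(res["id"])
                break
        else:
            # No matching key found: the resource falls outside every Application.
            unassigned.append(res["id"])
    return dict(apps), unassigned

if __name__ == "__main__":
    for ci, tw in [(False, False), (True, False), (True, True)]:
        apps, unassigned = group_by_application(RESOURCES, "Application", ci, tw)
        print(f"case_insensitive={ci} trim={tw}: {apps} unassigned={unassigned}")
```

With both settings off, two of the three production resources drop out of the Application entirely; with only case-insensitivity on, they split into three differently named Applications.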

How are the Applications kept in sync?

A processor runs every six hours to baseline and aggregate Applications across InsightCloudSec. As resources are harvested, their tags are analyzed and assessed to keep Application association in sync in real time.

Can I propagate lifecycle actions such as tagging for all resources within an Application?

At this time automation actions cannot be taken from the Application Context. We plan on adding this capability in Q2.

Can I view historical compliance results by Application in the Summary/Insight views?

At this time we do not support historical analysis of Compliance/Insight results scoped by Application.

Can I combine Application scoping with other scoping methods (e.g., Badges)?

Scope combinations can be done within both the Layered Context and Host Vulnerability sections of the product. You cannot combine scopes within Insights, Resources, or the Compliance Scorecard.

Are there plans to support additional scoping by tags?

Yes. Over the next few months, we will look to expand this construct to other tagging categories (Owner, Location, etc.).