Badges

Badges are key-value pairs that allow you to customize the organization of your cloud accounts within InsightCloudSec. Most badge features require appropriate permissions. Learn more about required permissions in our Users, Groups, and Roles (Administration) documentation.

Badges, as key-value pairs, are similar to AWS tags or GCP labels. However, where tags and labels are applied to resources, badges are applied to entire cloud accounts. For example, one badge might have a key of environment and a value of production and another might use environment with the value testing, allowing your organization to group cloud accounts based on usage.

Accessing Badges

The Badges functionality is accessible for configuration in a number of ways: on the Clouds Listing page, through the configuration of Insights, via Resources, and when configuring a Bot.

Go to Cloud > Clouds to display the Clouds Listing page, and locate the Badges column for access to add, modify, and edit Badges.

Understanding Badging Implementation

Badging within InsightCloudSec is a very powerful system that allows you to establish a taxonomy across your cloud and Kubernetes footprint. It can be used for reporting and automation purposes as well as authorization within the Role Based Access Control (RBAC) system. There are three types of badges outlined below:

System Generated Badges

System Generated badges are automatically applied when services such as AWS, Microsoft Azure, Google Cloud Platform (GCP), and Kubernetes are connected to the product. There are two badges that fall into this category which are always assigned: system.cloud_type and system.resource_type. These badges cannot be modified and remain in a fixed state within the database.

system.cloud_type

Example values:

  • system.cloud_type: amazon web services
  • system.cloud_type: microsoft azure
  • system.cloud_type: google cloud platform

Example use case:

You can use system.resource_type: cloud to ensure that a Bot automation remains in scope for all cloud accounts, including ones that will be added in the future.

  • For example, you can configure a Bot to alert your SecOps team when a critical AWS GuardDuty finding is observed across their entire AWS fleet of accounts. As InsightCloudSec automatically onboards additional accounts and assigns the system.cloud_type: amazon web services system badge, the new accounts will be incorporated into the scope of this existing Bot. This is a great maintenance-free way to scale your Bot automation alongside the growth of your cloud footprint.

system.resource_type

Example values:

  • system.resource_type: cloud
  • system.resource_type: k8s cluster

Example use case:

You can use system.resource_type: cloud for automation via a Bot that you want to scope to include every cloud account to monitor for public object storage such as AWS S3, Google Cloud Storage, or Azure Blob Containers. Any time one of these resources is exposed to the public and puts an organization's data at risk, the Bot can respond. This particular badge can be configured to monitor accounts that exist in the InsightCloudSec platform today as well as those that are added in the future.

Auto-Generated Badges

Auto-Generated badges are similar to System Badges in that they cannot be modified (or deleted) within the product; however, they are inherited from the tags/labels associated with the top-level account within the cloud itself. If you associate tags with your AWS Cloud Accounts (this requires AWS Organizations), labels on your GCP Projects, or tags on your Azure Subscriptions, they will automatically funnel into the system as auto-generated badges.

This capability is only supported when connecting InsightCloudSec to the top level of your AWS, Microsoft Azure, or Google Cloud Platform organization. Documentation on this capability for each provider can be found here:

Customer Supplied Badges

Customer supplied badges are defined within InsightCloudSec. They can be created, modified, and deleted by any user with administrative privileges. If your organization does not have a pre-built taxonomy which can be auto-inherited from your cloud accounts or Kubernetes clusters using the Auto-Generated Badges outlined above, then these can be used as an alternative.

  • There's no limit to the number of customer supplied badges that can be associated; however, the maximum length for both the key and value is 255 characters.
  • InsightCloudSec customers regularly leverage this badge type to apply the following metadata to their fleet of Cloud accounts and Kubernetes clusters:

Example values:

  • owner: joe.smith@acmecorp.com
  • risk: high
  • environment: production
  • slack_channel: #acmecorp-ics-alerts

In the example above, the badges can be used to organize reporting to identify alerts and vulnerabilities associated with resources that are owned by Joe Smith or those associated with accounts that are high risk based on the classification of data.

Badges also enable customers who leverage InsightCloudSec's automation through Bots to dynamically route alerts and notifications to any number of integration options including Slack, Microsoft Teams Channels, email distribution lists and more based on the value of a target badge.

Reviewing Default Badges and Badge Requirements

  • When a cloud account is added, InsightCloudSec automatically assigns it two system badges: system.cloud_type and system.resource_type.
  • In addition, no user-specified badge may begin with system.
  • Badge keys and values are case sensitive.
  • You must use shift + space to add a space when adding badges.

Add or Modify a Badge

  1. Go to Cloud > Clouds.
  2. Locate the Cloud Account in which you want to make changes to Badges, and in the row for that cloud account, locate the column labelled Badges and click on the linked number of badges displayed.
  3. In the Add Cloud Badges window, click the plus icon (+) to create a line for your new badge.
  4. For new badges, add the key and value as desired. Repeat this process for as many new badges as you want to add:
    • Badge keys may not begin with the string system
    • Both badge keys and badge values are case-sensitive
     For existing badges, edit as desired. Repeat this process for as many existing badges as you want to revise.
  5. When you are finished adding or modifying badges, click Submit to save your changes.

Remove a Badge

  1. Go to Cloud > Clouds.
  2. Locate the Cloud Account for which you want to make changes to Badges, and in the row for that cloud account, locate the column labelled Badges and click on the linked number that displays.
  3. To remove any user-created badges, click the minus icon (-) next to each entry you want to remove. System Generated badges are identified with a checkmark.
  4. When you are done removing badges, click Submit to save your changes.

Scoping With Badges

Badges can be used to scope clouds, Insights, resources, Bots, and user roles. The steps below outline the process to scope or narrow your clouds using badges.

Scope Clouds With Badges

  1. To narrow your list of clouds by badge, go to Cloud > Clouds from the main navigation to open the Clouds Listing page.
  2. Click on the Search Badge(s) text box to display a drop-down list of existing badges.
  3. Select the badges you want to use to scope your clouds.
    • For example, searching for/selecting the badge environment:production will produce a list containing only clouds with badges matching environment:production.
  4. You can choose multiple badges to narrow your resulting list of clouds. By default, results shown match at least one badge in your provided criteria.
  5. To show only those results that match all selected badges, check the Must Have All Badges checkbox.
    • In addition, badges are sortable and included in any export from the Clouds page.

Scope Insights With Badges

Badges can be used to enhance the functionality of Insights by allowing you to filter how you view your Insights’ results.

  1. Go to Security > Insights.
  2. Select an Insight pack from the Insights Library by clicking the checkbox next to the name and then clicking the Scopes option. Scopes will appear as an overlay menu.
  3. Click on the Select Badges text box and a drop-down list will appear with all available badges from your list of clouds.
  4. As you select badges, both the list of clouds below your selections and the grayed-out results in the center of the window will dynamically change.
    • By default, the results that appear are those that match at least one of the badges you select.
    • To require that all badges must be matched for a result to appear, select Must Have All Badges.
  5. When you are finished filtering your Insights, click the X at the top-right navigation of the Scopes menu.

Scope Resources With Badges

As with Insights, resources may also be filtered by badges. The process by which you filter resources is identical to that by which you filter Insights.

Go to Inventory > Resources, select your target resources, and then open the Scopes option.

Scope Bots With Badges

As with Insights and resources, Bots can be more precisely defined using badges. Administrators and basic users with an admin or editor entitlement can configure this feature.

The process is similar to that used for scoping Insights and resources with badges. Go to Automation > BotFactory to access Bot details.

When creating or editing Bots, the second step in this process (2. RESOURCE TYPES & GROUPS) allows you to specify scope, including badges.

  • You will see a text box with drop-down selection and a Must Have All Badges checkbox identical to those seen in Insights and Resources. Select the badges you would like to use to limit your Bot’s scope.
  • You can check the Must Have All Badges checkbox to require that each included cloud have all selected badges rather than at least one.
  • If Select All Clouds is checked, then the Exclusion Badges field becomes available. Any cloud with one or more of the selected badges will be excluded from the Bot's scope.

Refer to the complete BotFactory documentation for details on creating and modifying Bots.
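
The scoping rules described above (match at least one badge by default, Must Have All Badges, and Exclusion Badges with Select All Clouds), together with the badge requirements, can be modelled in a few lines. This is an added example, not InsightCloudSec code: `Cloud`, `validate_badge`, `in_scope`, `scoped` and the account names are hypothetical, and the behaviour when no badge is selected is an assumption of the model.

```python
from dataclasses import dataclass, field

# System badge values quoted on this page.
AWS = ("system.cloud_type", "amazon web services")
AZURE = ("system.cloud_type", "microsoft azure")
CLOUD = ("system.resource_type", "cloud")

@dataclass
class Cloud:  # hypothetical model of one cloud account
    name: str
    badges: set = field(default_factory=set)  # {(key, value), ...}

def validate_badge(key, value):
    """Apply the documented rules for customer supplied badges."""
    if key.startswith("system"):
        raise ValueError("user badge keys may not begin with 'system'")
    if len(key) > 255 or len(value) > 255:
        raise ValueError("key and value are limited to 255 characters")
    return (key, value)  # kept verbatim: keys and values are case sensitive

def in_scope(cloud, selected=(), must_have_all=False,
             select_all=False, exclusions=()):
    if select_all:  # Exclusion Badges apply only with Select All Clouds
        return not (cloud.badges & set(exclusions))
    selected = set(selected)
    if not selected:
        return False  # assumption of this model: nothing selected, nothing scoped
    if must_have_all:
        return selected <= cloud.badges
    return bool(selected & cloud.badges)  # default: at least one badge matches

def scoped(fleet, **scope):
    return [c.name for c in fleet if in_scope(c, **scope)]

# Constructed fleet; account names are made up for the example.
FLEET = [
    Cloud("prod-aws", {AWS, CLOUD, validate_badge("environment", "production"),
                       validate_badge("risk", "high")}),
    Cloud("test-aws", {AWS, CLOUD, validate_badge("environment", "testing")}),
    # Case mismatch: this account silently falls outside environment:production.
    Cloud("prod-azure", {AZURE, CLOUD, validate_badge("Environment", "Production")}),
]

if __name__ == "__main__":
    prod = ("environment", "production")
    print(scoped(FLEET, selected=[prod]))
    print(scoped(FLEET, selected=[prod, ("risk", "high")], must_have_all=True))
    print(scoped(FLEET, select_all=True, exclusions=[("environment", "testing")]))
    print(scoped(FLEET + [Cloud("new-aws", {AWS, CLOUD})], selected=[AWS]))
```

The `prod-azure` account shows why case sensitivity matters for coverage: a badge typed as Environment:Production keeps the account out of any Bot scoped to environment:production, while the system badge scope picks up `new-aws` with no customer badge at all.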

Viewing Badges on Bots

To view which badges, if any, are in use for a given Bot, go to Automation > BotFactory and select the Bot of interest from your list of Bots to display details for that individual Bot. If you scroll to the bottom half of those details, you can view the badges in the Bot Scope panel details.

Scope User Roles With Badges

Role scopes may be associated with specific badges. Go to Administration > Identity Management and select Basic User Roles from the pages/tabs.

This view provides a list of roles, which includes a column that references the number of associated badges (as shown in the example below).

  1. To add/remove a badge to/from a role, find the # Badges column for the role of interest and click on the number in that column.
  2. Use the context menu to the left of the name of the Role you want to modify and select Modify Badge Scope to view the list of badges associated with that role.
    • Click into the content box to enable the drop-down menu and select the badges you want to add.
    • If badges already are associated with this role, click on any white space in the text box to bring up the list of additional badges.
    • To remove an existing badge from the role, click on the small x next to the badge name.
  3. When you finish adding and removing badges, click Submit.

Using Badges in Notification Messages

You can include badges and badging information in messages associated with any of the following Bot actions: Send Bulk Email, Send Delayed Email, Send Slack Message, Post Request to URL, and Set Container Policy. To do so you will need to use Jinja2 Templating.

An Example Message

The following message uses Jinja2 templating and Slack formatting to send an alert via Slack when a resource is created without tags mandated by policy:

```text
A resource of type `{{event.resource.get_resource_type()}}` was discovered
at `{{event.resource.common.creation_timestamp}}` without the required _owner_
or _contact-email_ tags. The resource name is `{{event.resource.get_resource_name()}}`.
It lives in account `{{event.resource.get_organization_service_name()}}`,
which is owned by `{{event.resource.get_badge_value_by_key_for_parent_cloud('owner')}}`.\n---
```

As an example, a given cloud has a badge of owner and the owner for this cloud is Jane Doe. The value returned in the example above for {{event.resource.get_badge_value_by_key_for_parent_cloud('owner')}} will be jane.doe@acme.com.

For more information on Jinja2 templating, click here.
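
A notification template can be rendered offline against a stub before it is pasted into a Bot action, so that a mistyped accessor fails loudly instead of reaching Slack. This is an added example, not InsightCloudSec code: it needs the `jinja2` package, and `StubResource`, `check_template`, `EVENT` and all sample values are hypothetical; only the accessor names come from the message above.

```python
from types import SimpleNamespace
from jinja2 import Environment, StrictUndefined, TemplateSyntaxError, UndefinedError

# The message from this page (raw string so the trailing \n--- stays literal).
MESSAGE = r"""A resource of type `{{event.resource.get_resource_type()}}` was discovered
at `{{event.resource.common.creation_timestamp}}` without the required _owner_
or _contact-email_ tags. The resource name is `{{event.resource.get_resource_name()}}`.
It lives in account `{{event.resource.get_organization_service_name()}}`,
which is owned by `{{event.resource.get_badge_value_by_key_for_parent_cloud('owner')}}`.\n---"""

class StubResource:
    """Hypothetical stand-in: only the accessor names come from the page."""
    def __init__(self, rtype, name, account, created, cloud_badges):
        self._rtype, self._name, self._account = rtype, name, account
        self._cloud_badges = cloud_badges
        self.common = SimpleNamespace(creation_timestamp=created)
    def get_resource_type(self):
        return self._rtype
    def get_resource_name(self):
        return self._name
    def get_organization_service_name(self):
        return self._account
    def get_badge_value_by_key_for_parent_cloud(self, key):
        # Case-sensitive lookup; raising on a missing key is stub behaviour,
        # not a statement about what the product returns.
        return self._cloud_badges[key]

def check_template(template, event):
    """Render with StrictUndefined so unknown names raise instead of rendering empty."""
    env = Environment(undefined=StrictUndefined)
    try:
        return True, env.from_string(template).render(event=event)
    except (UndefinedError, TemplateSyntaxError, KeyError) as exc:
        return False, f"{type(exc).__name__}: {exc}"

# Constructed sample event.
EVENT = SimpleNamespace(resource=StubResource(
    "storagecontainer", "acme-logs", "acme-prod", "2024-01-01 00:00:00",
    {"owner": "jane.doe@acme.com"}))

if __name__ == "__main__":
    print(check_template(MESSAGE, EVENT))
    print(check_template(MESSAGE.replace("get_resource_name", "get_resorce_name"), EVENT))
```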

Viewing the Badges Summary Report

With Viewing permissions, you can view Total Badges by Cloud Account by navigating to Cloud > Clouds > Badges, as shown in the example below.

You must have Domain Admin privileges to view the summary of badges by cloud account.

This view summarizes your top 10 badges by cloud account in a bar graph and details all badges in use in the table below the bar graph. Together, these two displays effectively provide a dictionary of your top badges. A Domain Admin can use these displays to manage available badges.

Top Badges by Cloud Count

Access to the Top Badges by Cloud report (as well as the listing of all Badges) is through the Badges option on the Clouds main page (Cloud, then Clouds from the left-side menu). This information is available only to users with appropriate permissions.