In InsightCloudSec, the Clouds section of the platform is where you manage your connected clouds. This section of the tool allows you to add clouds and badges, research potential gaps in coverage, monitor and adjust harvesting, and audit data.
The main Clouds page is accessible under the Cloud heading, Cloud --> Clouds.
Before getting started with the Clouds main page you will need to have the following:
- A functioning InsightCloudSec installation
- At least one connected cloud account
- The appropriate permissions to view cloud account details
For information on connecting a cloud account, refer to our page on Cloud Account Setup.
If you have other questions or concerns reach out to us through any of the options provided on our Getting Support page.
As your cloud footprint expands from dozens to hundreds of cloud accounts, this section of the tool becomes increasingly important for ensuring the quality of your data and understanding large-scale changes.
The Clouds page includes a number of tabbed sections that we explore in greater detail on our Cloud Reports page.
Initially, you will use the Clouds section to add clouds. As you do so, take advantage of the Badge functionality, which allows you to tag your cloud accounts as you would your cloud resources. InsightCloudSec automatically adds system-level badges for cloud type (e.g., AWS) and resource type (e.g., cloud account), as these are required for internal data tracking purposes.
You can add badges to reflect your business priorities. We have seen cloud-savvy customers using, as a baseline, badges for risk level, and more. When you add badges to your clouds, you can aggregate your data for analysis and take action based on badge keys and values.
The Badges column on the Clouds page can be used to sort your clouds and the column is included in any .CSV export you create.
If you have added your master AWS account, InsightCloudSec automatically downloads basic metadata about linked cloud accounts from the master account and displays that information. This information will allow you to determine if any AWS child accounts are unmanaged and unmonitored by InsightCloudSec.
If you have added your master GCP domain/organization, InsightCloudSec will automatically add all associated sub-projects. This ensures that no sub-projects remain unmanaged and unmonitored by InsightCloudSec.
InsightCloudSec continually harvests information from the cloud, looking for any changes since the previous harvest. By default, InsightCloudSec harvests resource configuration information according to a set cadence by resource type.
- The frequency of harvesting is based on institutional knowledge and general best practices.
- Harvesting cadence can be modified (decreased to reduce harvesting workload, or increased to track changes closer to real time) on a cloud type, badge, region, or resource basis to better match harvesting resources with your needs.
Learn more about configuring your harvesting cadence by region.
An additional harvesting strategy is available for AWS clouds: Event-driven Harvesting (EDH). When choosing EDH, InsightCloudSec harvests CloudWatch events to receive notifications of resource configuration changes.
- Upon receiving notification of such changes, InsightCloudSec targets a harvest for that specific resource. This is a difference in approach between "tell me everything" and "tell me what's changed". That difference allows more efficient, real-time harvesting.
An additional benefit of the EDH approach is that the harvested data includes data about the change events themselves. That change event data allows you to conduct a more detailed audit of changes (who, what, when, and where) and to do so globally, i.e., across all AWS accounts and all AWS regions, from a single location.
- It is an extremely useful way to analyze and track individual changes across your entire AWS infrastructure.
- The following documents provide more information: Event-Driven Harvesting (AWS) and Event-Driven Harvesting Reports.
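As an added example (not InsightCloudSec's own code), here is the kind of audit view the EDH change data makes possible: constructed EventBridge/CloudTrail events reduced to who, what, when and where per account and region, with the resource to target for re-harvest. The event-name-to-request-field mapping and all sample values are assumptions.

```python
"""Added example, not InsightCloudSec code: reduce AWS change events to audit records,
the "tell me what's changed" approach above. Events use the EventBridge
"AWS API Call via CloudTrail" shape; samples and the field mapping are constructed."""
from collections import Counter

# Assumption: which request parameter names the changed resource per API call.
RESOURCE_ID_FIELDS = {
    "AuthorizeSecurityGroupIngress": "groupId",
    "PutBucketPolicy": "bucketName",
}

def audit_record(event):
    """Return who / what / when / where for one event plus the resource to re-harvest."""
    detail = event["detail"]
    name = detail["eventName"]
    field = RESOURCE_ID_FIELDS.get(name)
    params = detail.get("requestParameters") or {}
    return {
        "who": detail["userIdentity"]["arn"],
        "what": name,
        "when": detail["eventTime"],
        "where": f'{event["account"]}/{event["region"]}',
        "resource": params.get(field) if field else None,  # None: cannot target a harvest
    }

def changes_by_location(events):
    """Count change events per account/region: the single global view across AWS."""
    return Counter(audit_record(e)["where"] for e in events)

def untargetable(events):
    """Events whose resource could not be identified and so would need a full harvest."""
    return [audit_record(e)["what"] for e in events if audit_record(e)["resource"] is None]

# Constructed sample events: fake account ids, users and resource ids.
def _event(account, region, name, when, user, params):
    return {"account": account, "region": region, "detail": {
        "eventName": name, "eventTime": when, "requestParameters": params,
        "userIdentity": {"arn": f"arn:aws:iam::{account}:user/{user}"}}}

SAMPLE_EVENTS = [
    _event("111111111111", "us-east-1", "AuthorizeSecurityGroupIngress",
           "2024-01-05T10:00:00Z", "alice", {"groupId": "sg-0123456789abcdef0"}),
    _event("111111111111", "us-east-1", "PutBucketPolicy",
           "2024-01-05T10:05:00Z", "bob", {"bucketName": "example-logs"}),
    _event("222222222222", "eu-west-1", "StopInstances",
           "2024-01-05T10:07:00Z", "carol", {"instancesSet": {"items": [{"instanceId": "i-0abc"}]}}),
]
```

The `untargetable` list is the edge case worth watching in an event-driven setup: a change you cannot map to a resource falls back to the slower full-harvest path.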
Customers using AWS, GCP, or Microsoft Azure get visibility on missing permissions for their installation. You can identify which permissions are missing and what impact those missing permissions have on visibility into that cloud account. Permission issues prevent harvesting and data retrieval of your cloud resources.
- This data refreshes every two hours. If you've recently made changes to your cloud permissions for this account, please check back in two hours.
- Note: For AWS accounts there may be Service Control Policies that disable some resources.
As shown in the image below, when viewing cloud permissions, you will see a display clearly identifying the missing permission(s) for each service supported by InsightCloudSec.
Warnings with False Positives - Known AWS Service Control Policy Issue
When viewing details on the Clouds Listing page, InsightCloudSec may provide false positive “Warnings” around missing permissions. In some scenarios the permissions are granted within the Service Control Policy (SCP) but falsely report as missing.
This scenario is the result of a known issue within AWS: if an Organization has an SCP with conditions based on global keys (e.g., aws:PrincipalArn), the IAM Policy Simulator results are not accurate because the simulator does not have context for those global keys.
If you have verified that the specific permissions identified as missing are included in your SCP, you can safely disregard these warnings; otherwise, for remaining questions or concerns, contact us at [email protected].
Read more about Service Control Policies
In addition to viewing the details of your Cloud accounts through the InsightCloudSec interface, you also have the ability to download this content by selecting the "Download" button at the top of the page above the Clouds listing.
You can sort and filter the data however you'd like before you export, and those sorts and filters will be reflected in your output; this includes Badges.
Selecting "Download" from the buttons on the "Listing" tab of the Clouds section will launch the following form, which lets you include tags or select existing data collections.
- Badges are included as a column by default (as of 21.1) so any badges specified in this optional form will be in addition to the default.
- Select "Download" on the form to export this data in a .CSV file.