Resource groups are simply collections of resources. Creating a resource group can help simplify cloud automation, management, and permissions at scale.
By enabling the grouping of certain resources, you can apply granular permissions to a subset of your cloud footprint. This functionality has numerous implementations and is particularly useful for scoping for custom visibility and custom policy.
One example of scoping would be to create a resource group that defines specific resources to configure for automation through a specific Bot action.
Resource Groups are available under "Resource" on the main side panel navigation.
Resource Group Permissions
Only InsightCloudSec Domain Admins can create Resource Groups and give lower level users access to view Resource Groups.
From the "Resource Groups" page you can:
View a list of the resource groups created for your organization
This content displays by default when you click on the Resource Group option to launch the landing page. Note that only Domain Admins can create Resource Groups, and user visibility may vary based on the permissions applied to the individual Resource Groups.
View details of resources within each group
The details of the resources within the group are available by clicking on the context menu next to the name of the target resource group.
Create and delete resource groups
- Users can create a resource group using the button on the top right of the main landing page.
- With the appropriate permissions, users can delete resources by selecting the checkbox to the left of the target resource group. (The delete option will appear once a selection is made).
Some other items to note:
InsightCloudSec also allows the Harvesting of Cloud Service Provider "Resource Groups". This capability is increasingly a cloud-native feature. The InsightCloudSec platform displays CSP-defined resource groups (and mark them as such).
- For example, an Azure Resource Group will be marked with an Azure icon.
- Any InsightCloudSec-created Resource Groups will be displayed w/ an InsightCloudSec logo.
This visibility also applies to "curation" (which is discussed below). Curated resources will only be added to InsightCloudSec Resource Groups; our system will not change the resources included in any CSP-specific resource groups.
Resource Groups can be created either from the "Resource Groups" landing page or from the Resources landing page.
Before you get started you will need to ensure that you have:
- A functioning InsightCloudSec platform installation
- The appropriate permissions (Domain Admin) to create a new Resource Group for your organization
As always if you have questions before you get started reach out to [email protected].
1. From the main navigation select "Resource --> Resource Groups" and click on the "Create Resource Group" button in the top right corner of the page.
2. Give the resource group a name and a description, and select "Submit".
3. You can add resources to your resource group in two ways:
- Locate your new resource group by its name on the Resource Groups landing page where you just created it, click to open and then click the "Resource" button - or,
- Navigate to the "Resources" page via the main menu.
4. Click on the category of resources you want to include. Scroll down to the results section which lists the resources in this category (e.g., Compute, Container, Storage, etc.)
5. In the results section, check the box for those resources you wish to add to your resource group, then click the "Add to resource group" icon.
Note: Resource Groups can include multiple resource types.
6. Select a resource group and include dependencies if you wish. Select "Submit".
A dependency is any resource that is linked to another. As an example, a user creates a resource group that includes instances. Selecting 'include dependencies' will also include volumes and access lists in this resource group, since those resources are linked to instances.
7. Repeat steps 5 and 6 above until you have selected all the resources you want to include in your resource group.
- Note: Resource Groups can include multiple resource types (storage buckets, instances, databases) from multiple resource categories (compute, network, container).
In some situations, a user may want to create a new resource group directly from the "Resources" page. To do this, complete the following steps:
1. Locate and select "Resource --> Resources" from the main navigation.
2. Click on the category of resources you want to use and scroll down to the results section which lists the resources in this category.
3. Check the box for those resources you wish to add to your resource group and click the "Add to resource group" icon.
4. On the form that opens, click on the tab labeled "Create New" (the form defaults to "Add to Existing").
5. Create a new resource group by providing a "Name" and "Description" and selecting "Submit".
6. Add dependencies, if applicable, and repeat the steps to add new resources as described above until you have added all of the desired resources for your new resource group.
1. To view your new resource group, navigate to the "Resource Groups" page from the main menu.
2. Click on the name of your resource group to display an overview of the resources in the group. The overview includes:
- A percentage breakdown of your resource group by resource type
- A breakdown of resources in your group by region
3. You can view details of the resources within the resource group by selecting the icon under the "Go to Resources" column on the "Resources Group" page.
- This takes you to the "Resources" page, which displays the resources that are already scoped for your resource group.
Resource groups are designed for scoping resources, Insights, and Bots. Resource groups can scope based on any number of criteria, including permissions, automation, and compliance. Only administrators can create resource groups.
Some examples of scoping include:
- A permission-based resource group, where an administrator can specify resources to narrow the visibility of resources that don't apply to certain users. For example, database admins don't need to see every instance or web server; they are only interested in viewing database resources.
- In an automation-based example, an administrator can use a resource group to only display resources that are monitored based on certain configured actions. Again, a resource group can be set up so that only database administrators can see where changes are being made to database resources.
An additional resource group capability is referred to as "resource group curation". Bot actions (or automation) can be applied to resource groups for curation in one of two ways:
- To add resources to a resource group, or
- To curate a new resource group
Add to Resource Group
On occasion, users may want to use multiple Bots to add resources to a group. You can do this using the Bot action "Add To Resource Group".
- As the name implies, this action will only add resources to a group and will not automatically remove resources that no longer apply.
Curate Resource Group
InsightCloudSec includes a Bot action named "Curate Resource Group", which, when added to a Bot’s instruction set, assumes responsibility for maintaining the state of the resource group.
- This action can be used only as a one-to-one relationship between a single Bot and a single resource group.
- The Bot will automatically move resources in and out of the group as needed, based on the configured policy.
In the following example, we show the steps required to create a sample resource group named
Production Resources. This group includes resources with the tag key “environment” and a tag value of “production”. The scope of the Bot will be set to look for appropriately tagged resources across Microsoft Azure, Amazon Web Services, and Google Compute Engine.
Curation - Supported Resources
The Curate Resource Group action only supports resources displayed within the InsightCloudSec Platform.
1. Navigate to "Resource --> Resource Groups" create a new resource group. The example uses the name “Production Resources”.
2. Next, you will need to create a new Bot. Navigate to "Automation --> BotFactory". Click on the "Create Bot" button.
3. Enter the details for your new Bot.
- Provide a name, description, and category (in this example "Security").
- Configure the Bot's scope. The scope defines the resource(s) and cloud account(s) to be inspected.
- For this example, scope includes billable resource types--such as instances, database instances (e.g., AWS RDS), volumes, and snapshots--across three cloud accounts. Note: Choosing the "Select All Clouds" option configures the Bot to scan every configured cloud account.
4. Configure the Bot's filters. For this example, the Bot uses a single filter that inspects resource tags and looks for a single key
Environment with a single value
5. Configure the Bot's actions. The action used for this example is "Curate Resource". Select that action from the listing and then use the drop-down to select the desired group, "Production Resources".
6. Choose when the Bot will run. For this type of Bot, we recommend using "Resource Created" and "Resource Modified". This configures the Bot to act any time a new resource is configured in the cloud, or when its tags are modified.
To Run Your Bot Immediately
Bots are created in a paused state. This is done to allow you to review your Bot first--an InsightCloudSec best practice--before running your Bot.
You can review your Bot using the Bot Overview window (see Overview of Your Bot below). When you are ready to run your Bot, go to the Bot "Listing" tab, and select "Enable" from the action icon next to the name of your Bot. Then return to the action icon and select 'On-demand Scan'.
7. Save the Bot. Once done, you can perform a retroactive scan and, if you have resources that meet the configured filters, they should show up in the "Production Resources" group.
In previous versions of InsightCloudSec, many users relied on Resource Groups as a method of creating and managing Insight and Bot exemptions. With versions 20.1 and greater this functionality has been dramatically improved through dedicated exemptions functionality. Exemptions now incorporate improved functionality, including context, point of contact details, expiration dates, and more.
Review our documentation on Exemptions for more information.
After familiarizing yourself with resource groups and viewing the information available here, why not check out more information on:
Tag Explorer - The Tag Explorer feature of InsightCloudSec allows you to audit and identify resources that contain (or do not contain) tag keys. Effective tagging can help identify resources for automation activities.
Filters - In InsightCloudSec, filters specify conditions to identifying matching resources, e.g., the filter ‘Resource is not encrypted’. Filters are used in Insights and Bots to assist with scoping, reporting, and actions.
Updated 2 days ago