InsightCloudSec Docs

Welcome to the InsightCloudSec Docs!

InsightCloudSec by Rapid7 (formerly DivvyCloud) is a Cloud-Native Security Platform that provides real-time analysis and automated remediation for continuous security and compliance for your multi-cloud environment.

For questions reach out to us through [email protected].

Resource Groups

How InsightCloudSec Manages Collections of Resources

Overview

Resource groups are simply collections of resources. Creating a resource group can help simplify cloud automation, management, and permissions at scale.

By enabling the grouping of certain resources, you can apply granular permissions to a subset of your cloud footprint. This functionality has numerous implementations and is particularly useful for scoping for custom visibility and custom policy.

One example of scoping would be to create a resource group that defines specific resources to configure for automation through a specific Bot action.

Resource Groups are available under "Resource" on the main side panel navigation.

Resource Groups

🚧

Resource Group Permissions

Only InsightCloudSec Domain Admins can create Resource Groups and give lower level users access to view Resource Groups.

Viewing and Accessing Resource Groups

From the "Resource Groups" page you can:

  • View a list of the resource groups created for your organization
    This content displays by default when you click on the Resource Group option to launch the landing page. Note that only Domain Admins can create Resource Groups, and user visibility may vary based on the permissions applied to the individual Resource Groups.

  • View details of resources within each group
    The details of the resources within the group are available by clicking on the context menu next to the name of the target resource group.

  • Create and delete resource groups

    • Users can create a resource group using the button on the top right of the main landing page.
    • With the appropriate permissions, users can delete resource groups by selecting the checkbox to the left of the target resource group. (The delete option will appear once a selection is made.)

Resource Groups - Create & Delete

Some other items to note:

  • InsightCloudSec also allows the harvesting of Cloud Service Provider (CSP) "Resource Groups". This capability is increasingly a cloud-native feature. The InsightCloudSec platform displays CSP-defined resource groups and marks them as such.

    • For example, an Azure Resource Group will be marked with an Azure icon.
    • Any InsightCloudSec-created Resource Groups will be displayed with an InsightCloudSec logo.
  • This visibility also applies to "curation" (which is discussed below). Curated resources will only be added to InsightCloudSec Resource Groups; our system will not change the resources included in any CSP-specific resource groups.

Creating a Resource Group

Resource Groups can be created either from the "Resource Groups" landing page or from the Resources landing page.

Prerequisites

Before you get started you will need to ensure that you have:

  • A functioning InsightCloudSec platform installation
  • The appropriate permissions (Domain Admin) to create a new Resource Group for your organization

As always if you have questions before you get started reach out to [email protected].

Creating a New Resource Group From the "Resource Groups" Page

1. From the main navigation select "Resource --> Resource Groups" and click on the "Create Resource Group" button in the top right corner of the page.

2. Give the resource group a name and a description, and select "Submit".

Creating a Resource Group

3. You can add resources to your resource group in two ways:

  • Locate your new resource group by its name on the Resource Groups landing page where you just created it, click to open and then click the "Resource" button - or,
  • Navigate to the "Resources" page via the main menu.

4. Click on the category of resources you want to include. Scroll down to the results section which lists the resources in this category (e.g., Compute, Container, Storage, etc.)

5. In the results section, check the box for those resources you wish to add to your resource group, then click the "Add to resource group" icon.
Note: Resource Groups can include multiple resource types.

Adding Resources to a Resource Group

6. Select a resource group and include dependencies if you wish. Select "Submit".

📘

Dependencies

A dependency is any resource that is linked to another. As an example, a user creates a resource group that includes instances. Selecting 'include dependencies' will also include volumes and access lists in this resource group, since those resources are linked to instances.

Add to Existing Resource Group

7. Repeat steps 5 and 6 above until you have selected all the resources you want to include in your resource group.

  • Note: Resource Groups can include multiple resource types (storage buckets, instances, databases) from multiple resource categories (compute, network, container).

Creating a New Resource Group From the "Resources" Page

In some situations, a user may want to create a new resource group directly from the "Resources" page. To do this, complete the following steps:

1. Locate and select "Resource --> Resources" from the main navigation.

2. Click on the category of resources you want to use and scroll down to the results section which lists the resources in this category.

3. Check the box for those resources you wish to add to your resource group and click the "Add to resource group" icon.

4. On the form that opens, click on the tab labeled "Create New" (the form defaults to "Add to Existing").

5. Create a new resource group by providing a "Name" and "Description" and selecting "Submit".

6. Add dependencies, if applicable, and repeat the steps to add new resources as described above until you have added all of the desired resources for your new resource group.

Creating a New Resource Group

View Your New Resource Group Details

1. To view your new resource group, navigate to the "Resource Groups" page from the main menu.

2. Click on the name of your resource group to display an overview of the resources in the group. The overview includes:

  • A percentage breakdown of your resource group by resource type
  • A breakdown of resources in your group by region

Resource Group Summary

3. You can view details of the resources within the resource group by selecting the icon under the "Go to Resources" column on the "Resource Groups" page.

  • This takes you to the "Resources" page, which displays the resources that are already scoped for your resource group.

View Resource Group Details (Resource Summary)

Using Resource Groups

Resource groups are designed for scoping resources, Insights, and Bots. Resource groups can scope based on any number of criteria, including permissions, automation, and compliance. Only administrators can create resource groups.

Some examples of scoping include:

  • A permission-based resource group, where an administrator can specify resources to narrow the visibility of resources that don't apply to certain users. For example, database admins don't need to see every instance or web server; they are only interested in viewing database resources.
  • In an automation-based example, an administrator can use a resource group to only display resources that are monitored based on certain configured actions. Again, a resource group can be set up so that only database administrators can see where changes are being made to database resources.

Resource Group Curation

An additional resource group capability is referred to as "resource group curation". Bot actions (or automation) can be applied to resource groups for curation in one of two ways:

  • To add resources to a resource group, or
  • To curate a new resource group

Add to Resource Group
On occasion, users may want to use multiple Bots to add resources to a group. You can do this using the Bot action "Add To Resource Group".

  • As the name implies, this action will only add resources to a group and will not automatically remove resources that no longer apply.

Curate Resource Group
InsightCloudSec includes a Bot action named "Curate Resource Group", which, when added to a Bot’s instruction set, assumes responsibility for maintaining the state of the resource group.

  • This action can be used only as a one-to-one relationship between a single Bot and a single resource group.
  • The Bot will automatically move resources in and out of the group as needed, based on the configured policy.

Example - Curating a Resource Group

In the following example, we show the steps required to create a sample resource group named Production Resources. This group includes resources with the tag key “environment” and a tag value of “production”. The scope of the Bot will be set to look for appropriately tagged resources across Microsoft Azure, Amazon Web Services, and Google Compute Engine.

📘

Curation - Supported Resources

The Curate Resource Group action only supports resources displayed within the InsightCloudSec Platform.

1. Navigate to "Resource --> Resource Groups" and create a new resource group. The example uses the name “Production Resources”.

Creating a "Production Resources" Resource Group

2. Next, you will need to create a new Bot. Navigate to "Automation --> BotFactory". Click on the "Create Bot" button.

Create a New Bot

3. Enter the details for your new Bot.

  • Provide a name, description, and category (in this example "Security").
  • Configure the Bot's scope. The scope defines the resource(s) and cloud account(s) to be inspected.
  • For this example, scope includes billable resource types--such as instances, database instances (e.g., AWS RDS), volumes, and snapshots--across three cloud accounts. Note: Choosing the "Select All Clouds" option configures the Bot to scan every configured cloud account.

4. Configure the Bot's filters. For this example, the Bot uses a single filter that inspects resource tags and looks for a single key Environment with a single value Production.

5. Configure the Bot's actions. The action used for this example is "Curate Resource". Select that action from the listing and then use the drop-down to select the desired group, "Production Resources".

Configuring the Bot's Actions

6. Choose when the Bot will run. For this type of Bot, we recommend using "Resource Created" and "Resource Modified". This configures the Bot to act any time a new resource is configured in the cloud, or when its tags are modified.

Choosing When the Bot Will Run

📘

To Run Your Bot Immediately

Bots are created in a paused state. This is done to allow you to review your Bot first--an InsightCloudSec best practice--before running your Bot.

You can review your Bot using the Bot Overview window (see Overview of Your Bot below). When you are ready to run your Bot, go to the Bot "Listing" tab, and select "Enable" from the action icon next to the name of your Bot. Then return to the action icon and select 'On-demand Scan'.

7. Save the Bot. Once done, you can perform a retroactive scan and, if you have resources that meet the configured filters, they should show up in the "Production Resources" group.
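
The difference between the "Add To Resource Group" and "Curate Resource Group" actions matters most when a group is used to scope permissions, because an add-only group keeps members whose tags no longer match. The following Python model is an added example, not InsightCloudSec code and not its API; the resource identifiers are constructed, and the exact, case-sensitive tag match is an assumption of the model.

```python
# Model of the two Bot actions described above. It calls no product API and
# only reproduces the semantics stated on this page.
from dataclasses import dataclass, field

TAG_KEY, TAG_VALUE = "environment", "production"  # filter from the example

@dataclass
class Resource:
    resource_id: str  # constructed sample identifier
    cloud: str
    tags: dict = field(default_factory=dict)

def matching_ids(inventory):
    # Assumption: exact, case-sensitive match on tag key and value.
    return {r.resource_id for r in inventory if r.tags.get(TAG_KEY) == TAG_VALUE}

def add_to_resource_group(group, inventory):
    """'Add To Resource Group': add matches, never remove existing members."""
    return group | matching_ids(inventory)

def curate_resource_group(group, inventory):
    """'Curate Resource Group': membership becomes exactly the current matches."""
    current = matching_ids(inventory)
    return (group & current) | current

def stale_members(group, inventory):
    """Members that no longer match the filter (candidates for review)."""
    return group - matching_ids(inventory)

def simulate():
    # Constructed inventory across the three clouds named in the example.
    inventory = [
        Resource("i-aws-001", "AWS", {"environment": "production"}),
        Resource("vm-azure-001", "Azure", {"environment": "production"}),
        Resource("gce-001", "GCE", {"environment": "staging"}),
    ]
    added = add_to_resource_group(set(), inventory)
    curated = curate_resource_group(set(), inventory)
    # "Resource Modified": the Azure VM is retagged, the GCE instance promoted.
    inventory[1].tags["environment"] = "staging"
    inventory[2].tags["environment"] = "production"
    added = add_to_resource_group(added, inventory)
    curated = curate_resource_group(curated, inventory)
    return added, curated, stale_members(added, inventory)

if __name__ == "__main__":
    print(simulate())
```

In the model, the add-only group still contains the retagged Azure VM after the second run, while the curated group does not.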

Resource Groups & Exemptions

In previous versions of InsightCloudSec, many users relied on Resource Groups as a method of creating and managing Insight and Bot exemptions. With versions 20.1 and greater this functionality has been dramatically improved through dedicated exemptions functionality. Exemptions now incorporate improved functionality, including context, point of contact details, expiration dates, and more.

Review our documentation on Exemptions for more information.

What's Next?

After familiarizing yourself with resource groups and viewing the information available here, why not check out more information on:

  • Tag Explorer - The Tag Explorer feature of InsightCloudSec allows you to audit and identify resources that contain (or do not contain) tag keys. Effective tagging can help identify resources for automation activities.

  • Filters - In InsightCloudSec, filters specify conditions for identifying matching resources, e.g., the filter ‘Resource is not encrypted’. Filters are used in Insights and Bots to assist with scoping, reporting, and actions.

Updated 2 days ago
