Resource Groups

Resource groups are collections of resources that help simplify automation, management, and permissions at scale. By grouping resources, you can apply granular permissions to a subset of your cloud footprint; this functionality has numerous implementations and is particularly useful for scoping custom visibility and custom policy. For example, a resource group can be used to identify the specific resources to configure for automation through a certain Bot action. Resource groups can be user-created or harvested from a Cloud Service Provider's Resource Group equivalent. For example, an Azure Resource Group will be marked with an Azure icon.

Prerequisites

Before you get started with Resource Groups you will need to ensure that you have:

  • A functioning InsightCloudSec platform installation
  • The appropriate permissions to create and/or manage Resource Groups for your InsightCloudSec Organization

Explore Resource Groups

In InsightCloudSec, navigate to Inventory > Resource Groups to start exploring, creating, and managing resource groups.

Display

From the main display for Resource Groups you can:

Feature | Description
Create a Resource Group | Click on the Create Resource Group button at the top of the Resource Group landing page.
Enqueue Group Refresh | Allows a user to manually trigger a refresh of Resource Groups.
Search | Type into the search bar and the list of Resource Groups will automatically filter to match the criteria.
Open Resource Group Summary | Click a Resource Group's name to open its Summary where you can review a resource type breakdown and a resource by region breakdown for the Group. If you created the group, you can also update the Group's name and description or delete it from the Settings tab.
Action | The Action column contains actions related to Resource Groups:
  • Click Action > Go To Resources next to a Resource Group to launch the Resources page scoped to the specific Resource Group.
  • Click Action > Delete Resource Group to remove the resource group. You can only delete Resource Groups that you have created.
  • Click Action > Edit Group to edit a Group's name and description. You can only edit Resource Groups that you have created.

Managing Resource Groups

Creating a Resource Group

The best way to create a Resource Group is directly from a selection on the Resources page.

  1. Navigate to Inventory > Resources.
  2. Scope the data as necessary. For more information on using this feature, see Resources.
  3. Navigate to a resource type using the tabs at the top.
  4. Click the resource type name.
  5. When the table loads, check the box next to resources you wish to add to your resource group and click the Add to resource group icon.
  6. On the form that opens, click the Create New tab.
  7. Provide a name and description for the group, then click Submit.
  8. Add dependencies, if desired, and repeat the steps to add new resources until you have added all of the desired resources for your new resource group.

Updating a Resource Group's Scope

If you need to update the scope of an existing Resource Group, it is easiest to do this directly from a selection on the Resources page.

  1. Navigate to Inventory > Resources.
  2. Scope the data as necessary. For more information on using this feature, see Resources.
  3. Navigate to a resource type using the tabs at the top.
  4. Click the resource type name.
  5. When the table loads, check the box next to resources you wish to add to your resource group and click the Add to resource group icon.
  6. On the form that opens, click the Add to Existing tab.
  7. From the Select Resource Group(s) drop-down menu, select every Resource Group whose scope you would like to update.
  8. Optionally, select Include Dependencies? to also include the dependencies of the selected Resource(s).
  9. Click Submit.

Using Resource Groups

Resource groups are designed for scoping resources, Insights, and Bots. Resource groups can scope based on any number of criteria, including permissions, automation, and compliance. Some examples of scoping include:

  • A permission-based resource group, where an administrator can specify resources to narrow the visibility of resources that don't apply to certain users. For example, database administrators don't need to see every instance or web server; they are only interested in viewing database resources.
  • A reactive resource group, where an administrator can use a resource group to only display resources that are monitored based on certain configured actions. For example, a resource group can be set up so that only database administrators can see where changes are being made to database resources.
  • Resource group curation using Bot actions (or automation) in one of two ways:
    • Add to Resource Group. On occasion, users may want to use multiple Bots to add resources to a group. You can do this using the Bot action Add To Resource Group.
      • This action will only add resources to a group and will not automatically remove resources that no longer apply.
    • Curate Resource Group. InsightCloudSec includes a Bot action named Curate Resource Group, which, when added to a Bot’s instruction set, assumes responsibility for maintaining the state of the resource group.
      • This action can be used only as a one-to-one relationship between a single Bot and a single resource group.
      • The Bot will automatically move resources in and out of the group as needed based on the configured policy.

Curating a Resource Group Example

In the following example, we show the steps required to create a sample resource group named Production Resources. This group includes resources with the tag key environment and a tag value of production. The scope of the Bot will be set to look for appropriately tagged resources across Microsoft Azure, Amazon Web Services, and Google Compute Engine. Check out our documentation on BotFactory & Automation for additional details on working with Bots and automation.

To Create a Curation Bot:

  1. Go to Resource > Resource Groups and create a new resource group. This example uses the name Production Resources.
  2. Create a new Bot. Go to Automation > BotFactory and click Create Bot.
  3. Enter the Bot details.
    1. Enter a name, description, and category. This example uses Security.
    2. Configure the Bot's scope. The scope defines the resource(s) and cloud account(s) to be inspected. The scope of this example includes billable resource types (such as instances, database instances, volumes, and snapshots) across three cloud accounts.
    3. (Optional) To configure the Bot to scan every configured cloud account, click Select All Clouds.
  4. Configure the Query Filters. For this example, the Bot uses a single Query Filter that inspects resource tags and looks for a single key Environment with a single value Production.
  5. Configure the Bot's actions. The action used for this example is Curate Resource. Select that action from the listing and then use the drop-down to select the desired group, Production Resources.
  6. Choose when the Bot will run. For this type of Bot, we recommend against using any of the Reactive options and instead relying on a set schedule (hourly, daily, etc.).
  7. Save the Bot. When done, you can perform a retroactive scan, and if you have resources that meet the configured filters, they should show up in the "Production Resources" group.
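
The difference between the Add To Resource Group and Curate Resource Group actions described under Using Resource Groups, modeled for the Production Resources filter from this example. This is an added illustration, not InsightCloudSec code or its API; the function names, the resource IDs, and the exact-match tag comparison are assumptions.

```python
"""Model of the two Bot actions' membership semantics (illustrative only)."""

def matches(resource, key="environment", value="production"):
    # The example's single Query Filter: one tag key with one tag value.
    # Exact string comparison is an assumption of this model.
    return resource["tags"].get(key) == value

def add_to_resource_group(group, resources):
    # Add To Resource Group: adds matching resources, never removes any.
    return group | {r["id"] for r in resources if matches(r)}

def curate_resource_group(group, resources):
    # Curate Resource Group: the Bot owns the group's state, so membership
    # becomes exactly the set of resources that match on this run.
    return {r["id"] for r in resources if matches(r)}

def stale_members(group, resources):
    # Members that no longer match the filter (retagged or deleted).
    current = {r["id"] for r in resources if matches(r)}
    return sorted(group - current)

def simulate():
    # Constructed inventory as seen by two scheduled Bot runs.
    run1 = [
        {"id": "i-web-01", "tags": {"environment": "production"}},
        {"id": "db-orders", "tags": {"environment": "production"}},
        {"id": "vol-scratch", "tags": {"environment": "dev"}},
    ]
    run2 = [
        {"id": "i-web-01", "tags": {"environment": "staging"}},    # retagged
        {"id": "db-orders", "tags": {"environment": "production"}},
        {"id": "vol-scratch", "tags": {"environment": "dev"}},
        {"id": "snap-0425", "tags": {"environment": "production"}},  # new
    ]
    added, curated = set(), set()
    for run in (run1, run2):
        added = add_to_resource_group(added, run)
        curated = curate_resource_group(curated, run)
    return added, curated, stale_members(added, run2)

if __name__ == "__main__":
    added, curated, stale = simulate()
    print("add-only group:", sorted(added))
    print("curated group: ", sorted(curated))
    print("stale in add-only group:", stale)
```

When a group built with the add-only action is also used for permission scoping, the stale members stay in scope for those users until someone removes them.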

To Run Your Bot Immediately

Bots are created in a paused state. This is done to allow you to review your Bot first--an InsightCloudSec best practice--before running your Bot.

You can review your Bot using the Bot Overview window (see Overview of Your Bot below). When you are ready to run your Bot, go to the Bot Listing tab, and select Enable from the action icon next to the name of your Bot. Then return to the action icon and select 'On-demand Scan'.