How InsightCloudSec Manages Collections of Resources
Resource groups are user-created collections of resources. Defining a resource group can help simplify automation, management, and permissions at scale.
By enabling the grouping of certain resources, you can apply granular permissions to a subset of your cloud footprint. This functionality has numerous implementations and is particularly useful for scoping for custom visibility and custom policy. For example, a resource group can be used identify specific resources to configure for automation through a certain Bot action.
The Resource Groups capability is available under "Inventory --> Resource Groups" on the main navigation.
Resource Group Permissions
Only InsightCloudSec Domain Admins can create Resource Groups and give lower level users access to view Resource Groups. Refer to our User Entitlements Matrix for additional details on permissions.
Viewing and Accessing Resource Groups
From the "Resource Groups" page you can:
View a List of Resource Groups
This content displays by default when open the Resource Groups landing page.
Note that only Domain Admins can create Resource Groups, and user visibility may vary based on the permissions applied to the individual Resource Groups.
Create a Resource Group
Click on the "Create Resource Group" button at the top of the Resource Group landing page.
Enqueue Group Refresh
Allows a user to manually trigger a refresh of Resource Groups.
View Details of Resources within Each Group
The details of the resources within the group are available by clicking on the "Go To Resources" option under the Actions items listed with each individual resource group. Clicking on this option launches a filtered Resources view applicable to the selected group.
- Delete and Edit Resource Groups
- Users can edit the name and description of a resource group by using the Edit icon (pencil) under Actions.
- Users can delete resource groups by selecting the Delete icon (trashcan) under Actions. (Appropriate permissions are required.)
Additional Resource Group Functionality
Some additional functionality that is associated with Resource Groups worth noting:
Cloud Service Provider "Resource Groups"
- InsightCloudSec also allows the Harvesting of Cloud Service Provider "Resource Groups". This capability is increasingly a cloud-native feature. The InsightCloudSec platform displays CSP-defined resource groups (and identifies them as such).
- For example, an Azure Resource Group will be marked with an Azure icon.
- Any InsightCloudSec-created Resource Groups will be displayed w/ an InsightCloudSec logo.
Curated Resources & Resource Groups
- This visibility also applies to "curation" (which is discussed below). Curated resources will only be added to InsightCloudSec Resource Groups; our system will not change the resources included in any CSP-specific resource groups.
Creating a Resource Group
Resource Groups can be created either from the "Resource Groups" landing page or from the Resources landing page.
Before you get started you will need to ensure that you have:
- A functioning InsightCloudSec platform installation
- The appropriate permissions (Domain Admin) to create a new Resource Group for your organization. To learn more about permissions refer to our Users, Groups, and Roles (Identity Management) or view a matrix of permissions through the User Entitlements Matrix
As always, if you have questions before you get started reach out to the team through the Customer Support Portal.
Creating a New Resource Group Starting with the "Resource Groups" Page
1. From Resource Groups page click on the "Create Resource Group" button to launch the modal.
2. Give the resource group a name and a description, and select "Ok".
3. Locate your new resource group (search for the name) on the Resource Groups landing page.
4. Click on the name of the Resource Group and select the "Resources" tab/button. From this view you will need to select Scopes and/or Query Filters to narrow/enable the selection of resources you want to include in the Resource Group.
5. Select the Category of Resources you want to include (Compute, Storage, Container, etc.), select a resource type (e.g. Database Analytics Workspace) and then select the specific resources to enable the "Add to resource group" option.
6. When the "Add to InsightCloudSec Resource Group" window appears select the resource group you want to add resources to (include dependencies if you desired) and select "Submit".
A dependency is any resource that is linked to another. As an example, a user creates a resource group that includes instances. Selecting 'include dependencies' will also include volumes and access lists in this resource group, since those resources are linked to instances.
7. Repeat the previous steps until you have selected all the resources you want to include in your resource group.
- Note: Resource Groups can include multiple resource types (storage buckets, instances, databases) from multiple resource categories (compute, network, container).
Creating a New Resource Group From the "Resources" Page
In some situations, a user may want to create a new resource group directly from the "Resources" page. To do this, complete the following steps:
1. Locate and select "Resources" from the main navigation.
2. Click on the category of resources you want to use and scroll down to the results section which lists the resources in this category.
3. Check the box for those resources you wish to add to your resource group and click the "Add to resource group" icon.
4. On the form that opens, click on the tab labeled "Create New" (the form defaults to "Add to Existing").
5. Create a new resource group by providing a "Name" and "Description" and selecting "Submit".
6. Add dependencies, if desired, and repeat the steps to add new resources until you have added all of the desired resources for your new resource group.
View Your New Resource Group Details
1. To view your new Resource Group, navigate to "Resource Groups" from the main menu.
2. Locate your Resource Group and click on the name to display an overview of the resources in the group. The individual Resource Group view includes three tabs (Overview, Resources, and Settings)
3. The Tabs for an individual Resource Group include:
- A percentage breakdown of your resource group by resource type
- A breakdown of resources in your group by region
- Opens a filtered Resources page view that displays the resources that are already scoped for your resource group.
- Allows you to revise the name, description, or "Delete Group" (with appropriate permissions)
Using Resource Groups
Resource groups are designed for scoping resources, Insights, and Bots. Resource groups can scope based on any number of criteria, including permissions, automation, and compliance. Only administrators can create resource groups.
Some examples of scoping include:
- A permission-based resource group, where an administrator can specify resources to narrow the visibility of resources that don't apply to certain users. For example, database admins don't need to see every instance or web server; they are only interested in viewing database resources.
- In an automation-based example, an administrator can use a resource group to only display resources that are monitored based on certain configured actions. Again, a resource group can be set up so that only database administrators can see where changes are being made to database resources.
Resource Group Curation
An additional resource group capability is referred to as "resource group curation". Bot actions (or automation) can be applied to resource groups for curation in one of two ways:
- To add resources to a resource group, or
- To curate a new resource group
Add to Resource Group
On occasion, users may want to use multiple Bots to add resources to a group. You can do this using the Bot action "Add To Resource Group".
- As the name implies, this action will only add resources to a group and will not automatically remove resources that no longer apply.
Curate Resource Group
InsightCloudSec includes a Bot action named "Curate Resource Group", which, when added to a Bot’s instruction set, assumes responsibility for maintaining the state of the resource group.
- This action can be used only as a one-to-one relationship between a single Bot and a single resource group.
- The Bot will automatically move resources in and out of the group as needed, based on the configured policy.
Example - Curating a Resource Group
In the following example, we show the steps required to create a sample resource group named
Production Resources. This group includes resources with the tag key “environment” and a tag value of “production”. The scope of the Bot will be set to look for appropriately tagged resources across Microsoft Azure, Amazon Web Services, and Google Compute Engine.
- Check out our documentation on BotFactory & Automation for additional details on working with Bots and automation.
Curation - Supported Resources
The Curate Resource Group action only supports resources displayed within the InsightCloudSec Platform.
1. Navigate to "Resource --> Resource Groups" create a new resource group. The example uses the name “Production Resources”.
2. Next, you will need to create a new Bot. Navigate to "Automation --> BotFactory". Click on the "Create Bot" button.
3. Enter the details for your new Bot.
- Provide a name, description, and category (in this example "Security").
- Configure the Bot's scope. The scope defines the resource(s) and cloud account(s) to be inspected.
- For this example, scope includes billable resource types--such as instances, database instances (e.g., AWS RDS), volumes, and snapshots--across three cloud accounts. Note: Choosing the "Select All Clouds" option configures the Bot to scan every configured cloud account.
4. Configure the Query Filters. For this example, the Bot uses a single Query Filter that inspects resource tags and looks for a single key
Environment with a single value
5. Configure the Bot's actions. The action used for this example is "Curate Resource". Select that action from the listing and then use the drop-down to select the desired group, "Production Resources".
6. Choose when the Bot will run. For this type of Bot, we recommend using a reactive setup wit "Resource Created" and "Resource Modified". This configures the Bot to act any time a new resource is configured in the cloud, or when its tags are modified.
To Run Your Bot Immediately
Bots are created in a paused state. This is done to allow you to review your Bot first--an InsightCloudSec best practice--before running your Bot.
You can review your Bot using the Bot Overview window (see Overview of Your Bot below). When you are ready to run your Bot, go to the Bot "Listing" tab, and select "Enable" from the action icon next to the name of your Bot. Then return to the action icon and select 'On-demand Scan'.
7. Save the Bot. Once done, you can perform a retroactive scan and, if you have resources that meet the configured filters, they should show up in the "Production Resources" group.
After familiarizing yourself with resource groups and viewing the information available here, why not check out more information on:
Exemptions (Insights) - InsightCloudSec's exemptions functionality is configured through Insights, In previous versions, InsightCloudSec offered the ability to exempt resources from Insight findings using the Resource Groups functionality. While this option worked well in certain scenarios, it did not provide a great overall user experience. The revised Exemptions functionality includes enhanced approval logic, expiration functionality, and bulk edit and delete capabilities for exempted resources.
Tag Explorer - The Tag Explorer feature of InsightCloudSec allows you to audit and identify resources that contain (or do not contain) tag keys. Effective tagging can help identify resources for automation activities.
Updated about 1 month ago