Add Nodes in Bulk via AWS

Cloudhouse Guardian (Guardian) offers the ability to import nodes in bulk from a number of sources, including AWS, Azure, CSV files, and more. This topic describes how to add nodes in bulk by importing them into your Guardian instance via Amazon Web Services (AWS).

To add AWS nodes in bulk, you can choose to use an Existing integration, or Manually enter credentials for a temporary connection to the AWS source. For more information on each method, see below.

Note: Any existing nodes that are detected are not re-added to your Guardian instance. If any changes have occurred on the node since the last import, the existing node is updated accordingly.

Existing Integration

If you have set up a Guardian integration with AWS previously, you can use the existing credentials to authenticate Guardian’s access.

Dependencies

To import nodes in bulk via AWS, a Linux Connection Manager configured within your Guardian instance is required. For more information, see Linux Connection Manager.

To add nodes in bulk using an existing AWS integration, complete the following steps:

Warning: This method only supports Agentless scanning via a Connection Manager. The following process assumes that you already have a Connection Manager configured within your Guardian instance. For more information, see Connection Managers.

  1. In the Guardian web application, navigate to the Add Nodes tab (Inventory > Add Nodes).

  2. Click the AWS button. The Add Nodes via AWS page is displayed.

  3. Select the Existing integration radio button to display the following options:

    • AWS Integration credentials (drop-down list) – Existing AWS Integration credentials. Select an integration from the drop-down list to use its stored credentials for authentication. For more information on how to set up an integration to AWS, see AWS Integration.

    • Check things you want to detect (checkboxes) – The AWS service(s) whose nodes you want to add to Guardian for monitoring, for example ‘Auto Scaling Groups’. Select the checkbox for each service you want to detect. For more information on the AWS services supported by Guardian, see Supported AWS Services.

    • Ignore Ephemeral Nodes (checkbox) – Option to ignore ephemeral nodes. If selected, ephemeral nodes are not imported and not included in node scans.

    • Remove Ephemeral Nodes (checkbox) – Option to remove ephemeral nodes. If selected, ephemeral nodes are removed from the Guardian import list.

  4. Once you have set the correct values for each of the options displayed, click Sync Now to add the AWS nodes to your Guardian instance.

Once complete, any nodes that are detected within AWS are automatically added to the Detected tab (Inventory > Detected). Here, you can choose which nodes you'd like to promote to the Monitored tab (Inventory > Monitored) for regular scanning. For more information, see Detected Nodes.

Manually Enter Credentials

Alternatively, you can manually enter the credentials required to authenticate Guardian’s access to the specified AWS region(s). You can then (optionally) create an integration from those details to continuously sync Guardian with your AWS region(s). With an integration in place you do not have to re-import your node set after it changes, because Guardian automatically detects any new or updated nodes.

Dependencies

To import nodes in bulk via AWS, the following dependencies must be met:

  • Linux Connection Manager – Configured within your Guardian instance. For more information, see Linux Connection Manager.

  • AWS Scan User Account – Set up with the permissions required for scanning. For more information, see AWS Scan User Account.

  • Service Permissions – Permissions set for the service intended to be scanned. This is only required for adding a service node type. For more information, see Supported AWS Services.

To add nodes in bulk from AWS without using an existing integration, you can manually enter credentials by completing the following steps:

  1. In the Guardian web application, navigate to the Add Nodes tab.

  2. Click the AWS button. The Add Nodes via AWS page is displayed.

  3. Select the Manually enter credentials radio button to display the following options:

    • Connection manager group (drop-down list) – The Connection Manager group that is responsible for scanning your AWS node(s). Select a Connection Manager group from the drop-down list.

    • AWS access key (field) – The unique IAM access key identifier. For more information on how to source this, see AWS Scan User Account.

    • AWS secret key (field) – The secret access key that is required to sign the request. For more information on how to source this, see AWS Scan User Account.

    • AWS IAM role ARN (Optional) (field) – The Amazon Resource Name of the IAM role that the scan account assumes. For more information on how to source this, see AWS Scan User Account.

    • Enable Multi-Account Detection (checkbox) – Option to enable multi-account detection. If selected, discovery across multiple accounts using one set of credentials is enabled. For more information on this feature, contact your Cloudhouse Representative.

    • AWS Regions (Optional) (field) – The region(s) your AWS account is using. The region is displayed in your AWS Console login URL, for example 'https://console.aws.amazon.com/console/home?region=us-west-1'.

    • Create An Integration (checkbox) – Option to store the credentials and create an AWS integration that checks for nodes in your AWS environment every two hours. For more information, see Job Schedule (Control > Job Schedule).

      Note: If you choose to Create An Integration, the integration is added to the Integrations tab (Control > Integrations); see AWS Integration for more information. Any nodes that are detected in your environment are then added to the Detected tab for processing. For more information, see Detected Nodes.

      If selected, the AWS integration name and Automatically start monitoring and scanning detected nodes options are displayed.

    • AWS integration name (field) – The display name for the AWS integration. Once created, the integration is displayed in the Integrations tab.

      Note: This field is only displayed if the Create An Integration checkbox is selected.

    • Automatically start monitoring and scanning nodes (checkbox) – Option to automatically start monitoring and scanning your nodes once the AWS integration has been created. If selected, the imported nodes are automatically added to the Monitored tab for regular scanning. Here, you can apply policies, create node groups, and schedule regular scans. For more information, see Monitored Nodes.

      If not selected, the nodes are added to the Detected tab for processing. To monitor the detected nodes, you must move them to the Monitored tab. For more information, see Nodes.

      Note: This option is only displayed if the Create An Integration checkbox is selected.

    • Check things you want to detect (checkboxes) – The AWS service(s) whose nodes you want to add to Guardian for monitoring, for example ‘Auto Scaling Groups’. Select the checkbox for each service you want to detect. For more information on the AWS services supported by Guardian, see Supported AWS Services.

    • Ignore Ephemeral Nodes (checkbox) – Option to ignore ephemeral nodes. If selected, ephemeral nodes are not imported and not included in node scans.

    • Remove Ephemeral Nodes (checkbox) – Option to remove ephemeral nodes. If selected, ephemeral nodes are removed from the Guardian import list.

  4. Once you have set the correct values for each of the options displayed, click Discover Nodes to add the AWS nodes to your Guardian instance.

Once complete, any nodes that are detected within AWS are automatically added to the Detected tab. Here, you can choose which nodes you'd like to promote to the Monitored tab for regular scanning. For more information, see Detected Nodes.
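The manual-credentials form above asks for an access key, a secret key, an optional IAM role ARN and optional regions, and tells you to read the region from the console login URL. The following Python script is an added example, not part of the Guardian product or this page, that pre-checks those four inputs for the formats AWS documents (20-character AKIA/ASIA access key IDs, 40-character secret keys, arn:<partition>:iam::<account>:role/<name> role ARNs, region names such as us-west-1) and extracts the region from a console URL, so a typo is caught before the credentials are stored in an integration. The function names, the regular expressions and the sample values (AWS's published example key pair, a made-up account ID and role name) are all assumptions constructed for the example; the script never prints or logs the secret key.

```python
import re
from typing import List, Optional, Sequence
from urllib.parse import parse_qs, urlparse

# Hypothetical format checks (assumptions for this example, not Guardian's own validation).
# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA; both are 20 chars.
ACCESS_KEY_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
# IAM role ARN: partition, 12-digit account ID, role name (path segments allowed).
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/[\w+=,.@/-]+$")
# Region names look like us-west-1, ap-southeast-2, us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")
SECRET_KEY_LENGTH = 40


def region_from_console_url(url: str) -> Optional[str]:
    """Return the ?region= value of an AWS console login URL, or None if absent/malformed."""
    values = parse_qs(urlparse(url).query).get("region")
    if not values:
        return None
    region = values[0]
    return region if REGION_RE.match(region) else None


def redact_access_key(access_key: str) -> str:
    """Render an access key ID safely for logs: only the last four characters survive."""
    return "*" * max(len(access_key) - 4, 0) + access_key[-4:]


def validate_manual_credentials(
    access_key: str,
    secret_key: str,
    role_arn: Optional[str] = None,
    regions: Sequence[str] = (),
) -> List[str]:
    """Return a list of problems with the form inputs; an empty list means they look well-formed.

    Messages mention the redacted access key only, never the secret key.
    """
    errors: List[str] = []
    if not ACCESS_KEY_RE.match(access_key):
        errors.append(
            f"access key {redact_access_key(access_key)}: must be 20 characters "
            "starting with AKIA (long-term) or ASIA (temporary)"
        )
    if len(secret_key) != SECRET_KEY_LENGTH:
        errors.append(f"secret key: expected {SECRET_KEY_LENGTH} characters, got {len(secret_key)}")
    if role_arn is not None and not ROLE_ARN_RE.match(role_arn):
        errors.append(f"role ARN {role_arn!r}: expected arn:aws:iam::<12-digit-account>:role/<name>")
    for region in regions:
        if not REGION_RE.match(region):
            errors.append(f"region {region!r}: not a recognised AWS region name")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs: AWS's documented example key pair plus a made-up role ARN.
    console_url = "https://console.aws.amazon.com/console/home?region=us-west-1"
    region = region_from_console_url(console_url)
    problems = validate_manual_credentials(
        access_key="AKIAIOSFODNN7EXAMPLE",
        secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        role_arn="arn:aws:iam::123456789012:role/GuardianScanRole",
        regions=[region] if region else [],
    )
    print("region from console URL:", region)
    print("problems:", problems or "none")
```

Run the script as-is to see the happy path; feeding it a mistyped key or an S3 ARN in the role field returns one message per bad input rather than silently creating an integration that fails its first two-hourly sync.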