Amazon Web Services (AWS) Node

Once a Connection Manager has been set up, you can add nodes for Agentless scanning and monitoring. Cloudhouse Guardian (Guardian) supports two types of AWS nodes for Agentless scanning: service and instances. The following topic describes how to add an AWS node to your instance for monitoring. To access information about the supported services that have been tested by object and node type, see Supported AWS Services.

Note: Additionally, you can import AWS nodes in bulk rather than individually, as the below process describes. For more information, see Add Nodes in Bulk via AWS.

AWS Node Types

Guardian supports two main types of AWS nodes:

  • Service – Service nodes provide high-level information and basic configuration data about all your EC2 assets in one scan. For example, the scan results of an AWS EC2 service node return a list of all the EC2 instances, as well as a list of other EC2-related assets, such as load balancers and security groups.

  • Instance – Instance nodes provide more detail on specific EC2 instances, such as buckets, load balancers, and services. For example, the scan results of an AWS EC2 Instance node return more in-depth configuration information, particularly around linked assets.

The method of adding both AWS node types is the same, but the output varies according to the individual node type.

Dependencies

To add an AWS node, the following dependencies must be met:

  • Linux Connection Manager – Set up in Guardian. For more information, see Linux Connection Manager.

  • AWS Scan User Account – Set up with the permissions required for scanning. For more information, see AWS Scan User Account.

  • Service Permissions – Permissions set for the service intended to be scanned. This is only required for adding a service node type. For more information, see Supported AWS Services.

Add an AWS Node

Adding an AWS node to your Guardian instance lets you monitor and track the configuration of an AWS resource.

Note: This process describes how to add AWS service and instance node types. The steps required and fields displayed are the same, except for the [Node Type] Name field. This field label changes depending on the node type you select.

To add an AWS node for Agentless scanning, complete the following steps:

  1. In the Guardian web application, navigate to the Add Nodes tab (Inventory > Add Nodes). The Add Nodes page is displayed.

  2. Type 'AWS' in the search bar.

  3. Select the 'AWS' node type you want to add and click the Go Agentless button to proceed. The Connect Agentlessly to [Node Type] page is displayed.

  4. Here, complete the following options:

    • Connection Manager group drop-down list – The Connection Manager group that is responsible for scanning your AWS node. Select a Connection Manager group from the drop-down list.

    • [Node Type] Name field – The name of the node. The value you enter here is used as the display name in Guardian.

      Note: The name of this field changes depending on the node type you selected. For example, for an 'AWS S3 Bucket' node, this field is labeled 'S3 Bucket Name'.

    • IAM [Node Type] ID field – The unique identifier of the IAM node type you selected (role, policy, user, or group). The value you enter here is used to identify and display the node in Guardian. The name of this field changes depending on the node type you select. For example, for an 'AWS IAM Role' node, this field is labeled 'IAM Role ID'.

      Warning: This option is only available if you selected the 'AWS IAM Role, Policy, User, or Group' type.

      Tip: This field was introduced in V5.41.0 of Guardian. For more information, see March 2025 Monthly Release.

    • AWS region field – The region your AWS account is using. This is displayed as the region parameter in your AWS Console login URL. For example, 'https://console.aws.amazon.com/console/home?region=us-west-1'.

    • AWS access key field – The unique identity and access management (IAM) access key identifier. For more information on how to source this, see AWS Scan User Account.

    • AWS secret key field – The secret access key that is required to sign the request. For more information on how to source this, see AWS Scan User Account.

    • AWS IAM role ARN (Optional) field – The Amazon Resource Name (ARN) of the role that the IAM account assumes for scanning. For more information on how to source this, see AWS Scan User Account.

    • HTTP Proxy (Optional) field – The hostname and port of the HTTP proxy that is used to connect to AWS. For example, 'my.proxy.hostname:8080'. This field is only required if your Connection Manager uses an HTTP proxy to connect to AWS.

  5. Once you've completed the above options, click Scan Node to add the AWS node to your Guardian instance.
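A typo in any of the fields above (a region code in the wrong format, a scheme pasted into the proxy field, a truncated role ARN) only surfaces later as a failed initial scan on the Job History page. The following Python script is an added example, not Guardian's own code: it checks the shape of each value before it is entered into the form, and extracts the region from a Console URL the way the AWS region field describes. The regular expressions encode AWS's published formats for region codes, long-term access key IDs and IAM role ARNs; the node name, role ARN and proxy are constructed sample values, and the key pair is the placeholder pair from AWS's own documentation, not a real credential. The script never prints or logs the secret key, only whether it is well-formed.

```python
"""Pre-flight checks for the values entered on the Connect Agentlessly page.

Added example (not Guardian's own code). Validates the *shape* of each field
so that a typo is caught before the node is added, rather than surfacing as
a failed initial scan on the Job History page. It does not call AWS.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# AWS region codes: "us-west-1", "eu-central-2", "us-gov-west-1".
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")
# Long-term IAM access key IDs are 20 uppercase alphanumerics starting "AKIA".
ACCESS_KEY_RE = re.compile(r"^AKIA[A-Z0-9]{16}$")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")
# IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path/name>.
ROLE_ARN_RE = re.compile(r"^arn:aws(-[a-z-]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")
# The proxy field wants "hostname:port" with no scheme (as the form's example shows).
PROXY_RE = re.compile(r"^(?!https?://)[A-Za-z0-9.-]+:(\d{1,5})$")

PROXY_MSG = "proxy must be hostname:port without a scheme, e.g. my.proxy.hostname:8080"


@dataclass
class AwsNodeForm:
    """The values you intend to type into the Connect Agentlessly page."""
    node_name: str
    region: str
    access_key: str
    secret_key: str
    role_arn: str = ""    # optional field
    http_proxy: str = ""  # optional field


def region_from_console_url(url: str) -> Optional[str]:
    """Return the 'region' query parameter of an AWS Console URL, or None if absent."""
    values = parse_qs(urlparse(url).query).get("region")
    return values[0] if values else None


def validate_form(form: AwsNodeForm) -> List[str]:
    """Return a list of problems; an empty list means every value is well-formed."""
    problems: List[str] = []
    if not form.node_name.strip():
        problems.append("node name is empty")
    if not REGION_RE.match(form.region):
        problems.append(f"region {form.region!r} is not a lowercase region code (e.g. us-west-1)")
    if not ACCESS_KEY_RE.match(form.access_key):
        problems.append("access key does not look like an IAM access key ID (AKIA + 16 characters)")
    if not SECRET_KEY_RE.match(form.secret_key):
        # Only the length and alphabet are checked; the value itself is never echoed.
        problems.append("secret key is not a 40-character access key secret")
    if form.role_arn and not ROLE_ARN_RE.match(form.role_arn):
        problems.append(f"role ARN {form.role_arn!r} is malformed")
    if form.http_proxy:
        match = PROXY_RE.match(form.http_proxy)
        if not match or not 1 <= int(match.group(1)) <= 65535:
            problems.append(PROXY_MSG)
    return problems


if __name__ == "__main__":
    # Constructed sample values; the key pair is AWS's documented placeholder, not a real credential.
    console_url = "https://console.aws.amazon.com/console/home?region=us-west-1"
    sample = AwsNodeForm(
        node_name="prod-ec2-service",
        region=region_from_console_url(console_url) or "",
        access_key="AKIAIOSFODNN7EXAMPLE",
        secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        role_arn="arn:aws:iam::123456789012:role/GuardianScanRole",
        http_proxy="my.proxy.hostname:8080",
    )
    for line in validate_form(sample) or ["all fields are well-formed"]:
        print(line)
```

Run it with your own values substituted into the sample form; an empty problem list means the values are at least the right shape, which is the point at which it is worth clicking Scan Node. The check is deliberately offline so it can run on any workstation without the scan credentials ever leaving it.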

Guardian now performs an initial scan of the node. You can wait on this page for the scan to finish, at which point a View Scan button is displayed; click View Scan to view the results of this initial scan. Alternatively, you can navigate elsewhere while Guardian performs the initial scan and check its status on the Job History page (Inventory > Job History). For more information on what to do next after adding a node, see below.

Next Steps

Once you've added nodes to Guardian, there are a few next steps you can take to get the most out of Guardian and the data it collects. Refer to the topics below for more information on where to go from here.

  • Node Scan Results – View and filter the data collected by Guardian every time a node is scanned.

  • Node Groups – Group nodes together based on similar properties like node type, location, and more.

  • Scan Options – Customize what is scanned on a given node during a node scan.

  • Configuration Differencing – View differences between two nodes, a group of nodes, two scans of the same node, and more.

  • Policies – Define expected configuration states and apply them to nodes or node groups.

  • Integrations – Bring together different systems, applications, or components to work as a unified view and perform different tasks.