Discovery Guardrails
Overview
The Discovery control is tasked with identifying instances for a particular
resource. If there are any resources that are not captured in the CMDB as part
of the events that AWS triggers, Guardrails will capture them through the Discovery
controls.
A Discovery control is run on the parent resource (e.g. an AWS Region) to periodically search for new target resources (e.g. S3 Buckets) and save them to the Guardrails CMDB.
Once discovered, the resource is then responsible for tracking changes to itself through the CMDB control.
AWS > SQS > Queue defines a Control AWS > SQS > Queue > Discovery with a target Resource Type of AWS > Region.Policies to control Discovery
Discovery controls are enforced or skipped based on the associated CMDB policy.
AWS > S3 > Bucket > Discovery control relies on the value of the AWS > S3 > Bucket > CMDB policy for its configuration. AWS > S3 > Bucket > CMDB may be set to `Skip` or `Enforce: Enabled`Discovery controls also use the Region policy associated with the resource. If
region is not in Regions policy, the CMDB control should delete the resource
from the CMDB (since we don’t want to capture any resources in that region, we
should also cleanup).
AWS > S3 > Bucket > Discovery control will search for S3 buckets in a the regions specified in AWS > S3 > Bucket > Regions, and will add any buckets it finds to the CMDB as AWS > S3 > Bucket resources.