Discovery Guardrails

Overview

A Discovery control is responsible for identifying the instances of a particular resource type. Any resources that were not captured in the CMDB through the events AWS emits are picked up by Guardrails through the Discovery controls.

A Discovery control is run on the parent resource (e.g. an AWS Region) to periodically search for new target resources (e.g. S3 Buckets) and save them to the Guardrails CMDB.

Once discovered, the resource is then responsible for tracking changes to itself through the CMDB control.

The Resource Type AWS > SQS > Queue defines a Control AWS > SQS > Queue > Discovery with a target Resource Type of AWS > Region.

Policies to control Discovery

Discovery controls are enforced or skipped based on the associated CMDB policy.

The AWS > S3 > Bucket > Discovery control relies on the value of the AWS > S3 > Bucket > CMDB policy for its configuration. AWS > S3 > Bucket > CMDB may be set to `Skip` or `Enforce: Enabled`.

Discovery controls also use the Regions policy associated with the resource. If a resource's region is not in the Regions policy, the CMDB control should delete the resource from the CMDB (since we don't want to capture any resources in that region, we should also clean up).

The AWS > S3 > Bucket > Discovery control will search for S3 buckets in the regions specified in AWS > S3 > Bucket > Regions, and will add any buckets it finds to the CMDB as AWS > S3 > Bucket resources.
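The following is an added model of the behaviour described above, not Guardrails code: it replays the Discovery control (driven by the CMDB and Regions policies) and the per-resource CMDB control over a constructed inventory of S3 buckets. The `Bucket` type, the function names and the sample bucket and region values are all assumptions made for the illustration.

```python
"""Model of how the Discovery and CMDB controls interact (added illustration,
not Guardrails code; all names and sample data are constructed here)."""
from dataclasses import dataclass

# The two values the page gives for the AWS > S3 > Bucket > CMDB policy.
SKIP = "Skip"
ENFORCE_ENABLED = "Enforce: Enabled"


@dataclass(frozen=True)
class Bucket:
    """Constructed stand-in for an AWS > S3 > Bucket resource."""
    name: str
    region: str


def discover(region, live_buckets, cmdb_policy, regions_policy):
    """Discovery control run against one parent AWS > Region.

    Returns the buckets that would be saved to the CMDB. The control is
    skipped entirely unless the CMDB policy is Enforce: Enabled, and it only
    searches regions listed in the Regions policy.
    """
    if cmdb_policy != ENFORCE_ENABLED:
        return []
    if region not in regions_policy:
        return []
    return [b for b in live_buckets if b.region == region]


def cmdb_control(bucket, cmdb, cmdb_policy, regions_policy):
    """CMDB control run on one tracked bucket.

    Deletes the bucket from the CMDB when its region is no longer in the
    Regions policy, so resources in unwanted regions are cleaned up.
    Returns True when a deletion happened.
    """
    if cmdb_policy != ENFORCE_ENABLED:
        return False
    if bucket.region not in regions_policy and bucket.name in cmdb:
        del cmdb[bucket.name]
        return True
    return False


def reconcile(live_buckets, cmdb, cmdb_policy, regions_policy):
    """Run Discovery for every region in the Regions policy, then the CMDB
    control on every bucket currently tracked.

    `cmdb` maps bucket name -> Bucket and is updated in place.
    Returns (added names, removed names), each sorted.
    """
    added = []
    for region in regions_policy:
        for bucket in discover(region, live_buckets, cmdb_policy, regions_policy):
            if bucket.name not in cmdb:
                cmdb[bucket.name] = bucket
                added.append(bucket.name)

    removed = []
    for bucket in list(cmdb.values()):
        if cmdb_control(bucket, cmdb, cmdb_policy, regions_policy):
            removed.append(bucket.name)
    return sorted(added), sorted(removed)


# Constructed sample inventory: what actually exists in the account.
LIVE_BUCKETS = [
    Bucket("logs-use1", "us-east-1"),
    Bucket("data-usw2", "us-west-2"),
    Bucket("legacy-euw1", "eu-west-1"),
]
# Constructed Regions policy: eu-west-1 is deliberately not included.
REGIONS_POLICY = ["us-east-1", "us-west-2"]


def starting_cmdb():
    """Constructed CMDB state before the controls run: one bucket already
    tracked in an allowed region, one tracked in a region outside the policy."""
    return {
        "logs-use1": Bucket("logs-use1", "us-east-1"),
        "legacy-euw1": Bucket("legacy-euw1", "eu-west-1"),
    }


def run_enforced():
    cmdb = starting_cmdb()
    return reconcile(LIVE_BUCKETS, cmdb, ENFORCE_ENABLED, REGIONS_POLICY), cmdb


def run_skipped():
    cmdb = starting_cmdb()
    return reconcile(LIVE_BUCKETS, cmdb, SKIP, REGIONS_POLICY), cmdb


if __name__ == "__main__":
    (added, removed), cmdb = run_enforced()
    print("Enforce: Enabled -> added", added, "removed", removed, "tracked", sorted(cmdb))
    (added, removed), cmdb = run_skipped()
    print("Skip             -> added", added, "removed", removed, "tracked", sorted(cmdb))
```

With the policy enforced, the un-tracked `data-usw2` bucket is discovered and added, while `legacy-euw1` is removed because `eu-west-1` is outside the Regions policy; with the CMDB policy set to `Skip`, neither control changes the CMDB.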