Discovery Guardrails
Overview
The Discovery control is tasked with identifying instances of a particular resource type. If any resources are not captured in the CMDB through the events that AWS triggers, Guardrails will capture them through the Discovery controls.

A Discovery control is run on the parent resource (e.g. an AWS Region) to periodically search for new target resources (e.g. S3 Buckets) and save them to the Guardrails CMDB. Once discovered, the resource is then responsible for tracking changes to itself through the CMDB control.

For example, AWS > SQS > Queue defines a control AWS > SQS > Queue > Discovery with a target resource type of AWS > Region.

Policies to control Discovery
Discovery controls are enforced or skipped based on the associated CMDB policy. For example, the AWS > S3 > Bucket > Discovery control relies on the value of the AWS > S3 > Bucket > CMDB policy for its configuration; AWS > S3 > Bucket > CMDB may be set to `Skip` or `Enforce: Enabled`.

Discovery controls also use the Regions policy associated with the resource. If a resource's region is not in the Regions policy, the CMDB control should delete the resource from the CMDB (since we don't want to capture any resources in that region, we should also clean up).

The AWS > S3 > Bucket > Discovery control will search for S3 buckets in the regions specified in AWS > S3 > Bucket > Regions, and will add any buckets it finds to the CMDB as AWS > S3 > Bucket resources.
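The following is an added example, not Guardrails' own code, that models the Discovery and CMDB control behaviour described above so the interaction between the CMDB policy and the Regions policy can be checked offline. The AWS API is replaced by a constructed dict of buckets per region, and the example assumes that a `Skip` value on the CMDB policy skips both discovery and the CMDB control's cleanup.

```python
from dataclasses import dataclass, field

# Constructed sample of what the cloud account actually contains, keyed by
# region. In Guardrails the Discovery control would query the AWS API for
# each region; here this dict stands in for that API so the example runs offline.
CLOUD_BUCKETS = {
    "us-east-1": ["logs-east", "data-east"],
    "eu-west-1": ["logs-eu"],
    "ap-south-1": ["scratch-ap"],
}


@dataclass
class Cmdb:
    """Minimal stand-in for the Guardrails CMDB: bucket name -> region."""
    buckets: dict = field(default_factory=dict)


def run_discovery(cmdb, cmdb_policy, regions_policy, cloud=CLOUD_BUCKETS):
    """Model of AWS > S3 > Bucket > Discovery, which runs on the parent Region.

    'Skip' does nothing; 'Enforce: Enabled' searches only the regions listed in
    the Regions policy and records any bucket not already in the CMDB.
    Returns the names of the buckets that were added.
    """
    if cmdb_policy != "Enforce: Enabled":
        return []
    added = []
    for region in regions_policy:
        for name in cloud.get(region, []):
            if name not in cmdb.buckets:
                cmdb.buckets[name] = region
                added.append(name)
    return added


def run_cmdb_control(cmdb, cmdb_policy, regions_policy):
    """Model of the per-resource CMDB control's cleanup step.

    A bucket whose region is no longer in the Regions policy is removed from
    the CMDB. Assumption: a 'Skip' CMDB policy also skips this cleanup.
    Returns the names of the buckets that were deleted.
    """
    if cmdb_policy != "Enforce: Enabled":
        return []
    deleted = [n for n, r in cmdb.buckets.items() if r not in regions_policy]
    for name in deleted:
        del cmdb.buckets[name]
    return deleted
```

Running discovery with `["us-east-1", "eu-west-1"]` and then narrowing the Regions policy to `["us-east-1"]` shows the cleanup: `logs-eu` is added on the first pass and deleted by the CMDB control on the second.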