AWS Autodiscovery

Device42’s AWS Autodiscovery gives you full visibility into your AWS environments. This visibility gives you insight into your total AWS consumption, allowing you to optimize spend and the services consumed. We are adding new discoveries all the time, specifically based on customer need.

Getting Started with AWS Autodiscovery

To create an AWS Autodiscovery job, you will need to:

  1. Prepare your AWS Account – you can use the policy example shown below.
  2. Device42 utilizes your AWS Access Key and Secret Key to perform discovery; please have these handy.

Note: Device42 encourages customers to follow AWS best practices for managing IAM credentials: create a dedicated IAM user (or role) for discovery, grant it only the read-only permissions shown in the policy example below (principle of least privilege), rotate its access keys regularly, and never use root account access keys.

For more information, see the article Best Practices for Managing AWS Access Keys at https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html.

Initiating an AWS Discovery

  • Select Discovery > Cloud from the main menu and then click Add Cloud Autodiscovery at the top right of the Cloud Autodiscovery list page.
  • Enter a Name for the job.
  • Select the Cloud Type > Amazon AWS from the drop-down menu.
  • Select the Remote Collector for the job.
  • Add your Amazon Access Key ID and your Secret Key for the account(s) to be discovered. (Do this by clicking the magnifying glass, and then clicking Add Password in the upper right corner. Enter your Access Key ID or Secret Key in the field labeled Password.  Device42 will store the keys encrypted.)
  • Select Discover Main Account to have the job discover the main AWS account (the one the access keys belong to) in addition to any accounts reached through the AWS Roles you select.
  • Select the Available AWS Roles whose account(s) you want to discover and use the arrow to add them to the Chosen AWS Roles list.

Note: See Add/Edit AWS Roles below for instructions on creating the AWS Roles that Device42 displays for AWS cloud autodiscovery jobs.

  • Choose one or more Amazon regions to search.
  • You can also select options for adding vendor metadata, choose how to handle instances not found in subsequent discovery runs, select device name format options, add tags for discovered devices, etc.
  • Check Kubernetes Discovery to discover Kubernetes clusters hosted on your cloud platform.
  • Add object categories, tags, and a customer for discovered devices, etc.
  • Scroll down the page and click the Advanced Features (Show) tab to select the different types of resources you want the job to discover (Route53, S3, EBS, Databases, etc.).
  • Add an Autodiscovery Schedule to schedule the job if wanted or add Admin Groups for the job.
  • Click Save or Save and continue editing to save the discovery job.
  • When you return to the Cloud Discovery list page, you can click Run Now to run the job immediately.

AWS Discovery Items

Note that some Discovery items require enabling the corresponding feature under Advanced Features and cannot be discovered otherwise. The Accessed API column lists the AWS endpoints the Remote Collector must be able to reach over HTTPS for that item; use it when allow-listing the collector's outbound traffic.

Cloud Service/Object Name | Where to locate in D42 | Accessed API | Information Generated
--- | --- | --- | ---
DynamoDB | Resources –> All Resources | dynamodb._region_.amazonaws.com | Backup details, contributor insights, tables, limits, etc.
EC2 Instances | Resources –> All Devices | ec2._region_.amazonaws.com | Service name, instance ID, status, location, etc.
Elastic Block Storage (EBS) | Resources –> All Devices | Same as EC2 | Lists, rules, tags, etc.
ElastiCache Nodes | Resources –> All Devices | elasticache._region_.amazonaws.com | Account info, status, location, etc.
Elastic Load Balancer | Resources –> All Devices | elasticloadbalancing._region_.amazonaws.com | Attributes, description, rules, tags, target groups, etc.
Lambda | Resources –> All Resources | lambda._region_.amazonaws.com | Name, ARN, code size, memory, runtime, etc.
Kubernetes (EKS) | Resources –> All Resources | eks._region_.amazonaws.com | Containers, nodes, clusters, etc.
RDS Instances | | rds._region_.amazonaws.com | Account info, status, location, etc.
Redshift | Resources –> All Resources | redshift._region_.amazonaws.com | Backup details, contributor insights, tables, limits, etc.
Route 53 | | route53.amazonaws.com | Type, content, tags, etc.
S3 | | *.s3._region_.amazonaws.com, s3._region_.amazonaws.com, *.s3.amazonaws.com, s3.amazonaws.com | 
Subnets | Network –> Subnets | | 

Additional Endpoint Information

Regular Discovery

K8s cluster endpoints (access to these is governed by the cluster's RBAC configuration, not by the IAM policy):

  • /api/v1/namespaces/kube-system
  • /api/v1/nodes?watch=False
  • /api/v1/services?watch=False
  • /apis/apps/v1/deployments?watch=False OR /apis/extensions/v1beta1/deployments?watch=False (depends on the Kubernetes version)
  • /apis/networking.k8s.io/v1beta1/ingresses?watch=False OR /apis/extensions/v1beta1/ingresses?watch=False (depends on the Kubernetes version)

Note: the extensions/v1beta1 Deployment API was removed in Kubernetes 1.16, and both v1beta1 Ingress APIs were removed in Kubernetes 1.22 in favor of networking.k8s.io/v1. On clusters newer than that, the v1beta1 paths above return 404, so confirm that the Device42 release you run supports the API groups your cluster serves.

Example of a minimum IAM policy. (It does not cover the K8s cluster endpoints, which are controlled by the cluster's RBAC.) Every action is a read-only Describe/List/Get call on Resource "*"; note that logs:GetLogEvents and cloudwatch:GetMetricStatistics permit reading CloudWatch log content and metric data, not just inventory, so scope them further if that is more than you want the discovery credential to read.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm:DescribeCertificate",
                "acm:List*",
                "dynamodb:DescribeLimits",
                "dynamodb:ListTables",
                "dynamodb:ListGlobalTables",
                "dynamodb:DescribeTable",
                "dynamodb:DescribeGlobalTable",
                "lambda:List*",
                "lambda:GetFunction",
                "lambda:GetAccountSettings",
                "organizations:ListRoots",
                "organizations:ListAccountsForParent",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:DescribeAccount",
                "autoscaling:Describe*",
                "logs:DescribeLogStreams",
                "route53:ListHostedZones",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*",
                "route53:ListTagsForResource",
                "cloudwatch:ListMetrics",
                "elasticache:Describe*",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeAccessPoints",
                "elasticfilesystem:DescribeAccountPreferences",
                "elasticfilesystem:DescribeMountTargets",
                "ec2:Describe*",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "redshift:DescribeClusters",
                "redshift:DescribeReservedNodes",
                "s3:ListAllMyBuckets",
                "route53:ListResourceRecordSets",
                "logs:GetLogEvents",
                "elasticloadbalancing:Describe*",
                "eks:ListClusters",
                "eks:DescribeCluster"
            ],
            "Resource": "*"
        }
    ]
}
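Before handing a policy to Device42, it is worth checking offline that it actually grants what discovery calls and is no wider than that. The script below is an added example (not Device42 code); it applies IAM's action-matching rules (case-insensitive, `*`/`?` wildcards, explicit Deny wins) to a policy document and reports required actions that are missing and Allow entries that are broader than a read-only discovery credential needs. The REQUIRED_ACTIONS list is an assumption about which concrete API actions sit behind the Describe*/List* wildcards in the policy above, and SAMPLE_POLICY is a constructed, abridged copy of that policy.

```python
import fnmatch
import json

# Concrete API actions assumed to underlie the Describe*/List* wildcards in the
# page's policy (an assumption; extend the list to match what your Device42
# release actually calls).
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSubnets",
    "rds:DescribeDBInstances", "rds:ListTagsForResource",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticache:DescribeCacheClusters",
    "dynamodb:ListTables", "dynamodb:DescribeTable",
    "lambda:ListFunctions", "lambda:GetFunction",
    "redshift:DescribeClusters",
    "route53:ListHostedZones", "route53:ListResourceRecordSets",
    "s3:ListAllMyBuckets",
    "eks:ListClusters", "eks:DescribeCluster",
]

# Constructed sample: an abridged copy of the page's example policy.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:Describe*", "rds:Describe*", "rds:ListTagsForResource",
      "elasticloadbalancing:Describe*", "elasticache:Describe*",
      "dynamodb:ListTables", "dynamodb:DescribeTable",
      "lambda:List*", "lambda:GetFunction", "redshift:DescribeClusters",
      "route53:ListHostedZones", "route53:ListResourceRecordSets",
      "s3:ListAllMyBuckets", "eks:ListClusters", "eks:DescribeCluster"
    ],
    "Resource": "*"
  }]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action):
    """True if `action` is granted on Resource "*" by an unconditional Allow
    statement and not matched by any Deny (an explicit Deny always wins; a
    Deny is treated as blocking whatever its Resource). Statements that use
    NotAction or carry a Condition are not counted as grants (conservative)."""
    allowed = False
    for st in _as_list(policy.get("Statement")):
        if not any(_action_matches(p, action) for p in _as_list(st.get("Action"))):
            continue
        if st.get("Effect") == "Deny":
            return False
        if (st.get("Effect") == "Allow" and "Condition" not in st
                and "*" in _as_list(st.get("Resource"))):
            allowed = True
    return allowed


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant, in the order listed."""
    return [a for a in required if not action_allowed(policy, a)]


def excess_wildcards(policy):
    """Allow entries wider than discovery needs: '*' or a whole service ('ec2:*')."""
    return [a for st in _as_list(policy.get("Statement"))
            if st.get("Effect") == "Allow"
            for a in _as_list(st.get("Action"))
            if a == "*" or a.endswith(":*")]


if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))    # []
    print("too wide:", excess_wildcards(SAMPLE_POLICY))  # []
```

Run it against the policy you intend to attach (load the JSON from a file in place of SAMPLE_POLICY). An empty "missing" list plus an empty "too wide" list is what you want; anything in "too wide" (for example an `ec2:*` someone added while troubleshooting) grants write access a discovery credential should never hold.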

Add/Edit AWS Roles

Device42 includes an editor you can use to define or edit the AWS Roles displayed for Amazon AWS cloud autodiscovery jobs. Follow the steps below to view and add AWS Roles.

  • Select Resources > Secrets > AWS Roles from the main menu.
  • Device42 displays the AWS Roles list page. Use the AWS Role drop-down to select a role to display or click Advanced to construct more specific searches. See the Advanced Search Feature documentation page for instructions.
  • Click Add at the top right to add a new role – click a role Name to view or edit that role.
  • Enter a Name for the role.
  • Enter the AWS Role label and an optional AWS Role Description.
  • In the Account ID and External ID section, click + Add More.
  • Add the role Account ID and the External ID – click the eye icon to show or hide the field. Click the trash can icon to remove the entries.
  • Click Save at the top right of the page to save the role.

Device42 adds the new AWS Role to the roles list; it will also appear in the Available AWS Roles list when you create or edit an Amazon AWS cloud autodiscovery job.
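On the AWS side, the Account ID and External ID entered above correspond to a role in the account to be discovered whose trust policy names the account the job's access keys belong to and requires that External ID on every sts:AssumeRole call (the condition that protects against the confused-deputy problem). The script below is an added example, not Device42 code: it builds such a trust policy and audits an existing one for a missing External ID condition. The account IDs, role name and External ID are placeholders (assumptions); the check function follows IAM trust-policy semantics and runs offline.

```python
import fnmatch
import json

# Placeholders (assumptions): the account whose access keys the discovery job
# uses, the account to be discovered through the role, the role's name, and
# the External ID entered in Device42's AWS Role editor.
DEVICE42_ACCOUNT_ID = "111111111111"
TARGET_ACCOUNT_ID = "222222222222"
ROLE_NAME = "Device42Discovery"
EXTERNAL_ID = "d42-discovery-7f3a9c"


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(trusted_account_id, external_id):
    """Trust policy for the role in the target account: only principals in
    `trusted_account_id` may assume it, and only when they present
    `external_id` via the sts:ExternalId condition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def external_id_enforced(trust_policy, trusted_account_id):
    """Audit a trust policy. True only if at least one Allow statement lets
    `trusted_account_id` assume the role and every such statement (including
    a wide-open Principal "*") requires a non-empty sts:ExternalId."""
    found = False
    for st in _as_list(trust_policy.get("Statement")):
        actions = _as_list(st.get("Action"))
        if st.get("Effect") != "Allow" or not any(
                fnmatch.fnmatchcase("sts:assumerole", a.lower()) for a in actions):
            continue
        principal = st.get("Principal")
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if not any(p == "*" or trusted_account_id in p for p in principals):
            continue
        found = True
        ext = (st.get("Condition") or {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            return False  # this path into the role skips the External ID check
    return found


def role_arn(account_id, role_name):
    """ARN the discovery credential must be allowed to call sts:AssumeRole on."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


if __name__ == "__main__":
    policy = build_trust_policy(DEVICE42_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("external id enforced:", external_id_enforced(policy, DEVICE42_ACCOUNT_ID))  # True
    print("role ARN:", role_arn(TARGET_ACCOUNT_ID, ROLE_NAME))
```

Attach the read-only discovery policy from the previous section as the role's permissions policy, and make sure the IAM identity behind the job's access keys is allowed sts:AssumeRole on the role ARN printed above. A trust statement that trusts the Device42 account without an sts:ExternalId condition is the case `external_id_enforced` flags: anyone who can obtain those keys could then assume the role without knowing the External ID configured in Device42.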


Amazon API Autodiscovery

Amazon API Discovery Items

Cloud Service/Object Name | Where to locate in D42 | Accessed API | Information Generated
--- | --- | --- | ---
EC2 Instances | Devices –> All Devices | | Service name, instance ID, OS platform, image ID, status, etc.

When discovering your Amazon Cloud via the Amazon API, Device42 authenticates against the API URL with your AWS API Access Key and Secret Key. To create a discovery job, please ensure you have these available. You can find or generate new AWS API access keys via the AWS Console –> UserName Menu –> “My Security Credentials”. Expand the “Access keys (access key ID and secret access key)” item, and click “Create New Access Key” (or reference an existing one).

  1. Begin by setting Cloud Type: ‘Amazon AWS’ via the dropdown.
  2. Enter a ‘Name’ for your Amazon AWS API discovery job.
  3. Enter the ‘URL’ of the AWS API endpoint you are targeting, including the port if necessary – for URLs and other information on AWS API endpoints, reference the “Endpoints” section of the AWS API documentation.
  4. Add your AWS API Key ID to the “Account ID” field, followed by the corresponding Amazon Secret Key in the “Secret Key” field for the account to be discovered. Both values are added to Device42 as separate ‘password’ entries, using the same procedure as adding a new password:
    • Click the magnifying glass to bring up the credential selection screen.
    • Click the ‘Add Password’ button in the upper right-hand corner.
    • Enter your Access Key ID in the field labeled “Password:” (the Username field is not used by cloud discoveries) and click “Save”.
    Repeat the process and add a second entry for your Secret Key. Device42 stores these values encrypted; if desired, you may also set access permissions on your AWS credentials.
  5. In the Region: box, enter the region you are targeting, e.g. us-east-1.
  6. Set a discovery schedule if desired; Save and run your AWS API discovery!

Options for AWS API Discovery:

  • Action for Instance not found: Choose how Device42 will handle the situation of an instance that was previously discovered not being found on subsequent discovery runs. Change Status will update the instance’s status, while “Delete Instance” will delete the missing instance. The best choice for you depends on how you manage your infrastructure.
  • Strip Domain Name: Strips the domain name (everything after the first period) from the name as discovered before storing in Device42
  • Object category for discovered devices: Choose a category to assign to discovered devices
  • Overwrite existing object categories: Select this option to overwrite any previously assigned categories with the current selection