Device42’s AWS Autodiscovery gives you full visibility into your AWS environments. This visibility gives you insight into your total AWS consumption, allowing you to optimize spend and the services you consume. We are adding new discoveries all the time, specifically based on customer need.
Getting Started with AWS Autodiscovery
To create an AWS Autodiscovery job, you will need to:
- Prepare your AWS Account – you can use the policy example shown below.
- Device42 utilizes your AWS Access Key and Secret Key to perform discovery; please have these handy.
Note: Device42 encourages customers to follow AWS best practices for managing IAM credentials, including creating the access keys for a dedicated IAM user rather than the account root, rotating access keys regularly, and applying the principle of least privilege to the user that owns them (the minimum policy below is read-only for exactly this reason).
For more information, see the article Best Practices for Managing AWS Access Keys at https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html.
Initiating an AWS Discovery
- Select Discovery > Cloud from the main menu and then click Add Cloud Autodiscovery at the top right of the Cloud Autodiscovery list page.
- Enter a Name for the job.
- Select the Cloud Type > Amazon AWS from the drop-down menu.

- Select the Remote Collector for the job.
- Add your Amazon Access Key ID and your Secret Key for the account(s) to be discovered. (Do this by clicking the magnifying glass, and then clicking Add Password in the upper right corner. Enter your Access Key ID or Secret Key in the field labeled Password. Device42 will store the keys encrypted.)
- Select Discover Main Account to have the job discover the main AWS account in addition to any AWS Roles accounts you select.
- Select the Available AWS Roles whose account(s) you want to discover and use the arrow to add them to the Chosen AWS Roles list.
Note: See Add/Edit AWS Roles below for instructions on creating the AWS Roles that Device42 displays for AWS cloud autodiscovery jobs.
- Choose one or more Amazon regions to search.
- You can also select options for adding vendor metadata, choose how to handle instances that are not found in subsequent discovery runs, select device name format options, add tags for discovered devices, etc.
- Check Kubernetes Discovery to discover Kubernetes clusters hosted on your cloud platform.
- Add object categories, tags, and a customer for discovered devices, etc.

- Scroll down the page and click the Advanced Features (Show) tab to select the different types of resources you want the job to discover (Route53, S3, EBS, Databases, etc.).

- Add an Autodiscovery Schedule to schedule the job if wanted or add Admin Groups for the job.
- Click Save or Save and continue editing to save the discovery job.
- When you return to the Cloud Discovery list page, you can click Run Now to run the job immediately.
AWS Discovery Items
Note that some discovery items are only collected when the corresponding resource type is enabled under Advanced Features on the job; they cannot be discovered otherwise. The Accessed API column lists the AWS endpoints the Remote Collector must be able to reach.

| Cloud Service/Object Name | Where to locate in D42 | Accessed API | Information Generated |
|---|---|---|---|
| DynamoDB | Resources –> All Resources | dynamodb._region_.amazonaws.com | Backup details, contributor insights, tables, limits, etc. |
| EC2 Instances | Resources –> All Devices | ec2._region_.amazonaws.com | Service name, instance ID, status, location, etc. |
| Elastic Block Storage (EBS) | Resources –> All Devices | Same as EC2 | Lists, rules, tags, etc. |
| ElastiCache Nodes | Resources –> All Devices | elasticache._region_.amazonaws.com | Account info, status, location, etc. |
| Elastic File System (EFS) | Resources –> All Devices | elasticfilesystem._region_.amazonaws.com | File systems, access points, mount targets. |
| Elastic Load Balancer | Resources –> All Devices | elasticloadbalancing._region_.amazonaws.com | Attributes, description, rules, tags, target groups, etc. |
| Lambda | Resources –> All Resources | lambda._region_.amazonaws.com | Name, ARN, code size, memory, runtime, etc. |
| Kubernetes (EKS) | Resources –> All Resources | eks._region_.amazonaws.com | Containers, nodes, clusters, etc. |
| RDS Instances | | rds._region_.amazonaws.com | Account info, status, location, etc. |
| Redshift | Resources –> All Resources | redshift._region_.amazonaws.com | Backup details, contributor insights, tables, limits, etc. |
| Route 53 | Resources –> All Resources | route53.amazonaws.com | Type, content, tags, etc. |
| S3 | Resources –> Storage –> Cloud Storage | *.s3._region_.amazonaws.com, s3._region_.amazonaws.com, *.s3.amazonaws.com, s3.amazonaws.com | Storage utilization, bucket, bucket policies, etc. |
| Subnets | Network –> Subnets | Same as EC2 | |
| VPCs | | Same as EC2 (VPC calls are part of the EC2 API, covered by ec2:Describe* in the policy below) | Attributes, AZs, Auth rules, etc. |
Additional Endpoint Information
Regular Discovery
- sts.amazonaws.com
- organizations.us-east-1.amazonaws.com (only if any of the optional Advanced Features is enabled)
K8s cluster endpoints access per K8s RBAC setup
- /api/v1/namespaces/kube-system
- /api/v1/nodes?watch=False
- /api/v1/services?watch=False
- /apis/apps/v1/deployments?watch=False OR /apis/extensions/v1beta1/deployments?watch=False (depends on k8s version)
- /apis/networking.k8s.io/v1beta1/ingresses?watch=False OR /apis/extensions/v1beta1/ingresses?watch=False (depends on k8s version)
Example of the minimum policy (except for the K8s cluster endpoints, which are controlled by K8s RBAC). Every action is a Describe/List/Get call, so the policy is read-only; "Resource": "*" is required because most of these Describe/List actions do not support resource-level permissions. The original rendering of this policy dropped the closing quote on s3:GetAccessPointPolicyStatus, which AWS rejects as invalid JSON; the version below is corrected and grouped by service.

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "acm:DescribeCertificate", "acm:List*", "autoscaling:Describe*",
      "cloudwatch:Describe*", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
      "dynamodb:DescribeGlobalTable", "dynamodb:DescribeLimits", "dynamodb:DescribeTable",
      "dynamodb:ListGlobalTables", "dynamodb:ListTables", "ec2:Describe*",
      "eks:DescribeCluster", "eks:DescribeNodegroup", "eks:DescribeUpdate",
      "eks:ListClusters", "eks:ListNodegroups", "eks:ListUpdates", "elasticache:Describe*",
      "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeAccountPreferences",
      "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets",
      "elasticloadbalancing:Describe*", "lambda:GetAccountSettings", "lambda:GetFunction",
      "lambda:List*", "logs:DescribeLogStreams", "logs:GetLogEvents",
      "organizations:DescribeAccount", "organizations:ListAccountsForParent",
      "organizations:ListOrganizationalUnitsForParent", "organizations:ListRoots",
      "rds:Describe*", "rds:ListTagsForResource", "redshift:DescribeClusters",
      "redshift:DescribeReservedNodes", "route53:ListHostedZones",
      "route53:ListResourceRecordSets", "route53:ListTagsForResource",
      "s3:GetAccessPointPolicyStatus", "s3:GetBucketAcl", "s3:GetBucketLocation",
      "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:ListAccessPoints",
      "s3:ListAllMyBuckets"
    ],
    "Resource": "*"
  }]
}
```
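Before attaching a discovery policy like the one above, it is worth checking mechanically that it is still read-only, since such policies tend to accumulate extra actions over time. The following audit script is an added example and is not Device42 code. It classifies every Allow action by verb: anything that is not Describe/List/Get is flagged, and two Get actions that the page's policy does grant (logs:GetLogEvents returns log content, lambda:GetFunction returns a presigned URL to the deployment package) are surfaced separately so the grant is a conscious decision. The policy excerpt and the over-broad counter-example are constructed inputs; the list of data-returning actions is the author's judgment, not an AWS classification.

```python
import json
from fnmatch import fnmatchcase

# Verbs that only read control-plane state. Anything else is flagged for review.
READ_ONLY_VERB_PREFIXES = ("Describe", "List", "Get")

# Actions that look read-only by name but return data-plane content (log lines,
# a presigned URL for the Lambda package, object bodies). Author's own list;
# the audit reports these so they are granted deliberately.
DATA_READ_ACTIONS = ("logs:GetLogEvents", "lambda:GetFunction", "s3:GetObject")


def _as_list(value):
    """IAM accepts a string, a list, or (for Statement) a single object; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def audit_policy(policy_json: str) -> dict:
    """Classify the Allow actions of an IAM policy document.

    Returns {"non_read_only": [...], "data_read": [...], "wildcard_resource": bool}.
    Raises ValueError on malformed JSON (e.g. a dropped quote), which AWS would also reject.
    """
    policy = json.loads(policy_json)
    non_read_only, data_read = [], []
    wildcard_resource = False
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource")):
            wildcard_resource = True
        # NotAction grants everything except the listed actions: never read-only.
        for action in _as_list(stmt.get("NotAction")):
            non_read_only.append("NotAction " + action)
        for action in _as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if action == "*" or verb == "*" or not verb.startswith(READ_ONLY_VERB_PREFIXES):
                non_read_only.append(action)
            elif any(fnmatchcase(name, action) for name in DATA_READ_ACTIONS):
                data_read.append(action)  # wildcard patterns such as "lambda:Get*" match too
    return {
        "non_read_only": non_read_only,
        "data_read": data_read,
        "wildcard_resource": wildcard_resource,
    }


# Constructed excerpt of the minimum policy from this page, trimmed for brevity.
MINIMUM_POLICY_EXCERPT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "s3:GetBucketPolicyStatus",
                   "lambda:GetFunction", "logs:GetLogEvents", "eks:ListClusters"],
        "Resource": "*",
    }],
})

# Constructed counter-example: a "just make discovery work" policy that is not read-only.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "ec2:TerminateInstances", "s3:*", "iam:PassRole"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    for name, doc in (("minimum", MINIMUM_POLICY_EXCERPT), ("overbroad", OVERBROAD_POLICY)):
        print(name, audit_policy(doc))
```

Run it against the full policy by reading the JSON from a file instead of the embedded excerpt; an empty non_read_only list is the pass condition, and anything in data_read should be reviewed against what the collector actually needs.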
Add/Edit AWS Roles
Device42 includes an editor you can use to define or edit the AWS Roles displayed for Amazon AWS cloud autodiscovery jobs. Follow the steps below to view and add AWS Roles.
- Select Resources > Secrets > AWS Roles from the main menu.

- Device42 displays the AWS Roles list page. Use the AWS Role drop-down to select a role to display or click Advanced to construct more specific searches. See the Advanced Search Feature documentation page for instructions.

- Click Add at the top right to add a new role – click a role Name to view or edit that role.

- Enter a Name for the role.
- Enter the AWS Role label and an optional AWS Role Description.
- In the Account ID and External ID section, click + Add More.
- Add the role Account ID and the External ID – click the eye icon to show or hide the field. Click the trash can icon to remove the entries.
- Click Save at the top right of the page to save the role.
Device42 adds the new AWS Role to the roles list; it will also appear in the Available AWS Roles list when you create or edit an Amazon AWS cloud autodiscovery job.
Note: The following steps are required if you want to use AWS AssumeRole (switch role) on the API calls to scan other AWS accounts.

From the main account:

- Create a role in IAM, choosing the "Another AWS account" option for the trusted entity.
- Two trust configurations are relevant: one that identifies the trusted party by account ID alone, and one that also uses the Require external ID option. Device42's AWS Roles editor takes both an Account ID and an External ID. Note: there is no requirement for the MFA option at this time.
- Attach the minimum discovery policy shown in the example above.

From the sub (or separate) account:

- Have a user who has been granted permission to assume that role, as in Step 2, "Grant access to the role", of the AWS IAM tutorial on delegating access across AWS accounts using IAM roles.
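Whichever account the steps above call main or sub, the AssumeRole mechanics are fixed: the role lives in the account that will be scanned, its trust policy names the account whose access keys Device42 holds, and that identity needs sts:AssumeRole on the role. The script below is an added example, not Device42 or AWS code; it generates both documents so the two sides can be compared. It uses a random external ID (the External ID you enter in the Device42 AWS Roles editor must match the one in the trust policy exactly), omits any MFA condition to match the note above, and uses AWS documentation placeholder account IDs as constructed input. The role name Device42Discovery is an assumption.

```python
import json
import re
import secrets
from typing import Optional

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Character set and length AWS accepts for sts:ExternalId.
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")


def make_external_id() -> str:
    """Random external ID; 32 hex characters comfortably satisfy the AWS format."""
    return secrets.token_hex(16)


def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(trusting_account_id: str, external_id: Optional[str] = None) -> dict:
    """Trust policy for the discovery role in the account being scanned.

    Trusts the root principal of the account whose access keys Device42 holds
    (the "Another AWS account" option). With an external ID, AssumeRole calls
    that do not present the same value are refused, which is the standard
    confused-deputy protection for third-party tooling.
    """
    if not ACCOUNT_ID_RE.match(trusting_account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusting_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        if not EXTERNAL_ID_RE.match(external_id):
            raise ValueError("external ID does not match the AWS format")
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_permission(role_arns: list) -> dict:
    """Identity policy for the user who owns the keys: AssumeRole only on the listed roles.

    Scoping Resource to explicit ARNs (not "*") means a leaked key cannot be used
    to assume any other role that happens to trust this account.
    """
    if not role_arns:
        raise ValueError("at least one role ARN is required")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": list(role_arns)}],
    }


if __name__ == "__main__":
    # Constructed example account IDs (AWS documentation placeholders).
    keys_account, scanned_account = "111122223333", "444455556666"
    ext_id = make_external_id()
    print("Trust policy for the role in", scanned_account)
    print(json.dumps(trust_policy(keys_account, ext_id), indent=2))
    print("Permission for the Device42 user in", keys_account)
    print(json.dumps(assume_role_permission([role_arn(scanned_account, "Device42Discovery")]), indent=2))
```

The first document goes on the role in the scanned account, the second on the IAM user whose keys you entered in the discovery job; the external ID printed by the script is the value to paste into the AWS Role entry in Device42.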
Amazon API Autodiscovery
Amazon API Discovery Items
| Cloud Service/Object Name | Where to locate in D42 | Accessed API | Information Generated |
|---|---|---|---|
| EC2 Instances | Devices –> All Devices | | Service name, instance ID, OS platform, image ID, status, etc. |
When discovering your Amazon Cloud via the Amazon API, Device42 authenticates against the API URL with your AWS API Access Key and Secret Key. To create a discovery job, please ensure you have these available. You can find or generate new AWS API Access keys via the AWS Console -> UserName Menu –> “My Security Credentials”. Expand the “Access keys (access key ID and secret access key)” item, and “Create New Access Key” (or reference an existing one):
- Begin by setting Cloud Type: ‘Amazon AWS’ via the dropdown [pictured].
- Enter a ‘Name’ for your Amazon AWS API discovery job.
- Enter the ‘URL’ of the AWS API endpoint you are targeting, including the port if necessary. For URLs and other information on AWS API endpoints, reference the “Endpoints” section of the AWS API documentation.
- Add your AWS API Key ID to the “Account ID” field, followed by the corresponding Amazon Secret Key in the “Secret Key” field for the account to be discovered: You’ll add both your API Key ID and Secret Key to Device42 as separate ‘password’ entries, and the procedure is the same as adding a new password:
- Click the magnifying glass to bring up the credential selection screen
- Click the ‘Add Password’ button in the upper right-hand corner
- Enter your Account ID (the Access Key ID) in the field labeled “Password:” and click “Save”; the Username field is not used by cloud discoveries. Repeat the same steps to add the Secret Key as a second password entry.
- In the Region: box, enter the region you are targeting, e.g. us-east-1.
- Set a discovery schedule if desired; Save and run your AWS API discovery!
Options for AWS API Discovery:
- Action for Instance not found: Choose how Device42 will handle the situation of an instance that was previously discovered not being found on subsequent discovery runs. Change Status will update the instance’s status, while “Delete Instance” will delete the missing instance. The best choice for you depends on how you manage your infrastructure.
- Strip Domain Name: Strips the domain name (everything after the first period) from the discovered name before storing it in Device42.
- Object category for discovered devices: Choose a category to assign to discovered devices
- Overwrite existing object categories: Select this option to overwrite any previously assigned categories with the current selection