Review Details for a Single Cloud Account
The Cloud Account Detail Page is the dedicated page for an individual cloud account.
To review details for a cloud account:
- Navigate to Cloud > Cloud Accounts and click the cloud account you want to view details for.
Overview
Each Cloud Overview page includes high-level status information, including cloud type, name, and account details, harvesting status and permissions, and harvested resources summary. Some cloud types will also have information on the number of harvested resources by type. All of this data refreshes every 2 hours. Additionally, some cloud types have access to a Best Practices & Recommendations section that lists curated Insights reflecting common security issues and high-impact concerns. This list varies by Cloud Service Provider (CSP). For each Insight listed, you can click to view a filtered set of resources based on the selected cloud and specific Insight.
Harvest Info
The “Harvest Info” tab from the overview page of the individual cloud provides details (e.g., resource type, region, etc.) from the last known harvest. This is useful in understanding when a particular resource was last harvested, failures and context, the next scheduled harvest, or when a Bot action was last run.
- Check out our Harvesting Overview documentation for additional details on harvesting and how it works.
- Refer to our Resources documentation for more details on individual resources and resource types.
You can manually trigger a harvesting job either through Enqueue Now (in the Action menu) for an individual job/resource type, or by selecting multiple jobs to activate the Enqueue Selected button. Clicking this button will trigger harvesting for multiple jobs.
Settings
The Cloud Settings tab allows you to explore the settings for your cloud accounts. Consider the following when interacting with this tab:
- Permissions - For all of the actions available on this tab, appropriate permissions are required. If you are not able to view certain details or make changes, reach out to your administrator or contact us via the Customer Support Portal.
- Removing Cloud Accounts - Removing a cloud account from InsightCloudSec does not delete the cloud itself from the cloud service provider. Removing a cloud account from InsightCloudSec removes the ability to provide you with complete and accurate visibility into your cloud operations.
- Organization Child Accounts - This page will look slightly different (with certain aspects being locked down) for accounts that are part of a Cloud Organization.
Managing settings
You can manage the following settings:
- Updating the Account information
- Configuring Billing information (which also includes configuration of a billing bucket for AWS or GCP)
- Updating the EKS Scanner Role associated with the account for Kubernetes Security Guardrails
- Removing a Cloud Account
- Assign Harvesting Strategy
- Setting Custom Properties
- With appropriate permissions, you can view and add custom properties to your cloud account. These can be used as metadata or to otherwise extend the functionality of your work within InsightCloudSec.
Configuring a Billing Bucket (AWS only)
For AWS accounts, your system administrator can configure the billing bucket for the selected cloud account. Billing information will be pulled from this location periodically. For more information, see AWS Billing Bucket.
APIs (GCP only)
For GCP Cloud accounts, an additional tab is available. This tab displays all the GCP APIs that InsightCloudSec uses, with details on their status (Enabled or Disabled). Check out the content we have on Projects for (GCP) for additional details on configuration. From this page, you can also turn on Automatic API Enablement if you want to automatically turn on and harvest from every GCP API that InsightCloudSec supports; however, this requires you to manually enable the Service Usage API in the GCP Cloud Console. In general, Automatic API Enablement is not recommended because it may reduce performance and increase cost. Additionally, it is a security best practice to leave unused APIs turned off.
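To check a project against the "leave unused APIs turned off" guidance, the sketch below compares the enabled services with the set you intend to use. It is an added example, not InsightCloudSec code. It assumes input shaped like the output of `gcloud services list --enabled --format=json`; the `REQUIRED_APIS` set and the sample listing are constructed for illustration.

```python
import json

# Constructed sample shaped like `gcloud services list --enabled --format=json`
# output for one project (not taken from a real account).
SAMPLE_LISTING = """[
  {"config": {"name": "compute.googleapis.com"}, "state": "ENABLED"},
  {"config": {"name": "storage.googleapis.com"}, "state": "ENABLED"},
  {"config": {"name": "serviceusage.googleapis.com"}, "state": "ENABLED"},
  {"config": {"name": "translate.googleapis.com"}, "state": "ENABLED"},
  {"name": "projects/1234/services/bigquery.googleapis.com", "state": "DISABLED"}
]"""

# Assumption: the APIs this project is meant to expose for harvesting.
# Replace with the entries you actually rely on from the APIs tab.
REQUIRED_APIS = {
    "compute.googleapis.com",
    "storage.googleapis.com",
    "serviceusage.googleapis.com",
    "iam.googleapis.com",
}


def service_name(entry):
    """Return the bare service name, e.g. 'compute.googleapis.com'."""
    config = entry.get("config") or {}
    # Fall back to the resource path 'projects/<n>/services/<service>'.
    name = config.get("name") or entry.get("name", "")
    return name.rsplit("/", 1)[-1].strip().lower()


def audit_enabled_apis(listing_json, required):
    """Report drift between enabled services and the intended set."""
    entries = json.loads(listing_json)
    enabled = {
        service_name(e)
        for e in entries
        if e.get("state", "ENABLED") == "ENABLED"
    }
    enabled.discard("")  # ignore entries with no usable name
    wanted = {r.lower() for r in required}
    return {
        # Enabled but not needed: candidates to turn off.
        "unexpected": sorted(enabled - wanted),
        # Needed but not enabled: harvesting for these will fail.
        "missing": sorted(wanted - enabled),
    }


if __name__ == "__main__":
    print(audit_enabled_apis(SAMPLE_LISTING, REQUIRED_APIS))
```

Run it per project on a schedule and review the `unexpected` list after any change to Automatic API Enablement.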
Frequently Asked Questions (FAQ)
What is an Application?
An Application is a collection of resources/infrastructure that’s dynamically built and maintained as customer infrastructure scales up/down to support their workloads. These collections are built based on the presence of a specific tag key that is configured within InsightCloudSec.
What’s the difference between Applications and Resource Groups?
Resource Groups and Applications have similarities. They are not mutually exclusive, and the customer can absolutely have both. There are several limitations of Resource Groups where Applications shine:
- Resource Groups need to be manually built and maintained. They cannot be dynamically created based on tagging, etc.
- Resource Groups cannot easily be kept in sync as resources change. Doing so requires customers to maintain Bots which presents scaling challenges since a Bot can only curate into a single group. If a customer wanted this for 100 groups they’d need 100 bots.
- Resource Groups do not support custom attributes such as criticality, business critical (“crown jewel”), POC, category, etc.
What if I don’t have a tag key that defines an application?
This capability is additive and is not required within InsightCloudSec. While strongly encouraged, customers can skip this setup and continue leveraging all of the great capabilities. We recommend reading up on Tagging Best Practices, as proper tagging not only enriches the capabilities within InsightCloudSec, but within your CSP as well.
Where can Applications be used within the product?
Can I leverage Applications as a way to scope user visibility across the product?
Can I turn off Applications for basic users if I don’t want to use them?
Yes. Applications currently support User Entitlements Matrix, making it easy to turn off the capability for customers who are not interested in using it.
What’s the purpose of metadata fields such as Business Critical, Criticality, etc.?
For the initial launch of Applications, the metadata fields can be used to help customers create different perspectives on compliance violations, inventory, vulnerabilities, and threat findings. In the coming months, we will be leveraging this metadata as a way to better categorize risk.
Can I scope one or more Bots based on Application membership?
How do permissions work with Applications?
Domain/Organization Administrators have full control over Application management. This includes updating settings, modifying business critical status, and modifications to other metadata properties. When given the proper entitlements, basic users can view Applications, but can only see the infrastructure/resources within the application that are located in Cloud Accounts they have view/read access to. Basic users with editor permissions can update Application metadata/properties.
Can I bulk edit Application metadata?
Can a customer input multiple tag keys/permutations for defining Applications?
At this time we only allow customers to input a single tag key. They can support multiple permutations of the tag key by selecting Case Insensitive in the Application Settings screen. In future releases we will look to support multiple tag keys.