Resource Groups

Resource groups are user-created collections of resources. Defining a resource group can help simplify automation, management, and permissions at scale.

By enabling the grouping of certain resources, you can apply granular permissions to a subset of your cloud footprint. This functionality has numerous implementations and is particularly useful for scoping custom visibility and custom policy. For example, a resource group can be used to identify specific resources to configure for automation through a certain Bot action.

The Resource Groups capability is available under "Inventory --> Resource Groups" on the main navigation.

Resource Group Permissions

Only InsightCloudSec Domain Admins can create Resource Groups and give lower-level users access to view Resource Groups. Refer to our User Entitlements Matrix for additional details on permissions.

Creating resource groups

Prerequisites

Before you get started, you will need to ensure that you have:

  • A functioning InsightCloudSec platform installation
  • The appropriate permissions (Domain Admin) to create a new Resource Group for your organization.

Create and scope a new resource group

From the Resource Groups page, you can create and scope a new resource group.

  1. Go to Resources > Resource Groups page and click Create Resource Group.
  2. Enter a name and description, then click OK.
  3. Go to the Resource Groups page and click Resources.
  4. Select the scope and queries for the resource group.
  5. In the Category of Resources, select the type of resource you want to include, then click Add to resource group.
  6. In the Add to InsightCloudSec Resource Group window, select the resource group to add the resources to, and click Submit.
  7. (Optional) Add more resource groups.

(Optional) Create a new resource group from resources

In some situations, you may want to create a new resource group directly from the Resources page.

  1. Go to Resource > Resources.
  2. Click on the category of resources you want to use and scroll down to the results section which lists the resources in this category.
  3. Check the box for those resources you wish to add to your resource group and click the Add to resource group icon.
  4. On the form that opens, click on the tab labeled Create New (the form defaults to Add to Existing).
  5. Create a new resource group by providing a name and description, then selecting Submit.
  6. Add dependencies, if desired, and repeat the steps to add new resources until you have added all of the desired resources for your new resource group.

Viewing and managing resource groups

You can view and create resource groups from the Resource Groups page, accessible from Resource > Resource Groups.

From the Resource Groups page you can:

  • View a List of Resource Groups. This content displays by default when you open the Resource Groups landing page. Only Domain Admins can create Resource Groups, and user visibility may vary based on the permissions applied to the individual Resource Groups.
  • Create a Resource Group. Click on the Create Resource Group button at the top of the Resource Group landing page.
  • Enqueue Group Refresh. Allows a user to manually trigger a refresh of Resource Groups.
  • View Details of Resources within Each Group. The details of the resources within the group are available by clicking on the Go To Resources option under the Actions items listed with each individual resource group. Clicking on this option launches a filtered Resources view applicable to the selected group.

Manage existing resource groups

  1. Go to Resources > Resource Groups and select a resource group.
  2. To edit the name and description, in the Actions column, click the Edit icon.
  3. After editing, click OK.
  4. To delete a resource group, in the Actions column, click the Delete icon. Appropriate permissions are required.

Add automation to a resource group

An additional resource group capability is referred to as "resource group curation". Bot actions (or automation) can be applied to resource groups to add resources to an existing resource group or curate a new resource group.

  1. Go to Resources > Resource Groups and select a resource group.
  2. Go to the Automation > BotFactory, then select the Create Bot tab.
  3. Enter a name and description for the Bot, then select a category.
  4. Configure the Bot scope.
  5. Configure the query filters.
  6. Configure the Bot actions.
  7. Choose the Bot's run schedule. It is recommended that you use a reactive setup, where the Bot runs when a resource is Created or Modified.
  8. Click Save.

Additional Resource Group Functionality

Some additional functionality that is associated with Resource Groups worth noting:

  • Cloud Service Provider "Resource Groups". InsightCloudSec also allows the Harvesting of Cloud Service Provider "Resource Groups". This capability is increasingly a cloud-native feature. The InsightCloudSec platform displays CSP-defined resource groups (and identifies them as such).
    • For example, an Azure Resource Group will be marked with an Azure icon.
    • Any InsightCloudSec-created Resource Groups will be displayed with an InsightCloudSec logo.
  • Curated Resources & Resource Groups. This visibility also applies to "curation" (which is discussed below). Curated resources will only be added to InsightCloudSec Resource Groups; our system will not change the resources included in any CSP-specific resource groups.

View Your New Resource Group Details

  1. Go to Resource > Resource Groups and click on the name of the new group to display an overview of the resources in the group.
  2. View the details on the individual tabs:
    • Overview. A percentage breakdown of your resource group by resource type and a breakdown of resources in your group by region.
    • Resources. Opens a filtered Resources page view that displays the resources that are already scoped for your resource group.
    • Settings. Allows you to revise the name or description, or to delete the group with "Delete Group" (with appropriate permissions).

Using Resource Groups

Resource groups are designed for scoping resources, Insights, and Bots. Resource groups can scope based on any number of criteria, including permissions, automation, and compliance. Only administrators can create resource groups.

Some examples of scoping include:

  • A permission-based resource group, where an administrator can specify resources to narrow the visibility of resources that don't apply to certain users. For example, database admins don't need to see every instance or web server; they are only interested in viewing database resources.
  • In an automation-based example, an administrator can use a resource group to only display resources that are monitored based on certain configured actions. Again, a resource group can be set up so that only database administrators can see where changes are being made to database resources.

Resource Group Curation

An additional resource group capability is referred to as "resource group curation". Bot actions (or automation) can be applied to resource groups for curation in one of two ways:

  • Add to Resource Group. On occasion, users may want to use multiple Bots to add resources to a group. You can do this using the Bot action "Add To Resource Group".
    • This action will only add resources to a group and will not automatically remove resources that no longer apply.
  • Curate Resource Group. InsightCloudSec includes a Bot action named "Curate Resource Group", which, when added to a Bot’s instruction set, assumes responsibility for maintaining the state of the resource group.
    • This action can be used only as a one-to-one relationship between a single Bot and a single resource group.
    • The Bot will automatically move resources in and out of the group as needed, based on the configured policy.

Curating a Resource Group (Example)

In the following example, we show the steps required to create a sample resource group named Production Resources. This group includes resources with the tag key environment and a tag value of production. The scope of the Bot will be set to look for appropriately tagged resources across Microsoft Azure, Amazon Web Services, and Google Compute Engine.

Check out our documentation on BotFactory & Automation for additional details on working with Bots and automation.

Curate a resource group

  1. Go to Resource > Resource Groups and create a new resource group. This example uses the name Production Resources.
  2. Create a new Bot. Go to Automation > BotFactory and click Create Bot.
  3. Enter the Bot details.
    1. Enter a name, description, and category. This example uses Security.
    2. Configure the Bot's scope. The scope defines the resource(s) and cloud account(s) to be inspected. The scope of this example includes billable resource types across three cloud accounts--such as instances, database instances, volumes, and snapshots.
    3. (Optional) To configure the Bot to scan every configured cloud account, click Select All Clouds.
  4. Configure the Query Filters. For this example, the Bot uses a single Query Filter that inspects resource tags and looks for a single key Environment with a single value Production.
  5. Configure the Bot's actions. The action used for this example is Curate Resource. Select that action from the listing and then use the drop-down to select the desired group, Production Resources.
  6. Choose when the Bot will run. For this type of Bot, we recommend against using any of the Reactive options and instead relying on a set schedule (hourly, daily, etc.).
  7. Save the Bot. When done, you can perform a retroactive scan, and if you have resources that meet the configured filters, they should show up in the "Production Resources" group.
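
The difference between the two Bot actions described under Resource Group Curation, applied to the Production Resources filter from this example, as an added illustration: a Python model, not InsightCloudSec code or its API. The resource IDs, tags and function names are constructed, and exact case-sensitive tag matching is an assumption of the model.

```python
# Added example: a model of the two Bot actions, not InsightCloudSec code.
# Resource IDs, tags and function names are constructed for illustration.

# Two constructed inventory snapshots (resource id -> tags) from successive Bot runs.
SCAN_1 = {
    "aws:i-0a1": {"environment": "production"},
    "azure:vm-web": {"environment": "production"},
    "gcp:disk-7": {"environment": "staging"},
}
SCAN_2 = {
    "aws:i-0a1": {"environment": "staging"},         # retagged out of production
    "azure:vm-web": {"environment": "production"},
    "gcp:disk-7": {"environment": "production"},     # retagged into production
    "aws:vol-9": {"Environment": "Production"},      # same words, different case
}

def matching(inventory, key="environment", value="production", ignore_case=False):
    """IDs whose tags satisfy the filter; exact match unless ignore_case is set."""
    norm = str.lower if ignore_case else str
    return {
        rid for rid, tags in inventory.items()
        if any(norm(k) == norm(key) and norm(v) == norm(value) for k, v in tags.items())
    }

def add_to_group(group, inventory):
    """'Add To Resource Group' model: add current matches, never remove."""
    return group | matching(inventory)

def curate_group(group, inventory):
    """'Curate Resource Group' model: membership becomes exactly the current matches."""
    return matching(inventory)

def run_scans(action, scans=(SCAN_1, SCAN_2)):
    """Apply one action over successive scans and return the final membership."""
    group = set()
    for scan in scans:
        group = action(group, scan)
    return group

def audit(group, inventory):
    """Return (stale, missing, near_miss) for a group against the latest inventory."""
    exact = matching(inventory)
    near = matching(inventory, ignore_case=True) - exact
    return sorted(group - exact), sorted(exact - group), sorted(near)

if __name__ == "__main__":
    for name, action in (("add", add_to_group), ("curate", curate_group)):
        group = run_scans(action)
        print(name, sorted(group), audit(group, SCAN_2))
```

A stale entry matters when the group scopes permissions or Bots: in the add-only model the retagged instance stays in the group until it is removed by hand. The near-miss list shows resources a filter would skip only because the tag case differs.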

To Run Your Bot Immediately

Bots are created in a paused state. This is done to allow you to review your Bot first--an InsightCloudSec best practice--before running your Bot.

You can review your Bot using the Bot Overview window (see Overview of Your Bot below). When you are ready to run your Bot, go to the Bot Listing tab, and select Enable from the action icon next to the name of your Bot. Then return to the action icon and select 'On-demand Scan'.

What's Next?

After familiarizing yourself with resource groups and viewing the information available here, why not check out more information on:

  • Exemptions (Insights) - InsightCloudSec's exemptions functionality is configured through Insights. In previous versions, InsightCloudSec offered the ability to exempt resources from Insight findings using the Resource Groups functionality. While this option worked well in certain scenarios, it did not provide a great overall user experience. The revised Exemptions functionality includes enhanced approval logic, expiration functionality, and bulk edit and delete capabilities for exempted resources.

  • Tag Explorer - The Tag Explorer feature of InsightCloudSec allows you to audit and identify resources that contain (or do not contain) tag keys. Effective tagging can help identify resources for automation activities.