Importing Tags for AWS Discovery
Purpose
This document describes how to import tags for AWS discovery.
Introduction
Tags are key and value pairs that act as metadata for organizing your AWS resources. With most AWS resources, you have the option of adding tags when you create the resource.
Which AWS tags are imported to an Asset depends on the tags on the AWS instance and on the External Tag Keys configuration, according to the rules described below.
Importing Tags from AWS
To import tags:
- Go to Scan Configurations > Report Settings.
- The CLOUD DISCOVERY template contains an External tags section.
- When the toggle switch in External Tags is in its off (grey) position, the import function is disabled.
- When the toggle switch is in its on (blue) position, tag keys can be entered in the text field.
- Entering a tag key that does not exist yet adds that key to the text field so that it can be selected through auto-completion.
- After saving and returning to the Report Settings page, the tag settings are visible as blue buttons.
Expected Result
Depending on the discovered AWS instance, the external tags should be imported to the newly created or found Asset(s).
Based on the AWS instance tags and the External Tag Keys configuration, tags are applied to the Asset according to these rules:
- If Import External Tags is False (toggle switch OFF), no AWS tags are imported.
- If Import External Tags is True (toggle switch ON):
  - If the user does not have tag permission, no AWS tags are imported and a warning message is displayed in the scan result.
  - If the External Tag Keys text field is empty, all AWS tags are imported.
  - Otherwise, only the AWS tags whose key matches a key in the External Tag Keys text field (case-sensitive) are imported.
  - If an imported tag does not exist yet, it is created. Otherwise, the existing tag is reused.
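The rules above, modelled as an added Python example (not Outpost24 code). The function and field names, the warning text and the `Name` tag are assumptions; the sample tags are constructed to mirror the examples on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ImportResult:
    linked: list = field(default_factory=list)   # "key:value" tags linked to the asset
    created: list = field(default_factory=list)  # tags newly created in the tag store
    warning: Optional[str] = None                # shown in the scan result

def import_external_tags(aws_tags, import_enabled, external_keys,
                         has_tag_permission, existing_tags):
    """Apply the documented rules to one discovered instance (hypothetical model)."""
    result = ImportResult()
    if not import_enabled:            # toggle OFF: no AWS tags are imported
        return result
    if not has_tag_permission:        # e.g. elasticloadbalancing:DescribeTags not allowed
        result.warning = "AWS tags not imported: missing tag permission"  # constructed text
        return result
    wanted = set(external_keys)
    for key, value in aws_tags.items():
        # Empty key list imports everything; otherwise exact, case-sensitive key match.
        if wanted and key not in wanted:
            continue
        tag = f"{key}:{value}"
        if tag not in existing_tags:  # create once, reuse on later scans
            existing_tags.add(tag)
            result.created.append(tag)
        result.linked.append(tag)
    return result

# Constructed sample data mirroring the examples on this page; "Name" is invented.
AWS_TAGS = {"Location": "HoangCau", "location": "DongDa", "Name": "web-01"}

if __name__ == "__main__":
    store = {"location:DongDa"}       # tag that already exists before the first scan
    keys = ["department", "dev", "Location"]
    print(import_external_tags(AWS_TAGS, True, keys, True, store))                 # Example 1
    print(import_external_tags(AWS_TAGS, True, keys + ["location"], True, store))  # Example 2
    print(import_external_tags(AWS_TAGS, False, keys, True, store))                # Example 3
    print(import_external_tags(AWS_TAGS, True, keys, False, store))                # Example 5
    print(import_external_tags(AWS_TAGS, True, [], True, store))                   # empty key list
```

Because matching is case-sensitive, `Location` and `location` are distinct keys, so a key entered with the wrong case imports nothing for that key and produces no warning.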
Example 1
Edit external tags
Then run the scan (Asset does not exist yet)
Results:
Scan finished with an asset
A new asset is created
A new tag Location:HoangCau was created and linked to the Asset. There are 3 external keys (department, dev, Location), but only the Location key matches the AWS tags.
Example 2
Update the external tags section by adding one more key: location.
Run the scan again and check the result: no new tag is created, but the existing tag location:DongDa was linked to the asset.
Example 3
Unlink all tags from the above asset.
Edit the External tags section by disabling Import external tags from the environments target by discovery.
Run the scan again and check the result. No tags are linked to the asset.
Example 4
Edit the external tags section by enabling Import external tags from the environments target by discovery again.
Run the scan again and check the result. Two tags were linked again.
Example 5
- Configure the AWS identity to not allow tag permissions, for example elasticloadbalancing:DescribeTags, cloudfront:ListTagsForResource.
- Enable Import external tags from the environments target by discovery.
- Running the scan now produces an Issues warning message as seen in the screenshot below:
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.