
Importing Tags for AWS Discovery

Last Updated: 2024-01-08



Purpose

This article describes how to import tags for AWS discovery.

Introduction

The Importing Tags for AWS Discovery feature allows Outscan to automatically import metadata (key/value tags) from AWS resources into its own asset inventory during a Cloud Discovery scan. By enabling this feature, you ensure that assets discovered via the AWS API carry over your existing organizational context (such as department, environment, or location), which greatly simplifies asset management, filtering, and reporting inside the Outscan platform. This functionality helps maintain alignment between your cloud infrastructure and vulnerability-management system, reducing manual work and improving the relevance and visibility of discovered assets. Which AWS tags are imported to an Asset depends on the AWS instance tags and the External Tag Keys configuration, according to the rules described below.


Importing Tags from AWS

To import tags:

  1. Go to Scan Configurations > Report Settings.

  2. The CLOUD DISCOVERY template contains an External Tags section.

  3. When the toggle switch in External Tags is in its off (grey) position, the import function is disabled. 




  4. When the toggle switch is in its on (blue) position, you can enter tag keys in the text field.




  5. When you enter a tag key that does not exist yet, the key is added to the text field so that it can be selected through auto-completion.

  6. After you save and return to the Report Settings page, the tag settings are visible as blue buttons.


Expected Result

Depending on the discovered AWS instance, the external tags should be imported to the newly created or found Asset(s).

The tags on the Asset are updated according to the AWS instance tags and the External Tag Keys configuration, following these rules:

  • If Import External Tags is False (toggle switch OFF), no AWS tags are imported.

  • If Import External Tags is True (toggle switch ON):

    • If users do not have tag permission, then no AWS tags are imported and a warning message is displayed in the scan result.

    • If the External Tag Keys text field is empty, all AWS tags are imported.

    • Otherwise, only the AWS tags whose key matches a key in the External Tag Keys text field are imported. The match is case-sensitive.

    • If an imported tag does not exist yet, it is created. Otherwise, the existing tag is reused.
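
The rules above can be read as a small decision procedure. The following Python sketch is an added illustration, not Outscan code: the function name, its parameters and the Name tag in the sample data are hypothetical, and the other sample tags are constructed to resemble the examples in this article.

```python
# Added illustration of the import rules above; not Outscan code.
# Function and parameter names are hypothetical.

def import_external_tags(aws_tags, import_enabled, external_tag_keys,
                         has_tag_permission, inventory_tags):
    """Return (linked, created, warned) for one discovered AWS resource.

    aws_tags          : dict of tag key -> value on the AWS resource
    external_tag_keys : keys entered in the External Tag Keys field
    inventory_tags    : set of (key, value) tags that already exist;
                        newly created tags are added to it
    """
    if not import_enabled:            # toggle OFF: nothing is imported
        return [], [], False
    if not has_tag_permission:        # toggle ON, tags unreadable: warn only
        return [], [], True
    if external_tag_keys:
        # Exact, case-sensitive match: "Location" does not select "location".
        wanted = set(external_tag_keys)
        selected = {k: v for k, v in aws_tags.items() if k in wanted}
    else:
        selected = dict(aws_tags)     # empty key list: every AWS tag
    linked, created = [], []
    for tag in sorted(selected.items()):
        if tag not in inventory_tags: # unknown tag is created, known one reused
            inventory_tags.add(tag)
            created.append(tag)
        linked.append(tag)
    return linked, created, False


# Constructed sample data, shaped like the examples in this article.
AWS_TAGS = {"Location": "HoangCau", "location": "DongDa", "Name": "web-01"}

if __name__ == "__main__":
    inventory = {("location", "DongDa")}          # tag that already exists
    keys = ["department", "dev", "Location"]
    print(import_external_tags(AWS_TAGS, True, keys, True, inventory))
    keys.append("location")                       # add the lower-case key
    print(import_external_tags(AWS_TAGS, True, keys, True, inventory))
    print(import_external_tags(AWS_TAGS, True, keys, False, inventory))
```

Because the key match is case-sensitive, a resource tagged only with location is silently left untagged when the configured key is Location, so it can drop out of tag-based filters and reports.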

Example 1

  1. Edit external tags

  2. Then run the scan (Asset does not exist yet)

  3. Results:

    • Scan finished with an asset

    • A new asset is created



    • A new tag Location:HoangCau was created and linked to the Asset. There are 3 external keys (department, dev, Location), but only the Location key matches the AWS tags.

Example 2

  1. Update the external tags section by adding one more key: location.

  2. Run the scan again and check the result: no new tag is created, but the existing tag location:DongDa is linked to the asset.



Example 3

  1. Unlink all tags from the above asset.

  2. Edit the External tags section by disabling Import external tags from the environments target by discovery.

  3. Run the scan again and check the result. No tags are linked to the asset.


Example 4

  1. Edit the external tags section by enabling Import external tags from the environments target by discovery again.

  2. Run the scan again and check the result. Two tags were linked again.


Example 5

  1. Configure the AWS identity so that it does not have tag permissions, for example elasticloadbalancing:DescribeTags and cloudfront:ListTagsForResource.

  2. Enable Import external tags from the environments target by discovery.

  3. Running the scan now produces an Issues warning message.



