Resource Discovery

Last modified on August 15, 2025

Resource discovery lets you discover resources in your cloud provider and then onboard them as StrongDM resources quickly and efficiently. In your cloud provider, you grant permission to one or more of your nodes, allowing them to scan your cloud infrastructure. Then, you set up a connector in StrongDM which uses those nodes to reach out to your cloud provider and scan for running infrastructure. This updates a list in StrongDM of resources within that cloud and provides a way to onboard supported resource types easily, adding them to your StrongDM organization as managed resources. Resource discovery makes it significantly easier to onboard your organization’s cloud infrastructure into StrongDM, particularly if that infrastructure is extensive.

Currently, AWS and GCP are supported as cloud providers for resource discovery.

  • The AWS resources supported for discovery at this time are EC2, RDS, and EKS.
  • The GCP resources supported for discovery at this time are GCE, Cloud SQL, and GKE.

Node Setup

Choose the StrongDM node(s) you wish to use to scan your cloud infrastructure. These nodes need read access to your cloud infrastructure. Note that although you can choose any relay or gateway with enough permissions to scan your cloud, the simplest option is a gateway running in the cloud organization you wish to scan. If you want to limit the node’s visibility into your cloud (for example, limiting scanning to a certain account, project, or application), grant read access only to those resources using your cloud provider’s IAM feature. The node and connector will complete scans of the resources in scope, but resource data outside the defined permission scope will not be imported into StrongDM. Ensure that your nodes are using CLI version 49.90.0 or greater.

If you are using AWS, hosting your scanning node(s) in EC2 instances within the same organization, and scanning for EC2, RDS, and EKS resources, the following steps are required:

  1. Log in to the AWS Management Console for your organization.
  2. Create an IAM role and add these policies:
    • The managed policy AmazonEC2ReadOnly
    • The managed policy AmazonRDSReadOnly
    • A custom policy that you create to provide read-only access to list EKS clusters, because there is no managed policy for this
  3. Ensure that your new role is attached to your EC2 instance(s) that you run the chosen node(s) on.

If you are using GCP, hosting your scanning node(s) in GCE instances within the same organization, and scanning for GCE, Cloud SQL, and GKE resources, the following steps are required:

  1. Log in to the Google Cloud console for your organization.
  2. Create a custom IAM role with the following permissions:
    • resourcemanager.projects.list
    • compute.zones.list
    • compute.instances.list
    • cloudsql.instances.list
    • container.clusters.list
  3. Assign the custom role to the service account of the Compute Engine instance where the StrongDM gateway is running.

As an alternative to the custom role, you can assign the node these default built-in roles instead:

  • roles/resourcemanager.projectBrowser
  • roles/cloudsql.viewer
  • roles/container.clusterViewer
  • roles/compute.viewer
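The two permission sets above (the AWS IAM role with its custom EKS policy, and the GCP custom role) are the only access the scanning node should hold, so it is worth checking that they are read-only before attaching them. The following Python script is an added example and is not StrongDM’s code: it embeds the EKS custom policy the AWS steps leave to you, the GCP custom role exactly as the page lists it, and a small lint that reports any Allow action that is not a Describe/List/Get verb (AWS) or any permission that is not a .list/.get verb (GCP), plus any page-required GCP permission that is missing. The action eks:ListClusters is the one the page describes; eks:DescribeCluster is an assumption, included because onboarding a cluster generally needs the endpoint that only DescribeCluster returns. The over-broad policy is constructed to show the lint catching a wildcard. The managed policies the page calls AmazonEC2ReadOnly and AmazonRDSReadOnly are published by AWS under the names AmazonEC2ReadOnlyAccess and AmazonRDSReadOnlyAccess.

```python
"""Least-privilege grants for StrongDM resource-discovery scanning nodes.

Added example, not StrongDM's own code. It embeds the custom AWS policy
that fills the EKS read-only gap, the GCP custom role from the page, and a
small lint so a defender can confirm the scanning identity holds nothing
but read/list permissions.
"""
import json
import re

# ---- AWS ------------------------------------------------------------------
# eks:ListClusters is the action the page describes; eks:DescribeCluster is
# an assumption, added because onboarding a cluster normally needs its
# endpoint and certificate, which only DescribeCluster returns.
EKS_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StrongDMDiscoveryEKSReadOnly",
            "Effect": "Allow",
            "Action": ["eks:ListClusters", "eks:DescribeCluster"],
            "Resource": "*",
        }
    ],
}

# Constructed counter-example: a policy that would also let the node mutate
# EC2; the lint below flags the wildcard.
OVERBROAD_POLICY_EXAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "eks:ListClusters"], "Resource": "*"}
    ],
}

# IAM actions whose verb is Describe/List/Get (IAM matches action names
# case-insensitively, so the regex does too).
AWS_READ_ACTION = re.compile(
    r"^[a-z0-9-]+:(Describe|List|Get)[A-Za-z0-9]*$", re.IGNORECASE
)


def aws_write_actions(policy):
    """Return every Allow action in the policy that is not a read verb.

    Wildcards such as ec2:* and NotAction statements are reported as
    offenders because they grant more than the discovery scan needs.
    """
    offenders = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            offenders.append("NotAction:" + json.dumps(stmt["NotAction"]))
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        offenders.extend(a for a in actions if not AWS_READ_ACTION.match(a))
    return offenders


# ---- GCP ------------------------------------------------------------------
# The custom role from the page, in the shape `gcloud iam roles create
# --file` accepts; title and description are placeholders.
GCP_DISCOVERY_ROLE = {
    "title": "StrongDM Resource Discovery",
    "description": "Read-only listing for StrongDM scanning gateways",
    "stage": "GA",
    "includedPermissions": [
        "resourcemanager.projects.list",
        "compute.zones.list",
        "compute.instances.list",
        "cloudsql.instances.list",
        "container.clusters.list",
    ],
}

REQUIRED_GCP_PERMISSIONS = frozenset(GCP_DISCOVERY_ROLE["includedPermissions"])
GCP_READ_SUFFIXES = (".list", ".get")


def gcp_role_problems(role):
    """Return (missing, non_read): page-required permissions the role lacks,
    and permissions in the role that are not list/get verbs."""
    perms = set(role.get("includedPermissions", []))
    missing = sorted(REQUIRED_GCP_PERMISSIONS - perms)
    non_read = sorted(p for p in perms if not p.endswith(GCP_READ_SUFFIXES))
    return missing, non_read


if __name__ == "__main__":
    # Emit the policy document for `aws iam create-policy --policy-document`.
    print(json.dumps(EKS_READ_ONLY_POLICY, indent=2))
    print("EKS policy write actions:", aws_write_actions(EKS_READ_ONLY_POLICY))
    print("Over-broad policy write actions:", aws_write_actions(OVERBROAD_POLICY_EXAMPLE))
    print("GCP role problems (missing, non_read):", gcp_role_problems(GCP_DISCOVERY_ROLE))
```

Run the script and save the printed JSON to a file to pass to `aws iam create-policy --policy-document file://<path>`, then attach that policy, together with the two managed policies, to the role on the EC2 instance(s) running your node. After attaching, `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names eks:ListClusters` confirms the role is actually allowed the action, which is the same check the Troubleshooting section asks for. For GCP, write `GCP_DISCOVERY_ROLE` out as YAML for `gcloud iam roles create`, or compare an existing role’s `includedPermissions` against `gcp_role_problems` to spot a missing or over-broad grant.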

Connectors

A connector is a set of selected nodes plus the configuration that governs how, when, and from where they discover information about your resources. You can get started with connectors by following these steps.

Set up a connector

  1. In the StrongDM Admin UI, go to the Settings > Connectors page. Here you see a list of current connectors. Select Add Connector.
  2. Select a Cloud, and then choose a Name for the connector. Ideally, the name indicates which cloud account or environment you wish to discover resources in. A Description is optional and can provide further context. Lastly, select one or more of your nodes from the Node(s) dropdown menu. These should be the nodes that you configured with read access to your cloud infrastructure in the Node Setup section above.
  3. Select a value for Crawl interval to alter the frequency at which the connector crawls your cloud infrastructure and updates your discovered resources list.
  4. Now the connector is set up. It specifies which nodes to use to run the scan and against which type of cloud. The nodes have been configured with the access they need. Your scans run automatically at whatever period of time you set your Crawl interval to be. This is the primary way to update your discovered resources list, but you can run a manual scan to start off if you don’t want to wait. Select Actions > Run Scan to run your scan. A green checkmark briefly appears in the bottom right corner of the Admin UI if the scan is successful. A red <CONNECTOR_NAME> failed message appears if it fails. The connector will show a failure message if you start a manual scan while a scan is already running. You can view a connector’s scan history by clicking on the connector name to display the connector details page.

Discovered Resources

Discovered resources are the infrastructure within your cloud provider that is found by scans you run with connectors. On the Discovered Resources page in the Admin UI, they are shown in a list with the following fields:

  • Name: Name of this discovered resource in the cloud provider (not a StrongDM resource name)
  • Cloud: Cloud provider that this resource was discovered in
  • Kind: Type of cloud service discovered
  • Tags: Tags associated with this discovered resource in the cloud provider. You may overwrite these tags when creating a managed resource from the discovered resource
  • Status:
    • Managed (onboarded as one or more resource(s) in StrongDM)
    • Unmanaged (discovered but not yet onboarded into StrongDM)
  • First Seen: Date/time stamp of when this resource was first seen in a scan
  • Last Seen: Date/time stamp of when this resource was last seen in a scan

Onboard a discovered resource

When viewing the discovered resource details, you can onboard the discovered resource to make it a managed resource in StrongDM.

  1. Select Manage Resource to begin onboarding the discovered resource.
  2. The resulting modal has the Display Name of the resource in StrongDM prefilled to be the name of the discovered resource. You will be prompted to select a Resource Type.
  3. Once you select a resource type, you are brought to the view to fill in the resource’s configuration. Some fields will be auto-filled based on discovered information about the resource. Fill in the rest of the fields appropriately. See the StrongDM resource configuration guides for more details on those fields.
  4. Once the resource configuration is complete, select Save.

Once the resource is created, you can view it under Resources in whichever subcategory (Servers, Datasources, or Clusters) is appropriate for your resource type. In the discovered resource’s detail view, the Resources tab shows a link to the managed resource within StrongDM. Note that the link between the “discovered resource” and the resource in StrongDM is broken if the discovered resource is removed from your cloud, or if the managed resource is deleted in StrongDM. See the discovered resource considerations section for more detail.

Discovered resource considerations

  • Items in the Discovered Resources view can’t be deleted through StrongDM, as they are simply the latest information gathered by scans of your infrastructure.
  • Discovered resource data in StrongDM is not authoritative. StrongDM is not the source of truth for what exists in your infrastructure, and the information that is captured is only regarding the resources that were running and that you’ve given StrongDM permission to see.
  • One discovered resource can be onboarded into many StrongDM managed resources, preserving the ability to make many resources with different credentials and permissions to provide varying levels of access to the same piece of infrastructure.
  • Currently, there is no way to automatically delete a resource in StrongDM when the linked “discovered resource” is decommissioned in the cloud and no longer located in scans.
  • The link between a scanned (discovered) resource and an onboarded resource is only the origin of the resource. It is not a continuous sync between the two. If you, for example, change the hostname of a resource to something different than that of its original discovered resource, that item in the Discovered Resources view still reports as a managed resource linked to the StrongDM resource, even if it no longer is. This also means that resources that are taken offline, removed from the list, and then added again in later scans are added as new, unlinked discovered resources.

Logs

The following logs are recorded in StrongDM regarding resource discovery:

  • Admin activities are logged when connectors are created, updated, or deleted.
  • Admin activities are logged when a discovered resource is onboarded to a StrongDM resource.
  • Node logs record events with the results of scans that they run against your cloud infrastructure. Currently, there is no Admin UI activity for scan results.

Troubleshooting

  1. Find the node(s) in the Admin UI at Networking > Gateways or Networking > Relays and check whether they are healthy.
  2. Make sure that your IAM role is attached to your node.
  3. Check that the IAM role has the required read permissions for the resource types you intend to scan for.