Resource Discovery

Resource discovery is a tool to use to locate assets in your cloud provider and then onboard them as resources in StrongDM quickly and efficiently. In StrongDM, you can configure one or more of your nodes, granting them the ability to see your cloud infrastructure. Then, you can set up a connector which uses those nodes to reach out to your cloud provider and scan for running infrastructure. This updates a list in StrongDM of all available assets within that cloud, and provides a way to onboard supported assets easily, adding them to your StrongDM organization as available resources. Resource discovery makes it significantly easier to onboard the cloud infrastructure for your organization into StrongDM, particularly if that infrastructure is extensive.

Currently, AWS is supported as a cloud provider for resource discovery. The resource types supported for discovery at this time are EC2, RDS, and EKS.

Node Setup #

The node(s) you select to use for scanning your cloud provider infrastructure must be configured with the ability to read data from your account. As an example, if you are using AWS, hosting your nodes in EC2, and scanning for EC2, RDS, and EKS resources, the following steps are required:

1. First, choose the node(s) you wish to use to scan your cloud infrastructure with read access to that infrastructure.
2. Log in to the AWS Management Console for your organization.
3. Create an IAM role and add these polices:
   • The managed policy AmazonEC2ReadOnly
   • The managed policy AmazonRDSReadOnly
   • A custom policy that you create to provide read-only access to list EKS clusters because there is not a managed policy for this.
4. Ensure that your new role is attached to your EC2 instance(s) that you run the chosen node(s) on.

Connectors #

Connectors are a collection of selected nodes and configuration for how they can discover information about your assets, when, and from where. You can get started with connectors by following these steps:

Set up a connector #

1. In the StrongDM Admin UI, go to the Settings > Connectors page. Here you see a list of current connectors. Select Add Connector.
2. Select a Cloud (AWS is currently the only supported option), and then choose a Name for the connector. Ideally, the name will indicate which cloud account or environment you wish to discover assets in. A Description is optional and can provide further context. Lastly, select one or more of your nodes from the Node(s) dropdown menu. These should be the nodes that you configured to have read access to your cloud infrastructure in step 1.
3. Select a value for Crawl interval to alter the frequency at which the connector crawls your cloud infrastructure and updates your assets list.
4. Now the connector is set up. It specifies which nodes to use to run the scan and against which type of cloud. The nodes have been configured with the access they need. Your scans run automatically at whatever period of time you set your Crawl interval to be. This is the primary way to update your assets list, but you can run a manual scan to start off if you don’t want to wait. Select Actions > Run Scan to run your scan. A green checkmark briefly appears in the bottom right corner of the Admin UI if the scan is successful. A red <CONNECTOR_NAME> failed message appears if it fails. If it was successful, you can see information in the Assets page of the Admin UI. There, the assets found by all scans of all connectors are shown.

Assets #

Assets are the infrastructure within your cloud provider that are discovered by scans that you run with connectors. Assets shown in the Admin UI on the Assets page are shown in a list with their name, tags, and status:

• Name: Name of this asset in the cloud provider (not a StrongDM resource name)
• Tags: Tags this asset has in the cloud provider (not StrongDM tags)
• Status:
  • Managed (onboarded as one or more resource(s) in StrongDM)
  • Unmanaged (discovered but not yet onboarded into StrongDM)

The list is separated into tabs that reflect asset status for filtering convenience:All, Managed, and Unmanaged.

You can also view the list of assets with the CLI command sdm admin assets list, which outputs a list of assets.

NAME:
   sdm admin assets list - list discovered assets

USAGE:
   sdm admin assets list [command options] [arguments...]

OPTIONS:
   --json, -j  output as json
   --no-tags   skip output of tags

Onboard an asset to a resource #

When viewing the asset details, you can onboard the asset to add it as an available resource in StrongDM.

1. Select Manage Asset to begin onboarding the asset as a resource.
2. The resulting modal has the Name of the resource in StrongDM prefilled to be the name of the asset. You will be prompted to select a Resource Type.
   Although the type of asset has already been detected in the scan, choosing a StrongDM resource type is still necessary. This is because for many kinds of infrastructure there are multiple StrongDM resource types available as configuration options, each reflecting a different kind of connection or authentication.
3. Once you select a resource type, you are brought to the view to fill in the resource’s configuration. Some fields will be auto-filled based on discovered information about the asset. Fill in the rest of the fields appropriately. See the StrongDM resource configuration guides for more details on those fields.
   • RDS (RDS PostgreSQL)
   • EKS (EKS or EKS (Instance Profile))
   • EC2 (Various SSH Server Resource Types)
4. Once the resource configuration is complete, select Save.

Once the resource is created, you are able to view it in Resources and whichever subcategory (Servers, Datasources, or Clusters) is appropriate for your resource type. You can also see in the source asset from which the resource was onboarded that the two are now linked. Note that the link between the asset and the resource is not durable. Changes to one will not reflect in the other after onboarding. See the asset considerations section for more detail.

Asset considerations #

• Assets can’t be deleted through StrongDM, as they are simply the latest information gathered by scans of your infrastructure.
• Asset data in StrongDM is not authoritative. StrongDM is not the source of truth for what exists in your infrastructure, and the information that is captured is only regarding the assets that were running and that you’ve given StrongDM permission to see.
• One asset can be onboarded into many resources, preserving the ability to make many resources with different credentials and permissions to provide varying levels of access to the same asset.
• Currently, there is no way to automatically delete a resource in StrongDM when the linked asset is decommissioned in the cloud.
• The link between a scanned asset and an onboarded resource is only the origin of the resource. It is not a continuous sync between the two. If you, for example, change the hostname of a resource to something different than that of its original asset, the asset still reports as a managed asset linked to the resource, even if it no longer is. This also means that assets that are taken offline, removed from the asset list, and then added again in later scans are added as new, unlinked assets.

Logs #

The following logs are recorded in StrongDM regarding resource discovery:

• Admin activities are logged when connectors are created, updated, or deleted.
• Admin activities are logged when an asset is onboarded to a resource.
• Node logs record events with the results of scans that they run against your cloud infrastructure. Currently, there is no Admin UI activity for scan results.

Troubleshooting #

1. Find the node(s) in the Admin UI at Networking > Gateways or Networking > Relays and check if it is healthy.
2. Make sure that your IAM role is attached to your node.
3. Check that the IAM role has the required read permissions for the resource types you intend to scan for.