Knowing your environment is a key factor in driving your vulnerability program. After all, you want to know where vulnerabilities increase your attack surface and you also want to avoid the risk of an unknown asset introducing vulnerabilities to your environment.
The journey starts with planning on:
- How do you want to identify your assets in AWS?
- How do you track your assets on AWS?
- We will use Resource Data Sync to gather inventory data in an S3 bucket which we can monitor and analyze. Then you will see how Resource Groups can be used to organize, manage and automate tasks on large numbers of resources at one time.
AWS Service/Feature Coverage:
- Resource Groups
Automatically Tag Amazon EC2 Resources
Tags are the building blocks of cloud resource reports and a key element of a cloud governance framework. Organizations that are most effective in their use of tags typically create business-relevant tag groupings to organize their resources along technical, business, and security dimensions.
In this exercise, you will automatically tag EC2 resources created by Auto Scaling or launched manually, in response to API events delivered by CloudWatch Events. Central IT teams can use this solution to automatically tag EC2 resources created by their users for cost management and security purposes. The AutoTag function will tag the instances with:
- Owner: IAM User
- PrincipalId: IAM User aws:userid value.
- OS type: Linux, Windows (useful in typical integrations with on-premises CMDBs)
The solution consists of a Lambda function that monitors CloudTrail API events from the EC2 and Auto Scaling services for the relevant calls. On receiving an event, the Lambda function processes the event and extracts the user identity fields, then tags the EC2 instances and related resources. It creates a tag with the key "Owner" whose value is the user name of the IAM user that launched the EC2 instances or created the Auto Scaling group.
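The following is an added example of the tagging logic described above, written for this page and not the workshop's own Lambda code. It assumes the "AWS API Call via CloudTrail" event shape that CloudWatch Events delivers to Lambda (the `detail` object carries `eventName`, `userIdentity`, `requestParameters` and `responseElements`) and that the function's role allows `ec2:CreateTags` and `autoscaling:CreateOrUpdateTags`. The sample event, instance id and principal id are constructed; the `RecordingClient` test double stands in for a boto3 client so the logic can be exercised offline.

```python
"""Auto-tag EC2 resources from CloudTrail API events delivered by CloudWatch Events.

Added example, not the workshop's code. Assumes the "AWS API Call via CloudTrail"
event shape and a role allowing ec2:CreateTags / autoscaling:CreateOrUpdateTags.
"""

RUN_INSTANCES = "RunInstances"
CREATE_ASG = "CreateAutoScalingGroup"


def owner_and_principal(user_identity):
    """Return (Owner, PrincipalId) from a CloudTrail userIdentity block.

    Owner is the IAM user name, as the workshop describes; for an assumed role the
    role session name (last ARN segment) is used so the tag is still populated.
    PrincipalId is CloudTrail's principalId, the same value IAM exposes as aws:userid.
    """
    identity_type = user_identity.get("type")
    principal_id = user_identity.get("principalId", "unknown")
    if identity_type == "IAMUser":
        owner = user_identity.get("userName", "unknown")
    elif identity_type == "AssumedRole":
        # e.g. arn:aws:sts::111122223333:assumed-role/DeployRole/ci-session
        owner = user_identity.get("arn", "").rsplit("/", 1)[-1] or "unknown"
    elif identity_type == "Root":
        owner = "root"
    else:
        owner = "unknown"
    return owner, principal_id


def tags_for_event(detail):
    """Return (resource ids to tag, tag list) for one CloudTrail event detail."""
    owner, principal_id = owner_and_principal(detail.get("userIdentity", {}))
    tags = [{"Key": "Owner", "Value": owner},
            {"Key": "PrincipalId", "Value": principal_id}]
    resources = []
    if detail.get("eventName") == RUN_INSTANCES:
        items = (detail.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
        resources = [item["instanceId"] for item in items]
        # CloudTrail reports "platform": "windows" for Windows instances and omits it for Linux.
        is_windows = any(item.get("platform") == "windows" for item in items)
        tags.append({"Key": "OS type", "Value": "Windows" if is_windows else "Linux"})
    elif detail.get("eventName") == CREATE_ASG:
        resources = [detail["requestParameters"]["autoScalingGroupName"]]
    return resources, tags


def lambda_handler(event, context, ec2=None, autoscaling=None):
    """Lambda entry point. Clients are injectable so the logic runs offline in tests."""
    detail = event.get("detail", {})
    if "errorCode" in detail:  # a failed API call created nothing to tag
        return {"tagged": []}
    resources, tags = tags_for_event(detail)
    if not resources:
        return {"tagged": []}
    if detail["eventName"] == RUN_INSTANCES:
        if ec2 is None:
            import boto3
            ec2 = boto3.client("ec2")
        ec2.create_tags(Resources=resources, Tags=tags)
    else:
        if autoscaling is None:
            import boto3
            autoscaling = boto3.client("autoscaling")
        # PropagateAtLaunch copies the tags to instances the group launches later.
        autoscaling.create_or_update_tags(Tags=[
            {"ResourceId": name, "ResourceType": "auto-scaling-group",
             "PropagateAtLaunch": True, **tag}
            for name in resources for tag in tags])
    return {"tagged": resources}


# Constructed sample event in the CloudWatch Events / CloudTrail shape.
SAMPLE_EVENT = {
    "detail": {
        "eventName": "RunInstances",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE123",
                         "userName": "alice"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0123456789abcdef0", "platform": "windows"}]}},
    }
}


class RecordingClient:
    """Test double standing in for a boto3 client; records the tagging calls."""
    def __init__(self):
        self.calls = []

    def create_tags(self, **kwargs):
        self.calls.append(kwargs)

    def create_or_update_tags(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    client = RecordingClient()
    print(lambda_handler(SAMPLE_EVENT, None, ec2=client), client.calls)
```

Two details matter in practice: events with an `errorCode` are skipped, because a denied `RunInstances` call creates no instance to tag, and assumed-role callers still get an Owner value (the session name) rather than leaving the tag empty, which keeps later tag-based grouping and cost reports complete.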
Deploy the solution
If you're running this individually in your own AWS account, launch the CloudFormation stack to set up the Auto Tagging Solution. The Deploy to AWS link (region: US East 2 (Ohio)) opens the CloudFormation console with the template preloaded; right click and open it in a new tab.
- Click Next on the Specify Template section.
- On the Specify Details step, click Next.
- Click Next on the Options section.
- Finally, under Capabilities, acknowledge that the template will create IAM roles and click Create.
This will bring you back to the CloudFormation console. Refresh the page to see the stack being created. Before moving on, make sure the stack is in the CREATE_COMPLETE state.
The solution in action
Now that you have deployed the required automation infrastructure, launch two new EC2 instances, one Windows 2016 and one Amazon Linux 2, and validate that tagging works.
Launch them without a key pair, since we are only validating that auto-tagging works.
Similarly, for the Windows instance you can see the AutoTag automation in action.
While in the console, take note of the value of the Owner tag on your EC2 instances.
Now that you know you can tag resources with a Lambda function in response to events, you can apply the same logic to other resources such as Amazon Relational Database Service (RDS) databases or S3 buckets.
Additionally, tags are useful in custom billing reports for projecting costs and determining how much each individual owner is spending. You can activate the Owner tag under Cost Allocation Tags in the billing console to include it in your detailed billing reports. For more information, see Applying Tags.
Using AWS Systems Manager Inventory with Tags
Next, we want to analyze our inventory based on tags and Resource Data Sync.
Creating a Resource Group
You can use resource groups to organize your AWS resources. Resource groups make it easier to manage and automate tasks on large numbers of resources at one time. This guide shows you how to create and manage resource groups in AWS Resource Groups.
To work with resource groups from the AWS Management Console:
- Sign in to the AWS Management Console and go to AWS Systems Manager.
- In the navigation bar, under Application Management, choose Resource Groups.
- On the Resource Groups page, click Create a resource group.
- Select AWS::EC2::Instance with the key-value pair Owner and the owner name of the instances you want to group together. Typically this might be an application ID or a layer in the stack such as web servers, app servers, etc.
- Enter a Group name for the group you are creating. A suggested name would be something like prod-Application-xyz or dev-BusinessUnit-abc.
- Click Create Group. You can now find your group under Saved Resource Groups in the navigation bar.
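The same tag-based group can be created from code, which is how a team would keep groups consistent across accounts. The block below is an added example, not the workshop's code; the group name, the Owner value and the use of boto3's `resource-groups` client are assumptions, and `DryRunClient` is a constructed stand-in so the call can be inspected offline. The detail worth knowing is that `ResourceQuery["Query"]` must be a JSON-encoded string, not a nested dict.

```python
"""Create a tag-based resource group from code, mirroring the console steps above.

Added example, not the workshop's code. Group name, Owner value and the boto3
resource-groups client are assumptions.
"""
import json

EC2_INSTANCE = "AWS::EC2::Instance"


def group_name(environment, kind, identifier):
    """Build names in the suggested form, e.g. prod-Application-xyz or dev-BusinessUnit-abc."""
    return f"{environment}-{kind}-{identifier}"


def owner_query(owner, resource_types=(EC2_INSTANCE,)):
    """ResourceQuery selecting resources of the given types whose Owner tag equals owner.

    The inner filter document is serialised to a string: the API expects Query as
    JSON text inside the ResourceQuery object, not as a nested object.
    """
    filters = {"ResourceTypeFilters": list(resource_types),
               "TagFilters": [{"Key": "Owner", "Values": [owner]}]}
    return {"Type": "TAG_FILTERS_1_0", "Query": json.dumps(filters)}


def create_owner_group(environment, kind, identifier, owner, client=None):
    """Create the group; the client is injectable so the call can be checked offline."""
    if client is None:
        import boto3
        client = boto3.client("resource-groups")
    return client.create_group(Name=group_name(environment, kind, identifier),
                               ResourceQuery=owner_query(owner))


class DryRunClient:
    """Constructed stand-in for the boto3 client: returns the request it would send."""
    def create_group(self, **kwargs):
        return kwargs


if __name__ == "__main__":
    request = create_owner_group("prod", "Application", "xyz", "alice", client=DryRunClient())
    print(json.dumps(request, indent=2))
```

Because the group is query-based, any instance that later receives the matching Owner tag (for example from the AutoTag function) joins the group automatically, with no membership list to maintain.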
Tags are a great way to organize AWS resources in the AWS Management Console. You can configure tags to be displayed with resources and can search and filter by tag. By default, the AWS Management Console is organized by AWS service. However, the Resource Groups tool allows customers to create a custom console that organizes and consolidates AWS resources based on one or more tags or portions of tags. Using this tool, customers can consolidate and view data for applications that consist of multiple services and resources in one place.
Naming Convention Recommendations
It is recommended that tag names follow the form "orgname:source:tag-name", consisting of the following components:
- "orgname:" prefix: clearly differentiates Org-defined tags from tags defined by AWS or required by third-party tools that the Org may employ.
- "source:" component: used only for tag values sourced from an integration with a data source such as the Org's Configuration Management Database (CMDB) via automation.
- "tag-name": uses a hyphen character ("-") to separate words within the name.
The tags listed below are based on numerous AWS Professional Services engagements on AWS resource governance with enterprise customers across a large variety of applications and products. They have been identified as a starting point for organizations looking to enhance governance through tagging, and should be included as inputs or preset values in CloudFormation templates.
| Tag | Description |
| --- | --- |
| Name | Standard AWS tag, displayed in the AWS Management Console. |
| orgname:entity | Identifies whether the resource is for the Organization, for the Business unit, or shared. |
| orgname:charge-code | Identifies the method by which costs will be charged back to the resource consumer. For example, there could be four request type values: "cmdbid-application", "bu-product", "project", or "direct-request". |
| orgname:aws-budget-name | Identifies the AWS Budget name for the Charge Code. |
| orgname:environment-type | Identifies whether the resource is part of a production or non-production type of environment. |
| orgname:resource-owner-email | Identifies the email address for the individual or group that owns the resource. |
For more details on tagging strategies, see AWS Tagging Strategies.
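A naming convention and a starter tag set are only useful if something enforces them. The following added example (not from the page) checks a resource's tags against the "orgname:source:tag-name" rule and the starter tags in the table: required keys present, org-prefixed keys in the hyphenated form, and plausible values for entity, environment-type, charge-code and owner email. `ORG` (the orgname prefix), the spellings used for the entity and environment-type values, and the charge-code check (value starts with one of the four request types) are assumptions a team would set for itself; both sample tag sets are constructed.

```python
"""Check a resource's tags against the naming convention and starter tag set above.

Added example, not from the page. ORG, the value spellings and the charge-code
check are assumptions; the sample tag sets are constructed.
"""
import re

ORG = "acme"  # assumed orgname prefix
REQUIRED = ["Name", f"{ORG}:entity", f"{ORG}:charge-code", f"{ORG}:aws-budget-name",
            f"{ORG}:environment-type", f"{ORG}:resource-owner-email"]
ENTITY_VALUES = {"organization", "business-unit", "shared"}  # assumed spellings
ENV_TYPES = {"production", "non-production"}                # assumed spellings
CHARGE_TYPES = ("cmdbid-application", "bu-product", "project", "direct-request")
# orgname:tag-name or orgname:source:tag-name, lowercase words separated by hyphens.
KEY_RE = re.compile(rf"^{re.escape(ORG)}:(?:[a-z0-9]+:)?[a-z0-9]+(?:-[a-z0-9]+)*$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def key_violation(key):
    """Org-prefixed keys must follow the convention; AWS and third-party keys are left alone."""
    if key.startswith(f"{ORG}:") and not KEY_RE.match(key):
        return f"key {key!r} does not follow {ORG}:[source:]tag-name"
    return None


def value_violation(key, value):
    """Value checks for the starter tags from the table."""
    if key == f"{ORG}:entity" and value not in ENTITY_VALUES:
        return f"{key}={value!r} not in {sorted(ENTITY_VALUES)}"
    if key == f"{ORG}:environment-type" and value not in ENV_TYPES:
        return f"{key}={value!r} not in {sorted(ENV_TYPES)}"
    if key == f"{ORG}:charge-code" and not value.startswith(CHARGE_TYPES):
        return f"{key}={value!r} must start with one of {CHARGE_TYPES}"
    if key == f"{ORG}:resource-owner-email" and not EMAIL_RE.match(value):
        return f"{key}={value!r} is not an email address"
    return None


def violations(tags):
    """Return a list of problems for a {key: value} tag dict; an empty list means compliant."""
    problems = [f"missing required tag {k!r}" for k in REQUIRED if k not in tags]
    for key, value in tags.items():
        for problem in (key_violation(key), value_violation(key, value)):
            if problem:
                problems.append(problem)
    return problems


# Constructed sample tag sets.
GOOD_TAGS = {
    "Name": "web-01",
    "acme:entity": "business-unit",
    "acme:charge-code": "project-4711",
    "acme:aws-budget-name": "web-platform-2024",
    "acme:environment-type": "production",
    "acme:resource-owner-email": "web-team@example.com",
    "aws:cloudformation:stack-name": "web-stack",  # AWS-defined, not subject to the convention
}
BAD_TAGS = {
    "Name": "web-02",
    "acme:Entity": "business-unit",  # wrong case, and acme:entity is therefore missing
    "acme:charge-code": "misc",
    "acme:aws-budget-name": "web-platform-2024",
    "acme:environment-type": "prod",
    "acme:resource-owner-email": "web-team",
}

if __name__ == "__main__":
    print("good:", violations(GOOD_TAGS))
    for problem in violations(BAD_TAGS):
        print("-", problem)
```

Run as a CloudFormation pre-deploy check or over `describe_instances` output, the same function flags the resources that would otherwise fall out of cost allocation reports and tag-based resource groups.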