AWS Resource Management Information
Introduction
This guide describes how supported AWS resources are discovered and managed in the Xshield platform when an AWS account is onboarded.
Core Tags
The Xshield platform supports a set of Core Tags that are used to help manage assets in the platform. When supported AWS resources such as Amazon EC2 instances are discovered, AWS resource tags (if configured) can be imported into the platform. These tags are periodically synchronized and updated in the platform as needed by the Cloud Connector.
A few examples of supported core tags that are user-configurable:
- Application: Typically used to identify parts of a cloud-based application
- Environment: Used to distinguish between types of environments (Production, Testing, Development, etc)
- Owner: Identifies the resource owner, typically a team or individual
- Role: The role of the resource in the application (Web Gateway, Web Server, Backend, etc)
Some core tags will be populated automatically by the platform, based on the type of resource:
- Category: The type of resource (Instance, Database, etc)
- Location: The AWS region where the resource is located
- Subnet: The address prefix of the subnet that the resource belongs to (when applicable)
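The following is an added example, not ColorTokens/Xshield code, showing how the core tags above can be derived from discovered resources and kept in sync. The input dicts follow the shape of the boto3 describe_instances, describe_subnets and describe_db_instances responses; the sample data, the case-insensitive tag-key matching and the helper names (core_tags_for_ec2, core_tags_for_rds, sync_core_tags) are assumptions of this example, and the region is derived from the availability-zone name (assumed standard AZ naming).

```python
"""Derive Xshield-style core tags from discovered AWS resources (added example)."""
import re

# User-configurable core tags that can be imported from AWS resource tags.
USER_CORE_TAGS = ("Application", "Environment", "Owner", "Role")
# Core tags the platform populates itself from the resource's own metadata.
AUTO_CORE_TAGS = ("Category", "Location", "Subnet")

# "us-east-1a" -> "us-east-1"; "us-gov-west-1a" -> "us-gov-west-1" (assumption: standard AZ names).
AZ_TO_REGION = re.compile(r"^(?:[a-z]+-)+\d+")

# Constructed sample data (not from a real account).
SUBNETS = {"subnet-0a1b2c3d4e5f60718": "10.0.1.0/24"}  # SubnetId -> CidrBlock

EC2_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "Placement": {"AvailabilityZone": "us-east-1a"},
    "SubnetId": "subnet-0a1b2c3d4e5f60718",
    "Tags": [
        {"Key": "Name", "Value": "web-01"},
        {"Key": "application", "Value": "storefront"},  # lowercase key still matches
        {"Key": "Environment", "Value": "Production"},
        {"Key": "Role", "Value": "Web Server"},
        {"Key": "CostCenter", "Value": "1234"},  # not a core tag; ignored
    ],
}

RDS_INSTANCE = {
    "DBInstanceIdentifier": "orders-db",
    "AvailabilityZone": "us-east-1b",
    "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-0a1b2c3d4e5f60718"}]},
    "TagList": [
        {"Key": "Owner", "Value": "payments-team"},
        {"Key": "Environment", "Value": "Production"},
    ],
}


def region_from_az(az):
    """Strip the zone suffix from an availability-zone name to get the region."""
    match = AZ_TO_REGION.match(az)
    if not match:
        raise ValueError(f"unrecognised availability zone: {az}")
    return match.group(0)


def user_core_tags(aws_tags):
    """Pick the user-configurable core tags out of an AWS tag list (keys matched case-insensitively)."""
    wanted = {name.lower(): name for name in USER_CORE_TAGS}
    result = {}
    for tag in aws_tags or []:
        core_name = wanted.get(tag["Key"].lower())
        if core_name and tag["Value"]:
            result[core_name] = tag["Value"]
    return result


def core_tags_for_ec2(instance, subnets=SUBNETS):
    """Core tags for an EC2 instance: imported user tags plus Category/Location/Subnet."""
    tags = user_core_tags(instance.get("Tags"))
    tags["Category"] = "Instance"
    tags["Location"] = region_from_az(instance["Placement"]["AvailabilityZone"])
    subnet_cidr = subnets.get(instance.get("SubnetId"))
    if subnet_cidr:  # Subnet only applies when the prefix is known
        tags["Subnet"] = subnet_cidr
    return tags


def core_tags_for_rds(db, subnets=SUBNETS):
    """Core tags for an RDS instance; a DB subnet group may span several subnets."""
    tags = user_core_tags(db.get("TagList"))
    tags["Category"] = "Database"
    tags["Location"] = region_from_az(db["AvailabilityZone"])
    members = db.get("DBSubnetGroup", {}).get("Subnets", [])
    cidrs = [subnets[s["SubnetIdentifier"]] for s in members if s["SubnetIdentifier"] in subnets]
    if cidrs:
        tags["Subnet"] = ",".join(cidrs)
    return tags


def sync_core_tags(current, discovered):
    """Return the updates a periodic sync would apply to the platform's copy of the tags.

    A user tag removed in AWS shows up as None so the platform can clear it;
    auto-populated tags are simply recomputed from the resource.
    """
    updates = {}
    for key in USER_CORE_TAGS + AUTO_CORE_TAGS:
        if current.get(key) != discovered.get(key):
            updates[key] = discovered.get(key)
    return updates


if __name__ == "__main__":
    print(core_tags_for_ec2(EC2_INSTANCE))
    print(core_tags_for_rds(RDS_INSTANCE))
```

Tags that are not core tags (such as the constructed CostCenter) are left out, and a missing Owner tag is simply absent rather than defaulted, so a sync never invents ownership.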
Assets
Supported assets in the AWS account will be discovered by the Cloud Connector and periodically synchronized to the Xshield platform. New assets that come online after the original onboarding process will be automatically added to the platform, and assets that are removed from the account will also be removed from the Xshield platform.
Currently, the Cloud Connector supports the following types of assets in AWS:
- Amazon EC2
- Amazon RDS
- Amazon API Gateway
- AWS Lambda
- Amazon S3
- Amazon DynamoDB
For more information on how assets are managed in the Xshield platform, see the Assets documentation.
Security Groups -> Xshield Templates
AWS Security Groups that are attached to workloads (for example, EC2 instances through their network interfaces) can be imported into Xshield as Templates.
These templates will automatically be associated with the corresponding assets in the platform during the onboarding process, and will be continuously monitored for any changes to Security Group rules.
- Inbound rules: Sources for inbound Security Group rules are mapped to inbound paths in the corresponding template
- Outbound rules: Destinations for outbound Security Group rules are mapped to outbound paths in the corresponding template
AWS Prefix Lists -> Xshield Named Networks
AWS managed prefix lists represent sets of IPv4/IPv6 address prefixes that can be referenced in Security Group rules.
During onboarding, prefix lists referenced by Security Group rules can be discovered and imported into Xshield as Named Networks, and will be associated with the corresponding Template Rule.
Some prefixes may have special handling in the Xshield platform:
- Internet: Public IP destinations may be associated with the default "Internet (Public)" Named Network
- VPC CIDRs: VPC and subnet CIDR ranges may be represented as named networks to support clearer policy authoring
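The following is an added example, not ColorTokens/Xshield code, covering both the Security Group to Template mapping and the prefix-list and special-prefix handling described above: inbound rule sources become inbound paths, outbound rule destinations become outbound paths, prefix list IDs resolve to Named Networks, public CIDRs map to the default "Internet (Public)" Named Network, and CIDRs inside a known VPC map to a VPC named network. The input follows the shape of the boto3 describe_security_groups and describe_managed_prefix_lists responses; the sample data, the path/Named Network naming and the helpers (security_group_to_template, template_changes) are assumptions of this example. template_changes goes slightly beyond the text by showing how rule drift between two snapshots can be detected.

```python
"""Map AWS Security Group rules onto Xshield-style template paths (added example)."""
from ipaddress import ip_network

INTERNET_PUBLIC = "Internet (Public)"  # default Named Network name from the page
PRIVATE_RANGES = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample data (not from a real account).
VPC_CIDRS = ["10.0.0.0/16"]
PREFIX_LISTS = {"pl-0123456789abcdef0": "corp-offices"}  # PrefixListId -> PrefixListName
SECURITY_GROUP = {
    "GroupId": "sg-0abc0abc0abc0abc0",
    "GroupName": "web-tier",
    "IpPermissions": [  # inbound rules
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [],
         "PrefixListIds": [{"PrefixListId": "pl-0123456789abcdef0"}], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [  # outbound rules
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.2.0/24"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",  # all traffic to another security group
         "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0def0def0def0def0"}]},
    ],
}


def classify_cidr(cidr, vpc_cidrs=VPC_CIDRS):
    """Decide how a CIDR in a rule is represented: VPC named network, plain private CIDR, or Internet."""
    net = ip_network(cidr, strict=False)
    for vpc in vpc_cidrs:
        vpc_net = ip_network(vpc)
        if vpc_net.version == net.version and net.subnet_of(vpc_net):
            return ("named_network", f"VPC {vpc}")
    if any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_RANGES):
        return ("cidr", str(net))
    return ("named_network", INTERNET_PUBLIC)  # anything not private is treated as public


def service(perm):
    """Protocol and port range of a rule; IpProtocol "-1" means all traffic."""
    if perm["IpProtocol"] == "-1":
        return ("any", None, None)
    return (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))


def endpoints(perm, prefix_lists=PREFIX_LISTS):
    """All sources/destinations referenced by one rule, each as (kind, value)."""
    eps = [classify_cidr(r["CidrIp"]) for r in perm.get("IpRanges", [])]
    eps += [classify_cidr(r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
    for r in perm.get("PrefixListIds", []):  # prefix list -> Named Network (fall back to the id)
        eps.append(("named_network", prefix_lists.get(r["PrefixListId"], r["PrefixListId"])))
    for r in perm.get("UserIdGroupPairs", []):  # reference to another group -> its template
        eps.append(("template", r["GroupId"]))
    return eps


def security_group_to_template(sg, prefix_lists=PREFIX_LISTS):
    """Build a template: inbound sources -> inbound paths, outbound destinations -> outbound paths."""
    template = {"name": sg["GroupName"], "source_group": sg["GroupId"], "inbound": [], "outbound": []}
    for perm in sg.get("IpPermissions", []):
        proto, lo, hi = service(perm)
        for kind, value in endpoints(perm, prefix_lists):
            template["inbound"].append({"protocol": proto, "from_port": lo, "to_port": hi,
                                        "source_kind": kind, "source": value})
    for perm in sg.get("IpPermissionsEgress", []):
        proto, lo, hi = service(perm)
        for kind, value in endpoints(perm, prefix_lists):
            template["outbound"].append({"protocol": proto, "from_port": lo, "to_port": hi,
                                         "destination_kind": kind, "destination": value})
    return template


def template_changes(old, new):
    """Paths added or removed between two snapshots, i.e. Security Group rule drift."""
    def paths(t, direction):
        return {tuple(sorted(p.items())) for p in t[direction]}
    return {d: {"added": paths(new, d) - paths(old, d), "removed": paths(old, d) - paths(new, d)}
            for d in ("inbound", "outbound")}


if __name__ == "__main__":
    import json
    print(json.dumps(security_group_to_template(SECURITY_GROUP), indent=2))
```

A prefix list whose name is unknown keeps its pl- id as the Named Network name rather than being dropped, so a template never silently loses a path; template_changes is what a periodic monitor would run on the previous and current snapshots to surface added or removed rules.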