Best Practices in Cloud Discovery

Suvetha S
Tera Contributor

Hi All

I would like to know the best practices in implementing Cloud Discovery. I have a few questions regarding the same.

1. How to determine the number of MID servers required for each cloud provider?

2. What is the best practice in setting up AWS credentials? In the product documentation, I could see 4 different approaches for account setup.

3. What are the best practices in creating Discovery Schedules, like frequency, no. of cloud resources & VMs targeted for each schedule, etc.?


Ram Devanathan1
ServiceNow Employee

@Suvetha S wrote:

Hi All

I would like to know the best practices in implementing Cloud Discovery. I have a few questions regarding the same.

1. How to determine the number of MID servers required for each cloud provider?

2. What is the best practice in setting up AWS credentials? In the product documentation, I could see 4 different approaches for account setup.

3. What are the best practices in creating Discovery Schedules, like frequency, no. of cloud resources & VMs targeted for each schedule, etc.?


Cloud discovery can be heavily curtailed by API query limits set by the cloud provider. Having more MIDs will mean more parallel requests being sent to the cloud, so don't have more MIDs in general. We have seen that having 1 MID, or 2 max, is enough for very large environments.


There are multiple approaches depending on your needs, but each has a different purpose. The oldest and simplest to set up for small environments is via credentials, but if you prefer to go credential-less then use instance profiles assigned to the MID's compute VM running in EC2. With the latest Tokyo patches we also support MID clustering.


For larger setups with a master account and multiple members (10+ member accounts), you need to adopt the org assume-role or cross assume-role. These are the available approaches, each available for different setup approaches; you can pick the one that suits your needs.


For cloud resource discovery schedules there's no real limit on the number of resources, and it might even be impossible to do something like breaking this down by schedules. I would recommend restricting schedules to just the relevant regions, e.g. if a customer only uses the US and India regions, then select only these.

Hello Ram, I have a question regarding the MID server access. For GCP and Azure it seems easy to provide a credential with organizational permissions to access the cloud and perform a scan; you can use an on-prem MID server instead of one MID server deployed in the cloud.


It is different in the case of AWS, where I can see we can request credentials with organizational role permissions to configure, but most of the people and the documentation I read about AWS do not talk about this. I only see configurations using IAM roles being assigned to the EC2 instance running the MID server. This is something that forces you to have the MID server in the cloud.

ServiceNow documentation has a short note saying that if you use Credentials you don't need to have the MID inside the cloud, meaning there is no need for EC2.


Can you please provide some guidance?

Thank you!

If you are using Credentials then, like GCP and Azure, you can use the on-prem MID server with AWS capabilities set.
If you don't have credentials then you need a MID on the cloud, i.e. an EC2 MID.

FLP1
Tera Contributor

Hello Aarti6, thank you for your reply. What do you mean with "unlike GCP and Azure"? For them you can also use on-prem MID servers with their suitable capabilities. It does come to my attention that most of the documentation and articles I see for AWS use IAM roles instead of the credential to access it...

If it is easier to do it that way, why do extra configuration using IAM roles?