The AWS Account Filter section of the Amazon Web Services (AWS) Setup page lets you configure Organization-level Discovery jobs on an AWS platform. These jobs let you run Discovery on all accounts in an Organization, as long as all AWS infrastructure nodes are under the same Organization.
- For more details on setting up AWS infrastructure, roles, and permissions to allow for Organization-level Discovery, see Setting up and running AWS Organization-level discovery jobs.
- For more details on setting up and running an Organization-level Discovery job in Cloud Discovery & Visibility (CDV), see Running AWS Organization-level discovery jobs.
Account tags are metadata that a system administrator adds to an account. Account tags are completely customizable, with a user-defined key name and value, and are typically specific to the needs of a network's owner and administrator.
AWS Account Filter settings
To access these options, in the CDV banner, click AWS, then click the Setup tab and scroll down to AWS Account Filter.
The AWS Account Filter section of the AWS Setup page has the following settings.
Field/Option | Description |
---|---|
Discovery for Organization | Tick this checkbox to enable Organization-level Discovery jobs. If this checkbox is cleared, CDV will assume that Discovery jobs are not to be run at the Organization level. All other fields in the AWS Account Filter section will be disabled. |
Role name used for Discovery Organization | The name of the user or role that you configured for CDV to use with the Organization. This should be the user or role with the AssumeRole permission. For more details on setting up this role, see Setting up and running AWS Organization-level discovery jobs. |
Account filter settings
Remaining fields in this section let you apply various filters to the accounts on which Discovery will be run. CDV includes an account in discovery only if it satisfies all filters for which a value or setting is specified.
Field/Option | Description |
---|---|
AWS Account Organizational Unit | Click the AWS account organizational unit field, then select checkboxes for the OUs on whose accounts you want to run discovery. If a desired OU doesn't appear, you can refresh the list by clicking the Re-fetch Organizational Units from cloud button. Depending on the complexity of your AWS infrastructure, refreshing the list can take several minutes. Note: Organizational Unit (OU) selections do not cascade. If you include an Organizational Unit (OU) in your selection, only accounts directly within that OU will be included in discovery. If that OU contains additional OUs, accounts in those additional OUs will not be included. (To include those child OUs, make sure you also select their checkboxes in the list.) |
Show Account Name Filter and Account Tags | If checked, the Discovery job will include only accounts with a specific name or pattern, and that satisfy certain Account Tag specifications. Ticking this checkbox displays additional fields in the AWS Account Filter section. |
AWS Account Name Filter | (Available only if Show Account Name Filter and Account Tags is ticked.) The account name filter to apply to accounts in the Organization. If Show Account Name Filter and Account Tags is checked, Discovery will include only accounts whose name fits this pattern. Within the name filter, you can use If you leave this filter blank, CDV ignores the account name when choosing accounts to include. |
Include Tags, Tag Name, Tag Value | If Include Tags is checked, the Discovery job will include only accounts that have at least one of a specified set of AWS Tags with specified values. To include accounts with a specific AWS Tag and Tag value (these fields appear only when Include Tags is checked): You cannot enter multiple Tag-Value pairs with the same Tag name. Tag names and values can use only alphanumeric characters. If you enter a Tag Name but leave the value blank, the filter will include accounts that have an empty value for that tag. (To include an empty value in a list of multiple tag values, use an empty space between commas: Tags and values included in Discovery are listed below the Tag Name and Tag Value fields. To remove a tag from the list, click the Remove link next to it. If you do not enter any tags, CDV ignores account tags when choosing accounts to include. |
Exclude Tags, Tag Name, Tag Value | If Exclude Tags is checked, the Discovery job will exclude accounts that have at least one of a specified set of AWS Tags with specified values. Discovery will not be run on excluded accounts. An account that has an AWS Tag from the Exclude list (with a specified value) will always be excluded. This will override any other inclusion criteria. Note: You cannot specify the same Tag and Value in both the Include list and Exclude list. If an account has multiple Tag-Value pairs where some are in the "Include" list and some in the "Exclude" list, all the Tag-Value pairs will be excluded. To exclude accounts with a specific AWS Tag and value (these fields appear only when Exclude Tags is checked): You cannot enter multiple Tag-Value pairs with the same Tag name. Tag names and values can use only alphanumeric characters. If you enter a Tag Name but leave the value blank, the filter will exclude accounts that have an empty value for that tag. (To include an empty value in a list of multiple tag values, use an empty space between commas: Tags and values that you exclude from Discovery are listed below the Tag Name and Tag Value fields. To remove a tag from the list, click the Remove link next to it. |
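
The filter rules in the table above can leave accounts outside discovery without any error, most easily through the non-cascading OU selection. The following is an added example, not CDV code: a small Python model of those rules that reports why each account is or is not covered. The account records, OU names and tag values are constructed sample data, and the account name filter is left out because its pattern syntax is not shown on this page.

```python
# Added example: a model of the filter rules described above, not CDV code.
# Tag rules map a tag name to the set of accepted values ("" = empty value).

def has_listed_tag(account_tags, rules):
    """True if the account carries at least one listed tag with a listed value."""
    return any(account_tags.get(name) in values for name, values in rules.items())

def discovery_decision(account, selected_ous, include_tags=None, exclude_tags=None):
    """Return the reason an account is or is not discovered."""
    # An Exclude match overrides every inclusion criterion.
    if exclude_tags and has_listed_tag(account["tags"], exclude_tags):
        return "skipped: exclude tag"
    # OU selections do not cascade: only the directly containing OU counts.
    if selected_ous and account["ou"] not in selected_ous:
        return "skipped: OU not selected"
    # Include needs at least one listed tag/value; an empty rule set is ignored.
    if include_tags and not has_listed_tag(account["tags"], include_tags):
        return "skipped: no include tag"
    return "included"

def coverage_report(accounts, selected_ous, include_tags=None, exclude_tags=None):
    """Map each account name to its decision, to review coverage gaps."""
    return {a["name"]: discovery_decision(a, selected_ous, include_tags, exclude_tags)
            for a in accounts}

# Constructed sample data: OU "Prod" contains a child OU "ProdPayments".
ACCOUNTS = [
    {"name": "prodweb", "ou": "Prod", "tags": {"env": "prod"}},
    {"name": "payments", "ou": "ProdPayments", "tags": {"env": "prod"}},
    {"name": "legacy", "ou": "Prod", "tags": {"env": "prod", "decommissioned": "true"}},
    {"name": "untagged", "ou": "Prod", "tags": {}},
    {"name": "blankenv", "ou": "Prod", "tags": {"env": ""}},
]
INCLUDE = {"env": {"prod", ""}}          # tag env with value "prod" or empty
EXCLUDE = {"decommissioned": {"true"}}

if __name__ == "__main__":
    for name, reason in coverage_report(ACCOUNTS, {"Prod"}, INCLUDE, EXCLUDE).items():
        print(f"{name:10} {reason}")
```

Selecting only "Prod" leaves the account in the child OU undiscovered; adding "ProdPayments" to the selection brings it into scope.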