Running AWS Organization-level discovery and visibility - Adaptive Applications - BlueCat Gateway - 25.3

After setting up credentials in Cloud Discovery & Visibility (CDV) (see Setting up AWS credentials for Organization-level discovery in Cloud Discovery & Visibility), you can set up and run Organization-level discovery and visibility on AWS infrastructures (running discovery and visibility on some or all accounts in the Organization).

To finish setup for Organization-level discovery or visibility and run it:

1. If you haven't already done so, open the Credentials settings for the Schedule managers or Visibility managers that you're configuring:

   1. In CDV, click the Discovery or Visibility tab (if the page you want isn't already open).

   2. In the Discovery or Visibilty tab, tick the checkboxes for the managers whose credentials you want to edit. Then, at the top of the table, click Actions, then Update credentials.

      For more details on finding and filtering the list of jobs, see Searching, filtering, and viewing items in tables.

   Tip: Credentials settings are also available (along with other settings) when creating a new Discovery or Visibility. Click the Credentials tab if doing so.

2. Click AWS Account Filter to open the Account Filters section.

3. To run discovery on all current and future organizational units (OUs) that match the filter you're about to specify, tick Select all organization units.

4. Configure the filter settings used to determine whether or not an AWS Account is included in discovery.

   When configuring filters, you can specify individual organizational units, you can set up an account name filter, and you can specify matching AWS tags. If you don't want to use a particular filter type, leave it empty.

   Note: CDV includes an account in discovery only if it satisfies all filters for which a value or setting is specified. For example, if you leave all AWS Account Tag fields empty, but specify the following:

   • In AWS Account organizational unit, you select an OU named merchant-ou.

   • In Account Name Filter, you enter marketing*

   Then an AWS Account named marketing-web (which satisfies the Account Name Filter) would be included only if its parent OU is merchant-ou. Its AWS Account Tags are ignored.

   Available filter settings are as follows:

   Field/Option	Description
   Select all organizational units	If ticked, CDV will run discovery on all current organization units (OUs) as well as future units that match the specified account name filters.
   AWS Account organizational units	(Configurable only if Select all organization units is cleared.) Click in the AWS account organizational unit field, then select checkboxes for the OUs on whose accounts you want to run discovery. If a desired OU doesn't appear, you can refresh the list by clicking the Fetch Organizational units from cloud for filtering button. Depending on the complexity of your AWS infrastructure, refreshing the list can take several minutes. Note: Organizational Unit (OU) selections do not cascade. If you include an Organizational Unit (OU) in your selection, only accounts directly within that OU will be included in discovery. If that OU contains additional OUs, accounts in those additional OUs will not be included. (To include those child OUs, make sure you also select their checkboxes in the list.)
   Show account name filter and account tags	If checked, the Discovery will include only accounts with a specific name or pattern, and that satisfy certain Account Tag specifications. Ticking this checkbox displays additional fields in the AWS Account Filter section.
   AWS account name filter	(Available only if Show account name filter and accounts tags is ticked.) The account name filter to apply to accounts in the Organization. If Show account name filter and account tags is checked, Discovery will include only accounts whose name fits this pattern. Within the name filter, you can use * as a wildcard character. For example, a name filter of marketing* would include accounts named marketing-admin, marketing-web, and marketingcustplan. You can use * wildcards in any spot in the name filter (not just at the beginning or end). If you leave this filter blank, CDV ignores the account name when choosing accounts to include..
   Include tags Tag name Tag value	(Available only if Show account name filter and accounts tags is ticked.) If Include Tags is checked, the Discovery will include only accounts that have at least one of a specified set of AWS Tags with specified values. To include accounts with a specific Tag name and value: In Tag Name, enter the AWS Tag name. In Tag Value, enter the values that the Tag name should have in order to be included in Discovery. To enter multiple values, separate them with commas. Note: You cannot specify the same Tag and Value in both the Include list and Exclude list. Click Add. You cannot enter multiple Tag-Value pairs with the same Tag name. Tag names and values can use only alphanumeric characters. If you enter a Tag Name but leave the value blank, the filter will include accounts that have an empty value for that tag. (To include an empty value in a list of multiple tag values, use an empty space between commas: value1,,value2) Tags and values included in Discovery are listed below the Tag name and Tag value fields. To remove a tag from the list, click the remove button (X) next to it. If you do not enter any tags, CDV ignores account tags when choosing accounts to include.
   Exclude tags Tag name Tag value	(Available only if Show account name filter and accounts tags is ticked.) If Exclude tags is checked, the Discovery operation will exclude accounts that have at least one of a specified set of AWS Tags with specified values. Discovery will not be run on excluded accounts. An account that has an AWS Tag from the Exclude list (with a specified value) will always be excluded. This will override any other inclusion criteria. Note: You cannot specify the same Tag and Value in both the Include list and Exclude list. If an account has multiple Tag-Value pairs where some are in the "Include" list and some in the "Exclude" list, all the Tag-Value pairs will be excluded. To exclude accounts with a specific AWS Tag and value (these fields appear only when Exclude tags is checked): In Tag name, enter the AWS Tag name. In Tag value, enter the values that the Tag name should have in order to be excluded from Discovery. To enter multiple values, separate them with commas. Click Add. You cannot enter multiple Tag-Value pairs with the same Tag name. Tag names and values can use only alphanumeric characters. If you enter a Tag Name but leave the value blank, the filter will exclude accounts that have an empty value for that tag. (To include an empty value in a list of multiple tag values, use an empty space between commas: value1,,value2) Tags and values that you exclude from Discovery are listed below the Tag name and Tag value fields. To remove a tag from the list, click the remove button (X) next to it.

5. Continue configuring the discovery or visibility job as you normally would. For more details, see AWS job settings: Discovery options.