Running AWS Organization-level discovery jobs - Adaptive Applications - BlueCat Gateway - 24.1.1

Cloud Discovery & Visibility Administration Guide

Product name
BlueCat Gateway

After setting up cross-account credentials in Cloud Discovery & Visibility (CDV) so that CDV can use a user or role with the AssumeRole permission (see Setting up AWS credentials for Organization-level discovery jobs in Cloud Discovery & Visibility), you can set up and run Organization-level Discovery jobs on AWS infrastructures (running discovery on some or all accounts in the Organization).

Tip: For more details on setting up AWS discovery jobs in general, see AWS Discovery Options.

To set up Organization-level Discovery jobs:

  1. If you haven't already done so, start CDV and go to the AWS Discovery page. (In the CDV banner, click the AWS tab, then click Discovery.)

  2. In the AWS Account Filter section, select the Discovery for Organization checkbox.

  3. In Role Name used for Discovery Organization, enter the name of the user or role that you configured earlier (with the AssumeRole permission).

    Tip: In the earlier steps for creating this role, the example name was cdvrole.

  4. Configure the filters used to determine whether or not an AWS Account is included in discovery.

    You can specify individual organizational units, you can set up an account name filter, and you can specify matching AWS tags. If you don't want to use one of the three filter types, leave it empty.

    Note: CDV includes an account in discovery only if it satisfies all filters for which a value or setting is specified. For example, if you leave all AWS Account Tag fields empty, but specify the following:
    • In AWS Account organizational unit, you select an OU named merchant-ou.
    • In Account Name Filter, you enter marketing*
    Then an AWS Account named marketing-web (which satisfies the Account Name Filter) would be included only if its parent OU is merchant-ou. Its AWS Account Tags are ignored.

    Available filters are as follows:

    Field/Option Description
    AWS Account Organizational Unit

    Click the AWS account organizational unit field, then select checkboxes for the OUs on whose accounts you want to run discovery.

    If a desired OU doesn't appear, you can refresh the list by clicking the Re-fetch Organizational Units from cloud button. Depending on the complexity of your AWS infrastructure, refreshing the list can take several minutes.

    Note: Organizational Unit (OU) selections do not cascade. If you include an Organizational Unit (OU) in your selection, only accounts directly within that OU will be included in discovery. If that OU contains additional OUs, accounts in those additional OUs will not be included. (To include those child OUs, make sure you also select their checkboxes in the list.)
    Show Account Name Filter and Account Tags

    If checked, the Discovery job will include only accounts with a specific name or pattern, and that satisfy certain Account Tag specifications. Ticking this checkbox displays additional fields in the AWS Account Filter section.
    AWS Account Name Filter

    (Available only if Show Account Name Filter and Account Tags is ticked.)

    The account name filter to apply to accounts in the Organization. If Show Account Name Filter and Account Tags is checked, Discovery will include only accounts whose name fits this pattern.

    Within the name filter, you can use * as a wildcard character. For example, a name filter of marketing* would include accounts named marketing-admin, marketing-web, and marketingcustplan. You can use * wildcards in any spot in the name filter (not just at the beginning or end).

    If you leave this filter blank, CDV ignores the account name when choosing accounts to include.

    Include Tags

    Tag Name

    Tag Value

    If Include Tags is checked, the Discovery job will include only accounts that have at least one of a specified set of AWS Tags with specified values.

    To include accounts with a specific AWS Tag and Tag value (these fields appear only when Include Tags is checked):

    1. In Tag Name, enter the AWS Tag name.

    2. In Tag Value, enter the values that the Tag name should have in order to be included in Discovery. To enter multiple values, separate them with commas.

      Note: You cannot specify the same Tag and Value in both the Include list and Exclude list.

    3. Click Add.

    You cannot enter multiple Tag-Value pairs with the same Tag name. Tag names and values can use only alphanumeric characters. If you enter a Tag Name but leave the value blank, the filter will include accounts that have an empty value for that tag. (To include an empty value in a list of multiple tag values, leave nothing between two consecutive commas: value1,,value2)

    Tags and values included in Discovery are listed below the Tag Name and Tag Value fields. To remove a tag from the list, click the Remove link next to it.

    If you do not enter any tags, CDV ignores account tags when choosing accounts to include.

    Exclude Tags

    Tag Name

    Tag Value

    If Exclude Tags is checked, the Discovery job will exclude accounts that have at least one of a specified set of AWS Tags with specified values. Discovery will not be run on excluded accounts.

    An account that has an AWS Tag from the Exclude list (with a specified value) will always be excluded. This will override any other inclusion criteria.

    Note: You cannot specify the same Tag and Value in both the Include list and Exclude list. If an account has multiple Tag-Value pairs where some are in the "Include" list and some in the "Exclude" list, the Exclude match wins and the account is excluded.

    To exclude accounts with a specific AWS Tag and value (these fields appear only when Exclude Tags is checked):

    1. In Tag Name, enter the AWS Tag name.

    2. In Tag Value, enter the values that the Tag name should have in order to be excluded from Discovery. To enter multiple values, separate them with commas.

    3. Click Add.

    You cannot enter multiple Tag-Value pairs with the same Tag name. Tag names and values can use only alphanumeric characters. If you enter a Tag Name but leave the value blank, the filter will exclude accounts that have an empty value for that tag. (To include an empty value in a list of multiple tag values, leave nothing between two consecutive commas: value1,,value2)

    Tags and values that you exclude from Discovery are listed below the Tag Name and Tag Value fields. To remove a tag from the list, click the Remove link next to it.

  5. Continue configuring the discovery job as normal. For more details, see AWS Discovery Options.
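The rules in step 4 (filters are ANDed, OU selections do not cascade, * is a wildcard anywhere in the name filter, an Include-tag list needs only one hit, and an Exclude-tag hit always wins) are easy to misjudge when deciding which accounts a job will touch. The following Python model, added here as an illustration and not BlueCat's own code, applies those rules to a constructed inventory so you can dry-run a filter before giving it to CDV. It assumes that name matching is case-sensitive and that "parent OU" means the OU an account sits directly in; the account names, OU names and tags are made up for the example.

```python
"""Model of CDV Organization-level account selection (added example, not BlueCat code).

Assumptions: name matching is case-sensitive; an account's parent_ou is the OU it
sits directly in (OU selections do not cascade, as the guide states).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    parent_ou: str
    tags: dict = field(default_factory=dict)  # AWS tag name -> tag value


@dataclass
class AccountFilter:
    ous: set = field(default_factory=set)             # selected OUs; empty = ignore OU
    name_pattern: str = ""                            # '*' wildcard; empty = ignore name
    include_tags: dict = field(default_factory=dict)  # tag name -> set of accepted values
    exclude_tags: dict = field(default_factory=dict)  # tag name -> set of excluded values


def parse_tag_values(text: str) -> set:
    """Split a comma-separated Tag Value field; 'value1,,value2' yields an empty value."""
    return {v.strip() for v in text.split(",")}


def name_matches(pattern: str, name: str) -> bool:
    """Translate the UI's '*' wildcard (allowed anywhere in the pattern) to a regex."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def validation_errors(f: AccountFilter) -> list:
    """Return the problems the UI refuses: non-alphanumeric tag text, and a
    Tag/Value pair present in both the Include and Exclude lists."""
    errors = []
    for tag_list in (f.include_tags, f.exclude_tags):
        for tag, values in tag_list.items():
            for text in [tag, *values]:
                if text and not text.isalnum():
                    errors.append(f"tag text must be alphanumeric: {text!r}")
    for tag, values in f.include_tags.items():
        clash = values & f.exclude_tags.get(tag, set())
        if clash:
            errors.append(f"tag {tag!r} value(s) {sorted(clash)} in both Include and Exclude")
    return errors


def tag_hit(account: Account, tag_list: dict) -> bool:
    """True if the account carries at least one listed tag with a listed value."""
    return any(tag in account.tags and account.tags[tag] in values
               for tag, values in tag_list.items())


def is_included(account: Account, f: AccountFilter) -> bool:
    """Apply every configured filter (AND); an Exclude-tag hit always wins."""
    if tag_hit(account, f.exclude_tags):
        return False
    if f.ous and account.parent_ou not in f.ous:
        return False
    if f.name_pattern and not name_matches(f.name_pattern, account.name):
        return False
    if f.include_tags and not tag_hit(account, f.include_tags):
        return False
    return True


def select_accounts(accounts: list, f: AccountFilter) -> list:
    """Names of the accounts a job with filter f would discover, in inventory order."""
    errors = validation_errors(f)
    if errors:
        raise ValueError("; ".join(errors))
    return [a.name for a in accounts if is_included(a, f)]


# Constructed sample inventory (hypothetical accounts, OUs and tags).
SAMPLE_ACCOUNTS = [
    Account("marketing-web", "merchant-ou", {"env": "prod"}),
    Account("marketing-admin", "merchant-ou", {"env": "dev"}),
    Account("marketingcustplan", "finance-ou", {"env": "prod"}),
    Account("sales-web", "merchant-ou", {"env": "prod"}),
    Account("marketing-sandbox", "merchant-ou", {"env": "prod", "cdv": "skip"}),
    Account("marketing-legacy", "merchant-ou", {"env": ""}),
]

if __name__ == "__main__":
    # The guide's own example: OU merchant-ou plus name filter marketing*, no tags.
    base = AccountFilter(ous={"merchant-ou"}, name_pattern="marketing*")
    print("OU + name:", select_accounts(SAMPLE_ACCOUNTS, base))
    # Add an Exclude tag (cdv=skip) and an Include tag (env=prod or empty).
    full = AccountFilter(ous={"merchant-ou"}, name_pattern="marketing*",
                         include_tags={"env": parse_tag_values("prod,,")},
                         exclude_tags={"cdv": {"skip"}})
    print("with tags:", select_accounts(SAMPLE_ACCOUNTS, full))
```

Note that marketingcustplan matches the name filter but is dropped because it sits in finance-ou, which is exactly the behaviour the Note in step 4 describes; if merchant-ou had child OUs, their accounts would also be dropped unless those OUs were selected too.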