Discovery enables security administrators a continuous view into their cloud deployment
- Inventory - shows contextual information about cloud assets. This is used to build dynamic cloud aware security policies.
- DNS queries - DNS queries from your workloads using AWS Route 53 logs
- VPC flow logs - meta-data of traffic flows from AWS VPC flow logs
Enabling DNS queries and VPC flow logs discovery are optional. Enabling them will allow Valtix Controller to provide better visibility on your traffic pattern by combing this with inventory and threat intelligence.
To enable discovery of assets in your Cloud Account:
- Navigate to Manage -> Accounts
- Select the checkbox next to the Cloud Account and click Manage Inventory
- Select the Regions where you have cloud assets that you would wish Valtix to discover.
- Click Finish to save.
- To review the discovered assets: go to Manage -> Inventory. If you deploy a new instance or update a tag, you should see the discovered changes within few seconds.
The refresh interval is the time in minutes after which the inventory is refreshed (recommended default of 60 min). Valtix also performs continuous discovery using Cloud Provider APIs and Events (instead of a regular poll). The refresh time interval specified here is for a full re-crawl. This reconciles all assets for any missed events during real time discovery. Different refresh intervals can be defined for different Regions by adding a new row and selecting the desired Regions. A Region can belong to a single refresh interval only.
Enable DNS Log Discovery¶
If you provided a S3 Bucket during the stack creation from the CloudFormation template in the previous section, a S3 bucket is created by the template that acts as the destination for the Route53 Query Logs. The VPCs that are monitored for the DNS query logs must be added manually.
- On AWS Console go to the Route53 Query Logging
- Select the Query Logger created by the template (Look for the logger with the Prefix name provided in the template)
- Select and add all the VPCs for which you want to get the traffic insights
- Click Log queries for VPCs or Add VPC under the VPCs that queries are logged for section
- Select all the VPCs and click Choose
Enable VPC Flow Logs¶
If you provided a S3 Bucket during the stack creation from the CloudFormation template in the previous section, a S3 bucket is created by the template that acts as the destination for the VPC Flow Logs. Flow logs must be enabled for each of the VPCs.
- Go to the VPCs section on the AWS Console
- Select the VPC and select the Flow Logs tab for that VPC
- Select All as the Filter
- Select Send to an Amazon S3 bucket as the Destination
- Provide the S3 Bucket ARN copied from the Outputs of the CloudFormation template stack
- Choose Custom Format as the Log Record Format
- Select all the fields from the Log Format dropdown
- Click Create Flow Log