Resource Inventory

Overview

The Resource Inventory provides a centralized view of Resource configuration and health.
You can currently view supported AWS Resources or filter Resources based on predefined queries, such as All Resources or Resources without Tags.

The queries you can run are:

  • All Resources - shows all supported AWS, GCP and Azure multi-account resources
  • Resources without Tags - (AWS only) shows AWS resources that support tagging but have no tags
  • Databases with no Backup Policy - (AWS only) shows RDS, Redshift and DynamoDB databases that have no backup policy configured
  • Unencrypted Databases and Storage Buckets - (AWS only) shows RDS, Redshift, DocDB and DynamoDB databases, alongside EBS volumes, EFS file systems and S3 buckets, that aren't encrypted
  • Disabled CloudTrails - (AWS only) shows CloudTrail trails whose logging is disabled in their accounts
  • Public Virtual Machines - shows EC2 instances that are publicly exposed based on Network Access graph analysis. While not necessarily bad, this query helps you ensure that no private EC2 instance is publicly exposed.
  • Public Firewall Groups - shows Security Groups that are open to the world based on Network Access graph analysis. This query surfaces Security Groups with public network exposure so you can identify those that shouldn't have it.
  • Public Databases - shows RDS and Redshift databases that are open to the world based on Network Access graph analysis. Typically databases should not be exposed publicly, but rather through other services or bastion hosts.
  • Resources Allowing Inbound SSH Connection - shows network resources that are attached to a security group with ingress traffic of port 22 (SSH). Resources with SSH access are more exposed to attack than a locked down resource.
  • Inactive Elastic Load Balancers - shows live load balancers that have no EC2 instances attached to them. Cleaning up these services lowers exposure.
  • NACL is not attached to subnets - shows Network ACLs that are not attached to a subnet based on connection graphs.


AWS Integration Update

To use Resource Inventory, you need the updated Bridgecrew-AWS Read-Only integration - see details here.


Note

Network map and Access map have been deprecated and will no longer be available on the Bridgecrew platform. Instead, we are gradually implementing a direct-access interface to our Resource Inventory Graph DB that will eventually enable similar graphical resource-mapping features.

Viewing Resources

  1. Press Resource Inventory from the navigation pane.
    By default, all Resources are displayed.
  2. Choose a Resource query from the dropdown list.
  3. To further narrow the list of Resources, you can select one or more of the dropdown filters: Account, Resource Type, Tag or Network Access.
    To filter on an exact tag match (rather than a substring match), put the searched value in quotation marks, e.g. "prod".

Network Access

If a resource is one of the types listed below, the Network Access column shows details about its access rules.

The globe icon indicates that the resource is open to the public internet.

A globe icon with a diagonal strikethrough indicates restricted network access.

The details of the access restriction are shown in the tooltip and can be based on:

  • CIDR block(s)
  • Security Group(s)
  • CIDR block(s) and Security Group(s)

[Figure: Network Access - Restrictions based on CIDR Blocks]

[Figure: Network Access - Restrictions based on CIDR Block and Security Group]

For resources that are not supported for Network Access analysis, the column is blank.


Note

To further investigate a Security Group, copy its ID number and search for its details.

Resource Types for Which Network Access is Displayed

  • EC2 Instance
  • ELB
  • ALB
  • RDS Cluster
  • ElastiCache Cluster
  • EMR Cluster
  • Redshift Cluster
  • ElasticSearch Domain
  • EFS Mount Target
  • ECS Service
  • EC2 Security Group
  • EC2 Security Group Rule

Exploring Resources

You can explore a Resource to see detailed information about its metadata, relationships, history, and context.

To explore a Resource:
Press a row to open the Resource Explorer. See Explore Resource for details about the information shown.

Viewing Incidents and Taking Action

For Resources with errors, you can view the specific Incident in a new tab and take action (Remediate, Suppress, Create Issue).

To view the Incident:

  1. Hover over the number in the error column and press View.
  2. Press one of the errors.

The Incident page opens.

Export Query Outputs

Users can export query outputs as CSV files. Exported files contain the following fields:

  • Provider
  • ID
  • Account
  • Tags
  • Network Access
  • Encryption
  • Encryption Details
  • Errors No

To export the query, click Export CSV and select a location to save the file.
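A common follow-up to the export is to triage the CSV offline, grouping resources into the same buckets as the predefined queries (untagged, public, unencrypted, carrying open Incidents). The script below is an added example, not Bridgecrew code; it assumes the column names listed above and, as further assumptions, that Network Access reads "Public" for exposed resources, Encryption reads "Yes"/"No", Tags is a semicolon-separated key=value list, and the sample rows are constructed.

```python
"""Triage a Resource Inventory CSV export offline (added example, not Bridgecrew code)."""
import csv
import io
from collections import defaultdict

# Constructed sample export using the columns from "Export Query Outputs".
# Account numbers and IDs are illustrative placeholders, not real resources.
SAMPLE_EXPORT = """\
Provider,ID,Account,Tags,Network Access,Encryption,Encryption Details,Errors No
aws,i-0a1b2c3d4e5f67890,111111111111,env=prod;owner=web,Public,Yes,EBS encrypted with aws/ebs,2
aws,sg-0123456789abcdef0,111111111111,,Public,,,0
aws,db-ABCDEFGHIJ,222222222222,env=staging,Public,No,,1
aws,bucket-logs-archive,222222222222,env=prod,,Yes,SSE-S3,0
aws,vol-0fedcba9876543210,333333333333,,,No,,0
"""


def parse_tags(field):
    """Turn 'k=v;k2=v2' (assumed export format) into a dict; empty means no tags."""
    tags = {}
    for pair in filter(None, field.split(";")):
        key, _, value = pair.partition("=")
        tags[key.strip()] = value.strip()
    return tags


def triage(csv_text):
    """Group resource IDs into buckets mirroring the predefined queries."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid = row["ID"]
        # Mirrors "Resources without Tags": the Tags column is empty.
        if not parse_tags(row["Tags"]):
            findings["untagged"].append(rid)
        # Mirrors the "Public ..." queries (the globe icon in the UI).
        if row["Network Access"].strip().lower() == "public":
            findings["public"].append(rid)
        # Mirrors "Unencrypted Databases and Storage Buckets".
        if row["Encryption"].strip().lower() == "no":
            findings["unencrypted"].append(rid)
        # Resources that already carry open Incidents (Errors No > 0).
        if int(row["Errors No"] or 0) > 0:
            findings["with_errors"].append(rid)
    # Publicly exposed and unencrypted at the same time: review these first.
    findings["priority"] = [r for r in findings["public"] if r in findings["unencrypted"]]
    return dict(findings)


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_EXPORT).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```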
