What is Cloudhouse Guardian?
Cloudhouse Guardian, previously known as UpGuard Core, provides visibility into the configuration of your IT infrastructure, and enables you to validate that configuration against your own standards and policies. Guardian scans your entire estate – servers, desktops, laptops, boundary devices, network infrastructure, storage and cloud platforms – and detects and tracks the configuration of each component.
Guardian can monitor configuration on Windows, Linux and most other types of Unix, servers, desktops and laptops, firewalls, routers, switches, and many SAAS solutions. It can also monitor anything else where you can access the configuration via a script or API call.
Cloudhouse Guardian supports the Cloud
Guardian provides a single pane of glass through which you can see accurate configuration data across the whole of IT, including the Cloud. It collects detailed configuration details and compares this to your policies, identifying when systems are out of compliance with then. With this valuable insight, you can get better control of your Change Management processes, avoiding misconfiguration, identifying configuration drift, measuring compliance with standards and so on.
Discover the AWS monitoring features built into Guardian
This post walks you through how to use the AWS monitoring features. Before you get started, please note that we do not recommend switching on everything immediately – you might want to talk with your Cloudhouse Account team to get recommendations on the best way to maximise value from your Guardian license and to prioritise nodes which will give you best insights.
Once you have identified your priority nodes, navigate to the Add a Node feature at the top right of the screen, as shown here (if you don’t see this option, please get in touch with your Guardian Admin):
This takes you to a selector page where you can add the nodes you are most interested in. There are many, many to choose from (Windows, Linux, AIX, Solaris, Network, Websites, Hypervisors, Custom scripts, and so on) but today we are interested in the AWS option on the left hand side:
Select this and provide details about the AWS instance you want to monitor and how to access it. You can also select what types of data you want to collect. Guardian supports 17 different types of Node from AWS including:
For each node type Guardian will poll the AWS API and extract the configuration data. This data is then presented in the Guardian User Interface alongside all your other node types. Be aware that each node will use a Guardian license so you should prioritise those which will give you best value:
For example, an IAM node will capture details about how your AWS users are configured. The allows you to check against policies for multi-factor authentication (MFA), password details, root access and so on, which will help you ensure that all your AWS instances are configured in line with best practice. When you have all this new data, Guardian can validate that against a target configuration using Policies:
EC2 Instance nodes will capture details about how this node is configured. Note that this is different to the data collected when monitoring the Operating System inside the instance. In an EC2 Instance node, you will see details about instance type, availability zone, device configuration, security groups etc.
S3 nodes will capture details about public visibility, encryption and so on. This data is invaluable to identify potential misconfigurations, which in turn can lead to one of the internet’s infamous mechanisms for leaking sensitive data.
Valuable configuration data
All 17 of the incremental node types introduce valuable configuration data into Guardian – and all of this works in just the same way as the other configuration data. You can see all configuration in a single place, compare changes over time, identify deviations from policy, compare between nodes and so on, meaning you are in complete control.
Common use cases might include:
- Detecting unencrypted S3 buckets to control risk of data leaks
- Validating that all temp servers are configured to AutoShutdown
- Saving usage charges
- Controlling Security Group permissions to detect permission creep
- The list goes on!
Visibility and integrity validation
AWS and other Cloud providers have changed the way IT works in business, and Guardian offers you a simple and consistent way to get visibility and integrity validation across both your Cloud and on-premises IT assets.
If you would like to discuss how this can help you, contact your Account Manager or say hello on our contact page