Cloudhouse Guardian: how to use its built-in AWS monitoring features


What is Cloudhouse Guardian?

Cloudhouse Guardian, previously known as UpGuard Core, provides visibility into the configuration of your IT infrastructure, and enables you to validate that configuration against your own standards and policies.  Guardian scans your entire estate – servers, desktops, laptops, boundary devices, network infrastructure, storage and cloud platforms – and detects and tracks the configuration of each component.

Guardian can monitor configuration on Windows, Linux and most other types of Unix, servers, desktops and laptops, firewalls, routers, switches, and many SaaS solutions. It can also monitor anything else where you can access the configuration via a script or API call.

Cloudhouse Guardian supports the Cloud

Guardian provides a single pane of glass through which you can see accurate configuration data across the whole of IT, including the Cloud. It collects detailed configuration data and compares it to your policies, identifying when systems are out of compliance with them. With this valuable insight, you can get better control of your Change Management processes, avoiding misconfiguration, identifying configuration drift, measuring compliance with standards and so on.

Discover the AWS monitoring features built into Guardian

This post walks you through how to use the AWS monitoring features. Before you get started, please note that we do not recommend switching on everything immediately – you might want to talk with your Cloudhouse Account team to get recommendations on the best way to maximise value from your Guardian license and to prioritise nodes which will give you best insights.

Getting started

Once you have identified your priority nodes, navigate to the Add a Node feature at the top right of the screen, as shown here (if you don’t see this option, please get in touch with your Guardian Admin):

This takes you to a selector page where you can add the nodes you are most interested in. There are many, many to choose from (Windows, Linux, AIX, Solaris, Network, Websites, Hypervisors, Custom scripts, and so on) but today we are interested in the AWS option on the left hand side:

Select this and provide details about the AWS instance you want to monitor and how to access it. You can also select what types of data you want to collect. Guardian supports 17 different types of Node from AWS including:


For each node type Guardian will poll the AWS API and extract the configuration data. This data is then presented in the Guardian User Interface alongside all your other node types. Be aware that each node will use a Guardian license so you should prioritise those which will give you best value:

For example, an IAM node will capture details about how your AWS users are configured. This allows you to check against policies for multi-factor authentication (MFA), password details, root access and so on, which will help you ensure that all your AWS instances are configured in line with best practice. When you have all this new data, Guardian can validate that against a target configuration using Policies:

EC2 Instance nodes will capture details about how this node is configured. Note that this is different to the data collected when monitoring the Operating System inside the instance. In an EC2 Instance node, you will see details about instance type, availability zone, device configuration, security groups etc.

S3 nodes will capture details about public visibility, encryption and so on. This data is invaluable for identifying potential misconfigurations, which are one of the internet’s infamous mechanisms for leaking sensitive data.

Valuable configuration data

All 17 of the incremental node types introduce valuable configuration data into Guardian – and all of this works in just the same way as the other configuration data. You can see all configuration in a single place, compare changes over time, identify deviations from policy, compare between nodes and so on, meaning you are in complete control.

Common use cases might include:

  • Detecting unencrypted S3 buckets to control risk of data leaks
  • Validating that all temp servers are configured to AutoShutdown
  • Saving usage charges
  • Controlling Security Group permissions to detect permission creep
  • The list goes on!
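
The use cases above, together with the "compare changes over time" idea, sketched as an added example; this is not Guardian's code or its policy format. The flat field names, the Lifecycle and AutoShutdown tags and the allowed-port rule are assumptions, and both scan snapshots are constructed.

```python
# Constructed scan snapshots. The flat field names are assumptions made for
# this example; they are not Guardian's schema or its policy format.
BASELINE = {
    "s3:reports": {"type": "s3", "encrypted": True, "public": False},
    "s3:scratch": {"type": "s3", "encrypted": False, "public": False},
    "sg:web": {"type": "security_group", "ingress": [("0.0.0.0/0", 443)]},
    "ec2:tmp-build": {"type": "ec2",
                      "tags": {"Lifecycle": "temp", "AutoShutdown": "true"}},
}
CURRENT = {
    "s3:reports": {"type": "s3", "encrypted": True, "public": True},
    "s3:scratch": {"type": "s3", "encrypted": False, "public": False},
    "sg:web": {"type": "security_group",
               "ingress": [("0.0.0.0/0", 443), ("0.0.0.0/0", 22)]},
    "ec2:tmp-build": {"type": "ec2", "tags": {"Lifecycle": "temp"}},
}

ALLOWED_OPEN_PORTS = {443}  # assumption: only HTTPS may face the internet


def policy_violations(snapshot):
    """Return a sorted list of (node, finding) pairs for one scan."""
    findings = []
    for name, cfg in snapshot.items():
        if cfg["type"] == "s3":
            if not cfg["encrypted"]:
                findings.append((name, "bucket not encrypted"))
            if cfg["public"]:
                findings.append((name, "bucket publicly visible"))
        elif cfg["type"] == "security_group":
            for cidr, port in cfg["ingress"]:
                if cidr == "0.0.0.0/0" and port not in ALLOWED_OPEN_PORTS:
                    findings.append((name, f"port {port} open to 0.0.0.0/0"))
        elif cfg["type"] == "ec2":
            tags = cfg["tags"]
            if tags.get("Lifecycle") == "temp" and tags.get("AutoShutdown") != "true":
                findings.append((name, "temp instance without AutoShutdown"))
    return sorted(findings)


def new_since(baseline, current):
    """Findings present now that were absent in the earlier scan (drift)."""
    return sorted(set(policy_violations(current)) - set(policy_violations(baseline)))


if __name__ == "__main__":
    for node, finding in new_since(BASELINE, CURRENT):
        print(f"DRIFT {node}: {finding}")
```

Separating standing violations from newly introduced ones keeps a long-known finding (the unencrypted scratch bucket here) from hiding a change that has just appeared.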

Visibility and integrity validation

AWS and other Cloud providers have changed the way IT works in business, and Guardian offers you a simple and consistent way to get visibility and integrity validation across both your Cloud and on-premises IT assets.

If you would like to discuss how this can help you, contact your Account Manager or say hello on our contact page
