Resource Scanner

Compute Scanner

The AWS Compute Scanner is a tool that scans AWS accounts for new instances and creates resources for them automatically. Currently, the AWS Compute Scanner supports importing the following resources:
  • Amazon Elastic Kubernetes Service Clusters (EKS)
  • Amazon Virtual Private Cloud (VPC)
The managed AWS Compute Scanner is built into the Ctrlplane solution. Each workspace will be assigned an AWS IAM role when the managed provider is enabled for that workspace. You must provide this IAM role with the required permissions to access the resources in the AWS accounts that you want it to scan. After the integration is enabled, you can add a new provider, select the Managed Provider, and add all the roles in your aws account you would like it to assume and it will scan the resources available to those roles. Once you hit submit, you may need to wait a few minutes while it scans and imports all compute resources.

Role Requirements

The Managed AWS Compute Scanner role can be obtained from the provider settings under AWS Role or from the workspace settings integration page after being enabled. The role that you want assumed in your account must have the following permissions policy: 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["eks:*", "ec2:*"],
      "Resource": "*"
    }
  ]
}
The role also requires a trust policy that allows the arn:aws:iam::<account-id>:role/ctrlplane-<workspace> role to assume it: 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:role/ctrlplane-<workspace>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}