Inventories
Providers and services
SSMCM monitors the services offered by cloud providers through various inventories. The list of providers, and of the services inventoried for each provider, grows over time.
Currently, SSMCM inventories the following providers and services:
- Amazon Web Services:
  - EC2
  - EBS
  - RDS
  - DynamoDB
  - S3
  - Route 53
  - Networks
  - Elastic IPs
  - Certificates
  - ELB
  - ALB
  - Lambda
  - AMI
  - ElastiCache
  - EFS
  - Elasticsearch
  - SQS
  - IAM users
  - CloudFront
  - Elastic Beanstalk
  - SES identities
- Azure Cloud:
  - VMs
  - Networks
  - Availability sets
  - Application Gateways
  - VMSS
  - DNS
  - App services
  - Certificates
  - SQL
  - SendGrid
  - CDN
  - Traffic managers
  - Load balancers
  - Storage accounts
- Google Cloud:
  - VMs
  - Subnets
  - DNS
  - SQL
  - Storage
  - IAM roles
Overview
Clicking the provider icon in the navigation bar hides or shows the inventories available for that provider. To the right of each inventory is the number of items it contains.
Clicking the icon or the name of a service opens the overview of that service's inventory.
The inventory overview is a screen with a header, usually with the name of the inventoried service as the title and some additional data under it, such as the number of accounts, instances, etc. Under this header is a table with the elements contained in that inventory, arranged in rows (elements such as instances, buckets, networks, etc.) and columns (information about specific properties of each element).
Listing options
All inventories share the following common actions, which let you change what information is shown and how:
- Filtering to show a certain number of results per page.
- Pagination, with an indication of the current page and the total number of results and pages.
- Ascending or descending sorting by column, by clicking the arrows to the right of each column title in the table.
- Filtering of information and actions, which let you adjust the information shown in the inventory to your needs. This configuration is saved in the browser cache.
These actions have tooltips with a brief description for ease of use. The actions are listed below, from left to right:
- Add button: Available only in some inventories. This button with the + icon opens the interface for adding content.
- Global search: A global search box that filters the content by matching the entered text against all fields of the table, as long as they are searchable.
- Clean search: Button with an eraser icon that clears ALL filters applied to the table and restores the default presentation.
- Search by column: Button with the binoculars icon, which displays a search field under each column so you can filter that column by the text entered.
- Reload data: Button with the two circular arrows, which reloads the table if necessary.
- Select columns: Button with the table icon, which lets you change the columns displayed by default, showing either all the columns available in that table or a custom selection, according to the filter applied.
  When more columns are selected than fit in the screen width, the responsive functions are activated. They adapt the content to the dimensions of the screen or window and move the information that does not fit into menus that can be expanded if necessary.
- Export table: Button with the download-to-disk icon, which exports the table to a file in XLS (Excel) or CSV (Comma Separated Values) format. You can export the default columns, a custom selection or all columns, depending on the filter applied.
Actions
Each row of the table offers various actions that let you see extended information about that record:
- Pop-up links: These links, shown with a dotted underline or with a continuous line when the mouse hovers over them, open a modal window with expanded information about the data in that cell. One of the most common cases is the Account column.
  These modals can be resized and moved at will, and a modal can in turn contain other links that open other modals. If more than one modal is open, they can be closed one at a time, or all at once with a specific icon located in the upper right corner of the screen.
  In the instance information modal, in addition to the settings for certain resources, the Configuration Management and Secure Access Events tabs are displayed:
  Configuration Management displays the entire history of security state changes for the corresponding instance. The security status is updated every time you run an Ansible playbook related to security packages.
  Credential Access displays the entire history of credential read and write events performed by users from SSMCM. To view this tab, you must have the policy secureaccessmanagement:read|write or secureaccessmanagementdynamic:write, and the account associated with the resource must have SAM configured.
- Links to new tab: In some cases, the information displayed in the cell links to a new browser tab, usually when accessing information external to SSMCM.
- Status indicators: Available only in some inventories. For certain services, such as databases or virtual machines, there is a status column whose cells periodically show the status of each instance in that inventory (started, stopped, paused, etc.).
- Actions column: Gives access to extended information about an instance or item, as well as editing, deleting or specific action functions, available only in some inventories.
  - View: Button with the eye icon that displays extended information about that instance in a pop-up window, or in a new browser tab if preferred. These modals can be resized and moved at will and can open other modals if they contain elements with links.
  - Static credentials: Available in some inventories. Button with the red key icon that lets you read and/or update a credential.
  - Edit: Available only in some inventories. Button with the pencil icon that lets you edit the contents of that row.
  - Delete: Available only in some inventories. Button with the trash can icon that lets you delete that item.
  - Actions on instances and machines: Available only in some inventories. Button with the nut icon that lets you perform certain actions on instances of some services, such as virtual machines or databases (more information in the corresponding section).
  - Specific actions: Available only in some inventories. Some administrative sections of SSMCM have their own actions, such as the Accounts section, which gives access to the contacts associated with that account and includes an icon to access the provider, an icon to update information, access to the wiki, etc.
Actions on elements
Power Off/On/Restart
Available in:
- AWS - EC2
- AWS - RDS
- AWS - RDS Clusters
- Azure - VM
- Google Cloud - VM
- Oracle Cloud - VM
Executes this action on the selected item.
Create image/backup
Available in:
- AWS - EC2
Creates an AMI from the selected instance. The following parameters must be specified:
- Image name: name with which the image will be saved (required)
- Retention: number of days the AMI will be retained before the deletion process deletes it. This field is optional. If no value is entered, the AMI will not be deleted.
The naming must follow the backup and cleaning procedure.
Run Ansible Playbook
Available in:
- AWS - EC2
Runs an Ansible playbook on the selected instance.
See the document on Ansible integration into SSMCM for more information.
Reading, creating, and updating static and dynamic credentials
Available in:
- AWS - EC2
- Azure - VM
- Google Cloud - VM
- Oracle Cloud - VM
For this action to be available on an instance, the following conditions must be met:
- The user must have read and/or write permissions that include the following policies: secureaccessmanagement:read, secureaccessmanagement:write, secureaccessmanagementdynamic:write.
- At the same time, the user must have visibility into the account associated with the resource.
- The account in question must be configured with SAM.
Description of associated policies:
- secureaccessmanagement:read: Allows the static keys (red key) to be seen in the inventory list. Clicking this action opens a pop-up that shows the corresponding key. If there is no credential, the key is displayed in opaque red. In the instance detail, it allows the "Access to credentials" tab to be seen, which is the history of read and write events for static and OTP credentials.
- secureaccessmanagement:write: Allows the static keys (red key) to be seen in the inventory list. In the instance detail, it allows the "Access to credentials" tab and the "Credentials" button (red key) to be seen. Pressing the button opens a modal for creating a static credential.
- secureaccessmanagementdynamic:write: Allows OTP credentials (green key) to be seen in the inventory list. Clicking this action opens a pop-up for configuring an OTP key. In the instance detail, it allows the "Access to credentials" tab and the "Credentials" button (green key) to be seen. Pressing the button opens a modal for creating an OTP credential.
See the SAM Configuration document for more information.
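The three availability conditions and the per-policy behaviour described above can be used for an access review of who can reach which credentials. The following Python sketch is an added example, not SSMCM code: the capability names, the User structure and the sample users and accounts are constructed for illustration.

```python
from dataclasses import dataclass

# What each policy unlocks, following the descriptions above.
# Capability names are labels made up for this example, not SSMCM identifiers.
POLICY_CAPABILITIES = {
    "secureaccessmanagement:read": {
        "static_key_icon", "read_static_credential", "credential_history_tab"},
    "secureaccessmanagement:write": {
        "static_key_icon", "create_static_credential", "credential_history_tab"},
    "secureaccessmanagementdynamic:write": {
        "otp_key_icon", "create_otp_credential", "credential_history_tab"},
}

@dataclass
class User:  # hypothetical structure used only for this review
    name: str
    policies: set
    visible_accounts: set

def capabilities(user, account, sam_accounts):
    """Credential capabilities of `user` on resources that belong to `account`."""
    # The user needs visibility into the account, and the account needs SAM.
    if account not in user.visible_accounts or account not in sam_accounts:
        return set()
    caps = set()
    for policy in user.policies:
        caps |= POLICY_CAPABILITIES.get(policy, set())  # unrelated policies add nothing
    return caps

def access_review(users, accounts, sam_accounts, capability):
    """Sorted (user, account) pairs that hold `capability`."""
    return sorted((u.name, a) for u in users for a in accounts
                  if capability in capabilities(u, a, sam_accounts))

# Constructed sample data.
USERS = [
    User("alice", {"secureaccessmanagement:read"}, {"prod", "dev"}),
    User("bob", {"secureaccessmanagement:write",
                 "secureaccessmanagementdynamic:write"}, {"dev"}),
    User("carol", {"secureaccessmanagement:read"}, {"legacy"}),
]
ACCOUNTS = ["prod", "dev", "legacy"]
SAM_ACCOUNTS = {"prod", "dev"}  # "legacy" has no SAM configured

if __name__ == "__main__":
    for cap in ("read_static_credential", "create_static_credential",
                "create_otp_credential"):
        print(cap, access_review(USERS, ACCOUNTS, SAM_ACCOUNTS, cap))
```

Running the review per capability gives a list that can be compared against the set of people who are expected to read or create credentials on each account.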
Costs of items in inventory
This feature provides guidance on the costs associated with the following cloud services:
- AWS - EC2: the cost of the current month is shown for each instance.
- AWS - AMI: the current month's cost is shown for each AMI taken individually. There may be synergies at the AWS snapshot level that minimize the indicative cost shown.
- AWS - EBS: the cost of the current month is shown.
- AWS - Elasticache: the cost of the current month is shown.
- AWS - S3: the records show the cost of the current month.
- AWS - RDS: the cost of the current month is shown.
- AWS - DynamoDb: the cost of the current month is shown.
The SSMCM app updates cost data daily through integrations with cost management tools (currently Cloudcheckr). The data are estimates, cannot be considered the final cost billed by the cloud provider, and may reflect delays in the cost management tool's own updates.
Azure Certificates
SSMCM supports monitoring of Azure certificates.
Through Azure certificate inventory, App Service, Application Gateway, KeyVault, and API Management certificates can be monitored.