Limit AWS Regions to restrict the scope of device discovery

AWS organizes the data centers and virtual instances by region. This property of a cloud instance is reported in AWS Region by the Amazon Web Services Resources analyses.

AWS Region

An AWS Region is a collection of AWS resources in a geographic area. The resources that you create in one Region do not exist in any other Region unless you explicitly use a replication feature offered by an AWS service. When you enable a Region, AWS performs actions to prepare your account in that Region. For more information, see the AWS official documentation at https://docs.aws.amazon.com/general/latest/gr/rande-manage.html

Limit scan regions

For faster discovery, it is recommended to limit scanning only the AWS regions that you use. If not specified, after logging into the cloud environment, discovery is performed to all the AWS managed regions retrieved in the login phase, regardless of the authority that the additional credentials defined in the plugin have for the various regions.

For example, if the IAM User credentials specified at plugin install time have authority only to access us-west1 region, when the plugin logins, it tries to retrieve all the AWS account managed regions and starts the discovery. At this point, the AWS plugin tries to use the IAM User credentials to login to all AWS managed regions. This causes failed logins as the credential is not authorized to access any regions other than us-west1.

BigFix Platform 10.0.5 introduces the possibility to limit the regions that are used for discovery through the parameter Allowed regions. If specified, it restricts the scope of the discovery, optimizing the network traffic and minimizing errors.

You can customize Allowed region setting by editing the AWS settings or by adding new AWS credentials.

The following table summarizes the usage of parameters and what happens if not specified.
Applicability Parameter name Used for What if not used?
PLUGIN

AWS Default region *

Login (to open the session through API)

MANDATORY at install time

Allowed regions (1)

Narrows down the scope of the plugin discovery

by listing the only regions where the discovery should run among the complete list of entitled regions for the users

Discovery spans every managed region

ACCOUNT LABEL

AWS User region

(Regions for account label)

Login and, if specified, overrides AWS Default region

AWSDefaultregion Is used instead

Allowed regions

(for account label)

Overrides Plugin Allowed regions(1) if present

Narrow down the scope of the account discovery by listing the only regions where the discovery should run among the complete list of entitled regions for the users

Plugin Allowed regions(1) is used

Region

(Role region)

Used for login and it overrides AWS User region and AWS Default region in cascade

AWS User region or in cascade AWS Default region is used

Limit AWS Regions at plugin level

To set AWS regions at plugin level, complete the following steps:
  1. Click the AWS tab.
  2. In the Plugin Management page, edit the plugin General settings

    .
    • Add one or more regions to limit the discovery. The added regions are listed as pills.
      Important: Enter the correct spelling for the region names, because BigFix cannot check the name of the region for correctness. Refer name and code of AWS Regions.
    • You can also remove a region easily.
    After you have added all the regions you want, click Save. This deploys the Fixlet to apply the configuration change.

Limit AWS Regions at credential level

To limit AWS Regions at credential level, complete the following steps:
  1. In the Authentication table, click Edit credential in the specific credential line.

  2. On the Edit AWS credentials page, enter AWS Region and click the tick mark to add it. Add one or more regions as needed.

    • Important: Enter the correct spelling for the region names, because you cannot check the name of the region for correctness.
    • You can also remove a region easily as needed by clicking ‘x’ mark.


  3. After you have added all the regions you want, click Submit. This deploys the fixlet to apply the configuration change.

When changes are applied, they are visible in the related section of the AWS plugin tab, either in the Authentication table column "Allowed regions" or in the General Settings section.