Skip to main content

Resource Discovery

Resource discovery is the foundation of everything Guardian Pro does. Before scanning for security issues, analysing costs, or evaluating architecture, Guardian Pro first needs to know what resources exist in your environment. The discovery process automatically inventories your AWS infrastructure across all connected accounts and all enabled regions, building a comprehensive registry that every other module relies on.

How Discovery Works

Guardian Pro automatically discovers resources across all connected accounts and enabled regions. The process validates access, collects resource data in parallel, and publishes the updated inventory. Resources that no longer exist in AWS are automatically removed.

info

The entire discovery pipeline typically completes in 2-10 minutes depending on the size of your environment. You can monitor progress in real time from the Dashboard.

What Gets Collected

For each discovered resource, Guardian Pro collects:

DataDescription
Resource IDThe unique identifier for the resource (instance ID, ARN, name, etc.)
Resource ARNThe full Amazon Resource Name
Resource typeThe specific AWS resource type (for example, EC2 instance, RDS cluster, S3 bucket)
RegionThe AWS region where the resource is deployed (or "global" for global services)
ConfigurationThe full resource configuration as returned by the AWS API
TagsAll tags applied to the resource
RelationshipsDependencies and connections to other resources
AccountThe AWS account the resource belongs to

Configuration Data

Resource configurations are collected directly from AWS APIs. This includes all the settings and properties you would see in the AWS console or CLI output. For example:

  • EC2 instance -- Instance type, AMI, security groups, IAM role, monitoring status, encryption settings
  • RDS database -- Engine, version, multi-AZ status, encryption, backup retention, parameter groups
  • S3 bucket -- Versioning, encryption, public access block, lifecycle policies, logging
  • Lambda function -- Runtime, memory, timeout, environment variables (values redacted), VPC configuration
note

Guardian Pro collects resource configurations using read-only API calls. No changes are ever made to your resources during discovery. All access is through the IAM roles deployed during onboarding.

Relationship Data

In addition to individual resource configurations, Guardian Pro discovers how resources relate to each other:

  • EC2 instances connected to security groups, subnets, and IAM roles
  • Load balancers routing to target groups and backend instances
  • Lambda functions triggered by SQS queues or EventBridge rules
  • ECS services running within clusters and connected to load balancers
  • Subnets within VPCs, associated with route tables and NACLs

These relationships form the dependency graph that powers the Architecture Map and Failure Simulator.

Triggering Discovery

Automatic Scans

Guardian Pro runs discovery scans automatically on a scheduled basis. The scan frequency depends on your subscription plan and configuration:

  • Scheduled scans run at configured intervals to keep your resource registry current
  • Event-driven scans can be triggered by specific events (such as after onboarding a new account)

On-Demand Scans

You can trigger a discovery scan at any time from the Dashboard by clicking the Run Scan button. This is useful when:

  • You have just made infrastructure changes and want to see them reflected immediately
  • You are about to run a failure simulation and want the latest data
  • You have onboarded a new AWS account and want to discover its resources
tip

After making significant infrastructure changes (deploying new services, removing resources, modifying configurations), trigger an on-demand scan to ensure Guardian Pro's data is current before running any analysis.

Monitoring Scan Progress

When a discovery scan is in progress, Guardian Pro provides real-time progress updates:

  • Dashboard banner -- Shows scan status with a progress indicator
  • Region progress -- See which regions have been scanned and which are in progress
  • Resource count -- Watch the discovered resource count increase as collectors complete
  • Real-time updates -- Progress updates are pushed to your browser in real time, so you do not need to refresh the page

Discovery Scope

Regional vs. Global Services

Guardian Pro handles regional and global AWS services differently:

  • Regional services (EC2, RDS, Lambda, ECS, etc.) are scanned in every enabled region
  • Global services (IAM, S3, CloudFront, Route 53, Account settings) are collected once since they exist at the account level, not within a specific region

Enabled Regions

Guardian Pro scans all regions that are enabled in your AWS account. Regions that have been opted out in your AWS account settings are not scanned.

Multi-Account Discovery

For multi-account environments, Guardian Pro discovers resources in every connected AWS account. The discovery process assumes the appropriate IAM role in each account and runs the full collection pipeline independently for each account.

Data Freshness

The resource registry reflects the state of your infrastructure at the time of the most recent scan. Between scans, resources may be created, modified, or deleted in your AWS accounts without being reflected in Guardian Pro.

Best practices for data freshness:

  • Configure scan schedules that match your rate of infrastructure change
  • Trigger on-demand scans before important analysis (failure simulations, compliance reports)
  • Check the "Last scan time" indicator on the Dashboard to know when data was last refreshed
info

Guardian Pro stores the timestamp of each scan, and the Resource Explorer displays the last scan time prominently. Historical scan data is retained for trend analysis and auditing.

After Discovery Completes

When a discovery scan finishes, it triggers several downstream processes automatically:

  1. Security scanner -- Evaluates all discovered resources against hundreds of checks
  2. Architecture advisor -- Analyses the dependency graph for risks and health scoring
  3. Cost enricher -- Correlates cost data with discovered resources
  4. Compliance mapper -- Maps resource configurations to compliance framework controls

You do not need to trigger these processes separately -- they chain automatically from the discovery scan.

Next Steps