Resource Discovery

Resource discovery is the foundation of everything Guardian Pro does. Before scanning for security issues, analysing costs, or evaluating architecture, Guardian Pro first needs to know what resources exist in your environment. The discovery process automatically inventories your AWS infrastructure across all connected accounts and all enabled regions, building a comprehensive registry that every other module relies on.

How Discovery Works

The discovery process runs as an automated pipeline that executes in six stages:

Stage 1: Initialisation

The pipeline validates the discovery request and determines which AWS accounts and regions to scan. It resolves the list of regions based on your account's enabled regions, ensuring that only active regions are scanned.

Stage 2: Regional Collection

This is the core of discovery. Guardian Pro runs specialised collectors for each AWS service type across all target regions in parallel. Each collector queries the relevant AWS APIs to retrieve resource configurations, metadata, tags, and relationships.

Key characteristics of regional collection:

  • Parallel execution -- Multiple regions and service types are scanned simultaneously for speed
  • Throttle-safe -- Built-in exponential backoff handles AWS API rate limits gracefully
  • Error-tolerant -- If a single collector encounters an error (for example, a service not enabled in a particular region), it reports the error and the pipeline continues with other collectors

Stage 3: Aggregation

Results from all regions are merged into a unified resource registry. Duplicate resources (which can occur with global services accessible from multiple regions) are deduplicated.

Stage 4: Reconciliation

The pipeline compares the newly discovered resources against the previous scan to identify:

  • New resources -- Resources that were not present in the last scan
  • Updated resources -- Resources whose configuration has changed
  • Deleted resources -- Resources that were present before but are no longer found (marked as deleted in the registry)

This reconciliation ensures the resource registry accurately reflects the current state of your infrastructure.

Stage 5: Finalisation

The scan status is updated, summary metrics are calculated, and an event is published to trigger downstream processes (such as the security scanner, architecture advisor, and cost enricher).

Stage 6: Error Handling

If any stage encounters a critical failure, the error handler captures the details, updates the scan status, and ensures the previous scan's data remains available. Partial failures (such as a single region or service failing) do not prevent the rest of the pipeline from completing.

info

The entire discovery pipeline typically completes in 2-10 minutes depending on the size of your environment. You can monitor progress in real time from the Dashboard.
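The aggregation and reconciliation stages above, as an added illustrative example (not Guardian Pro's own code): per-region collector output is merged into a registry keyed by ARN, a global resource seen from two regions collapses to one entry, and the result is diffed against the previous scan. The Resource shape and the sample inventories are constructed assumptions.

```python
"""Added example, not Guardian Pro's code: the aggregation and reconciliation
stages of a discovery pipeline. Resource shape and sample data are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Resource:
    arn: str                 # unique identifier; the deduplication key
    region: str              # "global" for account-level services
    config: dict = field(default_factory=dict)   # settings as returned by the API


def aggregate(regional_results: dict[str, list[Resource]]) -> dict[str, Resource]:
    """Stage 3: merge per-region output into one registry keyed by ARN.
    A global service reported from several regions collapses to one entry."""
    registry: dict[str, Resource] = {}
    for resources in regional_results.values():
        for r in resources:
            registry.setdefault(r.arn, r)  # first sighting wins; later copies are duplicates
    return registry


def reconcile(previous: dict[str, Resource], current: dict[str, Resource]) -> dict[str, list[str]]:
    """Stage 4: classify each ARN as new, updated or deleted versus the last scan.
    Deleted resources are reported, not dropped, so the caller can mark them."""
    prev, cur = set(previous), set(current)
    return {
        "new": sorted(cur - prev),
        "updated": sorted(a for a in cur & prev if current[a].config != previous[a].config),
        "deleted": sorted(prev - cur),
    }


def run_example() -> dict[str, list[str]]:
    """Constructed registries: the previous scan and this scan's per-region output."""
    bucket = Resource("arn:aws:s3:::logs", "global", {"versioning": "Enabled"})
    previous = aggregate({"eu-west-1": [
        bucket,
        Resource("arn:aws:ec2:eu-west-1:111:instance/i-a", "eu-west-1", {"monitoring": "disabled"}),
        Resource("arn:aws:ec2:eu-west-1:111:instance/i-b", "eu-west-1", {}),
    ]})
    current = aggregate({
        "eu-west-1": [bucket, Resource("arn:aws:ec2:eu-west-1:111:instance/i-a", "eu-west-1", {"monitoring": "enabled"})],
        "us-east-1": [bucket,  # global bucket seen from a second region: must deduplicate
                      Resource("arn:aws:lambda:us-east-1:111:function:ingest", "us-east-1", {"runtime": "python3.12"})],
    })
    assert len(current) == 3, "duplicate global resource was not collapsed"
    return reconcile(previous, current)
```

Running `run_example()` reports the Lambda function as new, instance i-a as updated (monitoring changed) and instance i-b as deleted.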

What Gets Collected

For each discovered resource, Guardian Pro collects:

  • Resource ID -- The unique identifier for the resource (instance ID, ARN, name, etc.)
  • Resource ARN -- The full Amazon Resource Name
  • Resource type -- The specific AWS resource type (for example, EC2 instance, RDS cluster, S3 bucket)
  • Region -- The AWS region where the resource is deployed (or "global" for global services)
  • Configuration -- The full resource configuration as returned by the AWS API
  • Tags -- All tags applied to the resource
  • Relationships -- Dependencies and connections to other resources
  • Account -- The AWS account the resource belongs to

Configuration Data

Resource configurations are collected directly from AWS APIs. This includes all the settings and properties you would see in the AWS console or CLI output. For example:

  • EC2 instance -- Instance type, AMI, security groups, IAM role, monitoring status, encryption settings
  • RDS database -- Engine, version, multi-AZ status, encryption, backup retention, parameter groups
  • S3 bucket -- Versioning, encryption, public access block, lifecycle policies, logging
  • Lambda function -- Runtime, memory, timeout, environment variables (values redacted), VPC configuration

note

Guardian Pro collects resource configurations using read-only API calls. No changes are ever made to your resources during discovery. All access is through the IAM roles deployed during onboarding.

Relationship Data

In addition to individual resource configurations, Guardian Pro discovers how resources relate to each other:

  • EC2 instances connected to security groups, subnets, and IAM roles
  • Load balancers routing to target groups and backend instances
  • Lambda functions triggered by SQS queues or EventBridge rules
  • ECS services running within clusters and connected to load balancers
  • Subnets within VPCs, associated with route tables and NACLs

These relationships form the dependency graph that powers the Architecture Map and Failure Simulator.

Triggering Discovery

Automatic Scans

Guardian Pro runs discovery scans automatically on a scheduled basis. The scan frequency depends on your subscription tier and configuration:

  • Scheduled scans run at configured intervals to keep your resource registry current
  • Event-driven scans can be triggered by specific events (such as after onboarding a new account)

On-Demand Scans

You can trigger a discovery scan at any time from the Dashboard by clicking the Run Scan button. This is useful when:

  • You have just made infrastructure changes and want to see them reflected immediately
  • You are about to run a failure simulation and want the latest data
  • You have onboarded a new AWS account and want to discover its resources

tip

After making significant infrastructure changes (deploying new services, removing resources, modifying configurations), trigger an on-demand scan to ensure Guardian Pro's data is current before running any analysis.

Monitoring Scan Progress

When a discovery scan is in progress, Guardian Pro provides real-time progress updates:

  • Dashboard banner -- Shows scan status with a progress indicator
  • Region progress -- See which regions have been scanned and which are in progress
  • Resource count -- Watch the discovered resource count increase as collectors complete
  • Real-time updates -- Progress updates are pushed to your browser in real time, so you do not need to refresh the page

Discovery Scope

Regional vs. Global Services

Guardian Pro handles regional and global AWS services differently:

  • Regional services (EC2, RDS, Lambda, ECS, etc.) are scanned in every enabled region
  • Global services (IAM, S3, CloudFront, Route 53, Account settings) are collected once since they exist at the account level, not within a specific region

Enabled Regions

Guardian Pro scans all regions that are enabled in your AWS account. Regions that have been opted out in your AWS account settings are not scanned.

Multi-Account Discovery

For multi-account environments, Guardian Pro discovers resources in every connected AWS account. The discovery process assumes the appropriate IAM role in each account and runs the full collection pipeline independently for each account.

Data Freshness

The resource registry reflects the state of your infrastructure at the time of the most recent scan. Between scans, resources may be created, modified, or deleted in your AWS accounts without being reflected in Guardian Pro.

Best practices for data freshness:

  • Configure scan schedules that match your rate of infrastructure change
  • Trigger on-demand scans before important analysis (failure simulations, compliance reports)
  • Check the "Last scan time" indicator on the Dashboard to know when data was last refreshed

info

Guardian Pro stores the timestamp of each scan, and the Resource Explorer displays the last scan time prominently. Historical scan data is retained for trend analysis and auditing.

After Discovery Completes

When a discovery scan finishes, it triggers several downstream processes automatically:

  1. Security scanner -- Evaluates all discovered resources against hundreds of checks
  2. Architecture advisor -- Analyses the dependency graph for risks and health scoring
  3. Cost enricher -- Correlates cost data with discovered resources
  4. Compliance mapper -- Maps resource configurations to compliance framework controls

You do not need to trigger these processes separately -- they chain automatically from the discovery scan.