Resource Discovery
Resource discovery is the foundation of everything Guardian Pro does. Before scanning for security issues, analysing costs, or evaluating architecture, Guardian Pro first needs to know what resources exist in your environment. The discovery process automatically inventories your AWS infrastructure across all connected accounts and all enabled regions, building a comprehensive registry that every other module relies on.
How Discovery Works
Guardian Pro automatically discovers resources across all connected accounts and enabled regions. The process validates access, collects resource data in parallel, and publishes the updated inventory. Resources that no longer exist in AWS are automatically removed.
The entire discovery pipeline typically completes in 2-10 minutes depending on the size of your environment. You can monitor progress in real time from the Dashboard.
What Gets Collected
For each discovered resource, Guardian Pro collects:
| Data | Description |
|---|---|
| Resource ID | The unique identifier for the resource (instance ID, ARN, name, etc.) |
| Resource ARN | The full Amazon Resource Name |
| Resource type | The specific AWS resource type (for example, EC2 instance, RDS cluster, S3 bucket) |
| Region | The AWS region where the resource is deployed (or "global" for global services) |
| Configuration | The full resource configuration as returned by the AWS API |
| Tags | All tags applied to the resource |
| Relationships | Dependencies and connections to other resources |
| Account | The AWS account the resource belongs to |
Configuration Data
Resource configurations are collected directly from AWS APIs. This includes all the settings and properties you would see in the AWS console or CLI output. For example:
- EC2 instance -- Instance type, AMI, security groups, IAM role, monitoring status, encryption settings
- RDS database -- Engine, version, multi-AZ status, encryption, backup retention, parameter groups
- S3 bucket -- Versioning, encryption, public access block, lifecycle policies, logging
- Lambda function -- Runtime, memory, timeout, environment variables (values redacted), VPC configuration
Guardian Pro collects resource configurations using read-only API calls. No changes are ever made to your resources during discovery. All access is through the IAM roles deployed during onboarding.
Relationship Data
In addition to individual resource configurations, Guardian Pro discovers how resources relate to each other:
- EC2 instances connected to security groups, subnets, and IAM roles
- Load balancers routing to target groups and backend instances
- Lambda functions triggered by SQS queues or EventBridge rules
- ECS services running within clusters and connected to load balancers
- Subnets within VPCs, associated with route tables and NACLs
These relationships form the dependency graph that powers the Architecture Map and Failure Simulator.
Triggering Discovery
Automatic Scans
Guardian Pro runs discovery scans automatically on a scheduled basis. The scan frequency depends on your subscription plan and configuration:
- Scheduled scans run at configured intervals to keep your resource registry current
- Event-driven scans can be triggered by specific events (such as after onboarding a new account)
On-Demand Scans
You can trigger a discovery scan at any time from the Dashboard by clicking the Run Scan button. This is useful when:
- You have just made infrastructure changes and want to see them reflected immediately
- You are about to run a failure simulation and want the latest data
- You have onboarded a new AWS account and want to discover its resources
After making significant infrastructure changes (deploying new services, removing resources, modifying configurations), trigger an on-demand scan to ensure Guardian Pro's data is current before running any analysis.
Monitoring Scan Progress
When a discovery scan is in progress, Guardian Pro provides real-time progress updates:
- Dashboard banner -- Shows scan status with a progress indicator
- Region progress -- See which regions have been scanned and which are in progress
- Resource count -- Watch the discovered resource count increase as collectors complete
- Real-time updates -- Progress updates are pushed to your browser in real time, so you do not need to refresh the page
Discovery Scope
Regional vs. Global Services
Guardian Pro handles regional and global AWS services differently:
- Regional services (EC2, RDS, Lambda, ECS, etc.) are scanned in every enabled region
- Global services (IAM, S3, CloudFront, Route 53, Account settings) are collected once since they exist at the account level, not within a specific region
Enabled Regions
Guardian Pro scans all regions that are enabled in your AWS account. Regions that have been opted out in your AWS account settings are not scanned.
Multi-Account Discovery
For multi-account environments, Guardian Pro discovers resources in every connected AWS account. The discovery process assumes the appropriate IAM role in each account and runs the full collection pipeline independently for each account.
Data Freshness
The resource registry reflects the state of your infrastructure at the time of the most recent scan. Between scans, resources may be created, modified, or deleted in your AWS accounts without being reflected in Guardian Pro.
Best practices for data freshness:
- Configure scan schedules that match your rate of infrastructure change
- Trigger on-demand scans before important analysis (failure simulations, compliance reports)
- Check the "Last scan time" indicator on the Dashboard to know when data was last refreshed
Guardian Pro stores the timestamp of each scan, and the Resource Explorer displays the last scan time prominently. Historical scan data is retained for trend analysis and auditing.
After Discovery Completes
When a discovery scan finishes, it triggers several downstream processes automatically:
- Security scanner -- Evaluates all discovered resources against hundreds of checks
- Architecture advisor -- Analyses the dependency graph for risks and health scoring
- Cost enricher -- Correlates cost data with discovered resources
- Compliance mapper -- Maps resource configurations to compliance framework controls
You do not need to trigger these processes separately -- they chain automatically from the discovery scan.
Next Steps
- Browsing Resources -- Search and filter your discovered resources.
- Resource Details -- Inspect individual resource configurations.
- Architecture Map -- Visualise the relationships discovered during the scan.
- Dashboard -- Monitor scan progress and trigger new scans.