Cloud Scan

A cloud discovery scan lets you identify certificates in use within your cloud environment. The discovery is filtered based on specific cloud environments and identifies certificates irrespective of the issuing certificate authority.

Initiating a Cloud Discovery Scan for AWS

  1. Go to (Menu) > CERT+ > CERTIFICATE DISCOVERY > Discovery > Cloud Scan.
    The Discovery : Cloud Scan : Add Discovery page is displayed.
  2. To initiate a cloud certificate discovery scan, enter the Discover Details.
    1. To specify the frequency at which the certificate discovery scan will be triggered, select the Discovery Run Type.
      Table 1. Discovery run type options
      Frequency Type: Description
      On-demand: Cloud certificate discovery scan is triggered manually by the user as and when required.
      Scheduled: Cloud certificate discovery scan is triggered automatically at the specified time and date.
    2. Enter the details for initiating an on-demand cloud certificate discovery scan.
      Table 2. Field descriptions for on-demand discovery
      Field: Description
      Discovery Instance Name: Enter a name for the discovery instance.
      Description: Enter additional details related to the discovery option.
      Note: Character limit: 2000 characters

      OR

      Enter the details for initiating a scheduled cloud certificate discovery scan.

      Table 3. Field descriptions for scheduled discovery
      Field: Description
      Discovery Instance Name: Enter a name for the discovery instance.
      Description: Enter additional details related to the discovery option.
      Note: Character limit: 2000 characters
      *Time Zone: From the dropdown list, select the time zone in which the scheduled discovery instance will be triggered.
      Occurrence Type: From the dropdown list, select one of the following occurrence frequencies:
      • Daily
      • Weekly
      • Monthly
      • Yearly
      *Repeat On:
      Note: This field is displayed only when Occurrence Type = Weekly.
      Select the checkbox corresponding to the day of the week on which you want the discovery occurrence to repeat.
      *Starts On: Click (Calendar widget) to select a date to start the scheduled discovery.
      *Ends: From the following options, select when the scheduled discovery is to end:
      • Never: Discovery never stops.
      • After: Discovery stops after the number of occurrences specified in the text field.
      • On: Discovery stops on the date selected using (Calendar widget).
      Summary: Displays a summary of the selections made for scheduled discovery.
      *: Mandatory fields
  3. To filter the discovered certificates, enter the Discover By details.
    Table 4. Field descriptions for the Discover By section
    Field: Description
    *Discovery From: From the dropdown list, select Cloud (the source to discover a certificate from).
    *Vendor: From the dropdown list, select AWS.
    *Account type: From the following options, select the AWS account type for certificate discovery:
    • Stand-alone account sign-in (In a stand-alone account, the user account and the resources are available in the same account.)
    • Cross account sign-in (In a cross-account sign-in, resources are available across multiple accounts and users are given role-based access.)
    *Select Account View:
    Note: This field is displayed only when you've selected Account type = Cross account sign-in.
    From the given options, select one to specify if the discovery will be performed for the master account or for the child accounts.
    *Select Filter Type:
    Note: This field is enabled when:
      • Account type = Stand-alone account sign-in
      • Account type = Cross account sign-in AND Select Account View = Child Account.
    From the following options, select one to specify how the discovery results should be filtered:
    • Account View
    • Service View
    Selected Resources: To search for a resource:
    1. (Optional) In the Type your search and press Enter field, enter a search keyword to filter the list of resources.
    2. Select the checkbox corresponding to the required resource.
    To add an existing resource to the list:
    1. Click .
    2. From the Add Accounts dialog box, select the checkbox corresponding to the required resource(s).
    3. Click Add Selected.
      Note: The Add Selected button is enabled after at least one resource is selected.
    To delete a resource from the list:
    1. Select the checkbox corresponding to the resource you want to delete.
    2. From the Action field, click .

      OR

      Click .
      Note: To delete multiple resources at once:
      1. Select the checkboxes for the resources to be deleted.
      2. Click .
    Execute Batches Sequentially: To execute the discovery operation on the specified batches sequentially, select this checkbox.
    *Interval Between Batches: If Execute Batches Sequentially is selected, enter an interval duration (in minutes) in this field. The sequential execution of the batches is spaced according to the interval value entered here.
    *: Mandatory fields
  4. In the Discovery Rules section, from the Associate Rule dropdown list, select a rule that will be used to filter the discovered certificates.
    A rule is created from the Rules menu by combining a set of filters. The selected rule applies its filters to the discovered certificates.
  5. In the After Discover section, enter the following details:
    Table 5. Field descriptions for the After Discover section
    Field: Description
    *Move Certificate to Inventory with Status: Select one of the following options:
    • Do not move: The newly discovered certificates and their objects will not be moved to the inventory.
    • Managed: The newly discovered certificates and their objects will be moved to the inventory with the status set to Managed.
    • Monitored: The newly discovered certificates and their objects will be moved to the inventory with the status set to Monitored.
    Use Access Control Rule: To apply the rule configured using Access Control, select this checkbox.
    Note: If this checkbox is enabled, the certificate group will be associated automatically by the rule in access control.
    *Certificate Group: From the dropdown list, select a certificate group to which the discovered certificates will be associated.

    Based on the group association, a policy will also be applied to these certificates, which will help ascertain compliance or non-compliance.

    *: Mandatory fields
  6. In the Discovery Notifications section, to receive discovery status update notifications:
    1. Select the Subscribe for discovery status notifications checkbox.
    2. In the Who should be notified? field, select one from the following options:
      • Notify User: Send a notification only to the user configuring/modifying this discovery instance.
      • Notify User Group: Send a notification to all the users in the triggering user's user group.
  7. Click Discover/Schedule to trigger the on-demand/scheduled discovery, respectively.
    The discovered certificates are listed in the certificate inventory.

Initiating a Cloud Discovery Scan for Azure

  1. Go to (Menu) > CERT+ > CERTIFICATE DISCOVERY > Discovery > Cloud Scan.
    The Discovery : Cloud Scan : Add Discovery page is displayed.
  2. To initiate a cloud certificate discovery scan, enter the Discover Details.
    1. To specify the frequency at which the certificate discovery scan will be triggered, select the Discovery Run Type.
      Table 6. Discovery run type options
      Frequency Type: Description
      On-demand: Cloud certificate discovery scan is triggered manually by the user as and when required.
      Scheduled: Cloud certificate discovery scan is triggered automatically at the specified time and date.
    2. Enter the details for initiating an on-demand cloud certificate discovery scan.
      Table 7. Field descriptions for on-demand discovery
      Field: Description
      Discovery Instance Name: Enter a name for the discovery instance.
      Description: Enter additional details related to the discovery option.
      Note: Character limit: 2000 characters

      OR

      Enter the details for initiating a scheduled cloud certificate discovery scan.

      Table 8. Field descriptions for scheduled discovery
      Field: Description
      Discovery Instance Name: Enter a name for the discovery instance.
      Description: Enter additional details related to the discovery option.
      Note: Character limit: 2000 characters
      *Time Zone: From the dropdown list, select the time zone in which the scheduled discovery instance will be triggered.
      Occurrence Type: From the dropdown list, select one of the following occurrence frequencies:
      • Daily
      • Weekly
      • Monthly
      • Yearly
      *Repeat On:
      Note: This field is displayed only when Occurrence Type = Weekly.
      Select the checkbox corresponding to the day of the week on which you want the discovery occurrence to repeat.
      *Starts On: Click (Calendar widget) to select a date to start the scheduled discovery.
      *Ends: From the following options, select when the scheduled discovery is to end:
      • Never: Discovery never stops.
      • After: Discovery stops after the number of occurrences specified in the text field.
      • On: Discovery stops on the date selected using (Calendar widget).
      Summary: Displays a summary of the selections made for scheduled discovery.
      *: Mandatory fields
  3. To filter the discovered certificates, enter the Discover By details.
    Table 9. Field descriptions for the Discover By section
    Field: Description
    *Discovery From: From the dropdown list, select Cloud (the source to discover a certificate from).
    *Vendor: From the dropdown list, select Azure.
    Discovery Scope: Select the Azure environment scope (range/boundary) within which the certificate discovery process will operate.
    • Azure Settings

      Azure settings are configurable parameters that define the behavior of the resources within a subscription.

    • Azure Subscriptions

      Azure subscriptions are logical containers for Azure services and resources, identified based on a customer's agreement with Microsoft.

    Enable Service Specific Discovery:
    Note: This field is displayed only when Discovery Scope = Azure Subscriptions.
    To filter discovery results based on the services under each subscription mapped to a service, turn on the Enable Service Specific Discovery option.

    If this field is disabled, the discovery scope will include all the services within a subscription that is mapped to a setting.

    Selected Resources: To search for a resource:
    1. (Optional) In the Type your search and press Enter field, enter a search keyword to filter the list of resources.
      To make your search more specific:
      1. From the Type your search and press Enter field, click .
      2. Enter values for one or more of the following parameters:
        • Azure Settings
        • Subscription ID
        • Tenant ID
        • Resource Type
      3. In the Condition field:
        • To get search results that meet all your specified criteria, select AND.
        • To get results that meet at least one (or more) of your specified criteria, select OR.
    2. From the search results, select the checkbox corresponding to the required resource.
    To add an existing resource to the list:
    1. Click .
    2. From the Add Accounts dialog box, select the checkbox corresponding to the required resource(s).
    3. Click Add Selected.
      Note: The Add Selected button is enabled after at least one resource is selected.
    To delete a resource from the list:
    1. Select the checkbox corresponding to the resource you want to delete.
    2. From the Action field, click .

      OR

      Click .
      Note: To delete multiple resources at once:
      1. Select the checkboxes for the resources to be deleted.
      2. Click .
    Execute Batches Sequentially: To execute the discovery operation on the specified batches sequentially, select this checkbox.
    *Interval Between Batches: If Execute Batches Sequentially is selected, enter an interval duration (in minutes) in this field. The sequential execution of the batches is spaced according to the interval value entered here.
    *: Mandatory fields
  4. In the Discovery Rules section, from the Associate Rule dropdown list, select a rule that will be used to filter the discovered certificates.
    A rule is created from the Rules menu by combining a set of filters. The selected rule applies its filters to the discovered certificates.
  5. In the After Discover section, enter the following details:
    Table 10. Field descriptions for the After Discover section
    Field: Description
    *Move Certificate to Inventory with Status: Select one of the following options:
    • Do not move: The newly discovered certificates and their objects will not be moved to the inventory.
    • Managed: The newly discovered certificates and their objects will be moved to the inventory with the status set to Managed.
    • Monitored: The newly discovered certificates and their objects will be moved to the inventory with the status set to Monitored.
    Use Access Control Rule: To apply the rule configured using Access Control, select this checkbox.
    Note: If this checkbox is enabled, the certificate group will be associated automatically by the rule in access control.
    *Certificate Group: From the dropdown list, select a certificate group to which the discovered certificates will be associated.

    Based on the group association, a policy will also be applied to these certificates, which will help ascertain compliance or non-compliance.

    *: Mandatory fields
  6. In the Discovery Notifications section, to receive discovery status update notifications:
    1. Select the Subscribe for discovery status notifications checkbox.
    2. In the Who should be notified? field, select one from the following options:
      • Notify User: Send a notification only to the user configuring/modifying this discovery instance.
      • Notify User Group: Send a notification to all the users in the triggering user's user group.
  7. Click Discover/Schedule to trigger the on-demand/scheduled discovery, respectively.
    Once the certificates are discovered, you can view them in the certificate inventory.

    To automate the certificate lifecycle management for the discovered certificates, you can enable auto regeneration of certificates, auto renewal of certificates, and auto push of certificates to endpoints.

Initiating a Cloud Discovery Scan for GCP

  1. Go to (Menu) > CERT+ > CERTIFICATE DISCOVERY > Discovery > Cloud Scan.
    The Discovery : Cloud Scan : Add Discovery page is displayed.
  2. To initiate a cloud certificate discovery scan, enter the Discover Details.
    1. To specify the frequency at which the certificate discovery scan will be triggered, select the Discovery Run Type.
      Table 11. Discovery run type options
      Frequency Type: Description
      On-demand: Cloud certificate discovery scan is triggered manually by the user as and when required.
      Scheduled: Cloud certificate discovery scan is triggered automatically at the specified time and date.
    2. Enter the details for initiating an on-demand cloud certificate discovery scan.
      Table 12. Field descriptions for on-demand discovery
      Field: Description
      Discovery Instance Name: Enter a name for the discovery instance.
      Description: Enter additional details related to the discovery option.
      Note: Character limit: 2000 characters

      OR

      Enter the details for initiating a scheduled cloud certificate discovery scan.

      Table 13. Field descriptions for scheduled discovery
      Field: Description
      Discovery Instance Name: Enter a name for the discovery instance.
      Description: Enter additional details related to the discovery option.
      Note: Character limit: 2000 characters
      Occurrence Type: From the dropdown list, select one of the following occurrence frequencies:
      • Daily
      • Weekly
      • Monthly
      • Yearly
      *Repeat On:
      Note: This field is displayed only when Occurrence Type = Weekly.
      Select the checkbox corresponding to the day of the week on which you want the discovery occurrence to repeat.
      *Starts On: Click (Calendar widget) to select a date to start the scheduled discovery.
      *Ends: From the following options, select when the scheduled discovery is to end:
      • Never: Discovery never stops.
      • After: Discovery stops after the number of occurrences specified in the text field.
      • On: Discovery stops on the date selected using (Calendar widget).
      Summary: Displays a summary of the selections made for scheduled discovery.
      *: Mandatory fields
  3. To filter the discovered certificates, enter the Discover By details.
    Table 14. Field descriptions for the Discover By section
    Field: Description
    *Discovery From: From the dropdown list, select Cloud (the source to discover a certificate from).
    *Vendor: From the dropdown list, select GCP.
    Discovery Scope: Select the GCP environment scope (range/boundary) within which the certificate discovery process will operate.
    • GCP Settings

      GCP settings are configurable parameters that define the behavior of the resources within a project.

    • GCP Projects

      GCP projects are logical containers for GCP resources, identified based on a specific requirement.

    Enable Service Specific Discovery:
    Note: This field is displayed only when Discovery Scope = GCP Projects.
    To filter discovery results based on the services under each project mapped to a setting, turn on the Enable Service Specific Discovery option.

    If this field is disabled, the discovery scope will include all the services within a project that is mapped to a setting.

    *Selected Resources: To search for a resource:
    1. (Optional) In the Type your search and press Enter field, enter a search keyword to filter the list of resources.
    2. Select the checkbox corresponding to the required resource.
    To add an existing resource to the list:
    1. Click .
    2. From the Add Accounts dialog box, select the checkbox corresponding to the required resource(s).
    3. Click Add Selected.
      Note: The Add Selected button is enabled after at least one resource is selected.
    To delete a resource from the list:
    1. Select the checkbox corresponding to the resource you want to delete.
    2. From the Action field, click .

      OR

      Click .
      Note: To delete multiple resources at once:
      1. Select the checkboxes for the resources to be deleted.
      2. Click .
    Execute Batches Sequentially: To execute the discovery operation on the specified batches sequentially, select this checkbox.
    *Interval Between Batches: If Execute Batches Sequentially is selected, enter an interval duration (in minutes) in this field. The sequential execution of the batches is spaced according to the interval value entered here.
    *: Mandatory fields
  4. In the Discovery Rules section, from the Associate Rule dropdown list, select a rule that will be used to filter the discovered certificates.
    A rule is created from the Rules menu by combining a set of filters. The selected rule applies its filters to the discovered certificates.
  5. In the After Discover section, enter the following details:
    Table 15. Field descriptions for the After Discover section
    Field: Description
    *Move Certificate to Inventory with Status: Select one of the following options:
    • Do not move: The newly discovered certificates and their objects will not be moved to the inventory.
    • Managed: The newly discovered certificates and their objects will be moved to the inventory with the status set to Managed.
    • Monitored: The newly discovered certificates and their objects will be moved to the inventory with the status set to Monitored.
    Use Access Control Rule: To apply the rule configured using Access Control, select this checkbox.
    Note: If this checkbox is enabled, the certificate group will be associated automatically by the rule in access control.
    *Certificate Group: From the dropdown list, select a certificate group to which the discovered certificates will be associated.

    Based on the group association, a policy will also be applied to these certificates, which will help ascertain compliance or non-compliance.

    *: Mandatory fields
  6. In the Discovery Notifications section, to receive discovery status update notifications:
    1. Select the Subscribe for discovery status notifications checkbox.
    2. In the Who should be notified? field, select one from the following options:
      • Notify User: Send a notification only to the user configuring/modifying this discovery instance.
      • Notify User Group: Send a notification to all the users in the triggering user's user group.
  7. Click Discover/Schedule to trigger the on-demand/scheduled discovery, respectively.