As an administrator of an expanding, highly distributed infrastructure, you may be responsible for overseeing thousands of on-premise and cloud resources from multiple providers—governed under dozens of accounts by a complex nest of RBAC rules. To query all these resources for purposes such as compliance audits and access management, you may be required to write custom scripts and painstakingly sift through data across disparate tools. To efficiently govern all these disparate resources, you need to access ownership, configuration, and security posture data about all of them in one place.
By providing a complete inventory of all your resources and mapping their interrelationships, the Datadog Resource Catalog helps you govern your resources more effectively. With the Resource Catalog, you can view, sort, filter, and drill into all your resources to find key metadata, ownership info, and service relationships. You can use the Resource Catalog in a variety of contexts, including:
- Understanding the team ownership of resources and finding orphaned ones to clean up
- Planning upgrades of resources that are running deprecated versions
- Accessing configuration information and other metadata to speed up incident response
- Maintaining your security posture by finding and resolving misconfigurations and vulnerabilities
In this post, we’ll discuss the Resource Catalog’s key features, and show how you can use it to:
- Govern your organization’s resources to improve ownership and observability coverage
- Find useful context during incident investigations
- Maintain your security posture
The Resource Catalog’s Inventory view enables you to quickly change scope to see the resources you own or care about. You can search for resources by name, filter them by any shared attributes (such as region, environment, account, or cloud platform), and group them using out-of-the-box categorization options. You can then see the service and team attribution for all the queried resources. By finding and fixing gaps in this attribution, you can better understand the allocation and ownership of your resources.
The Resource Catalog lets you group resources not only by specific types—such as Amazon EC2, Amazon S3, or Azure Blob Storage—but also by broader categories, such as analytics, compute, database, networking, and management tools. This way, even if your resources are distributed across multi-cloud or hybrid environments, you can still group them by architectural function, and understand their service and team attribution at this level.
For example, the following screenshot shows resources grouped by category, and you can see that a large number of resources are missing team and service tags. Analytics and management tools have the lowest rate of service attribution. You’ll want to add team and service tags to these resources so that they can provide helpful context for incident investigations and initiatives like upgrade planning and cost optimization. This way, you’ll be able to spot orphaned resources, identify the services impacted by misconfigurations, and know which individuals to contact to help address these issues.
You can filter your resources not only by the primary suggested tags (cloud provider, region, environment, account, service, and team) but also by any other tag. These tag filters can provide insights about your resources in many different governance scenarios. For example, let’s say your team uses x86-based EC2 instances, and you’re planning to migrate all of them to Arm to improve performance and lower cost. For the safest migration, you’ll be doing this region by region. The Resource Catalog lets you filter all your EC2s by architecture type, so you can quickly surface the x86-based instances that still need to be migrated. The following example shows a query that additionally groups these resources by region, so you can more easily plan each step of the migration.
To enable teams across your organization to govern their resources more easily, you can create saved views that provide quick access to helpful queries. For example, you might want to create a saved view for your team’s production environment, filtered to compute resources and grouped by region, so your team can easily see a catalog of all their production hosts.
By giving you access to configuration details and other key metadata about all your resources in a single view, the Resource Catalog can help steer your incident investigations. For example, when investigating an incident with one of your team’s services, you might want to quickly filter for the resources belonging to it and look for issues in their configuration.
Let’s say you’re alerted that your eshop service is experiencing a high error rate. You use APM to discover that the errors are occurring in read requests on its databases. To investigate these resources’ configurations, you can filter the Catalog to view database resources for your service, as shown in the following screenshot.
Then, you can drill into specific instances to view their configuration details and look for potential issues. The resource side panel gathers all this information under the Resource Info tab. In the following screenshot, you can see that one of your databases is running an older version than the one expected by your code. This may have been the result of an incomplete upgrade rollout during a migration.
Next, you’ll want to contact the infrastructure team that owns the database and tell them about this issue. You can use the Ownership tab to quickly page the on-call engineer, contact the team via Slack, or dive into the docs to figure out how to upgrade the database yourself.
If you’re a Datadog CSM customer, you can also access the Resource Catalog’s Security view, which provides actionable intelligence about security misconfigurations and active threats. Just like with the Inventory view, you can filter and group your resources in the Security view to quickly find active issues.
In the following example, we’ve found that the EBS volumes for our chaos-cloud service are all unencrypted.
The Security tab lets you not only search for and identify misconfigurations and threats, but also kick off remediation. When you click to view the details of this misconfigured resource, you can see a description of the issue and access a runbook that provides steps you can use to encrypt your volumes by using the AWS CLI. The side panel also includes a button you can use to pivot directly to your cloud provider console, so you can quickly implement this guidance.
You can also leverage Datadog Workflow Automation to trigger an automated process that resolves the issue, or create a new Jira ticket to loop in more collaborators.
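The unencrypted-volume finding described above, together with the ownership-tag gap discussed earlier, can be checked outside the product against the JSON that `aws ec2 describe-volumes` returns. This is an added example, not Datadog's code: the function name is hypothetical, and the sample volumes, IDs, and tag values are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `aws ec2 describe-volumes` output.
SAMPLE = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0aaa", "Encrypted": false, "AvailabilityZone": "us-east-1a",
   "Tags": [{"Key": "service", "Value": "chaos-cloud"}, {"Key": "team", "Value": "infra"}]},
  {"VolumeId": "vol-0bbb", "Encrypted": false, "AvailabilityZone": "us-east-1b",
   "Tags": [{"Key": "service", "Value": "chaos-cloud"}]},
  {"VolumeId": "vol-0ccc", "Encrypted": true, "AvailabilityZone": "us-west-2a",
   "Tags": [{"Key": "service", "Value": "eshop"}, {"Key": "team", "Value": "shop"}]},
  {"VolumeId": "vol-0ddd", "Encrypted": false, "AvailabilityZone": "eu-west-1a"}
]}
""")

def unencrypted_by_service(doc):
    """Group unencrypted volumes by `service` tag and list the ones with no
    `team` tag, i.e. findings that have no owner to route to."""
    by_service = defaultdict(list)
    unowned = []
    for vol in doc.get("Volumes", []):
        # A missing Encrypted field is treated as unencrypted (fail closed).
        if vol.get("Encrypted", False):
            continue
        # Tags is absent entirely on untagged volumes, so default to [].
        tags = {t["Key"].lower(): t["Value"] for t in vol.get("Tags", [])}
        by_service[tags.get("service", "<untagged>")].append(vol["VolumeId"])
        if "team" not in tags:
            unowned.append(vol["VolumeId"])
    return dict(by_service), unowned

if __name__ == "__main__":
    findings, unowned = unencrypted_by_service(SAMPLE)
    for service, vols in sorted(findings.items()):
        print(f"{service}: {len(vols)} unencrypted -> {', '.join(vols)}")
    print("no team tag:", ", ".join(unowned))
```

Volumes that are both unencrypted and missing a team tag are the ones to triage first, since the finding cannot be routed to an owner.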
In addition to the Security view’s list of resources and their misconfigurations and threats, the Resource Catalog also offers a map that can help you assess the security posture of your resources. For example, let’s say you want to find misconfigurations in your Amazon S3 buckets. You can filter to those resources and fill the nodes according to the severity of misconfigurations. The following screenshot shows the resulting map, which surfaced a number of high-severity misconfigurations in your buckets across your three biggest regions. You can click on any node in the graph to view that resource’s side panel and investigate the misconfigurations on it further.
The Datadog Resource Catalog provides a powerful way to proactively govern your infrastructure, find the context you need during troubleshooting and remediation, and stay ahead of misconfigurations and security risks. The Resource Catalog is now available in public beta—get started in the Datadog app. On-prem hosts that are running the Datadog Agent will automatically appear in your Resource Catalog. You can add more resources to Datadog by enabling resource collection for your cloud account, project, or subscription. If you’re new to Datadog, sign up for a free trial.