Sergej_Gurenko
Contributor

Is it possible to manually exclude assets in Dome9

Hello Dome9 Experts,

Please help with a few questions:

1. Is it possible to onboard (half of) the AWS account, while manually excluding some assets? Or is the only boundary the AWS account, and once onboarded all billable assets are counted? Obviously the only options in the GUI are: a. Read-Only (Monitor mode), b. Full protection (CloudGuard managed).

2. Imagine a customer is interested in Serverless protection only. Is it possible to onboard Serverless protection only, without scanning and licensing general compute?
I think it is already answered here: Dome9 AWS Lambda Serverless monitoring - pre-requrements, but I just want to double check. The prior answer was:

This is how it looks to onboard and what is needed.

1. Have to have an onboarded cloud account of course.

3. When onboarding Serverless, can you select which Lambda functions to onboard? For example, there are Prod, Test, Dev clones for each Lambda; can I select the Lambdas I want to protect?

4. Is it the same license requirement for CloudGuard (Dome9) Proact Assessment as CloudGuard Serverless protection? That is, "6 functions constitute one billable asset" no matter what your plan is, whether you are only inspecting the config or actively protecting the Lambda.
I tried to ask this question here - How to secure your Serverless Functions with CloudGuard Workload with a Open Serverless CICD Job

References:

As per documentation in Billable Assets:

The CloudGuard license is based on average monthly use of billable protected assets, and not on the peak number of assets used. Every hour or part of an hour for an asset contributes 1/24 to the daily average, and the daily average contributes to the weekly and monthly ones.

| Asset type | Comments & exclusions |
|---|---|
| EC2 | Micro and Nano are not billable |
| RDS | Micro and Nano are not billable |
| Lambda | 6 functions constitute one billable asset (latest version of function only is counted) |

1 Reply
adamybsci
Participant

Not today; Dome9 scans your entire account. I requested a feature enhancement to the product in this thread: https://community.checkpoint.com/t5/Cloud-Security-Posture/New-Feature-Request-for-Onboard-specific-... I agree that Dome9 should give the customer more control over what it can scan.
0 Kudos