Alibaba Cloud - Onboarding
Instructions for Onboarding an Alibaba Cloud Account or Accounts with InsightCloudSec
After InsightCloudSec is successfully installed, you're ready to start harvesting resources from your target accounts. This documentation provides details on configuring Alibaba Cloud to "talk" with InsightCloudSec securely for both admin and non-admin users and explains the different onboarding workflows you can expect for new and returning users.
Getting Started with Onboarding Alibaba Cloud
Before you can begin the Alibaba Cloud onboarding process, you'll need to login to InsightCloudSec and open the Cloud Account Onboarding Wizard, which provides a different experience depending on the type of user you are:
- First-time User: InsightCloudSec is freshly deployed and this will be the first time a Cloud Service Provider (CSP) has been onboarded.
- Returning User: InsightCloudSec has one or more CSPs already onboarded and you would like to add a new Alibaba Cloud account.
- Admin User: You can login to the Alibaba Cloud console and have the appropriate access to grant InsightCloudSec access to your account(s).
- Non-Admin User: You can interact with InsightCloudSec and would like to onboard an Alibaba Cloud account(s) but do not have the appropriate Alibaba Cloud access to grant InsightCloudSec access to your account(s).
In addition, we also provide instructions for:
- Existing Cloud Accounts: For information about modifying an existing Alibaba Cloud account, check out the Cloud Account Setup & Management page.
- Supported Resources - To see a list of the Alibaba Cloud resources that are supported take a look at our Resource Matrix
Need Support?
We are here to help! If you have questions or concerns reach out to us through the Customer Support Portal.
Configuration Information for Alibaba Cloud
Alibaba Cloud Details
There are several steps that must be taken within the Alibaba Cloud console to enable InsightCloudSec to get access to an account, and this page provides those steps.
Additional Resources on Alibaba Cloud include:
- Details on Resource Access Management (RAM) in Alibaba Cloud
- Managing Policies in Alibaba Cloud
- Managing Users in Alibaba Cloud
Policies
InsightCloudSec support of Alibaba Cloud is currently limited to read-only access.
Read-Only Policy
The Read-Only policy contains only read permissions for the Alibaba Cloud resources that InsightCloudSec supports. The policy can be obtained from our public S3 bucket. Note: This policy will need to be updated any time InsightCloudSec supports a new Alibaba Cloud service.
Non-Admin Onboarding for Alibaba Cloud
If you've determined that you're not an Admin user or you're not sure, you will need to provide an Admin within your organization with the "Alibaba Cloud Admin Instructions". Once the Admin has completed the instructions, they should be able to provide you with answers and/or content for the following required fields:
- A Nickname for the Account
- An Access Key ID
- An Access Key Secret
Steps for Non-Admin Onboarding
The steps to complete this process for both First-time Users and Returning Users are provided below. Step 2a and 2b provide specifics for the two user types.
1. Log in to your InsightCloudSec installation.
2-a. For first-time users a successful log in should launch the Onboard a Cloud Account workflow. You will need to select "Alibaba Cloud" as your Cloud Service Provider, and then select "No - Help me identify the details needed". Click "Next" to start the onboarding process.
2-b. For returning users navigate to "Cloud --> Cloud Accounts" and select "Add Cloud". *You will need to select "Alibaba Cloud" as your Cloud Service Provider, and then select the "Don't have admin access?" option at the bottom right of the window.
3. Copy the details from the admin instructions and share them with your Admin.
4. Once your Admin has completed the setup, they can provide you with the required information to complete the configuration.
5. Return to the onboarding workflow, input the Nickname, Access Key ID, and Secret Access Key to finalize your Alibaba Cloud onboarding setup and click "Connect".
Admin Onboarding for Alibaba Cloud
For administrative users this section includes step-by-step instructions for the configuration required in both the Alibaba Cloud console and the InsightCloudSec Onboarding Wizard to connect.
-
If you are connecting to InsightCloudSec for the first time, you will be greeted by a workflow that shares some details around InsightCloudSec capabilities and allows you to select your Cloud Service Provider to start the onboarding process.
-
If you have connected to InsightCloudSec previously but are setting up Alibaba Cloud for the first time, you will need to navigate to "Cloud --> Cloud Accounts" and select the "Add Cloud" option to open the cloud onboarding.
Using either path above select "Alibaba Cloud" as your CSP to get started with the admin onboarding.
InsightCloudSec - Alibaba Cloud Onboarding Example
Alibaba Login (Step 1)
In the InsightCloudSec Onboarding Wizard
1. Provide your Alibaba Cloud account with an identifiable "Nickname".
2. Click "Next" to go to 2. RAM Policy.
RAM Policy (Step 2)
In the Alibaba Cloud Console - Create a Resource Access Management (RAM) Policy
1. Login to the Alibaba Cloud console using the account you would like to connect to InsightCloudSec.
2. From the Products and Services menu, click "Resource Access Management" (under the Operations and Maintenance group).
3. In the RAM navigation menu, click "Policies" (under Permissions).
4. Click "Create Policy", and then click "JSON".
5. In the JSON section, paste the details from the InsightCloudSec Read Only RAM JSON Policy (found in our public S3 bucket).
- The Read-Only policy contains only read permissions for the Alibaba Cloud resources that InsightCloudSec supports.
Policy Updates
This policy will need to be updated any time InsightCloudSec supports a new Alibaba Cloud service.
6. Click "Next to edit policy information", then provide the policy a name.
- Note special character rules (for example: spaces are not allowed).
- Add a note/description if desired.
7. Click "OK" to finalize your RAM policy and then verify that your policy was successfully created under the Policies section.
In the InsightCloudSec Onboarding Wizard
8. Click "Next" to go to User (Step 3.)
User (Step 3)
The steps here are provided in order but take place in both the Alibaba Cloud Console and the InsightCloudSec Onboarding Wizard with some back and forth. The environment location for the steps will specify where each step or steps are intended to take place so read carefully.
In the Alibaba Console - Create User
1. In the RAM navigation menu, click "Users" (under Identity).
2. Click "Create User", then provide a logon name.
- Note special character rules (for example: spaces are not allowed).
- Add a display name if desired.
3. Under Access Mode, select "OpenAPI Access".
4. Select "OK" to finalize the creation of the user.
Save the Information for the Access Key
Either download a CSV file or copy the Access Key ID and the Access Key Secret to secure location.
In the InsightCloudSec Onboarding Wizard
5. Paste the values for the "Access Key ID" and "Access Key Secret".
In the Alibaba Console - Assign Your Policy to Your User
6. Locate the user you created and click the name.
7. Select the "Permissions" tab (under Basic Information), then under the "Individual" tab, click "Grant Permission".
8. Select "Custom Policy" as the type of policy to add.
9. Search for and select the name of the policy you created, and then click "OK" to finalize the changes.
10. Confirm permissions have been authorized and click "Complete".
11. View the User details to confirm that the policy (permissions) have been added for this user.
In the InsightCloudSec Onboarding Wizard
12. Under the Assign Policy to User section, click the checkbox for "I confirm the policy has been assigned to the user."
13. Click "Connect Account" to finalize your Alibaba Cloud setup.
Updated about 1 month ago