Azure LPA Setup

The Azure LPA feature can be used to harvest and send detailed data about Azure users and roles to your InsightCloudSec instance. If you have any issues or questions with this setup, reach out to the support team through the Customer Support Portal.

Setup Overview

The Azure LPA feature relies on infrastructure deployed in your Azure subscription to collect action data and aggregate action statistics. For an overview of this infrastructure, review Azure LPA design. You deploy it with the Azure LPA configuration library contained in the InsightCloudSec Azure LPA repository, which automates the whole deployment.

To set up Azure LPA, complete the following steps:

  • Step 1: Download and Set Up the Repository -- Download and set up the repository, then deploy the Azure LPA infrastructure.
  • Step 2: InsightCloudSec Configuration -- Set up Azure LPA data collection within InsightCloudSec and begin receiving data.

Prerequisites

Before configuring Azure LPA, you'll need the following:

  • A local macOS or Linux environment
  • Admin access to the Azure subscription that will hold the LPA infrastructure and data
  • The Azure subscription to associate with LPA already connected to InsightCloudSec
  • An Azure CLI login to that subscription with the necessary Admin permissions (or a custom deployment role; see Permissions under Troubleshooting)

Azure CloudShell is not supported!

The instructions below are currently supported only in a local macOS or Linux environment or in a virtual machine.

Step 1: Download and Set Up the Repository

Downloading

The repository is publicly available in an S3 bucket.

Product name to be replaced

You may observe that some components, screen captures, or examples use our former product name, DivvyCloud. This doesn't affect the configuration or the product's functionality, and we will notify you as we replace these component names.

  1. Download the repository using the following link: https://s3.amazonaws.com/get.divvycloud.com/prodserv/ics-azure-lpa/ics-azure-lpa-latest.zip
  2. Extract the repository's contents to the desired location.

Once extracted, take a moment to look through the repository's contents. An outline of its main sections follows:

  • README.md -- contains extensive documentation for the Azure LPA Python Library
  • roles -- Azure role definitions for the roles to be deployed to your subscription
  • src/ics_azure_lpa/automation -- Azure deployment automation framework
    • Automation entails the creation of the Azure LPA infrastructure, addition/removal of subscriptions, and destruction of the Azure LPA infrastructure
  • src/ics_azure_lpa/client -- Azure client interaction
    • Client interaction relates to either direct interactions with the Kusto/Azure Data Explorer (ADX) cluster or Azure Storage (to receive the final data products)
  • arm_templates -- Azure ARM templates
  • bicep_templates -- Azure Bicep templates
  • tests/integration -- Integration tests (long-running tests that manipulate actual resources).
  • tests/regression -- Regression tests (short-running tests that ensure code consistency).

Setup

Azure LPA deployment is best done via the Python deployment script, which uses Bicep, the Azure CLI, and the Kusto client. We recommend a dedicated Python virtual environment (e.g., pyenv virtualenv ...) for the Azure LPA deployment.

Python version

This library was developed and tested using Python 3.8.5; newer versions may work as well.

  1. From a terminal, navigate to the repository.
    • Before continuing, we highly recommend you review the README!
  2. Install dependencies: make deps-py-dev (development dependencies) or make deps-py (build dependencies)
  3. Create or refresh the Azure ARM templates: make arm-templates
  4. Deploy the infrastructure: deployLpa
    • Additional information about this command is available via deployLpa --help
  5. Answer the interactive prompts to select the deployment location and options. An example run of the deployment script is included below:

Deployment Duration

Deployment of the entire Azure LPA infrastructure can take anywhere from 40 to 60 minutes.

```text
(divvycloud-azure-lpa) admin@my-macbook divvycloud-azure-lpa % deployLpa
Deployment location (Central US, East US, East US 2, US Gov Iowa, US Gov Virginia, North Central US, South Central US, West US, North Europe, West Europe, East Asia, Southeast Asia, Japan East, Japan West, Brazil South, Australia East, Australia Southeast, Central India, South India, West India) [East US]:
With virtual network [y/N]: y

Starting LPA deployment for Resource Group: "my-resource-group"!

2022-05-31 13:35:11,052 - divvy_azure_lpa.automation.accounts - INFO - Subscription: "Azure Alpha" [23456a7b-234b-2345-a23b-a23456b7c89d] Tenant [12345a6b-123b-1234-a12b-a12345b6c78d] (accounts.py:48)
2022-05-31 13:35:11,055 - divvy_azure_lpa.automation.accounts - INFO - Subscription: "qa-testbed" [34567a8b-3451-3456-a34b-a34567b8c90d] Tenant [12345a6b-123b-1234-a12b-a12345b6c78d] (accounts.py:48)
2022-05-31 13:35:11,055 - divvy_azure_lpa.automation.accounts - INFO - Default subscription: "qa-testbed" [34567a8b-3451-3456-a34b-a34567b8c90d] Tenant [12345a6b-123b-1234-a12b-a12345b6c78d] (accounts.py:61)
2022-05-31 13:35:11,914 - divvy_azure_lpa.automation.lpa - INFO - Looking for Azure Event Grid System Topic: "Microsoft.Resources.Subscriptions" within subscription [34567a8b-3451-3456-a34b-a34567b8c90d]... (lpa.py:1012)
2022-05-31 13:35:13,212 - divvy_azure_lpa.automation.lpa - INFO - Utilizing Azure Event Grid System Topic: "Microsoft.Resources.Subscriptions" (Name: "subscription-resource-events" RG: "r7-ics-lpa" Sub: [34567a8b-3451-3456-a34b-a34567b8c90d]) (lpa.py:396)
2022-05-31 13:35:13,213 - divvy_azure_lpa.automation.lpa - INFO - Target LPA RG: "my-resource-group" Sub: [34567a8b-3451-3456-a34b-a34567b8c90d] Tenant: [12345a6b-123b-1234-a12b-a12345b6c78d] (lpa.py:404)
2022-05-31 13:35:14,262 - divvy_azure_lpa.automation.lpa - INFO - Deployment configuration chosen: Virtual Network (lpa.py:219)
2022-05-31 13:35:14,262 - divvy_azure_lpa.automation.lpa - INFO - Attempting to deploy/update deployment associated with: "templates/vn/overallLPA.bicep"... (lpa.py:230)
2022-05-31 13:35:14,263 - divvy_azure_lpa.automation.lpa - WARNING - Deployment can take around 60 minutes. (lpa.py:234)
2022-05-31 14:03:55,929 - divvy_azure_lpa.automation.bicep - INFO - Provisioning state: Succeeded (bicep.py:90)
2022-05-31 14:03:55,929 - divvy_azure_lpa.automation.network_security_group - INFO - Attempting to deploy/update deployment associated with: "templates/vn/SecurityGroupAllowlist.bicep"... (network_security_group.py:151)
2022-05-31 14:04:32,305 - divvy_azure_lpa.automation.bicep - INFO - Provisioning state: Succeeded (bicep.py:90)
2022-05-31 14:04:32,466 - divvy_azure_lpa.automation.lpa - INFO - Opening Virtual Network up to local access (temporarily...) (lpa.py:579)
2022-05-31 14:04:44,393 - divvy_azure_lpa.automation.lpa - INFO - Updating Kusto cluster to allow client access for principal "bc9bf403-9b66-4be5-8a4d-c6ff399440f5"... (lpa.py:591)
2022-05-31 14:04:46,067 - divvy_azure_lpa.automation.lpa - INFO - Kusto cluster access updated. (lpa.py:602)
2022-05-31 14:04:46,067 - divvy_azure_lpa.automation.lpa - INFO - Closing Virtual Network to local access. (lpa.py:608)
2022-05-31 14:04:57,976 - divvy_azure_lpa.automation.lpa - INFO - Enabling workflow: "workflow"... (lpa.py:617)
2022-05-31 14:04:59,156 - divvy_azure_lpa.automation.lpa - INFO - Workflow enabled. (lpa.py:624)
2022-05-31 14:04:59,156 - divvy_azure_lpa.automation.lpa - INFO - Deployment complete for Resource Group: "my-resource-group"! (lpa.py:626)

Deployment of resource group "my-resource-group" complete!

To access data via CLI, set the environment variables:
export AZURE_STORAGE_CONNECTION_STRING="REDACTED"
export AZURE_STORAGE_CONTAINER_NAME="events"
Invoke: downloadLpaData
```

If you run into deployment errors, review the Troubleshooting section below for help or reach out to the support team through the Customer Support Portal.

A successful deployment prints three values that you'll need in the next section:

  • Resource group name
  • Azure Storage connection string -- treat this as a secret: a connection string that embeds the storage account key grants full access to the account's data, so keep it in a secrets manager rather than in shell history, tickets, or chat
  • Azure Storage container name

At this point the Azure LPA infrastructure is deployed and data collection begins. Data is collected continually, but aggregation of the LPA action statistics happens once a day at midnight.

Step 2: InsightCloudSec Configuration

Now that the Azure LPA infrastructure has been deployed, it's time to enable data collection within InsightCloudSec.

  1. Log in to your InsightCloudSec platform and click the settings button (cog icon) in the top-right corner.

  2. Click IAM Settings > Azure LPA Settings. The LPA Settings page appears with a list of the Azure subscriptions that have been added to InsightCloudSec.

  3. Next to the subscription you deployed to, click the vertical three dots to open the menu.

  4. Click Enable LPA.

  5. Provide the values for harvesting the LPA data:

    • The resource group name where the Azure LPA infrastructure is deployed (created in Step 1)
    • The connection string for the Azure Storage resource that hosts the Azure LPA data (created in Step 1)
    • The container name inside the Azure Storage resource that contains the Azure LPA data (created in Step 1)

  6. Click OK. You'll be returned to the LPA Settings page with the Status column updated to reflect LPA's current state. The status is typically Enabled, but for a recent deployment it may show that data is still awaiting aggregation. Review LPA States for more information.

Once LPA is successfully enabled and data has been collected, review Azure LPA Usage for information on viewing your data.

Data Availability

It can take up to 24 hours for data to be harvested and appear in InsightCloudSec.

Troubleshooting

Permissions

During deployment, the current Azure command line interface (CLI) user may not have the permissions needed to create the Azure LPA infrastructure. Alternatively, you may prefer to run the deployment as a dedicated deployment user that holds only the permissions the deployment commands require (least privilege) rather than a subscription-wide Admin. The Azure LPA infrastructure library provides the createLpaDeploymentRole command, which creates a custom role that can be assigned to that user to perform the Azure LPA infrastructure deployment.

User Loses Connection Information

You should retain the three key values (resource group name, connection string, container name) printed in the terminal after deployment, but if they are lost you can recover them from the Azure Portal:

  1. To find the resource group name, search your resource groups for the one with the Feature tag set to LPA.
  2. To find the Azure Storage account name, examine the LPA-related resource group (step 1).
  3. The connection string and container name can be read from that storage account (step 2) via Azure Storage Explorer (the connection string is also shown on the storage account's Access keys page in the portal).
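The script below is an added example written for this page; it is not part of the Azure LPA library. It covers both the three values handed over from Step 1 to Step 2 and their recovery described above: it validates a resource group name, connection string and container name before you paste them into InsightCloudSec (the cause of the Error state is usually a bad value), masks the account key so the string can be shared in a support ticket, recovers the values from Azure with the Azure CLI when the deployment output is gone, and lists a few blobs to prove the pair actually works. It assumes the connection string is the account-key form (DefaultEndpointsProtocol=...;AccountName=...;AccountKey=...;EndpointSuffix=...), which the deployment output redacts; that the LPA resource group holds a single storage account unless you name one explicitly; and an existing az login. The function names and the sample values are constructed for the example.

```shell
#!/usr/bin/env bash
# lpa-values.sh: validate, recover and verify the three Azure LPA values
# (resource group name, storage connection string, container name).
# Added example for this page; not part of the InsightCloudSec Azure LPA library.
set -u

# Blob container names: 3-63 chars of lowercase letters, digits and hyphens,
# starting and ending with a letter or digit, with no consecutive hyphens.
lpa_validate_container_name() {
  name="${1:-}"
  { [ "${#name}" -ge 3 ] && [ "${#name}" -le 63 ]; } || return 1
  case "$name" in *--*) return 1 ;; esac
  printf '%s' "$name" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Read one "Key=Value" field from a ';'-separated storage connection string.
lpa_cs_field() {
  printf '%s' "$1" | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Assumption: the deploy script hands out an account-key connection string
# (AccountName + AccountKey over https). A string missing any of these shows
# up as "Error - Invalid connection information" on the LPA Settings page.
lpa_validate_connection_string() {
  cs="${1:-}"
  [ -n "$(lpa_cs_field "$cs" AccountName)" ] || return 1
  lpa_cs_field "$cs" AccountKey | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
  [ "$(lpa_cs_field "$cs" DefaultEndpointsProtocol)" = "https" ]
}

# The connection string is a secret: the account key grants full access to
# the storage account. Mask it before pasting the string into a ticket or log.
lpa_redact_connection_string() {
  printf '%s\n' "$1" | sed -E 's/(AccountKey=)[^;]*/\1<REDACTED>/'
}

# Check all three Step 2 inputs together. Resource group names are 1-90
# characters of letters, digits, '_', '(', ')', '.', '-' and may not end in '.'.
lpa_validate_values() {
  rg="${1:-}"; cs="${2:-}"; container="${3:-}"
  printf '%s' "$rg" | grep -Eq '^[A-Za-z0-9_().-]{1,90}$' || { echo "bad resource group name" >&2; return 1; }
  case "$rg" in *.) echo "resource group name cannot end with '.'" >&2; return 1 ;; esac
  lpa_validate_connection_string "$cs" || { echo "bad connection string" >&2; return 1; }
  lpa_validate_container_name "$container" || { echo "bad container name" >&2; return 1; }
}

# --- Recovery and verification through the Azure CLI (needs 'az login') ---

# The deployment tags its resource group Feature=LPA; list the candidates.
lpa_find_resource_groups() {
  az group list --tag Feature=LPA --query '[].name' -o tsv
}

# Recover the storage connection string and container names for one LPA
# resource group. Assumes a single storage account in the group unless the
# account name is given as the second argument. Only the redacted string is
# printed; fetch the raw one with the same az command when you need it.
lpa_recover_values() {
  rg="$1"
  account="${2:-$(az storage account list --resource-group "$rg" --query '[0].name' -o tsv)}"
  [ -n "$account" ] || { echo "no storage account in $rg" >&2; return 1; }
  cs="$(az storage account show-connection-string --name "$account" \
          --resource-group "$rg" --query connectionString -o tsv)"
  lpa_validate_connection_string "$cs" || { echo "unexpected connection string format" >&2; return 1; }
  printf 'Resource group:    %s\n' "$rg"
  printf 'Storage account:   %s\n' "$account"
  printf 'Connection string: %s\n' "$(lpa_redact_connection_string "$cs")"
  printf 'Containers:        '
  az storage container list --connection-string "$cs" --query '[].name' -o tsv | tr '\n' ' '
  echo
}

# Prove the pair works before pasting it into InsightCloudSec: list up to five
# blob names. An empty listing on a fresh deployment just means "Collecting Data".
lpa_verify_access() {
  lpa_validate_connection_string "$1" || return 1
  lpa_validate_container_name "$2" || return 1
  az storage blob list --connection-string "$1" --container-name "$2" \
     --num-results 5 --query '[].name' -o tsv
}

# Usage: lpa-values.sh find
#        lpa-values.sh recover <resource-group> [storage-account]
#        lpa-values.sh verify "$AZURE_STORAGE_CONNECTION_STRING" "$AZURE_STORAGE_CONTAINER_NAME"
# Without arguments the script only defines the functions (so it can be sourced).
case "${1:-}" in
  find)    lpa_find_resource_groups ;;
  recover) lpa_recover_values "${2:-}" "${3:-}" ;;
  verify)  lpa_verify_access "${2:-}" "${3:-}" ;;
esac
```

Run `lpa-values.sh find` to locate the LPA resource group, `lpa-values.sh recover <resource-group>` to get the storage account and container names back, and `lpa-values.sh verify ...` once the environment variables from the deployment output are set. The validation functions are deliberately offline so they can be sourced into a shell and used before every paste into the LPA Settings dialog.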

LPA States

On the LPA Settings page, there are statuses associated with each Azure subscription added to InsightCloudSec and its LPA state:

  • Enabled -- LPA is enabled and configured properly, and data is available
  • Not Enabled -- LPA has not been enabled for the subscription yet
  • Error -- Invalid connection information
  • Collecting Data -- Waiting on data

The Collecting Data state indicates that the initial collection (scheduled daily) has not yet occurred.

Additional Deployment Script Options

After downloading the repository and installing its dependencies, the Azure LPA configuration library is available for use. While deploying the LPA infrastructure is its main function, it provides some other important commands.

Download Data

After you have successfully deployed the Azure LPA infrastructure, you may want to manually download the data being collected.

Prerequisites

Before you can manually download Azure LPA data, you will need the following on hand:

  • The connection string for the Azure Storage resource that hosts the Azure LPA data (created in Step 1)
  • The container name inside the Azure Storage resource that contains the Azure LPA data (created in Step 1)

  1. Open a terminal locally and set the following environment variables (or pass them in via the command line):
    • AZURE_STORAGE_CONNECTION_STRING
    • AZURE_STORAGE_CONTAINER_NAME
  2. Run downloadLpaData and look in the configured download path for the data.

Add Subscription

You can use the same Azure LPA deployment infrastructure for multiple subscriptions within the same Azure tenant. This saves money, because the expensive components are reused instead of duplicated.

The subscribeLpa command links additional subscriptions to existing Azure LPA infrastructure. Invoking it starts an interactive dialog for registering another subscription.

Once a subscription has been added this way, you can reuse the same resource group name, connection string, and container name in the InsightCloudSec configuration process (Step 2) for each linked subscription.

Remove Subscription

If you'd like to remove a subscription from Azure LPA harvesting, you can use the unsubscribeLpa command.

Undeploy Infrastructure

If you'd like to remove the infrastructure associated with the Azure LPA feature from your Azure subscription, you can use the undeployLpa command.