Azure Setup - Single Cloud

🚧 New Azure Onboarding

As of InsightCloudSec version 23.4.11, a new Azure onboarding experience is available. This experience will replace the old setup experience, which you will no longer be able to access. This page and associated pages have been archived to prevent confusion. Review Azure - Onboarding for more details on the new experience.

As usual, if you have issues or need support, reach out to us through the Customer Support Portal.

Once your InsightCloudSec instance is up and running, the first thing you'll want to do is integrate an Azure cloud account (subscription in Azure's parlance) to take advantage of the security Insights that apply to your cloud footprint. InsightCloudSec supports Microsoft Azure, Microsoft Azure Government (also termed GovCloud), and Microsoft Azure China. These three differ primarily in supported services and regions. If you have any issues or questions with this setup, reach out to the support team through the Customer Support Portal.

If you need to add multiple accounts grouped under an Azure organization (management group in Azure's parlance) to InsightCloudSec, review Azure Setup - Organization.

👍 Azure GovCloud Support

InsightCloudSec supports Azure GovCloud Single Cloud harvesting. The instructions below are the same for Azure GovCloud except a different user role will be used.

Setup Overview

For InsightCloudSec to securely access the information contained within your Azure cloud account, you'll need to create and set up an application registration as well as configure a role assignment. Review Azure's Active Directory documentation for more information on these concepts. To achieve proper harvesting for InsightCloudSec, you will complete the following within your Azure and InsightCloudSec environments:

The diagram below outlines the setup required:

Prerequisites

Before you configure anything in your Azure environment, you'll need the following:

  • Admin access to the Azure cloud account you want to harvest
  • Domain Admin permissions within InsightCloudSec
  • An IAM Role that allows InsightCloudSec to harvest Azure subscription data
    • See the Roles section below for more information

Roles

An IAM role must be associated with the Azure subscription that will be harvested by InsightCloudSec to ensure secure and appropriate access to this information. There are two paths for selecting the IAM role:

1. Use a standard role managed by Azure; this requires less maintenance long term because Microsoft will automatically update these roles for new services

2. Use a custom role that the InsightCloudSec team has created; this offers more customization and a 1:1 match to the Azure resources that InsightCloudSec supports

Using a Standard Role

InsightCloudSec recommends using the Azure Reader role for read-only permissions to all resources. For users interested in power-user-level harvesting (especially if you plan on using Bots often), InsightCloudSec recommends using the Azure Contributor role for the ability to create and manage all types of Azure resources except the ability to grant access to other roles.

Using a Custom Role

InsightCloudSec recommends using the Custom Azure Reader or Reader Plus. For users interested in power-user-level harvesting (especially if you plan on using Bots often), InsightCloudSec recommends using the Azure Power User role for the ability to create and manage all types of Azure resources except the ability to grant access to other roles.

Note: If you're a GovCloud user, you would instead use the GovCloud counterparts found on the Azure Custom Roles page.

Step 1: Configure an Application Registration

The Azure subscription that contains resource data you want to harvest for InsightCloudSec will need an Application Registration associated with it. By creating a specific InsightCloudSec app, you are then able to monitor all actions taken by InsightCloudSec. This facilitates troubleshooting, helping you understand what InsightCloudSec is doing versus what other apps are doing.

1. Log in as an Admin to the Azure Dashboard for the account you want to harvest.

2. Add a New Application Registration.

  • Select "Azure Active Directory" from the navigation menu on the far left.
  • Select "App registrations" under Azure Active Directory's Manage menu.
  • Select "New registration".

3. Describe the New App Registration.

  • Enter a "Name" to denote that this app is used for InsightCloudSec, e.g., "InsightCloudSec Azure Account".
  • Select the supported account type.
  • Optionally, enter a "Redirect URI" using the specified URL format, e.g., "https://<name_of_site>"
    • Note: This may be required later for authentication
  • Select "Register" to create the app registration.

4. Once you have registered your app, a preview panel opens. This panel shows an overview of your newly created app and displays both the Application ID and the Tenant ID. Copy both of these IDs to a safe location; you will need to use these values later.

5. Create and save a key for this Application.

  • From the new application's Overview page, select "Certificates & secrets" from the Manage menu on the left-hand side.
  • Under Client secrets, click "New client secret".
  • Give your client secret a description.
  • Set an expiration period for your secret.
  • Click "Add". Your new client secret's values will be displayed on the Certificates & secrets page under Client secrets.

6. Copy the generated client secret key value to a safe location; you will need to use this value later.

❗️ Copying the Secret Key Value

This is the only opportunity you have to copy this secret key value. If you leave this page without copying the secret key value, you will not be able to access the value and you'll need to delete the key and create another one.

7. Set up permissions for this App Registration.

  • From the application's Overview page, select "API permissions" from the Manage menu on the left-hand side.
  • Select "Add a permission".
  • Select "Microsoft Graph".

8. Select "Application Permissions".

  • Search for Directory.Read.All under the "Directory" section.
  • Check the box next to the permission and click "Add permissions".
  • Search for AuditLog.Read.All under the "AuditLog" section.
  • Check the box next to the permission and click "Add permissions".

📘 Azure Application Credentials Permissions

The Directory.Read.All permission contains the Application.Read.All permission, which is required to harvest the Azure Application Credentials resource. Review the Resource Matrix for more information and contact the support team through the Customer Support Portal for any questions or assistance.

9. Click "Grant admin consent for Default Directory", then confirm the selection.

Step 2: Assign a Role

To ensure that the new InsightCloudSec-associated Application Registration you created in the previous section is securely and appropriately accessing your Azure account data, you'll need to select the appropriate IAM role and assign it to the relevant subscription.

🚧 Prerequisites

Before you can assign a role to an Azure subscription, you must have already decided what role to use. Review the Prerequisites section for more information.

1. Navigate to the Subscriptions page.

  • Select "All Services" from the navigation menu, then select "Subscriptions".

2. Identify the subscription with which you wish to associate your application. Copy the subscription ID to a safe location; you will need to use this value later.

Note: The following sections utilize the Azure Portal to assign (and/or create) a role to a subscription. Azure details several other methods, e.g., via Azure CLI, REST API, PowerShell, etc., for assigning (and/or creating) a role in their documentation.

(Optional) Adding a Custom Role

🚧 Standard vs. Custom

The next steps will vary depending on the type of role (standard or custom) you want to use for the subscription.

  • If you plan on using a standard Azure role, skip to Adding a Role Assignment.
  • If you plan on using a custom InsightCloudSec role, you'll need to create the role first, so proceed with the next steps.

If you want to assign a custom InsightCloudSec role (e.g., Reader Plus, Power User) to a subscription, first you'll need to add a custom role to the desired subscription.

Note: Before you can create the role, you will need the Subscription ID (found in the previous section).

1. From the desired subscription's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add custom role."

2. Provide the Basics.

  • Provide a custom role name.
  • Optionally, provide a description for the role.
  • Select "Start from scratch".

3. Update the generated JSON file for the correct permissions.

  • Click the "JSON" tab.
  • Click "Edit".
  • Open the Microsoft Azure - Custom Roles page in a new tab.
  • For the desired role, navigate to its section, download the role JSON, and copy it.
    • Note: If you're a GovCloud user, remember that you'll need a GovCloud-specific role.

📘 Key Rotation Permissions

The recommended custom roles do not include the Microsoft Key Vault dataActions permission, "Microsoft.KeyVault/vaults/keyrotationpolicies/read", which provides read access to key rotation policies (an InsightCloudSec-supported resource). If desired, you should add this permission to the policy now before saving it.

  • Return to the Azure Portal tab and replace the JSON object with the one you just copied.
  • Replace the placeholder Subscription ID with the ID associated with the subscription you're integrating with InsightCloudSec.
  • Verify the JSON. It should look similar to the example below, which is using the Reader Plus custom role.
  • Click "Save". The "Review + create" button will become active.

4. Click "Review + create".

  • The JSON will be validated. If successful, verify everything looks correct.
  • Click "Create".
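
A pre-save check for the edited role JSON, as an added example that is not part of the original page or InsightCloudSec's own tooling. It flags a subscription placeholder left in place, scopes other than the onboarded subscription, non-read permissions in a role meant to be read-only, and whether the optional key rotation dataAction is present. It assumes the Azure Portal's `properties` / `assignableScopes` / `permissions` JSON layout; the function name, sample role and subscription ID are constructed for illustration.

```python
import json
import re

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# dataAction named in the Key Rotation Permissions note on this page.
KEY_ROTATION = "Microsoft.KeyVault/vaults/keyrotationpolicies/read"

def check_custom_role(role_json, subscription_id, read_only=True):
    """Return findings for a custom role definition in the portal's JSON layout."""
    findings = []
    props = json.loads(role_json)["properties"]
    expected = f"/subscriptions/{subscription_id}".lower()
    scopes = props.get("assignableScopes", [])
    if not scopes:
        findings.append("no assignableScopes set")
    for scope in scopes:
        match = re.match(r"^/subscriptions/([^/]+)", scope)
        if not match or not GUID.match(match.group(1)):
            findings.append(f"placeholder or malformed scope: {scope}")
        elif scope.lower().rstrip("/") != expected:
            findings.append(f"scope is not the onboarded subscription: {scope}")
    data_actions = []
    for perm in props.get("permissions", []):
        data_actions += perm.get("dataActions", [])
        if read_only:
            # A read-only role should grant nothing but */read operations.
            for action in perm.get("actions", []) + perm.get("dataActions", []):
                if not action.lower().endswith("/read"):
                    findings.append(f"non-read permission to review: {action}")
    if KEY_ROTATION.lower() not in (a.lower() for a in data_actions):
        findings.append("key rotation policy read not granted (optional)")
    return findings

# Constructed sample: not the InsightCloudSec Reader Plus role.
SAMPLE_ROLE = json.dumps({"properties": {
    "roleName": "Example Harvest Reader",
    "assignableScopes": ["/subscriptions/<subscription_id>"],
    "permissions": [{
        "actions": ["Microsoft.Compute/*/read",
                    "Microsoft.Storage/storageAccounts/listKeys/action"],
        "notActions": [], "dataActions": [], "notDataActions": []}]}})

if __name__ == "__main__":
    for finding in check_custom_role(
            SAMPLE_ROLE, "11111111-2222-3333-4444-555555555555"):
        print(finding)
```

Pass `read_only=False` when checking a Power User style role, where write permissions are expected.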

Adding a Role Assignment

Standard and custom roles alike must be assigned to a subscription so it can be harvested properly and securely.

1. From the desired subscription's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add role assignment."

2. Select the role you wish to assign.

  • Select the type of role, e.g., "Reader", and click "Next" to continue.
  • Note: If you created a custom role, it might be easier to search for the role's name.

3. Add the Application Registration as a member.

  • Leave the Assign access to field as the default value ("User, group, or service principal").
  • Next to Members, click "+ Select members".
  • In the "Select" panel, begin typing the name of the application you created earlier. Select that application once it appears, then click "Select".
  • Click "Review + assign" to add the role.
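
A post-assignment audit, as an added example that is not part of the original page: it checks that the application registration holds only the role you chose, at the subscription you are onboarding, and holds no role that can grant access to others. The input is assumed to be the JSON array printed by `az role assignment list --assignee <application-id> --all --output json`, of which only the `roleDefinitionName` and `scope` fields are used; the function name and sample data are constructed for illustration.

```python
import json

# Built-in roles that can grant access to other principals, which neither
# Reader nor Contributor allows.
ACCESS_GRANTING = {"Owner", "User Access Administrator"}

def audit_assignments(assignments_json, subscription_id, intended_role):
    """Return findings for the role assignments held by one app registration."""
    expected = f"/subscriptions/{subscription_id}".lower()
    findings, has_intended = [], False
    for entry in json.loads(assignments_json):
        role = entry["roleDefinitionName"]
        scope = entry["scope"].lower().rstrip("/")
        where = f"{role} at {entry['scope']}"
        if role in ACCESS_GRANTING:
            findings.append(f"{where} can grant access to others")
        elif scope == expected and role == intended_role:
            has_intended = True
        elif scope == expected:
            findings.append(f"unplanned role on the subscription: {role}")
        elif scope.startswith(expected + "/"):
            findings.append(f"extra assignment below the subscription: {where}")
        else:
            # Management group, root, or a different subscription.
            findings.append(f"assignment outside the subscription: {where}")
    if not has_intended:
        findings.append(
            f"{intended_role} is not assigned at /subscriptions/{subscription_id}")
    return findings

# Constructed sample data for illustration only.
SUB_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_ID}"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_ID}/resourceGroups/rg-demo"},
    {"roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-demo"},
])

if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS, SUB_ID, "Reader"):
        print(finding)
```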

📘 Kubernetes Security Guardrails Users

If you plan on utilizing the Kubernetes Security Guardrails and Kubernetes Remote Scanner features, you should also add the required roles at this point in the setup process. Review the Azure (AKS) section for details.

Step 3: Configure InsightCloudSec

🚧 Prerequisites

Before you can successfully add an account to InsightCloudSec, you will need the following on hand:

  • The Application (client) ID (created in step 1)
  • The Directory (tenant) ID (created in step 1)
  • The Client Secret Key value (created in step 1)
  • The Subscription ID (found in step 2)

1. From your InsightCloudSec platform, open the Clouds page from the navigation menu on the left.

2. Select "Add Cloud" in the upper right.

3. Determine whether you are connecting a regular Azure account, an Azure China account, or an Azure Government account and make sure to select the correct type. Click "See More" to display the full list of supported Cloud Service Providers.

4. Leave the default "Authentication Type" ("API Key/Secret") then provide the requisite Account Details. Click "Add Cloud".

5. Add any Badges you would like to this particular cloud account (also under Show Advanced). Badges provide a way to assign additional metadata about resources within the InsightCloudSec platform. They are key/value pairs which can be used for filtering and identifying resources from the parent cloud account.

6. Confirm the addition of your Azure Cloud account.

Note: Your main cloud page should show your newly added Microsoft Azure cloud account.

  • InsightCloudSec will begin harvesting immediately and the data should start to surface after five minutes or so, depending on the size of your cloud account.