|
| 1 | +[[cspm-get-started-azure]] |
| 2 | += Get started with CSPM for Azure |
| 3 | + |
| 4 | +[discrete] |
| 5 | +[[cspm-overview-azure]] |
| 6 | +== Overview |
| 7 | + |
| 8 | +This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. |
| 9 | + |
| 10 | +.Requirements |
| 11 | +[sidebar] |
| 12 | +-- |
| 13 | +* Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to <<cspm-required-permissions>>. |
| 14 | +* The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. |
| 15 | +* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support]. |
| 16 | +* The user who gives the CSPM integration permissions in Azure must be an Azure subscription `admin`. |
| 17 | +-- |
| 18 | + |
| 19 | +[discrete] |
| 20 | +[[cspm-setup-azure]] |
| 21 | +== Set up CSPM for Azure |
| 22 | + |
| 23 | +You can set up CSPM for Azure by by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. <<cspm-azure-agentless, Agentless deployment>> allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. <<cspm-azure-agent-based, Agent-based deployment>> requires you to deploy and manage an agent in the cloud account you want to monitor. |
| 24 | + |
| 25 | +[discrete] |
| 26 | +[[cspm-azure-agentless]] |
| 27 | +== Agentless deployment |
| 28 | + |
| 29 | +. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. |
| 30 | +. Search for `CSPM`, then click on the result. |
| 31 | +. Click *Add Cloud Security Posture Management (CSPM)*. |
| 32 | +. Select *Azure*, then either *Azure Organization* to onboard your whole organization, or *Single Subscription* to onboard an individual subscription. |
| 33 | +. Give your integration a name that matches the purpose or team of the Azure subscription/organization you want to monitor, for example, `dev-azure-account`. |
| 34 | +. Click **Advanced options**, then select **Agentless (BETA)**. |
| 35 | +. Next, you'll need to authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to <<cspm-azure-client-secret, Service principal with client secret>>. |
| 36 | +. Once you've provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. |
| 37 | + |
| 38 | +IMPORTANT: Agentless deployment does not work if you are using {cloud}/ec-traffic-filtering-deployment-configuration.html[Traffic filtering]. |
| 39 | + |
| 40 | +[discrete] |
| 41 | +[[cspm-azure-agent-based]] |
| 42 | +== Agent-based deployment |
| 43 | + |
| 44 | +[discrete] |
| 45 | +[[cspm-add-and-name-integration-azure]] |
| 46 | +=== Add your CSPM integration |
| 47 | + |
| 48 | +. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. |
| 49 | +. Search for `CSPM`, then click on the result. |
| 50 | +. Click *Add Cloud Security Posture Management (CSPM)*. |
| 51 | +. Under **Configure integration**, select **Azure**, then select either **Azure Organization** or **Single Subscription**, depending on which resources you want to monitor. |
| 52 | +. Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example, `azure-CSPM-dev-1`. |
| 53 | + |
| 54 | +[discrete] |
| 55 | +[[cspm-set-up-cloud-access-section-azure]] |
| 56 | +=== Set up cloud account access |
| 57 | + |
| 58 | +NOTE: To set up CSPM for an Azure organization or subscription, you will need admin privileges for that organization or subscription. |
| 59 | + |
| 60 | +For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below. |
| 61 | + |
| 62 | +[discrete] |
| 63 | +[[cspm-set-up-ARM]] |
| 64 | +== ARM template setup (recommended) |
| 65 | + |
| 66 | +NOTE: If you are deploying to an Azure organization, you need the following permissions: `Microsoft.Resources/deployments/*`, `Microsoft.Authorization/roleAssignments/write`. You also need to https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin[elevate access to manage all Azure subscriptions and management groups]. |
| 67 | + |
| 68 | +. Under *Setup Access*, select *ARM Template*. |
| 69 | +. Under **Where to add this integration**: |
| 70 | +.. Select **New Hosts**. |
| 71 | +.. Name the {agent} policy. Use a name that matches the resources you want to monitor. For example, `azure-dev-policy`. Click **Save and continue**. The *ARM Template deployment* window appears. |
| 72 | +.. In a new tab, log in to the Azure portal, then return to {kib} and click **Launch ARM Template**. This will open the ARM template in Azure. |
| 73 | +.. If you are deploying to an Azure organization, select the management group you want to monitor from the drop-down menu. Next, enter the subscription ID of the subscription where you want to deploy the VM that will scan your resources. |
| 74 | +.. Copy the `Fleet URL` and `Enrollment Token` that appear in {kib} to the corresponding fields in the ARM Template, then click **Review + create**. |
| 75 | +.. (Optional) Change the `Resource Group Name` parameter. Otherwise the name of the resource group defaults to a timestamp prefixed with `cloudbeat-`. |
| 76 | +. Return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. |
| 77 | + |
| 78 | +[discrete] |
| 79 | +[[cspm-set-up-manual-azure]] |
| 80 | +== Manual setup |
| 81 | + |
| 82 | +For manual setup, multiple authentication methods are available: |
| 83 | + |
| 84 | +* Managed identity (recommended) |
| 85 | +* Service principal with client secret |
| 86 | +* Service principal with client certificate |
| 87 | + |
| 88 | +[discrete] |
| 89 | +[[cspm-azure-managed-identity-setup]] |
| 90 | +=== Option 1: Managed identity (recommended) |
| 91 | + |
| 92 | +This method involves creating an Azure VM (or using an existing one), giving it read access to the resources you want to monitor with CSPM, and installing {agent} on it. |
| 93 | + |
| 94 | +. Go to the Azure portal to https://portal.azure.com/#create/Microsoft.VirtualMachine-ARM[create a new Azure VM]. |
| 95 | +. Follow the setup process, and make sure you enable **System assigned managed identity** under the **Management** tab. |
| 96 | +. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. |
| 97 | +. Go to **Access control (IAM)**, and select **Add Role Assignment**. |
| 98 | +. Select the `Reader` function role, assign access to **Managed Identity**, then select your VM. |
| 99 | + |
| 100 | +After assigning the role: |
| 101 | + |
| 102 | +. Return to the **Add CSPM** page in {kib}. |
| 103 | +. Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**. |
| 104 | +. Under **Where to add this integration**, select **New hosts**. |
| 105 | +. Click **Save and continue**, then follow the instructions to install {agent} on your Azure VM. |
| 106 | + |
| 107 | +Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. |
| 108 | + |
| 109 | +[discrete] |
| 110 | +[[cspm-azure-client-secret]] |
| 111 | +=== Option 2: Service principal with client secret |
| 112 | + |
| 113 | +Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources]. |
| 114 | + |
| 115 | +. On the **Add Cloud Security Posture Management (CSPM) integration** page, scroll to the **Setup access** section, then select **Manual**. |
| 116 | +. Under **Preferred manual method**, select **Service principal with Client Secret**. |
| 117 | +. Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. |
| 118 | +. Click on **New Registration**, name your app and click **Register**. |
| 119 | +. Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {kib}. |
| 120 | +. Return to the Azure portal. Select **Certificates & secrets**, then go to the **Client secrets** tab. Click **New client secret**. |
| 121 | +. Copy the new secret. Paste it into the corresponding field in {kib}. |
| 122 | +. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. |
| 123 | +. Go to **Access control (IAM)** and select **Add Role Assignment**. |
| 124 | +. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. |
| 125 | +. Return to the **Add CSPM** page in {kib}. |
| 126 | +. Under **Where to add this integration**, select **New hosts**. |
| 127 | +. Click **Save and continue**, then follow the instructions to install {agent} on your selected host. |
| 128 | + |
| 129 | +Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. |
| 130 | + |
| 131 | +[discrete] |
| 132 | +[[cspm-azure-client-certificate]] |
| 133 | +=== Option 3: Service principal with client certificate |
| 134 | + |
| 135 | +Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources]. |
| 136 | + |
| 137 | +. On the **Add Cloud Security Posture Management (CSPM) integration** page, under **Setup access**, select **Manual**. |
| 138 | +. Under **Preferred manual method**, select **Service principal with client certificate**. |
| 139 | +. Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. |
| 140 | +. Click on **New Registration**, name your app and click **Register**. |
| 141 | +. Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {kib}. |
| 142 | +. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. |
| 143 | +. Go to **Access control (IAM)** and select **Add Role Assignment**. |
| 144 | +. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. |
| 145 | + |
| 146 | +Next, create a certificate. If you intend to use a password-protected certificate, you must use a pkcs12 certificate. Otherwise, you must use a pem certificate. |
| 147 | + |
| 148 | +Create a pkcs12 certificate, for example: |
| 149 | +```shell |
| 150 | +# Create PEM file |
| 151 | +openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes |
| 152 | + |
| 153 | +# Create pkcs12 bundle using legacy flag (CLI will ask for export password) |
| 154 | +openssl pkcs12 -legacy -export -out bundle.p12 -inkey key.pem -in cert.pem |
| 155 | +``` |
| 156 | + |
| 157 | +Create a PEM certificate, for example: |
| 158 | +```shell |
| 159 | +# Generate certificate signing request (csr) and key |
| 160 | +openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr |
| 161 | + |
| 162 | +# Generate PEM and self-sign with key |
| 163 | +openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out signed.pem |
| 164 | + |
| 165 | +# Create bundle |
| 166 | +cat cert.key > bundle.pem |
| 167 | +cat signed.pem >> bundle.pem |
| 168 | +``` |
| 169 | + |
| 170 | +After creating your certificate: |
| 171 | + |
| 172 | +. Return to Azure. |
| 173 | +. Navigate to the **Certificates & secrets** menu. Select the **Certificates** tab. |
| 174 | +. Click **Upload certificate**. |
| 175 | +.. If you're using a PEM certificate that was created using the example commands above, upload `signed.pem`. |
| 176 | +.. If you're using a pkcs12 certificate that was created using the example commands above, upload `cert.pem`. |
| 177 | +. Upload the certificate bundle to the VM where you will deploy {agent}. |
| 178 | +.. If you're using a PEM certificate that was created using the example commands above, upload `bundle.pem`. |
| 179 | +.. If you're using a pkcs12 certificate that was created using the example commands above, upload `bundle.p12`. |
| 180 | +. Return to the **Add CSPM** page in {kib}. |
| 181 | +. For **Client Certificate Path**, enter the full path to the certificate that you uploaded to the host where you will install {agent}. |
| 182 | +. If you used a pkcs12 certificate, enter its password under **Client Certificate Password**. |
| 183 | +. Under **Where to add this integration**, select **New hosts**. |
| 184 | +. Click **Save and continue**, then follow the instructions to install {agent} on your selected host. |
| 185 | + |
| 186 | +Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. |
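Review bot: the pkcs12 bundle command, `openssl pkcs12 -legacy -export -out bundle.p12 -inkey key.pem -in cert.pem`, passes `-legacy` with nothing but the comment "using legacy flag" to explain it; on OpenSSL 3 that flag switches to the older PKCS#12 encryption algorithms (RC2/3DES) and requires the legacy provider to be loadable, so a reader on a stock OpenSSL 3 install may see the command fail, or succeed and produce a bundle protected by weaker ciphers than the default. Either state in the prose why the flag is needed (presumably the PKCS#12 parser used by the agent) or drop it. Smaller points: "You can set up CSPM for Azure by by enrolling" has a doubled "by"; "Select the `Reader` function role" appears three times and should read "Select the `Reader` role"; and since `bundle.pem` (built from `cat cert.key > bundle.pem` / `cat signed.pem >> bundle.pem`) and `bundle.p12` both contain the private key, the step "Upload the certificate bundle to the VM where you will deploy {agent}" would benefit from one sentence telling the reader to restrict file permissions on that path to the account the agent runs as.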