From 0b02081bdde0c8b2902099303abacd38f6fea32e Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Wed, 9 Jul 2025 09:21:03 -0400 Subject: [PATCH 1/3] Removes statement about CSPM only working in default space (#6911) (cherry picked from commit 86631d53560827b83b08d48bf2c6475405535b13) # Conflicts: # docs/cloud-native-security/cspm-get-started-aws.asciidoc # docs/cloud-native-security/cspm-get-started-azure.asciidoc # docs/cloud-native-security/cspm-get-started-gcp.asciidoc # docs/cloud-native-security/cspm.asciidoc --- .../cspm-get-started-aws.asciidoc | 4 + .../cspm-get-started-azure.asciidoc | 186 ++++++++++++++++++ .../cspm-get-started-gcp.asciidoc | 4 + docs/cloud-native-security/cspm.asciidoc | 12 ++ 4 files changed, 206 insertions(+) create mode 100644 docs/cloud-native-security/cspm-get-started-azure.asciidoc diff --git a/docs/cloud-native-security/cspm-get-started-aws.asciidoc b/docs/cloud-native-security/cspm-get-started-aws.asciidoc index f82a676394..e2dbba8921 100644 --- a/docs/cloud-native-security/cspm-get-started-aws.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-aws.asciidoc 
@@ -11,12 +11,16 @@ This page explains how to get started monitoring the security posture of your cl [sidebar] -- * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. +<<<<<<< HEAD * CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. * CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]). * To view posture data, you need `read` privileges for the following {es} indices: ** `logs-cloud_security_posture.findings_latest-*` ** `logs-cloud_security_posture.scores-*` ** `Logs-cloud_security_posture.findings` +======= +* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support]. +>>>>>>> 86631d53 (Removes statement about CSPM only working in default space (#6911)) * The user who gives the CSPM integration AWS permissions must be an AWS account `admin`. -- diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc new file mode 100644 index 0000000000..ce3e8d2e24 --- /dev/null +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc 
@@ -0,0 +1,186 @@ +[[cspm-get-started-azure]] += Get started with CSPM for Azure + +[discrete] +[[cspm-overview-azure]] +== Overview + +This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. + +.Requirements +[sidebar] +-- +* Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to <>. +* The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. +* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support]. +* The user who gives the CSPM integration permissions in Azure must be an Azure subscription `admin`. +-- + +[discrete] +[[cspm-setup-azure]] +== Set up CSPM for Azure + +You can set up CSPM for Azure by by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. <> allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. <> requires you to deploy and manage an agent in the cloud account you want to monitor. + +[discrete] +[[cspm-azure-agentless]] +== Agentless deployment + +. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Search for `CSPM`, then click on the result. +. Click *Add Cloud Security Posture Management (CSPM)*. +. Select *Azure*, then either *Azure Organization* to onboard your whole organization, or *Single Subscription* to onboard an individual subscription. +. 
Give your integration a name that matches the purpose or team of the Azure subscription/organization you want to monitor, for example, `dev-azure-account`. +. Click **Advanced options**, then select **Agentless (BETA)**. +. Next, you'll need to authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to <>. +. Once you've provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. + +IMPORTANT: Agentless deployment does not work if you are using {cloud}/ec-traffic-filtering-deployment-configuration.html[Traffic filtering]. + +[discrete] +[[cspm-azure-agent-based]] +== Agent-based deployment + +[discrete] +[[cspm-add-and-name-integration-azure]] +=== Add your CSPM integration + +. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Search for `CSPM`, then click on the result. +. Click *Add Cloud Security Posture Management (CSPM)*. +. Under **Configure integration**, select **Azure**, then select either **Azure Organization** or **Single Subscription**, depending on which resources you want to monitor. +. Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example, `azure-CSPM-dev-1`. + +[discrete] +[[cspm-set-up-cloud-access-section-azure]] +=== Set up cloud account access + +NOTE: To set up CSPM for an Azure organization or subscription, you will need admin privileges for that organization or subscription. + +For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below. 
+ +[discrete] +[[cspm-set-up-ARM]] +== ARM template setup (recommended) + +NOTE: If you are deploying to an Azure organization, you need the following permissions: `Microsoft.Resources/deployments/*`, `Microsoft.Authorization/roleAssignments/write`. You also need to https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin[elevate access to manage all Azure subscriptions and management groups]. + +. Under *Setup Access*, select *ARM Template*. +. Under **Where to add this integration**: +.. Select **New Hosts**. +.. Name the {agent} policy. Use a name that matches the resources you want to monitor. For example, `azure-dev-policy`. Click **Save and continue**. The *ARM Template deployment* window appears. +.. In a new tab, log in to the Azure portal, then return to {kib} and click **Launch ARM Template**. This will open the ARM template in Azure. +.. If you are deploying to an Azure organization, select the management group you want to monitor from the drop-down menu. Next, enter the subscription ID of the subscription where you want to deploy the VM that will scan your resources. +.. Copy the `Fleet URL` and `Enrollment Token` that appear in {kib} to the corresponding fields in the ARM Template, then click **Review + create**. +.. (Optional) Change the `Resource Group Name` parameter. Otherwise the name of the resource group defaults to a timestamp prefixed with `cloudbeat-`. +. Return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. 
+ +[discrete] +[[cspm-set-up-manual-azure]] +== Manual setup + +For manual setup, multiple authentication methods are available: + +* Managed identity (recommended) +* Service principal with client secret +* Service principal with client certificate + +[discrete] +[[cspm-azure-managed-identity-setup]] +=== Option 1: Managed identity (recommended) + +This method involves creating an Azure VM (or using an existing one), giving it read access to the resources you want to monitor with CSPM, and installing {agent} on it. + +. Go to the Azure portal to https://portal.azure.com/#create/Microsoft.VirtualMachine-ARM[create a new Azure VM]. +. Follow the setup process, and make sure you enable **System assigned managed identity** under the **Management** tab. +. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. +. Go to **Access control (IAM)**, and select **Add Role Assignment**. +. Select the `Reader` function role, assign access to **Managed Identity**, then select your VM. + +After assigning the role: + +. Return to the **Add CSPM** page in {kib}. +. Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**. +. Under **Where to add this integration**, select **New hosts**. +. Click **Save and continue**, then follow the instructions to install {agent} on your Azure VM. + +Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. + +[discrete] +[[cspm-azure-client-secret]] +=== Option 2: Service principal with client secret + +Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources]. + +. 
On the **Add Cloud Security Posture Management (CSPM) integration** page, scroll to the **Setup access** section, then select **Manual**. +. Under **Preferred manual method**, select **Service principal with Client Secret**. +. Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. +. Click on **New Registration**, name your app and click **Register**. +. Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {kib}. +. Return to the Azure portal. Select **Certificates & secrets**, then go to the **Client secrets** tab. Click **New client secret**. +. Copy the new secret. Paste it into the corresponding field in {kib}. +. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. +. Go to **Access control (IAM)** and select **Add Role Assignment**. +. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. +. Return to the **Add CSPM** page in {kib}. +. Under **Where to add this integration**, select **New hosts**. +. Click **Save and continue**, then follow the instructions to install {agent} on your selected host. + +Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. + +[discrete] +[[cspm-azure-client-certificate]] +=== Option 3: Service principal with client certificate + +Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources]. + +. On the **Add Cloud Security Posture Management (CSPM) integration** page, under **Setup access**, select **Manual**. +. 
Under **Preferred manual method**, select **Service principal with client certificate**. +. Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. +. Click on **New Registration**, name your app and click **Register**. +. Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {kib}. +. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. +. Go to **Access control (IAM)** and select **Add Role Assignment**. +. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. + +Next, create a certificate. If you intend to use a password-protected certificate, you must use a pkcs12 certificate. Otherwise, you must use a pem certificate. + +Create a pkcs12 certificate, for example: +```shell +# Create PEM file +openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes + +# Create pkcs12 bundle using legacy flag (CLI will ask for export password) +openssl pkcs12 -legacy -export -out bundle.p12 -inkey key.pem -in cert.pem +``` + +Create a PEM certificate, for example: +```shell +# Generate certificate signing request (csr) and key +openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr + +# Generate PEM and self-sign with key +openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out signed.pem + +# Create bundle +cat cert.key > bundle.pem +cat signed.pem >> bundle.pem +``` + +After creating your certificate: + +. Return to Azure. +. Navigate to the **Certificates & secrets** menu. Select the **Certificates** tab. +. Click **Upload certificate**. +.. If you're using a PEM certificate that was created using the example commands above, upload `signed.pem`. +.. 
If you're using a pkcs12 certificate that was created using the example commands above, upload `cert.pem`. +. Upload the certificate bundle to the VM where you will deploy {agent}. +.. If you're using a PEM certificate that was created using the example commands above, upload `bundle.pem`. +.. If you're using a pkcs12 certificate that was created using the example commands above, upload `bundle.p12`. +. Return to the **Add CSPM** page in {kib}. +. For **Client Certificate Path**, enter the full path to the certificate that you uploaded to the host where you will install {agent}. +. If you used a pkcs12 certificate, enter its password under **Client Certificate Password**. +. Under **Where to add this integration**, select **New hosts**. +. Click **Save and continue**, then follow the instructions to install {agent} on your selected host. + +Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index 77ef5c581c..fe7adce43d 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc 
@@ -11,12 +11,16 @@ This page explains how to get started monitoring the security posture of your cl [sidebar] -- * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. +<<<<<<< HEAD * CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. * CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]). * To view posture data, you need `read` privileges for the following {es} indices: ** `logs-cloud_security_posture.findings_latest-*` ** `logs-cloud_security_posture.scores-*` ** `Logs-cloud_security_posture.findings` +======= +* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support]. +>>>>>>> 86631d53 (Removes statement about CSPM only working in default space (#6911)) * The user who gives the CSPM integration GCP permissions must be a GCP project `admin`. -- diff --git a/docs/cloud-native-security/cspm.asciidoc b/docs/cloud-native-security/cspm.asciidoc index 664a18eb16..193f773732 100644 --- a/docs/cloud-native-security/cspm.asciidoc +++ b/docs/cloud-native-security/cspm.asciidoc 
@@ -10,8 +10,20 @@ This feature currently supports Amazon Web Services (AWS) and Google Cloud Platf -- * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. * {stack} version 8.10 or greater. +<<<<<<< HEAD * CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. * CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]). +======= +* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support]. +* `Read` privileges for the following {es} indices: +** `logs-cloud_security_posture.findings_latest-*` +** `logs-cloud_security_posture.scores-*` +* The following {kib} privileges: +** Security: `Read` +** Integrations: `Read` +** Saved Objects Management: `Read` +** Fleet: `All` +>>>>>>> 86631d53 (Removes statement about CSPM only working in default space (#6911)) -- [discrete] From 2ab54fccbb75f25b5649fa4b09c4fb63502af299 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Thu, 10 Jul 2025 13:09:08 -0400 Subject: [PATCH 2/3] fix merge conflicts --- .../cspm-get-started-aws.asciidoc | 5 - .../cspm-get-started-azure.asciidoc | 186 ------------------ .../cspm-get-started-gcp.asciidoc | 5 - docs/cloud-native-security/cspm.asciidoc | 5 - 4 files changed, 201 deletions(-) delete mode 100644 docs/cloud-native-security/cspm-get-started-azure.asciidoc diff --git a/docs/cloud-native-security/cspm-get-started-aws.asciidoc b/docs/cloud-native-security/cspm-get-started-aws.asciidoc index e2dbba8921..43c3aba75f 100644 --- a/docs/cloud-native-security/cspm-get-started-aws.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-aws.asciidoc 
@@ -11,16 +11,11 @@ This page explains how to get started monitoring the security posture of your cl [sidebar] -- * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. -<<<<<<< HEAD -* CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. * CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]). * To view posture data, you need `read` privileges for the following {es} indices: ** `logs-cloud_security_posture.findings_latest-*` ** `logs-cloud_security_posture.scores-*` ** `Logs-cloud_security_posture.findings` -======= -* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support]. ->>>>>>> 86631d53 (Removes statement about CSPM only working in default space (#6911)) * The user who gives the CSPM integration AWS permissions must be an AWS account `admin`. -- diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc deleted file mode 100644 index ce3e8d2e24..0000000000 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ /dev/null 
@@ -1,186 +0,0 @@ -[[cspm-get-started-azure]] -= Get started with CSPM for Azure - -[discrete] -[[cspm-overview-azure]] -== Overview - -This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. - -.Requirements -[sidebar] --- -* Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to <>. -* The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. -* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support]. -* The user who gives the CSPM integration permissions in Azure must be an Azure subscription `admin`. --- - -[discrete] -[[cspm-setup-azure]] -== Set up CSPM for Azure - -You can set up CSPM for Azure by by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. <> allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. <> requires you to deploy and manage an agent in the cloud account you want to monitor. - -[discrete] -[[cspm-azure-agentless]] -== Agentless deployment - -. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -. Search for `CSPM`, then click on the result. -. Click *Add Cloud Security Posture Management (CSPM)*. -. Select *Azure*, then either *Azure Organization* to onboard your whole organization, or *Single Subscription* to onboard an individual subscription. -. 
Give your integration a name that matches the purpose or team of the Azure subscription/organization you want to monitor, for example, `dev-azure-account`. -. Click **Advanced options**, then select **Agentless (BETA)**. -. Next, you'll need to authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to <>. -. Once you've provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. - -IMPORTANT: Agentless deployment does not work if you are using {cloud}/ec-traffic-filtering-deployment-configuration.html[Traffic filtering]. - -[discrete] -[[cspm-azure-agent-based]] -== Agent-based deployment - -[discrete] -[[cspm-add-and-name-integration-azure]] -=== Add your CSPM integration - -. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -. Search for `CSPM`, then click on the result. -. Click *Add Cloud Security Posture Management (CSPM)*. -. Under **Configure integration**, select **Azure**, then select either **Azure Organization** or **Single Subscription**, depending on which resources you want to monitor. -. Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example, `azure-CSPM-dev-1`. - -[discrete] -[[cspm-set-up-cloud-access-section-azure]] -=== Set up cloud account access - -NOTE: To set up CSPM for an Azure organization or subscription, you will need admin privileges for that organization or subscription. - -For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below. 
- -[discrete] -[[cspm-set-up-ARM]] -== ARM template setup (recommended) - -NOTE: If you are deploying to an Azure organization, you need the following permissions: `Microsoft.Resources/deployments/*`, `Microsoft.Authorization/roleAssignments/write`. You also need to https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin[elevate access to manage all Azure subscriptions and management groups]. - -. Under *Setup Access*, select *ARM Template*. -. Under **Where to add this integration**: -.. Select **New Hosts**. -.. Name the {agent} policy. Use a name that matches the resources you want to monitor. For example, `azure-dev-policy`. Click **Save and continue**. The *ARM Template deployment* window appears. -.. In a new tab, log in to the Azure portal, then return to {kib} and click **Launch ARM Template**. This will open the ARM template in Azure. -.. If you are deploying to an Azure organization, select the management group you want to monitor from the drop-down menu. Next, enter the subscription ID of the subscription where you want to deploy the VM that will scan your resources. -.. Copy the `Fleet URL` and `Enrollment Token` that appear in {kib} to the corresponding fields in the ARM Template, then click **Review + create**. -.. (Optional) Change the `Resource Group Name` parameter. Otherwise the name of the resource group defaults to a timestamp prefixed with `cloudbeat-`. -. Return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. 
- -[discrete] -[[cspm-set-up-manual-azure]] -== Manual setup - -For manual setup, multiple authentication methods are available: - -* Managed identity (recommended) -* Service principal with client secret -* Service principal with client certificate - -[discrete] -[[cspm-azure-managed-identity-setup]] -=== Option 1: Managed identity (recommended) - -This method involves creating an Azure VM (or using an existing one), giving it read access to the resources you want to monitor with CSPM, and installing {agent} on it. - -. Go to the Azure portal to https://portal.azure.com/#create/Microsoft.VirtualMachine-ARM[create a new Azure VM]. -. Follow the setup process, and make sure you enable **System assigned managed identity** under the **Management** tab. -. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. -. Go to **Access control (IAM)**, and select **Add Role Assignment**. -. Select the `Reader` function role, assign access to **Managed Identity**, then select your VM. - -After assigning the role: - -. Return to the **Add CSPM** page in {kib}. -. Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**. -. Under **Where to add this integration**, select **New hosts**. -. Click **Save and continue**, then follow the instructions to install {agent} on your Azure VM. - -Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. - -[discrete] -[[cspm-azure-client-secret]] -=== Option 2: Service principal with client secret - -Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources]. - -. 
On the **Add Cloud Security Posture Management (CSPM) integration** page, scroll to the **Setup access** section, then select **Manual**. -. Under **Preferred manual method**, select **Service principal with Client Secret**. -. Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. -. Click on **New Registration**, name your app and click **Register**. -. Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {kib}. -. Return to the Azure portal. Select **Certificates & secrets**, then go to the **Client secrets** tab. Click **New client secret**. -. Copy the new secret. Paste it into the corresponding field in {kib}. -. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. -. Go to **Access control (IAM)** and select **Add Role Assignment**. -. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. -. Return to the **Add CSPM** page in {kib}. -. Under **Where to add this integration**, select **New hosts**. -. Click **Save and continue**, then follow the instructions to install {agent} on your selected host. - -Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. - -[discrete] -[[cspm-azure-client-certificate]] -=== Option 3: Service principal with client certificate - -Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources]. - -. On the **Add Cloud Security Posture Management (CSPM) integration** page, under **Setup access**, select **Manual**. -. 
Under **Preferred manual method**, select **Service principal with client certificate**. -. Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. -. Click on **New Registration**, name your app and click **Register**. -. Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {kib}. -. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. -. Go to **Access control (IAM)** and select **Add Role Assignment**. -. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. - -Next, create a certificate. If you intend to use a password-protected certificate, you must use a pkcs12 certificate. Otherwise, you must use a pem certificate. - -Create a pkcs12 certificate, for example: -```shell -# Create PEM file -openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes - -# Create pkcs12 bundle using legacy flag (CLI will ask for export password) -openssl pkcs12 -legacy -export -out bundle.p12 -inkey key.pem -in cert.pem -``` - -Create a PEM certificate, for example: -```shell -# Generate certificate signing request (csr) and key -openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr - -# Generate PEM and self-sign with key -openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out signed.pem - -# Create bundle -cat cert.key > bundle.pem -cat signed.pem >> bundle.pem -``` - -After creating your certificate: - -. Return to Azure. -. Navigate to the **Certificates & secrets** menu. Select the **Certificates** tab. -. Click **Upload certificate**. -.. If you're using a PEM certificate that was created using the example commands above, upload `signed.pem`. -.. 
If you're using a pkcs12 certificate that was created using the example commands above, upload `cert.pem`. -. Upload the certificate bundle to the VM where you will deploy {agent}. -.. If you're using a PEM certificate that was created using the example commands above, upload `bundle.pem`. -.. If you're using a pkcs12 certificate that was created using the example commands above, upload `bundle.p12`. -. Return to the **Add CSPM** page in {kib}. -. For **Client Certificate Path**, enter the full path to the certificate that you uploaded to the host where you will install {agent}. -. If you used a pkcs12 certificate, enter its password under **Client Certificate Password**. -. Under **Where to add this integration**, select **New hosts**. -. Click **Save and continue**, then follow the instructions to install {agent} on your selected host. - -Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index fe7adce43d..6ac539798c 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc 
@@ -11,16 +11,11 @@ This page explains how to get started monitoring the security posture of your cl [sidebar] -- * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. -<<<<<<< HEAD -* CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. * CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]). * To view posture data, you need `read` privileges for the following {es} indices: ** `logs-cloud_security_posture.findings_latest-*` ** `logs-cloud_security_posture.scores-*` ** `Logs-cloud_security_posture.findings` -======= -* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support]. ->>>>>>> 86631d53 (Removes statement about CSPM only working in default space (#6911)) * The user who gives the CSPM integration GCP permissions must be a GCP project `admin`. -- diff --git a/docs/cloud-native-security/cspm.asciidoc b/docs/cloud-native-security/cspm.asciidoc index 193f773732..be1b4389f9 100644 --- a/docs/cloud-native-security/cspm.asciidoc +++ b/docs/cloud-native-security/cspm.asciidoc 
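Review bot: in the cspm-get-started-gcp.asciidoc hunk, the unchanged context line `** \`Logs-cloud_security_posture.findings\`` has a capital `L` while the two sibling entries use `logs-`; {es} index names must be lowercase, so a user granting `read` on the literal name shown will not get access to the findings index. Since this sidebar is being touched anyway, change it to `** \`logs-cloud_security_posture.findings\``. The conflict resolution itself (keeping "CSPM is supported on commercial cloud only" and dropping the picked "AWS GovCloud" line) is fine for this branch, but note that the cspm.asciidoc hunk later in this patch resolves the same conflict the other way.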
@@ -10,10 +10,6 @@ This feature currently supports Amazon Web Services (AWS) and Google Cloud Platf -- * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. * {stack} version 8.10 or greater. -<<<<<<< HEAD -* CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. -* CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]). -======= * CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support]. * `Read` privileges for the following {es} indices: ** `logs-cloud_security_posture.findings_latest-*` @@ -23,7 +19,6 @@ This feature currently supports Amazon Web Services (AWS) and Google Cloud Platf ** Integrations: `Read` ** Saved Objects Management: `Read` ** Fleet: `All` ->>>>>>> 86631d53 (Removes statement about CSPM only working in default space (#6911)) -- [discrete] From 287978858ab2ec36ea62c44ae8bdc39a767868e0 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Thu, 10 Jul 2025 13:40:25 -0400 Subject: [PATCH 3/3] Update docs/cloud-native-security/cspm.asciidoc --- docs/cloud-native-security/cspm.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm.asciidoc b/docs/cloud-native-security/cspm.asciidoc index be1b4389f9..55771a9d98 100644 --- a/docs/cloud-native-security/cspm.asciidoc +++ b/docs/cloud-native-security/cspm.asciidoc 
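Review bot: the first cspm.asciidoc hunk resolves the conflict in favour of the cherry-picked wording, keeping "CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud" while removing the HEAD line "CSPM is supported on commercial cloud only. Government cloud is not supported"; this contradicts both the hunk's own header context ("This feature currently supports Amazon Web Services (AWS) and Google Cloud Platform") and the cspm-get-started-gcp.asciidoc hunk in the same patch, which kept the HEAD wording. Keep the HEAD line here so the overview page and the per-provider pages state the same support matrix. The second hunk (`@@ -23,7 +19,6 @@`), which only removes the stray `>>>>>>> 86631d53` marker, looks correct.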
@@ -10,7 +10,7 @@ This feature currently supports Amazon Web Services (AWS) and Google Cloud Platf -- * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. * {stack} version 8.10 or greater. -* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support]. +* CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]). * `Read` privileges for the following {es} indices: ** `logs-cloud_security_posture.findings_latest-*` ** `logs-cloud_security_posture.scores-*`
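Review bot: the PATCH 3/3 hunk restores the HEAD wording ("CSPM is supported on commercial cloud only. Government cloud is not supported") in cspm.asciidoc, which resolves the mismatch with cspm-get-started-gcp.asciidoc and with the page's own "currently supports Amazon Web Services (AWS) and Google Cloud Platform" statement; the commit message "Update docs/cloud-native-security/cspm.asciidoc" is the GitHub default and does not say why the line was changed back, so a message such as "Restore branch-specific support statement dropped during cherry-pick conflict resolution" would make the history readable. The only substantive change in the hunk is that line, so no further review points.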