-
Notifications
You must be signed in to change notification settings - Fork 197
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Creates CSPM privileges standalone page (#6269)
* Creates CSPM privileges standalone page * ports updates to serverless * Apply suggestions from code review Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --------- Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit 51b58c2) # Conflicts: # docs/serverless/cloud-native-security/cspm-get-started-azure.asciidoc # docs/serverless/cloud-native-security/cspm-get-started-gcp.asciidoc # docs/serverless/cloud-native-security/cspm-get-started.asciidoc # docs/serverless/index.asciidoc
- Loading branch information
1 parent
685793e
commit a27c722
Showing
10 changed files
with
1,066 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| [[cspm-required-permissions]] | ||
| = CSPM privilege requirements | ||
|
|
||
| This page lists required privileges for {elastic-sec}'s CSPM features. There are three access levels: read, write, and manage. Each access level and its requirements are described below. | ||
|
|
||
| [discrete] | ||
| == Read | ||
|
|
||
| Users with these minimum permissions can view data on the **Findings** page and the Cloud Posture dashboard. | ||
|
|
||
| [discrete] | ||
| === {es} index privileges | ||
| `Read` privileges for the following {es} indices: | ||
|
|
||
| * `logs-cloud_security_posture.findings_latest-*` | ||
| * `logs-cloud_security_posture.scores-*` | ||
|
|
||
| [discrete] | ||
| === {kib} privileges | ||
|
|
||
| * `Security: Read` | ||
|
|
||
|
|
||
| [discrete] | ||
| == Write | ||
|
|
||
| Users with these minimum permissions can view data on the **Findings** page and the Cloud Posture dashboard, create detection rules from the findings details flyout, and enable or disable benchmark rules. | ||
|
|
||
| [discrete] | ||
| === {es} index privileges | ||
| `Read` privileges for the following {es} indices: | ||
|
|
||
| * `logs-cloud_security_posture.findings_latest-*` | ||
| * `logs-cloud_security_posture.scores-*` | ||
|
|
||
| [discrete] | ||
| === {kib} privileges | ||
|
|
||
| * `Security: All` | ||
|
|
||
|
|
||
| [discrete] | ||
| == Manage | ||
|
|
||
| Users with these minimum permissions can view data on the **Findings** page and the Cloud Posture dashboard, create detection rules from the findings details flyout, enable or disable benchmark rules, and install, update, or uninstall CSPM integrations and assets. | ||
|
|
||
| [discrete] | ||
| === {es} index privileges | ||
| `Read` privileges for the following {es} indices: | ||
|
|
||
| * `logs-cloud_security_posture.findings_latest-*` | ||
| * `logs-cloud_security_posture.scores-*` | ||
|
|
||
| [discrete] | ||
| === {kib} privileges | ||
|
|
||
| * `Security: All` | ||
| * `Spaces: All` | ||
| * `Fleet: All` | ||
| * `Integrations: All` | ||
|
|
193 changes: 193 additions & 0 deletions
193
docs/serverless/cloud-native-security/cspm-get-started-azure.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,193 @@ | ||
| [[security-cspm-get-started-azure]] | ||
| = Get started with CSPM for Azure | ||
|
|
||
| // :description: Start monitoring the security posture of your Azure cloud assets. | ||
| // :keywords: serverless, security, overview, cloud security | ||
|
|
||
|
|
||
| [discrete] | ||
| [[cspm-overview-azure]] | ||
| == Overview | ||
|
|
||
| This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. | ||
|
|
||
| .Requirements | ||
| [NOTE] | ||
| ==== | ||
| * Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to <<cspm-required-permissions>>. | ||
| * CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. | ||
| * CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported (https://github.com/elastic/kibana/issues/new/choose[request support]). | ||
| * The user who gives the CSPM integration permissions in Azure must be an Azure subscription `admin`. | ||
| ==== | ||
|
|
||
| [discrete] | ||
| [[cspm-setup-azure]] | ||
| == Set up CSPM for Azure | ||
|
|
||
| You can set up CSPM for Azure by by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. <<cspm-azure-agentless,Agentless deployment>> allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. <<cspm-azure-agent-based,Agent-based deployment>> requires you to deploy and manage an agent in the cloud account you want to monitor. | ||
|
|
||
| [discrete] | ||
| [[cspm-azure-agentless]] | ||
| == Agentless deployment | ||
|
|
||
| beta:[] | ||
|
|
||
| . Find **Integrations** in the navigation menu or use the global search field. | ||
| . Search for `CSPM`, then click on the result. | ||
| . Click **Add Cloud Security Posture Management (CSPM)**. | ||
| . Select **Azure**, then either **Azure Organization** to onboard your whole organization, or **Single Subscription** to onboard an individual subscription. | ||
| . Give your integration a name that matches the purpose or team of the Azure subscription/organization you want to monitor, for example, `dev-azure-account`. | ||
| . Click **Advanced options**, then select **Agentless (BETA)**. | ||
| . Next, you'll need to authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to <<cspm-azure-client-secret,Service principal with client secret>>. | ||
| . Once you've provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. | ||
|
|
||
| [discrete] | ||
| [[cspm-azure-agent-based]] | ||
| == Agent-based deployment | ||
|
|
||
| [discrete] | ||
| [[cspm-add-and-name-integration-azure]] | ||
| === Add your CSPM integration | ||
|
|
||
| . Find **Integrations** in the navigation menu or use the global search field. | ||
| . Search for `CSPM`, then click on the result. | ||
| . Click **Add Cloud Security Posture Management (CSPM)**. | ||
| . Under **Configure integration**, select **Azure**, then select either **Azure Organization** or **Single Subscription**, depending on which resources you want to monitor. | ||
| . Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example, `azure-CSPM-dev-1`. | ||
|
|
||
| [discrete] | ||
| [[cspm-set-up-cloud-access-section-azure]] | ||
| === Set up cloud account access | ||
|
|
||
| To set up CSPM for an Azure organization or subscription, you will need admin privileges for that organization or subscription. | ||
|
|
||
| For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below. | ||
|
|
||
| [discrete] | ||
| [[cspm-set-up-ARM]] | ||
| === ARM template setup (recommended) | ||
|
|
||
| . Under **Setup Access**, select **ARM Template**. | ||
| . Under **Where to add this integration**: | ||
| + | ||
| .. Select **New Hosts**. | ||
| .. Name the {agent} policy. Use a name that matches the resources you want to monitor, for example, `azure-dev-policy`. Click **Save and continue**. The **ARM Template deployment** window appears. | ||
| .. In a new tab, log in to the Azure portal, then return to {kib} and click **Launch ARM Template**. This will open the ARM template in Azure. | ||
| .. If you are deploying to an Azure organization, select the management group you want to monitor from the drop-down menu. Next, enter the subscription ID of the subscription where you want to deploy the VM that will scan your resources. | ||
| .. Copy the `Fleet URL` and `Enrollment Token` that appear in {kib} to the corresponding fields in the ARM Template, then click **Review + create**. | ||
| .. (Optional) Change the `Resource Group Name` parameter. Otherwise, the name of the resource group defaults to a timestamp prefixed with `cloudbeat-`. | ||
| . Return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. | ||
|
|
||
| [discrete] | ||
| [[cspm-set-up-manual-azure]] | ||
| === Manual setup | ||
|
|
||
| For manual setup, multiple authentication methods are available: | ||
|
|
||
| . Managed identity (recommended) | ||
| . Service principal with client secret | ||
| . Service principal with client certificate | ||
|
|
||
| [discrete] | ||
| [[cspm-azure-managed-identity-setup]] | ||
| === Option 1: Managed identity (recommended) | ||
|
|
||
| This method involves creating an Azure VM (or using an existing one), giving it read access to the resources you want to monitor with CSPM, and installing {agent} on it. | ||
|
|
||
| . Go to the Azure portal to create a new Azure VM. | ||
| . Follow the setup process, and make sure you enable **System assigned managed identity** under the **Management** tab. | ||
| . Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. | ||
| . Go to **Access control (IAM)**, and select **Add Role Assignment**. | ||
| . Select the `Reader` role, assign access to **Managed Identity**, then select your VM. | ||
|
|
||
| After assigning the role: | ||
|
|
||
| . Return to the **Add CSPM** page in {kib}. | ||
| . Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**. | ||
| . Under **Where to add this integration**, select **New hosts**. | ||
| . Click **Save and continue**, then follow the instructions to install {agent} on your Azure VM. | ||
|
|
||
| Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. | ||
|
|
||
| [discrete] | ||
| [[cspm-azure-client-secret]] | ||
| === Option 2: Service principal with client secret | ||
|
|
||
| Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources]. | ||
|
|
||
| . On the **Add Cloud Security Posture Management (CSPM) integration** page, scroll to the **Setup access** section, then select **Manual**. | ||
| . Under **Preferred manual method**, select **Service principal with Client Secret**. | ||
| . Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. | ||
| . Click on **New Registration**, name your app and click **Register**. | ||
| . Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {kib}. | ||
| . Return to the Azure portal. Select **Certificates & secrets**, then go to the **Client secrets** tab. Click **New client secret**. | ||
| . Copy the new secret. Paste it into the corresponding field in {kib}. | ||
| . Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. | ||
| . Go to **Access control (IAM)** and select **Add Role Assignment**. | ||
| . Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. | ||
| . Return to the **Add CSPM** page in {kib}. | ||
| . Under **Where to add this integration**, select **New hosts**. | ||
| . Click **Save and continue**, then follow the instructions to install {agent} on your selected host. | ||
|
|
||
| Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. | ||
|
|
||
| [discrete] | ||
| [[cspm-azure-client-certificate]] | ||
| === Option 3: Service principal with client certificate | ||
|
|
||
| Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources]. | ||
|
|
||
| . On the **Add Cloud Security Posture Management (CSPM) integration** page, under **Setup access**, select **Manual**. | ||
| . Under **Preferred manual method**, select **Service principal with client certificate**. | ||
| . Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. | ||
| . Click on **New Registration**, name your app and click **Register**. | ||
| . Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {kib}. | ||
| . Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. | ||
| . Go to **Access control (IAM)** and select **Add Role Assignment**. | ||
| . Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. | ||
|
|
||
| Next, create a certificate. If you intend to use a password-protected certificate, you must use a pkcs12 certificate. Otherwise, you must use a pem certificate. | ||
|
|
||
| Create a pkcs12 certificate, for example: | ||
|
|
||
| [source,shell] | ||
| ---- | ||
| # Create PEM file | ||
| openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes | ||
| # Create pkcs12 bundle using legacy flag (CLI will ask for export password) | ||
| openssl pkcs12 -legacy -export -out bundle.p12 -inkey key.pem -in cert.pem | ||
| ---- | ||
|
|
||
| Create a PEM certificate, for example: | ||
|
|
||
| [source,shell] | ||
| ---- | ||
| # Generate certificate signing request (csr) and key | ||
| openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr | ||
| # Generate PEM and self-sign with key | ||
| openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out signed.pem | ||
| # Create bundle | ||
| cat cert.key > bundle.pem | ||
| cat signed.pem >> bundle.pem | ||
| ---- | ||
|
|
||
| . Return to Azure. | ||
| . Navigate to the **Certificates & secrets** menu. Select the **Certificates** tab. | ||
| . Click **Upload certificate**. | ||
| + | ||
| .. If you're using a PEM certificate that was created using the example commands above, upload `signed.pem`. | ||
| .. If you're using a pkcs12 certificate that was created using the example commands above, upload `cert.pem`. | ||
| . Upload the certificate bundle to the VM where you will deploy {agent}. | ||
| + | ||
| .. If you're using a PEM certificate that was created using the example commands above, upload `bundle.pem`. | ||
| .. If you're using a pkcs12 certificate that was created using the example commands above, upload `bundle.p12`. | ||
| . Return to the **Add CSPM** page in {kib}. | ||
| . For **Client Certificate Path**, enter the full path to the certificate that you uploaded to the host where you will install {agent}. | ||
| . If you used a pkcs12 certificate, enter its password under **Client Certificate Password**. | ||
| . Under **Where to add this integration**, select **New hosts**. | ||
| . Click **Save and continue**, then follow the instructions to install {agent} on your selected host. | ||
|
|
||
| Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. |
Oops, something went wrong.