| 1 | +--- |
| 2 | +applies_to: |
| 3 | + stack: all |
| 4 | + serverless: |
| 5 | + security: all |
| 6 | +--- |
| 7 | + |
| 8 | +# Set up Cloud Asset Discovery for Azure |
| 9 | + |
| 10 | +## Overview [cad-overview-azure] |
| 11 | + |
| 12 | +This page explains how to set up the Cloud Asset Discovery integration (CAD) to inventory assets in AWS. |
| 13 | + |
| 14 | +::::{admonition} Requirements |
| 15 | +* The user who gives the CAD integration permissions in Azure must be an Azure subscription `admin`. |
| 16 | +* The CAD integration is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing). |
| 17 | +* CAD is supported only on AWS, not on Azure Government. [Click here to request support](https://github.com/elastic/kibana/issues/new/choose). |
| 18 | +:::: |
| 19 | + |
| 20 | + |
| 21 | + |
| 22 | +## Set up CAD for Azure [cad-setup-azure] |
| 23 | + |
| 24 | +You can set up CAD for Azure by by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, you will first add the CAD integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. [Agentless deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agentless) allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. [Agent-based deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agent-based) requires you to deploy and manage an agent in the cloud account you want to monitor. |
| 25 | + |
| 26 | + |
| 27 | +## Agentless deployment [cad-azure-agentless] |
| 28 | + |
| 29 | +1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). |
| 30 | +2. Search for `Cloud asset discovery`, then click on the result. |
| 31 | +3. Click **Add Cloud Asset Discovery**. |
| 32 | +4. Select **Azure**, then either **Azure Organization** to onboard your whole organization, or **Single Subscription** to onboard an individual subscription. |
| 33 | +5. Give your integration a name that matches the purpose or team of the Azure subscription/organization you want to monitor, for example, `dev-azure-account`. |
| 34 | +6. Under **Deployment options**, select **Agentless**. |
| 35 | +7. Next, you’ll need to authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to [Service principal with client secret](/solutions/security/cloud/asset-disc-azure.md#cad-azure-client-secret). |
| 36 | +8. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. |
| 37 | + |
| 38 | +## Agent-based deployment [cad-azure-agent-based] |
| 39 | + |
| 40 | + |
| 41 | +### Add your CAD integration [cad-add-and-name-integration-azure] |
| 42 | + |
| 43 | +1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). |
| 44 | +2. Search for `Cloud asset discovery`, then click on the result. |
| 45 | +3. Click **Add Cloud Asset Discovery**. |
| 46 | +4. Under **Configure integration**, select **Azure**, then select either **Azure Organization** or **Single Subscription**, depending on which resources you want to monitor. |
| 47 | +5. Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example, `azure-CAD-dev-1`. |
| 48 | + |
| 49 | + |
| 50 | +### Set up cloud account access [cad-set-up-cloud-access-section-azure] |
| 51 | + |
| 52 | +::::{note} |
| 53 | +To set up CAD for an Azure organization or subscription, you will need admin privileges for that organization or subscription. |
| 54 | +:::: |
| 55 | + |
| 56 | +For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below. |
| 57 | + |
| 58 | + |
| 59 | +## ARM template setup (recommended) [cad-set-up-ARM] |
| 60 | + |
| 61 | +::::{note} |
| 62 | +If you are deploying to an Azure organization, you need the following permissions: `Microsoft.Resources/deployments/*`, `Microsoft.Authorization/roleAssignments/write`. You also need to [elevate access to manage all Azure subscriptions and management groups](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin). |
| 63 | +:::: |
| 64 | + |
| 65 | + |
| 66 | +1. Under **Setup Access**, select **ARM Template**. |
| 67 | +2. Under **Where to add this integration**: |
| 68 | + |
| 69 | + 1. Select **New Hosts**. |
| 70 | + 2. Name the {{agent}} policy. Use a name that matches the resources you want to monitor. For example, `azure-dev-policy`. Click **Save and continue**. The **ARM Template deployment** window appears. |
| 71 | + 3. In a new tab, log in to the Azure portal, then return to {{kib}} and click **Launch ARM Template**. This will open the ARM template in Azure. |
| 72 | + 4. If you are deploying to an Azure organization, select the management group you want to monitor from the drop-down menu. Next, enter the subscription ID of the subscription where you want to deploy the VM that will scan your resources. |
| 73 | + 5. Copy the `Fleet URL` and `Enrollment Token` that appear in {{kib}} to the corresponding fields in the ARM Template, then click **Review + create**. |
| 74 | + 6. (Optional) Change the `Resource Group Name` parameter. Otherwise the name of the resource group defaults to a timestamp prefixed with `cloudbeat-`. |
| 75 | + |
| 76 | +3. Return to {{kib}} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. |
| 77 | + |
| 78 | + |
| 79 | +## Manual setup [cad-set-up-manual-azure] |
| 80 | + |
| 81 | +For manual setup, multiple authentication methods are available: |
| 82 | + |
| 83 | +* Managed identity (recommended) |
| 84 | +* Service principal with client secret |
| 85 | +* Service principal with client certificate |
| 86 | + |
| 87 | + |
| 88 | +### Option 1: Managed identity (recommended) [cad-azure-managed-identity-setup] |
| 89 | + |
| 90 | +This method involves creating an Azure VM (or using an existing one), giving it read access to the resources you want to monitor with CAD, and installing {{agent}} on it. |
| 91 | + |
| 92 | +1. Go to the Azure portal to [create a new Azure VM](https://portal.azure.com/#create/Microsoft.VirtualMachine-ARM). |
| 93 | +2. Follow the setup process, and make sure you enable **System assigned managed identity** under the **Management** tab. |
| 94 | +3. Go to your Azure subscription list and select the subscription or management group you want to monitor with CAD. |
| 95 | +4. Go to **Access control (IAM)**, and select **Add Role Assignment**. |
| 96 | +5. Select the `Reader` function role, assign access to **Managed Identity**, then select your VM. |
| 97 | + |
| 98 | +After assigning the role: |
| 99 | + |
| 100 | +1. Return to the **Add Cloud Asset Management** page in {{kib}}. |
| 101 | +2. Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**. |
| 102 | +3. Under **Where to add this integration**, select **New hosts**. |
| 103 | +4. Click **Save and continue**, then follow the instructions to install {{agent}} on your Azure VM. |
| 104 | + |
| 105 | +Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. |
| 106 | + |
| 107 | + |
| 108 | +### Option 2: Service principal with client secret [cad-azure-client-secret] |
| 109 | + |
| 110 | +Before using this method, you must have set up a [Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in). |
| 111 | + |
| 112 | +1. On the **Add Cloud Asset Discovery integration** page, scroll to the **Setup access** section, then select **Manual**. |
| 113 | +2. Under **Preferred manual method**, select **Service principal with Client Secret**. |
| 114 | +3. Go to the **Registered apps** section of [Microsoft Entra ID](https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps). |
| 115 | +4. Click on **New Registration**, name your app and click **Register**. |
| 116 | +5. Copy your new app’s `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {{kib}}. |
| 117 | +6. Return to the Azure portal. Select **Certificates & secrets**, then go to the **Client secrets** tab. Click **New client secret**. |
| 118 | +7. Copy the new secret. Paste it into the corresponding field in {{kib}}. |
| 119 | +8. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CAD. |
| 120 | +9. Go to **Access control (IAM)** and select **Add Role Assignment**. |
| 121 | +10. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. |
| 122 | +11. Return to the **Add Cloud Asset Discovery integration** page in {{kib}}. |
| 123 | +12. Under **Where to add this integration**, select **New hosts**. |
| 124 | +13. Click **Save and continue**, then follow the instructions to install {{agent}} on your selected host. |
| 125 | + |
| 126 | +Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. |
| 127 | + |
| 128 | + |
| 129 | +### Option 3: Service principal with client certificate [cad-azure-client-certificate] |
| 130 | + |
| 131 | +Before using this method, you must have set up a [Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in). |
| 132 | + |
| 133 | +1. On the **Add Cloud Asset Discovery integration** page, under **Setup access**, select **Manual**. |
| 134 | +2. Under **Preferred manual method**, select **Service principal with client certificate**. |
| 135 | +3. Go to the **Registered apps** section of [Microsoft Entra ID](https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps). |
| 136 | +4. Click on **New Registration**, name your app and click **Register**. |
| 137 | +5. Copy your new app’s `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {{kib}}. |
| 138 | +6. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CAD. |
| 139 | +7. Go to **Access control (IAM)** and select **Add Role Assignment**. |
| 140 | +8. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. |
| 141 | + |
| 142 | +Next, create a certificate. If you intend to use a password-protected certificate, you must use a pkcs12 certificate. Otherwise, you must use a pem certificate. |
| 143 | + |
| 144 | +Create a pkcs12 certificate, for example: |
| 145 | + |
| 146 | +```shell |
| 147 | +# Create PEM file |
| 148 | +openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes |
| 149 | + |
| 150 | +# Create pkcs12 bundle using legacy flag (CLI will ask for export password) |
| 151 | +openssl pkcs12 -legacy -export -out bundle.p12 -inkey key.pem -in cert.pem |
| 152 | +``` |
| 153 | + |
| 154 | +Create a PEM certificate, for example: |
| 155 | + |
| 156 | +```shell |
| 157 | +# Generate certificate signing request (csr) and key |
| 158 | +openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr |
| 159 | + |
| 160 | +# Generate PEM and self-sign with key |
| 161 | +openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out signed.pem |
| 162 | + |
| 163 | +# Create bundle |
| 164 | +cat cert.key > bundle.pem |
| 165 | +cat signed.pem >> bundle.pem |
| 166 | +``` |
| 167 | + |
| 168 | +After creating your certificate: |
| 169 | + |
| 170 | +1. Return to Azure. |
| 171 | +2. Navigate to the **Certificates & secrets** menu. Select the **Certificates** tab. |
| 172 | +3. Click **Upload certificate**. |
| 173 | + |
| 174 | + 1. If you’re using a PEM certificate that was created using the example commands above, upload `signed.pem`. |
| 175 | + 2. If you’re using a pkcs12 certificate that was created using the example commands above, upload `cert.pem`. |
| 176 | + |
| 177 | +4. Upload the certificate bundle to the VM where you will deploy {{agent}}. |
| 178 | + |
| 179 | + 1. If you’re using a PEM certificate that was created using the example commands above, upload `bundle.pem`. |
| 180 | + 2. If you’re using a pkcs12 certificate that was created using the example commands above, upload `bundle.p12`. |
| 181 | + |
| 182 | +5. Return to the **Add Cloud Asset Discovery** page in {{kib}}. |
| 183 | +6. For **Client Certificate Path**, enter the full path to the certificate that you uploaded to the host where you will install {{agent}}. |
| 184 | +7. If you used a pkcs12 certificate, enter its password under **Client Certificate Password**. |
| 185 | +8. Under **Where to add this integration**, select **New hosts**. |
| 186 | +9. Click **Save and continue**, then follow the instructions to install {{agent}} on your selected host. |
| 187 | + |
| 188 | +Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. |
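Review bot: the overview and requirements of this Azure page still say AWS: line 12 reads "inventory assets in AWS" and line 17 reads "CAD is supported only on AWS, not on Azure Government"; both should say Azure, e.g. "CAD is supported on Azure, but not on Azure Government." In the same hunk: line 15 requires an Azure subscription `admin`, which is not an Azure built-in role; since the ARM template note at line 62 needs `Microsoft.Authorization/roleAssignments/write`, name the role that actually grants it (Owner or User Access Administrator on the target subscription or management group) and use the same wording in the note at line 53. Line 24 has a doubled "by by". Line 100 refers to the "Add Cloud Asset Management" page, which everywhere else is "Add Cloud Asset Discovery". Lines 96, 121 and 140 say "`Reader` function role"; "`Reader` built-in role" is the Azure term. For the certificate example, `openssl pkcs12 -legacy` on line 151 exists only in OpenSSL 3.x (and needs the legacy provider loadable); a short caveat that users of OpenSSL 1.1 should drop the flag would avoid a confusing "unknown option" error. Finally, `bundle.pem` built at lines 164-165 holds an unencrypted private key that is copied to the agent VM at line 179, and the client secret pasted at line 118 is shown once and expires; suggest adding that the bundle should be readable only by the {{agent}} user (e.g. `chmod 600 bundle.pem`) and that the secret's expiry must be tracked and rotated.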