diff --git a/solutions/security/cloud.md b/solutions/security/cloud.md index 4aaf3baf85..939b3ad8be 100644 --- a/solutions/security/cloud.md +++ b/solutions/security/cloud.md @@ -31,6 +31,22 @@ Allows you to identify configuration risks in the various components that make u [Read the KSPM docs](/solutions/security/cloud/kubernetes-security-posture-management.md). +## Cloud Asset Discovery [_asset_discovery_cad] + +```{applies_to} +stack: preview 9.1 +serverless: + security: preview +``` + +Creates an up-to-date, unified inventory of your cloud resources from AWS, GCP, and Azure. Once you connect your cloud accounts, this integration automatically finds and lists your cloud services and assets, such as: + +* **AWS:** S3 buckets, EC2 instances, EKS clusters, and more. +* **GCP:** Cloud Storage buckets, Compute Engine instances, Kubernetes clusters, and more. +* **Azure:** Virtual Machines, Blob Storage, Azure Kubernetes Service (AKS), and more. + +[Read the Cloud Asset Discovery docs](/solutions/security/cloud/asset-disc.md). + ## Cloud Native Vulnerability Management (CNVM) [_cloud_native_vulnerability_management_cnvm] diff --git a/solutions/security/cloud/_snippets/cnvm-dashboard.md b/solutions/security/cloud/_snippets/cnvm-dashboard.md index 54c9124c93..6bf5087ca4 100644 --- a/solutions/security/cloud/_snippets/cnvm-dashboard.md +++ b/solutions/security/cloud/_snippets/cnvm-dashboard.md 
@@ -6,7 +6,7 @@ The Cloud Native Vulnerability Management (CNVM) dashboard gives you an overview ::::{admonition} Requirements * To collect this data, install the [Cloud Native Vulnerability Management](/solutions/security/cloud/get-started-with-cnvm.md) integration. -* The CNVM dashboard is available to all Elastic Cloud users. For on-premises deployments, it requires an [Enterprise subscription](https://www.elastic.co/pricing). +* The CNVM dashboard is available to all Elastic Cloud users. For on-premises deployments, it requires an [appropriate subscription](https://www.elastic.co/pricing) level. :::: diff --git a/solutions/security/cloud/_snippets/cspm-dashboard.md b/solutions/security/cloud/_snippets/cspm-dashboard.md index 327f2a810b..d0a9ad3e21 100644 --- a/solutions/security/cloud/_snippets/cspm-dashboard.md +++ b/solutions/security/cloud/_snippets/cspm-dashboard.md @@ -13,7 +13,7 @@ The Cloud Security Posture dashboard shows: * Configuration risks grouped by CIS section (security guideline category) ::::{admonition} Requirements -* The Cloud Security Posture dashboard is available to all Elastic Cloud users. For on-prem deployments, it requires an [Enterprise subscription](https://www.elastic.co/pricing). +* The Cloud Security Posture dashboard is available to all Elastic Cloud users. For on-prem deployments, it requires an [appropriate subscription](https://www.elastic.co/pricing) level. :::: diff --git a/solutions/security/cloud/asset-disc-aws.md b/solutions/security/cloud/asset-disc-aws.md new file mode 100644 index 0000000000..138f4727c1 --- /dev/null +++ b/solutions/security/cloud/asset-disc-aws.md 
@@ -0,0 +1,315 @@ +--- +applies_to: + stack: preview + serverless: + security: preview +--- + +# Set up Cloud Asset Discovery for AWS + +## Overview [cad-aws-overview] + +This page explains how to set up the Cloud Asset Discovery integration to inventory assets in AWS. + +## Requirements +* The user who gives the Cloud Asset Discovery integration AWS permissions must be an AWS account `admin`. +* The Cloud Asset Discovery integration is available to all {{ecloud}} users. On-premise deployments require [appropriate subscription](https://www.elastic.co/pricing) level. +* The Cloud Asset Discovery integration supports only the AWS commercial cloud platform. AWS GovCloud is not supported. To request support, [open a GitHub issue](https://github.com/elastic/kibana/issues/new/choose). + + + + +## Set up Cloud Asset Discovery for AWS [cad-aws-setup] + +You can set up Cloud Asset Discovery for AWS either by enrolling a single cloud account, or by enrolling an organization containing multiple accounts. Either way, first you will add the integration, then enable cloud account access. + +Two deployment technologies are available: agentless and agent-based. + +* [Agentless deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agentless) allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. +* [Agent-based deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agent-based) requires you to deploy and manage an agent in the cloud account you want to monitor. + +## Agentless deployment [cad-aws-agentless] + +1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Search for and select `Cloud asset discovery`. +3. Click **Add Cloud Asset Discovery**. +4. Select **AWS**, then either **AWS Organization** to onboard multiple accounts, or **Single Account** to onboard an individual account. +5. 
Give your integration a name that matches the purpose or team of the AWS account/organization you want to monitor, for example, `dev-aws-account`. +6. In **Deployment options**, select **Agentless**. +7. Next, you’ll need to authenticate to AWS. Two methods are available: + + * Option 1: Direct access keys/CloudFormation (Recommended). For **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation. + + ::::{note} + If you don’t want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**. + :::: + + * Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for [temporary keys](/solutions/security/cloud/asset-disc-aws.md#cad-aws-temp-credentials). + +8. Once you’ve selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. + +## Agent-based deployment [cad-aws-agent-based] + + +### Add the Cloud Asset Discovery integration [cad-aws-add-and-name-integration] + +1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Search for and select `Cloud asset discovery`. +3. Click **Add Cloud Asset Discovery**. +4. Select **AWS**, then either **AWS Organization** to onboard multiple accounts, or **Single Account** to onboard an individual account. +5. Give your integration a name that matches the purpose or team of the AWS account/organization you want to monitor, for example, `dev-aws-account`. 
+ + +### Set up cloud account access [cad-aws-set-up-cloud-access-section] + +Cloud Asset Discovery requires access to AWS’s built-in [`SecurityAudit` IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor) in order to discover resources in your cloud account. There are several ways to provide access. + +For most use cases, the simplest option is to use AWS CloudFormation to automatically provision the necessary resources and permissions in your AWS account. This method, as well as several manual options, are described next on this page. + + +### CloudFormation (recommended) [cad-aws-set-up-cloudformation] + +1. From the **Add Cloud Asset Discovery integration** menu, in **Setup Access**, select **CloudFormation**. +2. In a new browser tab or window, log in as an admin to the AWS account or organization you want to onboard. +3. Return to your {{kib}} tab. Click **Save and continue** at the bottom of the page. +4. Review the information, then click **Launch CloudFormation**. +5. A CloudFormation template appears in a new browser tab. +6. For organization-level deployments only, you must enter the ID of the organizational units where you want to deploy into the CloudFormation template’s `OrganizationalUnitIds` field. You can find organizational unit IDs in the AWS console under **AWS Organizations → AWS Accounts** (under each organization’s name). You can also use this field to specify which accounts in your organization to monitor, and which to skip. +7. (Optional) Switch to the AWS region where you want to deploy using the controls in the upper right corner. +8. Tick the checkbox in **Capabilities** to authorize the creation of necessary resources. +9. At the bottom of the template, select **Create stack**. + +When you return to {{kib}}, click **View assets** to review the data being collected by your new integration. 
+ + +### Manual authentication for organization-level onboarding [cad-aws-setup-organization-manual] + +::::{note} +If you’re onboarding a single account instead of an organization, skip this section. +:::: + + +When using manual authentication to onboard at the organization level, you need to configure the necessary permissions using the AWS console for the organization where you want to deploy: + +* In the organization’s management account (root account), create an IAM role called `cloudbeat-asset-inventory-root` (the name is important). The role needs several policies: + + * The following inline policy: + + +::::{dropdown} Click to expand policy +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "organizations:List*", + "organizations:Describe*" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Action": [ + "sts:AssumeRole" + ], + "Resource": "*", + "Effect": "Allow" + } + ] +} +``` + +:::: + + + * The following trust policy: + +::::{dropdown} Click to expand policy +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::root" <1> + }, + "Action": "sts:AssumeRole" + }, + { + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} +``` + +1. Replace `` in the trust policy with your AWS account ID. + +:::: + +* The AWS-managed `SecurityAudit` policy. + +* Next, for each account you want to scan in the organization, create an IAM role named `cloudbeat-asset-inventory-securityaudit` with the following policies: + + * The AWS-managed `SecurityAudit` policy. + * The following trust policy: + + +::::{dropdown} Click to expand policy +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::role/cloudbeat-asset-inventory-root" <1> + }, + "Action": "sts:AssumeRole" + } + ] +} +``` + + +1. Replace `` in this trust policy with your AWS account ID. 
+:::: + +After creating the necessary roles, authenticate using one of the manual authentication methods. + +::::{important} +When deploying to an organization using any of the authentication methods on this page, you need to make sure that the credentials you provide grant permission to assume `cloudbeat-asset-inventory-root` privileges. +:::: + + + +### Manual authentication methods [cad-aws-set-up-manual] + +* [Default instance role (recommended)](/solutions/security/cloud/asset-disc-aws.md#cad-aws-use-instance-role) +* [Direct access keys](/solutions/security/cloud/asset-disc-aws.md#cad-aws-use-keys-directly) +* [Temporary security credentials](/solutions/security/cloud/asset-disc-aws.md#cad-aws-temp-credentials) +* [Shared credentials file](/solutions/security/cloud/asset-disc-aws.md#cad-aws-use-a-shared-credentials-file) +* [IAM role Amazon Resource Name (ARN)](/solutions/security/cloud/asset-disc-aws.md#cad-aws-use-iam-arn) + +::::{important} +Whichever method you use to authenticate, make sure AWS’s built-in [`SecurityAudit` IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor) is attached. +:::: + + + +#### Option 1 - Default instance role [cad-aws-use-instance-role] + +::::{note} +If you are deploying to an AWS organization instead of an AWS account, you should already have [created a new role](/solutions/security/cloud/asset-disc-aws.md#cad-aws-setup-organization-manual), `cloudbeat-asset-inventory-root`. Skip to step 2 "Attach your new IAM role to an EC2 instance", and attach this role. You can use either an existing or new EC2 instance. +:::: + + +Follow AWS’s [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) documentation to create an IAM role using the IAM console, which automatically generates an instance profile. + +1. Create an IAM role: + + 1. In AWS, go to your IAM dashboard. Click **Roles**, then **Create role**. + 2. 
On the **Select trusted entity** page, in **Trusted entity type**, select **AWS service**. + 3. In **Use case**, select **EC2**. Click **Next**. + 4. On the **Add permissions** page, search for and select `SecurityAudit`. Click **Next**. + 5. On the **Name, review, and create** page, name your role, then click **Create role**. + +2. Attach your new IAM role to an EC2 instance: + + 1. In AWS, select an EC2 instance. + 2. Select **Actions > Security > Modify IAM role**. + 3. On the **Modify IAM role** page, search for and select your new IAM role. + 4. Click **Update IAM role**. + 5. Return to {{kib}} and [finish manual setup](/solutions/security/cloud/asset-disc-aws.md#cad-aws-finish-manual). + + +::::{important} +Make sure to deploy Cloud Asset Discovery to this EC2 instance. When completing setup in {{kib}}, in the **Setup Access** section, select **Assume role**. Leave **Role ARN** empty for agentless deployments. For agent-based deployments, leave it empty unless you want to specify a role the {{agent}} should assume instead of the default role for your EC2 instance. Click **Save and continue**. +:::: + + + +#### Option 2 - Direct access keys [cad-aws-use-keys-directly] + +Access keys are long-term credentials for an IAM user or AWS account root user. To use access keys as credentials, you must provide the `Access key ID` and the `Secret Access Key`. After you provide credentials, [finish manual setup](/solutions/security/cloud/asset-disc-aws.md#cad-aws-finish-manual). + +For more details, refer to [Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html). + +::::{important} +You must select **Programmatic access** when creating the IAM user. +:::: + + + +#### Option 3 - Temporary security credentials [cad-aws-temp-credentials] + +You can configure temporary security credentials in AWS to last for a specified duration. 
They consist of an access key ID, a secret access key, and a session token, which is typically found using `GetSessionToken`. + +Because temporary security credentials are short term, once they expire, you will need to generate new ones and manually update the integration’s configuration to continue collecting cloud posture data. Update the credentials before they expire to avoid data loss. + +::::{note} +IAM users with multi-factor authentication (MFA) enabled need to submit an MFA code when calling `GetSessionToken`. For more details, refer to AWS’s [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) documentation. +:::: + + +You can use the AWS CLI to generate temporary credentials. For example, you could use the following command if you have MFA enabled: + +```console +sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456 +``` + +The output from this command includes the following fields, which you should provide when configuring the integration: + +* `Access key ID`: The first part of the access key. +* `Secret Access Key`: The second part of the access key. +* `Session Token`: The required token when using temporary security credentials. + +After you provide credentials, [finish manual setup](/solutions/security/cloud/asset-disc-aws.md#cad-aws-finish-manual). + + +#### Option 4 - Shared credentials file [cad-aws-use-a-shared-credentials-file] + +If you use different AWS credentials for different tools or applications, you can use profiles to define multiple access keys in the same configuration file. For more details, refer to AWS' [Shared Credentials Files](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html) documentation. 
+ +Instead of providing the `Access key ID` and `Secret Access Key` to the integration, provide the information required to locate the access keys within the shared credentials file: + +* `Credential Profile Name`: The profile name in the shared credentials file. +* `Shared Credential File`: The directory of the shared credentials file. + +If you don’t provide values for all configuration fields, the integration will use these defaults: + +* If `Access key ID`, `Secret Access Key`, and `ARN Role` are not provided, then the integration will check for `Credential Profile Name`. +* If there is no `Credential Profile Name`, the default profile will be used. +* If `Shared Credential File` is empty, the default directory will be used. +* For Linux or Unix, the shared credentials file is located at `~/.aws/credentials`. + +After providing credentials, [finish manual setup](/solutions/security/cloud/asset-disc-aws.md#cad-aws-finish-manual). + + +#### Option 5 - IAM role Amazon Resource Name (ARN) [cad-aws-use-iam-arn] + +An IAM role Amazon Resource Name (ARN) is an IAM identity that you can create in your AWS account. You define the role’s permissions. Roles do not have standard long-term credentials such as passwords or access keys. Instead, when you assume a role, it provides temporary security credentials for your session. + +To use an IAM role ARN, select **Assume role** for **Preferred manual method**, enter the ARN, and continue to Finish manual setup. + + +### Finish manual setup [cad-aws-finish-manual] + +Once you’ve provided AWS credentials, proceed to **Where to add this integration**: + +If you want to monitor an AWS account or organization where you have not yet deployed {{agent}}: + +* Select **New Hosts**. +* Name the {{agent}} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-aws-account`. +* Click **Save and continue**, then **Add {{agent}} to your hosts**. 
The **Add agent** wizard appears and provides {{agent}} binaries, which you can download and deploy to your AWS account. + +If you want to monitor an AWS account or organization where you have already deployed {{agent}}: + +* Select **Existing hosts**. +* Select an agent policy that applies the AWS account you want to monitor. +* Click **Save and continue**. diff --git a/solutions/security/cloud/asset-disc-azure.md b/solutions/security/cloud/asset-disc-azure.md new file mode 100644 index 0000000000..995740f6f3 --- /dev/null +++ b/solutions/security/cloud/asset-disc-azure.md 
@@ -0,0 +1,194 @@ +--- +applies_to: + stack: all + serverless: + security: all +--- + +# Set up Cloud Asset Discovery for Azure + +## Overview [cad-overview-azure] + +This page explains how to set up the Cloud Asset Discovery integration to inventory assets in Azure. + + +## Requirements + +* The user who gives the Cloud Asset Discovery integration permissions in Azure must be an Azure subscription `admin`. +* The Cloud Asset Discovery integration is available to all {{ecloud}} users. On-premise deployments require the [appropriate subscription](https://www.elastic.co/pricing) level. +* The Cloud Asset Discovery integration is supported only on Azure, not on Azure Government. To request support, [open a GitHub issue](https://github.com/elastic/kibana/issues/new/choose). + + + +## Set up Cloud Asset Discovery for Azure [cad-setup-azure] + +You can set up Cloud Asset Discovery for Azure by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, you will first add the Cloud Asset Discovery integration, then enable cloud account access. + +Two deployment technologies are available: agentless and agent-based. + +* [Agentless deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agentless) allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. +* [Agent-based deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agent-based) requires you to deploy and manage an agent in the cloud account you want to monitor. + + +## Agentless deployment [cad-azure-agentless] + +1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Search for and select `Cloud asset discovery`. +3. Click **Add Cloud Asset Discovery**. +4. 
Select **Azure**, then either **Azure Organization** to onboard your whole organization, or **Single Subscription** to onboard an individual subscription. +5. Give your integration a name that matches the purpose or team of the Azure subscription/organization you want to monitor, for example, `dev-azure-account`. +6. In **Deployment options**, select **Agentless**. +7. Next, you’ll need to authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to [Service principal with client secret](/solutions/security/cloud/asset-disc-azure.md#cad-azure-client-secret). +8. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. + +## Agent-based deployment [cad-azure-agent-based] + + +### Add your Cloud Asset Discovery integration [cad-add-and-name-integration-azure] + +1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Search for and select `Cloud asset discovery`. +3. Click **Add Cloud Asset Discovery**. +4. In **Configure integration**, select **Azure**, then select either **Azure Organization** or **Single Subscription**, depending on which resources you want to monitor. +5. Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example, `azure-CAD-dev-1`. + + +### Set up cloud account access [cad-set-up-cloud-access-section-azure] + +::::{note} +To set up Cloud Asset Discovery for an Azure organization or subscription, you will need admin privileges for that organization or subscription. +:::: + +For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. 
If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described next on this page. + + +## ARM template setup (recommended) [cad-set-up-ARM] + +::::{note} +If you are deploying to an Azure organization, you need the following permissions: `Microsoft.Resources/deployments/*`, `Microsoft.Authorization/roleAssignments/write`. You also need to [elevate access to manage all Azure subscriptions and management groups](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin). +:::: + + +1. In **Setup Access**, select **ARM Template**. +2. In **Where to add this integration**: + + 1. Select **New Hosts**. + 2. Name the {{agent}} policy. Use a name that matches the resources you want to monitor. For example, `azure-dev-policy`. Click **Save and continue**. The **ARM Template deployment** window appears. + 3. In a new tab, log in to the Azure portal, then return to {{kib}} and click **Launch ARM Template**. This will open the ARM template in Azure. + 4. If you are deploying to an Azure organization, select the management group you want to monitor from the drop-down menu. Next, enter the subscription ID of the subscription where you want to deploy the VM that will scan your resources. + 5. Copy the `Fleet URL` and `Enrollment Token` that appear in {{kib}} to the corresponding fields in the ARM Template, then click **Review + create**. + 6. (Optional) Change the `Resource Group Name` parameter. Otherwise the name of the resource group defaults to a timestamp prefixed with `cloudbeat-`. + +3. Return to {{kib}} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. 
+ + +## Manual setup [cad-set-up-manual-azure] + +For manual setup, multiple authentication methods are available: + +* Managed identity (recommended) +* Service principal with client secret +* Service principal with client certificate + + +### Option 1: Managed identity (recommended) [cad-azure-managed-identity-setup] + +This method involves creating an Azure VM (or using an existing one), giving it read access to the resources you want to monitor with Cloud Asset Discovery, and installing {{agent}} on it. + +1. Go to the Azure portal to [create a new Azure VM](https://portal.azure.com/#create/Microsoft.VirtualMachine-ARM). +2. Follow the setup process, and make sure you enable **System assigned managed identity** in the **Management** tab. +3. Go to your Azure subscription list and select the subscription or management group you want to monitor with Cloud Asset Discovery. +4. Go to **Access control (IAM)**, and select **Add Role Assignment**. +5. Select the `Reader` function role, assign access to **Managed Identity**, then select your VM. + +After assigning the role: + +1. Return to the **Add Cloud Asset Discovery** page in {{kib}}. +2. In **Configure integration**, select **Azure**. In **Setup access**, select **Manual**. +3. In **Where to add this integration**, select **New hosts**. +4. Click **Save and continue**, then follow the instructions to install {{agent}} on your Azure VM. + +Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. + + +### Option 2: Service principal with client secret [cad-azure-client-secret] + +Before using this method, you must have set up a [Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in). + +1. 
On the **Add Cloud Asset Discovery integration** page, scroll to the **Setup access** section, then select **Manual**. +2. For **Preferred manual method**, select **Service principal with Client Secret**. +3. Go to the **Registered apps** section of [Microsoft Entra ID](https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps). +4. Click on **New Registration**, name your app and click **Register**. +5. Copy your new app’s `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {{kib}}. +6. Return to the Azure portal. Select **Certificates & secrets**, then go to the **Client secrets** tab. Click **New client secret**. +7. Copy the new secret. Paste it into the corresponding field in {{kib}}. +8. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with Cloud Asset Discovery. +9. Go to **Access control (IAM)** and select **Add Role Assignment**. +10. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. +11. Return to the **Add Cloud Asset Discovery integration** page in {{kib}}. +12. In **Where to add this integration**, select **New hosts**. +13. Click **Save and continue**, then follow the instructions to install {{agent}} on your selected host. + +Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. + + +### Option 3: Service principal with client certificate [cad-azure-client-certificate] + +Before using this method, you must have set up a [Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in). + +1. From the **Add Cloud Asset Discovery integration** page, in **Setup access**, select **Manual**. +2. 
For **Preferred manual method**, select **Service principal with client certificate**. +3. Go to the **Registered apps** section of [Microsoft Entra ID](https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps). +4. Click on **New Registration**, name your app and click **Register**. +5. Copy your new app’s `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {{kib}}. +6. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with Cloud Asset Discovery. +7. Go to **Access control (IAM)** and select **Add Role Assignment**. +8. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. + +Next, create a certificate. If you intend to use a password-protected certificate, you must use a pkcs12 certificate. Otherwise, you must use a pem certificate. + +Create a pkcs12 certificate, for example: + +```shell +# Create PEM file +openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes + +# Create pkcs12 bundle using legacy flag (CLI will ask for export password) +openssl pkcs12 -legacy -export -out bundle.p12 -inkey key.pem -in cert.pem +``` + +Create a PEM certificate, for example: + +```shell +# Generate certificate signing request (csr) and key +openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr + +# Generate PEM and self-sign with key +openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out signed.pem + +# Create bundle +cat cert.key > bundle.pem +cat signed.pem >> bundle.pem +``` + +After creating your certificate: + +1. Return to Azure. +2. Navigate to the **Certificates & secrets** menu. Select the **Certificates** tab. +3. Click **Upload certificate**. + + 1. If you’re using a PEM certificate that was created using the example commands above, upload `signed.pem`. + 2. 
If you’re using a pkcs12 certificate that was created using the example commands above, upload `cert.pem`. + +4. Upload the certificate bundle to the VM where you will deploy {{agent}}. + + 1. If you’re using a PEM certificate that was created using the example commands above, upload `bundle.pem`. + 2. If you’re using a pkcs12 certificate that was created using the example commands above, upload `bundle.p12`. + +5. Return to the **Add Cloud Asset Discovery** page in {{kib}}. +6. For **Client Certificate Path**, enter the full path to the certificate that you uploaded to the host where you will install {{agent}}. +7. If you used a pkcs12 certificate, enter its password for **Client Certificate Password**. +8. For **Where to add this integration**, select **New hosts**. +9. Click **Save and continue**, then follow the instructions to install {{agent}} on your selected host. + +Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. diff --git a/solutions/security/cloud/asset-disc-gcp.md b/solutions/security/cloud/asset-disc-gcp.md new file mode 100644 index 0000000000..14fa442752 --- /dev/null +++ b/solutions/security/cloud/asset-disc-gcp.md 
@@ -0,0 +1,201 @@ +--- +applies_to: + stack: preview + serverless: + security: preview +--- + +# Set up Cloud Asset Discovery for GCP + +## Overview [cad-overview-gcp] + +This page explains how to set up the Cloud Asset Discovery integration to inventory assets in GCP. + +## Requirements + +* The user who gives the integration GCP permissions must be a GCP project `admin`. +* The Cloud Asset Discovery integration is available to all {{ecloud}} users. On-premise deployments require an [appropriate subscription](https://www.elastic.co/pricing) level. +* The Cloud Asset Discovery integration is supported only on GCP, not Google Public Sector. To request support, [open a GitHub issue](https://github.com/elastic/kibana/issues/new/choose). + + + + +## Set up Cloud Asset Discovery for GCP [cad-setup-gcp] + +You can set up Cloud Asset Discovery for GCP either by enrolling a single project, or by enrolling an organization containing multiple projects. Either way, you need to first add the integration, then enable cloud account access. + +Two deployment technologies are available: agentless and agent-based. + +* [Agentless deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agentless) allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. +* [Agent-based deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agent-based) requires you to deploy and manage an agent in the cloud account you want to monitor. + +## Agentless deployment [cad-gcp-agentless] + +1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Search for and select `Cloud asset discovery`. +3. Click **Add Cloud Asset Discovery**. +4. Select **GCP**, then either **GCP Organization** to onboard your whole organization, or **Single Project** to onboard an individual account. +5. 
Give your integration a name that matches the purpose or team of the GCP subscription/organization you want to monitor, for example, `dev-gcp-account`. +6. In **Deployment Options**, select **Agentless**. +7. Next, you’ll need to authenticate to GCP. Expand the **Steps to Generate GCP Account Credentials** section, then follow the instructions that appear to automatically create the necessary credentials using Google Cloud Shell. +8. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. + +## Agent-based deployment [cad-gcp-agent-based] + + +### Add the Cloud Asset Discovery integration [cad-add-and-name-integration-gcp] + +1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Search for and select `Cloud asset discovery`. +3. Click **Add Cloud Asset Discovery**. +4. In **Configure integration**, select **GCP**, then either **GCP Organization** (recommended) or **Single Project**. +5. Give your integration a name that matches the purpose or team of the GCP account you want to monitor, for example, `dev-gcp-project`. + + +### Set up cloud account access [cad-set-up-cloud-access-section-gcp] + +::::{note} +To set up Cloud Asset Discovery for a GCP project, you need admin privileges for the project. +:::: + + +For most users, the simplest option is to use a Google Cloud Shell script to automatically provision the necessary resources and permissions in your GCP account. This method, as well as two manual options, are described next on this page. + + +## Cloud Shell script setup (recommended) [cad-set-up-cloudshell] + +1. In **Setup Access**, select **Google Cloud Shell**. Enter your GCP Project ID, and for GCP Organization deployments, your GCP Organization ID. +2. In **Where to add this integration**: + + 1. Select **New Hosts**. + 2. Name the {{agent}} policy. 
Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. + 3. Click **Save and continue**, then **Add {{agent}} to your hosts**. The **Add agent** wizard appears and provides {{agent}} binaries, which you can download and deploy to a VM in your GCP account. + +3. Click **Save and continue**. +4. Copy the command that appears, then click **Launch Google Cloud Shell**. It opens in a new window. +5. Check the box to trust Elastic’s `cloudbeat` repo, then click **Confirm** +6. In Google Cloud Shell, execute the command you copied. Once it finishes, return to {{kib}} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. + +::::{note} +If you encounter any issues running the command, return to {{kib}} and navigate again to Google Cloud Shell. +:::: + + +::::{note} +During Cloud Shell setup, Cloud Asset Discovery adds roles to Google’s default service account, which enables custom role creation and attachment of the service account to a compute instance. After setup, these roles are removed from the service account. If you attempt to delete the deployment but find the deployment manager lacks necessary permissions, consider adding the missing roles to the service account: [Project IAM Admin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIamAdmin), [Role Administrator](https://cloud.google.com/iam/docs/understanding-roles#iam.roleAdmin). +:::: + + + +## Manual authentication (GCP organization) [cad-set-up-manual-gcp-org] + +To authenticate manually to monitor a GCP organization, you’ll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to your integration. 
+ +Use the following commands, after replacing `` with the name of your new service account, `` with your GCP organization’s ID, and `` with the GCP project ID of the project where you want to provision the compute instance that will run Cloud Asset Discovery. + +Create a new service account: + +``` +gcloud iam service-accounts create \ + --description="Elastic agent service account for Cloud Asset Discovery" \ + --display-name="Elastic agent service account for Cloud Asset Discovery" \ + --project= +``` + +Assign the necessary roles to the service account: + +``` +gcloud organizations add-iam-policy-binding \ + --member=serviceAccount:@.iam.gserviceaccount.com \ + --role=roles/cloudasset.viewer + +gcloud organizations add-iam-policy-binding \ + --member=serviceAccount:@.iam.gserviceaccount.com \ + --role=roles/browser +``` + +::::{important} +If running this command results in a warning related to conditions, try running it again with `--condition=None`. +:::: + +::::{note} +The `Cloud Asset Viewer` role grants read access to cloud asset metadata. The `Browser` role grants read access to the project hierarchy. +:::: + + +Download the credentials JSON (first, replace `` with the location where you want to save it): + +``` +gcloud iam service-accounts keys create \ + --iam-account=@.iam.gserviceaccount.com +``` + +Keep the credentials JSON in a secure location; you will need it later. + +Provide credentials to the Cloud Asset Discovery integration: + +1. On the Cloud Asset Discovery integration setup screen in **Setup Access**, select **Manual**. +2. Enter your GCP **Organization ID**. Enter the GCP **Project ID** of the project where you want to provision the compute instance that will run Cloud Asset Discovery. +3. In **Credential**, select **Credentials JSON** and enter the value you generated earlier. +4. In **Where to add this integration**, select **New Hosts**. +5. Name the {{agent}} policy. 
Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. +6. Click **Save and continue**, then follow the instructions to install {{agent}} in your chosen GCP project. + +Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. + + +## Manual authentication (GCP project) [cad-set-up-manual-gcp-project] + +To authenticate manually to monitor an individual GCP project, you’ll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the Cloud Asset Discovery integration. + +Use the following commands, after replacing `` with the name of your new service account, and `` with your GCP project ID. + +Create a new service account: + +``` +gcloud iam service-accounts create \ + --description="Elastic agent service account for Cloud Asset Discovery" \ + --display-name="Elastic agent service account for Cloud Asset Discovery" \ + --project= +``` + +Assign the necessary roles to the service account: + +``` +gcloud projects add-iam-policy-binding \ + --member=serviceAccount:@.iam.gserviceaccount.com \ + --role=roles/cloudasset.viewer + +gcloud projects add-iam-policy-binding \ + --member=serviceAccount:@.iam.gserviceaccount.com \ + --role=roles/browser +``` + +::::{important} +If running this command results in a warning related to conditions, try running it again with `--condition=None`. +:::: + +::::{note} +The `Cloud Asset Viewer` role grants read access to cloud asset metadata. The `Browser` role grants read access to the project hierarchy. +:::: + + +Download the credentials JSON (first, replace `` with the location where you want to save it): + +``` +gcloud iam service-accounts keys create \ + --iam-account=@.iam.gserviceaccount.com +``` + +Keep the credentials JSON in a secure location; you will need it later. 
+ +Provide credentials to the Cloud Asset Discovery integration: + +1. On the Cloud Asset Discovery setup screen in **Setup Access**, select **Manual**. +2. Enter your GCP **Project ID**. +3. For **Credential**, select **Credentials JSON**, and enter the value you generated earlier. +4. For **Where to add this integration**, select **New Hosts**. +5. Name the {{agent}} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. +6. Click **Save and continue**, then follow the instructions to install {{agent}} in your chosen GCP project. + +Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. diff --git a/solutions/security/cloud/asset-disc.md b/solutions/security/cloud/asset-disc.md new file mode 100644 index 0000000000..ed1f6b7024 --- /dev/null +++ b/solutions/security/cloud/asset-disc.md 
@@ -0,0 +1,43 @@ +--- +applies_to: + stack: preview + serverless: + security: preview +--- + +# Cloud Asset Discovery + +The Cloud Asset Discovery integration creates an up-to-date, unified inventory of your cloud resources from AWS, GCP, and Azure. + +This feature currently supports agentless and agent-based deployments on Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. + +For step-by-step getting started guides, refer to the following getting started guides: + +* [Cloud Asset Discovery for AWS](/solutions/security/cloud/asset-disc-aws.md) +* [Cloud Asset Discovery for GCP](/solutions/security/cloud/asset-disc-gcp.md) +* [Cloud Asset Discovery for Azure](/solutions/security/cloud/asset-disc-azure.md). + +## Requirements + +* The Cloud Asset Discovery integration is available to all {{ecloud}} users. On-premise deployments require an [appropriate subscription](https://www.elastic.co/pricing) level. +* Cloud Asset Discovery supports only the AWS, GCP, and Azure commercial cloud platforms. Government cloud platforms are not supported. To request support for other platforms, [open a GitHub issue](https://github.com/elastic/kibana/issues/new/choose). + + +## How Cloud Asset Discovery works [cad-how-it-works] + +Cloud Asset Discovery creates an up-to-date, unified inventory of your cloud resources from AWS, GCP, and Azure. Once you connect your cloud accounts, this integration automatically finds and lists your cloud services and assets, such as: + +* **AWS:** S3 buckets, EC2 instances, EKS clusters, and more. +* **GCP:** Cloud Storage buckets, Compute Engine instances, Kubernetes clusters, and more. +* **Azure:** Virtual Machines, Blob Storage, Azure Kubernetes Service (AKS), and more. + +Using the read-only credentials you will provide during the setup process, it will evaluate the configuration of resources in your environment every 24 hours. After each evaluation, the integration sends findings to Elastic. + + + + + + + + + 
diff --git a/solutions/security/cloud/cloud-native-vulnerability-management.md b/solutions/security/cloud/cloud-native-vulnerability-management.md index 9372846258..cc7e657dbe 100644 --- a/solutions/security/cloud/cloud-native-vulnerability-management.md +++ b/solutions/security/cloud/cloud-native-vulnerability-management.md @@ -23,7 +23,7 @@ CNVM currently only supports AWS EC2 Linux workloads in AWS commercial cloud. AW ::::{admonition} Requirements -* {{stack}} users: {{stack}} version 8.8 or higher and an [Enterprise subscription](https://www.elastic.co/pricing). +* {{stack}} users: {{stack}} version 8.8 or higher and an [appropriate subscription](https://www.elastic.co/pricing). * CNVM only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work. * CNVM can only be deployed on ARM-based VMs. * You need an AWS user account with permissions to perform the following actions: run CloudFormation templates, create IAM Roles and InstanceProfiles, and create EC2 SecurityGroups and Instances. diff --git a/solutions/security/cloud/cloud-security-posture-management.md b/solutions/security/cloud/cloud-security-posture-management.md index 15d1f6e8f4..58d0b8a207 100644 --- a/solutions/security/cloud/cloud-security-posture-management.md +++ b/solutions/security/cloud/cloud-security-posture-management.md 
@@ -15,11 +15,17 @@ products: The Cloud Security Posture Management (CSPM) feature discovers and evaluates the services in your cloud environment — like storage, compute, IAM, and more — against configuration security guidelines defined by the [Center for Internet Security](https://www.cisecurity.org/) (CIS) to help you identify and remediate risks that could undermine the confidentiality, integrity, and availability of your cloud data. -This feature currently supports agentless and agent-based deployments on Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. For step-by-step getting started guides, refer to [Get started with CSPM for AWS](/solutions/security/cloud/get-started-with-cspm-for-aws.md), [Get started with CSPM for GCP](/solutions/security/cloud/get-started-with-cspm-for-gcp.md), or [Get started with CSPM for Azure](/solutions/security/cloud/get-started-with-cspm-for-azure.md). +This feature currently supports agentless and agent-based deployments on Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. + +For step-by-step getting started guides, refer to: + +* [CSPM for AWS](/solutions/security/cloud/get-started-with-cspm-for-aws.md) +* [CSPM for GCP](/solutions/security/cloud/get-started-with-cspm-for-gcp.md) +* [CSPM for Azure](/solutions/security/cloud/get-started-with-cspm-for-azure.md). ::::{admonition} Requirements * Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to [CSPM privilege requirements](/solutions/security/cloud/cspm-privilege-requirements.md). -* The CSPM integration is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing). +* The CSPM integration is available to all {{ecloud}} users. On-premise deployments require an [appropriate subscription](https://www.elastic.co/pricing) level. 
* CSPM supports only the AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. AWS GovCloud is only supported for agent-based deployments — agentless deployments do not work on this platform. Other government cloud platforms are not supported. To request support for other platforms, [open a GitHub issue](https://github.com/elastic/kibana/issues/new/choose). :::: diff --git a/solutions/security/cloud/cnvm-privilege-requirements.md b/solutions/security/cloud/cnvm-privilege-requirements.md index f918bc6a07..ffd0de1f9c 100644 --- a/solutions/security/cloud/cnvm-privilege-requirements.md +++ b/solutions/security/cloud/cnvm-privilege-requirements.md @@ -7,7 +7,7 @@ applies_to: # CNVM privilege requirements [cnvm-required-permissions] -This page lists required privileges for {{elastic-sec}}'s CNVM features. There are three access levels: `read`, `write`, and `manage`. Each access level and its requirements are described below. +This page lists required privileges for {{elastic-sec}}'s CNVM features. There are three access levels: `read`, `write`, and `manage`. Each access level and its requirements are described next on this page. ## Read diff --git a/solutions/security/cloud/cspm-privilege-requirements.md b/solutions/security/cloud/cspm-privilege-requirements.md index 719bfbd26e..4c8d03dea1 100644 --- a/solutions/security/cloud/cspm-privilege-requirements.md +++ b/solutions/security/cloud/cspm-privilege-requirements.md @@ -13,7 +13,7 @@ products: # CSPM privilege requirements -This page lists required privileges for {{elastic-sec}}'s CSPM features. There are three access levels: read, write, and manage. Each access level and its requirements are described below. +This page lists required privileges for {{elastic-sec}}'s CSPM features. There are three access levels: read, write, and manage. Each access level and its requirements are described next on this page. ## Read [_read] 
diff --git a/solutions/security/cloud/get-started-with-cnvm.md b/solutions/security/cloud/get-started-with-cnvm.md index a16e405014..11e84e290f 100644 --- a/solutions/security/cloud/get-started-with-cnvm.md +++ b/solutions/security/cloud/get-started-with-cnvm.md @@ -3,7 +3,7 @@ mapped_pages: - https://www.elastic.co/guide/en/security/current/vuln-management-get-started.html - https://www.elastic.co/guide/en/serverless/current/security-vuln-management-get-started.html applies_to: - stack: all + stack: ga 8.8 serverless: security: all products: @@ -16,18 +16,14 @@ products: This page explains how to set up Cloud Native Vulnerability Management (CNVM). -::::{admonition} Requirements -* {{stack}} users: {{stack}} version 8.8 or higher and an [Enterprise subscription](https://www.elastic.co/pricing). + +## Requirements +* {{stack}} users: {{stack}} version 8.8 or higher and an [appropriate subscription](https://www.elastic.co/pricing) level. * CNVM only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work. * CNVM can only be deployed on ARM-based VMs. * You need an AWS user account with permissions to perform the following actions: run CloudFormation templates, create IAM Roles and InstanceProfiles, and create EC2 SecurityGroups and Instances. * Depending on whether you want to `read`, `write`, or `manage` CNVM data, you need [specific privileges](/solutions/security/cloud/cnvm-privilege-requirements.md). -:::: - - -::::{note} -CNVM currently only supports AWS EC2 Linux workloads (not supported on AWS GovCloud). -:::: +* CNVM is supported only on AWS. AWS GovCloud is not supported. To request support, [open a GitHub ticket](https://github.com/elastic/kibana/issues/new/choose). 
@@ -44,7 +40,7 @@ Do not add the integration to an existing {{agent}} policy. It should always be ### Step 1: Add the CNVM integration [vuln-management-setup-step-1] 1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. Search for **Cloud Native Vulnerability Management**, then click on the result. +2. Search for and select **Cloud Native Vulnerability Management**. 3. Click **Add Cloud Native Vulnerability Management**. 4. Give your integration a name that matches its purpose or the AWS account region you want to scan for vulnerabilities (for example, `uswest2-aws-account`.) diff --git a/solutions/security/cloud/get-started-with-cspm-for-aws.md b/solutions/security/cloud/get-started-with-cspm-for-aws.md index 05aa4444a2..90d39458bf 100644 --- a/solutions/security/cloud/get-started-with-cspm-for-aws.md +++ b/solutions/security/cloud/get-started-with-cspm-for-aws.md 
@@ -15,22 +15,24 @@ products: ## Overview [cspm-overview] -This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. +This page explains how to start monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. -::::{admonition} Requirements +## Requirements * Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to [CSPM privilege requirements](/solutions/security/cloud/cspm-privilege-requirements.md). -* The CSPM integration is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing). +* The CSPM integration is available to all {{ecloud}} users. On-premise deployments require an [appropriate subscription](https://www.elastic.co/pricing) level. * CSPM supports only the AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. AWS GovCloud is only supported for agent-based deployments — agentless deployments do not work on this platform. Other government cloud platforms are not supported. To request support for other platforms, [open a GitHub issue](https://github.com/elastic/kibana/issues/new/choose). * The user who gives the CSPM integration AWS permissions must be an AWS account `admin`. -:::: - ## Set up CSPM for AWS [cspm-setup] -You can set up CSPM for AWS either by enrolling a single cloud account, or by enrolling an organization containing multiple accounts. Either way, first you will add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. [Agentless deployment](/solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-aws-agentless) allows you to collect cloud posture data without having to manage the deployment of {{agent}} in your cloud. 
[Agent-based deployment](/solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-aws-agent-based) requires you to deploy and manage {{agent}} in the cloud account you want to monitor. +You can set up CSPM for AWS either by enrolling a single cloud account, or by enrolling an organization containing multiple accounts. Either way, first you will add the CSPM integration, then enable cloud account access. + +Two deployment technologies are available: agentless and agent-based. +* [Agentless deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agentless) allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. +* [Agent-based deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agent-based) requires you to deploy and manage an agent in the cloud account you want to monitor. ## Agentless deployment [cspm-aws-agentless] 
@@ -44,16 +46,16 @@ You can set up CSPM for AWS either by enrolling a single cloud account, or by en :::{include} _snippets/cspm-namespace.md ::: -7. Under **Deployment options** select **Agentless**. +7. In **Deployment options** select **Agentless**. 8. Next, you’ll need to authenticate to AWS. Two methods are available: - 1. Option 1: Direct access keys/CloudFormation (Recommended). Under **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation. + * Option 1: Direct access keys/CloudFormation (Recommended). For **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation. ::::{note} If you don’t want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**. :::: - 2. Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for [temporary keys](/solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-use-temp-credentials). + * Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for [temporary keys](/solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-use-temp-credentials). 9. Once you’ve selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. 
@@ -78,19 +80,19 @@ You can set up CSPM for AWS either by enrolling a single cloud account, or by en The CSPM integration requires access to AWS’s built-in [`SecurityAudit` IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor) in order to discover and evaluate resources in your cloud account. There are several ways to provide access. -For most use cases, the simplest option is to use AWS CloudFormation to automatically provision the necessary resources and permissions in your AWS account. This method, as well as several manual options, are described below. +For most use cases, the simplest option is to use AWS CloudFormation to automatically provision the necessary resources and permissions in your AWS account. This method, as well as several manual options, are described next on this page. ### CloudFormation (recommended) [cspm-set-up-cloudformation] -1. In the **Add Cloud Security Posture Management (CSPM) integration** menu, under **Setup Access**, select **CloudFormation**. +1. In the **Add Cloud Security Posture Management (CSPM) integration** menu, for **Setup Access**, select **CloudFormation**. 2. In a new browser tab or window, log in as an admin to the AWS account or organization you want to onboard. 3. Return to your {{kib}} tab. Click **Save and continue** at the bottom of the page. 4. Review the information, then click **Launch CloudFormation**. 5. A CloudFormation template appears in a new browser tab. -6. For organization-level deployments only, you must enter the ID of the organizational units where you want to deploy into the CloudFormation template’s `OrganizationalUnitIds` field. You can find organizational unit IDs in the AWS console under **AWS Organizations → AWS Accounts** (under each organization’s name). You can also use this field to specify which accounts in your organization to monitor, and which to skip. +6. 
For organization-level deployments only, you must enter the ID of the organizational units where you want to deploy into the CloudFormation template’s `OrganizationalUnitIds` field. You can find the organizational unit IDs in the AWS console (**AWS Organizations → AWS Accounts**). You can also use this field to specify which accounts in your organization to monitor, and which to skip. 7. (Optional) Switch to the AWS region where you want to deploy using the controls in the upper right corner. -8. Tick the checkbox under **Capabilities** to authorize the creation of necessary resources. +8. Tick the **Capabilities** checkbox to authorize the creation of necessary resources. :::{image} /solutions/images/security-cspm-cloudformation-template.png :alt: The Add permissions screen in AWS @@ -152,7 +154,7 @@ When using manual authentication to onboard at the organization level, you need { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam:::root" + "AWS": "arn:aws:iam:::root" <1> }, "Action": "sts:AssumeRole" }, @@ -167,16 +169,11 @@ When using manual authentication to onboard at the organization level, you need } ``` +1. Replace `` in the trust policy with your AWS account ID. :::: - * The AWS-managed `SecurityAudit` policy. -::::{important} -You must replace `` in the trust policy with your AWS account ID. -:::: - - * Next, for each account you want to scan in the organization, create an IAM role named `cloudbeat-securityaudit` with the following policies: * The AWS-managed `SecurityAudit` policy. @@ -191,7 +188,7 @@ You must replace `` in the trust policy with your AWS acc { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam:::role/cloudbeat-root" + "AWS": "arn:aws:iam:::role/cloudbeat-root" <1> }, "Action": "sts:AssumeRole" } 
@@ -199,18 +196,14 @@ You must replace `` in the trust policy with your AWS acc } ``` -:::: - - -::::{important} -You must replace `` in the trust policy with your AWS account ID. +1. Replace `` in the trust policy with your AWS account ID. :::: After creating the necessary roles, authenticate using one of the manual authentication methods. ::::{important} -When deploying to an organization using any of the authentication methods below, you need to make sure that the credentials you provide grant permission to assume `cloudbeat-root` privileges. +When deploying to an organization using any of the authentication methods on this page, you need to make sure that the credentials you provide grant permission to assume `cloudbeat-root` privileges. :::: @@ -241,8 +234,8 @@ Follow AWS’s [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/lat 1. Create an IAM role: 1. In AWS, go to your IAM dashboard. Click **Roles**, then **Create role**. - 2. On the **Select trusted entity** page, under **Trusted entity type**, select **AWS service**. - 3. Under **Use case**, select **EC2**. Click **Next**. + 2. On the **Select trusted entity** page, in **Trusted entity type**, select **AWS service**. + 3. For **Use case**, select **EC2**. Click **Next**. :::{image} /solutions/images/security-cspm-aws-auth-1.png :alt: The Select trusted entity screen in AWS 
@@ -337,20 +330,20 @@ After providing credentials, [finish manual setup](/solutions/security/cloud/get An IAM role Amazon Resource Name (ARN) is an IAM identity that you can create in your AWS account. You define the role’s permissions. Roles do not have standard long-term credentials such as passwords or access keys. Instead, when you assume a role, it provides temporary security credentials for your session. -To use an IAM role ARN, select **Assume role** under **Preferred manual method**, enter the ARN, and continue to Finish manual setup. +To use an IAM role ARN, select **Assume role** for **Preferred manual method**, enter the ARN, and continue to Finish manual setup. ### Finish manual setup [cspm-finish-manual] -Once you’ve provided AWS credentials, under **Where to add this integration**: +Once you’ve provided AWS credentials, proceed to **Where to add this integration**: -If you want to monitor an AWS account or organization where you have not yet deployed {{agent}}: +To monitor an AWS account or organization where you have not yet deployed {{agent}}: * Select **New Hosts**. * Name the {{agent}} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-aws-account`. * Click **Save and continue**, then **Add {{agent}} to your hosts**. The **Add agent** wizard appears and provides {{agent}} binaries, which you can download and deploy to your AWS account. -If you want to monitor an AWS account or organization where you have already deployed {{agent}}: +To monitor an AWS account or organization where you have already deployed {{agent}}: * Select **Existing hosts**. * Select an agent policy that applies the AWS account you want to monitor. diff --git a/solutions/security/cloud/get-started-with-cspm-for-azure.md b/solutions/security/cloud/get-started-with-cspm-for-azure.md index 6a28a11dbb..30f09bd5a4 100644 --- a/solutions/security/cloud/get-started-with-cspm-for-azure.md 
+++ b/solutions/security/cloud/get-started-with-cspm-for-azure.md 
@@ -17,19 +17,24 @@ products: This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. -::::{admonition} Requirements +## Requirements + * Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to [CSPM privilege requirements](/solutions/security/cloud/cspm-privilege-requirements.md). -* The CSPM integration is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing). -* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. [Click here to request support](https://github.com/elastic/kibana/issues/new/choose). +* The CSPM integration is available to all {{ecloud}} users. On-premise deployments require [appropriate subscription](https://www.elastic.co/pricing) level. +* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. To request support, [open a GitHub ticket](https://github.com/elastic/kibana/issues/new/choose). * The user who gives the CSPM integration permissions in Azure must be an Azure subscription `admin`. -:::: ## Set up CSPM for Azure [cspm-setup-azure] -You can set up CSPM for Azure by by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. [Agentless deployment](/solutions/security/cloud/get-started-with-cspm-for-azure.md#cspm-azure-agentless) allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. 
[Agent-based deployment](/solutions/security/cloud/get-started-with-cspm-for-azure.md#cspm-azure-agent-based) requires you to deploy and manage an agent in the cloud account you want to monitor. +You can set up CSPM for Azure by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access. + +Two deployment technologies are available: agentless and agent-based. + +* [Agentless deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agentless) allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. +* [Agent-based deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agent-based) requires you to deploy and manage an agent in the cloud account you want to monitor. ## Agentless deployment [cspm-azure-agentless] 
@@ -39,14 +44,14 @@ You can set up CSPM for Azure by by enrolling an Azure organization (management 3. Click **Add Cloud Security Posture Management (CSPM)**. 4. Select **Azure**, then either **Azure Organization** to onboard your whole organization, or **Single Subscription** to onboard an individual subscription. 5. Give your integration a name and description that match the purpose or team of the Azure subscription/organization you want to monitor, for example, `dev-azure-account`. -6. (Optional) under **Advanced options**, you can add a `Namespace` to the integration's data stream. +6. (Optional) Expand the **Advanced options** menu and add a `Namespace` to the integration's data stream. :::{include} _snippets/cspm-namespace.md ::: -7. Under **Deployment options**, select **Agentless**. -7. Under **Setup Access**, authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to [Service principal with client secret](/solutions/security/cloud/get-started-with-cspm-for-azure.md#cspm-azure-client-secret). -8. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. +7. For **Deployment options**, select **Agentless**. +8. For **Setup Access**, authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to [Service principal with client secret](/solutions/security/cloud/get-started-with-cspm-for-azure.md#cspm-azure-client-secret). +9. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. ## Agent-based deployment [cspm-azure-agent-based] 
@@ -56,7 +61,7 @@ You can set up CSPM for Azure by by enrolling an Azure organization (management 1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). 2. Search for `CSPM`, then click on the result. 3. Click **Add Cloud Security Posture Management (CSPM)**. -4. Under **Configure integration**, select **Azure**, then select either **Azure Organization** or **Single Subscription**, depending on which resources you want to monitor. +4. In **Configure integration**, select **Azure**, then select either **Azure Organization** or **Single Subscription**, depending on which resources you want to monitor. 5. Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example, `azure-CSPM-dev-1`. 6. (Optional) under **Advanced options**, you can add a `Namespace` to the integration's data stream. @@ -72,7 +77,7 @@ To set up CSPM for an Azure organization or subscription, you will need admin pr :::: -For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below. +For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described on this page. ## ARM template setup (recommended) [cspm-set-up-ARM] 
@@ -82,8 +87,8 @@ If you are deploying to an Azure organization, you need the following permission :::: -1. Under **Setup Access**, select **ARM Template**. -2. Under **Where to add this integration**: +1. For **Setup Access**, select **ARM Template**. +2. In **Where to add this integration**: 1. Select **New Hosts**. 2. Name the {{agent}} policy. Use a name that matches the resources you want to monitor. For example, `azure-dev-policy`. Click **Save and continue**. The **ARM Template deployment** window appears. @@ -109,7 +114,7 @@ For manual setup, multiple authentication methods are available: This method involves creating an Azure VM (or using an existing one), giving it read access to the resources you want to monitor with CSPM, and installing {{agent}} on it. 1. Go to the Azure portal to [create a new Azure VM](https://portal.azure.com/#create/Microsoft.VirtualMachine-ARM). -2. Follow the setup process, and make sure you enable **System assigned managed identity** under the **Management** tab. +2. Follow the setup process, and make sure you enable **System assigned managed identity** in the **Management** tab. 3. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. 4. Go to **Access control (IAM)**, and select **Add Role Assignment**. 5. Select the `Reader` function role, assign access to **Managed Identity**, then select your VM. 
@@ -117,8 +122,8 @@ This method involves creating an Azure VM (or using an existing one), giving it After assigning the role: 1. Return to the **Add CSPM** page in {{kib}}. -2. Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**. -3. Under **Where to add this integration**, select **New hosts**. +2. For **Configure integration**, select **Azure**. For **Setup access**, select **Manual**. +3. For **Where to add this integration**, select **New hosts**. 4. Click **Save and continue**, then follow the instructions to install {{agent}} on your Azure VM. Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. @@ -129,7 +134,7 @@ Wait for the confirmation that {{kib}} received data from your new integration. Before using this method, you must have set up a [Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in). 1. On the **Add Cloud Security Posture Management (CSPM) integration** page, scroll to the **Setup access** section, then select **Manual**. -2. Under **Preferred manual method**, select **Service principal with Client Secret**. +2. For **Preferred manual method**, select **Service principal with Client Secret**. 3. Go to the **Registered apps** section of [Microsoft Entra ID](https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps). 4. Click on **New Registration**, name your app and click **Register**. 5. Copy your new app’s `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {{kib}}. 
@@ -139,7 +144,7 @@ Before using this method, you must have set up a [Microsoft Entra application an 9. Go to **Access control (IAM)** and select **Add Role Assignment**. 10. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. 11. Return to the **Add CSPM** page in {{kib}}. -12. Under **Where to add this integration**, select **New hosts**. +12. For **Where to add this integration**, select **New hosts**. 13. Click **Save and continue**, then follow the instructions to install {{agent}} on your selected host. Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. @@ -149,8 +154,8 @@ Wait for the confirmation that {{kib}} received data from your new integration. Before using this method, you must have set up a [Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in). -1. On the **Add Cloud Security Posture Management (CSPM) integration** page, under **Setup access**, select **Manual**. -2. Under **Preferred manual method**, select **Service principal with client certificate**. +1. On the **Add Cloud Security Posture Management (CSPM) integration** page, for **Setup access**, select **Manual**. +2. For **Preferred manual method**, select **Service principal with client certificate**. 3. Go to the **Registered apps** section of [Microsoft Entra ID](https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps). 4. Click on **New Registration**, name your app and click **Register**. 5. Copy your new app’s `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {{kib}}. 
@@ -200,8 +205,8 @@ After creating your certificate: 5. Return to the **Add CSPM** page in {{kib}}. 6. For **Client Certificate Path**, enter the full path to the certificate that you uploaded to the host where you will install {{agent}}. -7. If you used a pkcs12 certificate, enter its password under **Client Certificate Password**. -8. Under **Where to add this integration**, select **New hosts**. +7. If you used a pkcs12 certificate, enter its password in **Client Certificate Password**. +8. For **Where to add this integration**, select **New hosts**. 9. Click **Save and continue**, then follow the instructions to install {{agent}} on your selected host. Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. diff --git a/solutions/security/cloud/get-started-with-cspm-for-gcp.md b/solutions/security/cloud/get-started-with-cspm-for-gcp.md index a7e0671425..8a0e26c215 100644 --- a/solutions/security/cloud/get-started-with-cspm-for-gcp.md +++ b/solutions/security/cloud/get-started-with-cspm-for-gcp.md 
@@ -17,19 +17,23 @@ products: This page explains how to get started monitoring the security posture of your GCP cloud assets using the Cloud Security Posture Management (CSPM) feature. -::::{admonition} Requirements +## Requirements + * Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to [CSPM privilege requirements](/solutions/security/cloud/cspm-privilege-requirements.md). -* The CSPM integration is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing). -* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. [Click here to request support](https://github.com/elastic/kibana/issues/new/choose). +* The CSPM integration is available to all {{ecloud}} users. On-premise deployments require an [appropriate subscription](https://www.elastic.co/pricing) level. +* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. To request support [open a GitHub issue](https://github.com/elastic/kibana/issues/new/choose). * The user who gives the CSPM integration GCP permissions must be a GCP project `admin`. -:::: - ## Set up CSPM for GCP [cspm-setup-gcp] -You can set up CSPM for GCP either by enrolling a single project, or by enrolling an organization containing multiple projects. Either way, you need to first add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. [Agentless deployment](/solutions/security/cloud/get-started-with-cspm-for-gcp.md#cspm-gcp-agentless) allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. 
[Agent-based deployment](/solutions/security/cloud/get-started-with-cspm-for-gcp.md#cspm-gcp-agent-based) requires you to deploy and manage an agent in the cloud account you want to monitor. +You can set up CSPM for GCP either by enrolling a single project, or by enrolling an organization containing multiple projects. Either way, you need to first add the CSPM integration, then enable cloud account access. + +Two deployment technologies are available: agentless and agent-based. + +* [Agentless deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agentless) allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. +* [Agent-based deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agent-based) requires you to deploy and manage an agent in the cloud account you want to monitor. ## Agentless deployment [cspm-gcp-agentless] 
@@ -39,11 +43,12 @@ You can set up CSPM for GCP either by enrolling a single project, or by enrollin 3. Click **Add Cloud Security Posture Management (CSPM)**. 4. Under **Configure integration**, select **GCP**, then either **GCP Organization** to onboard your whole organization, or **Single Project** to onboard an individual account. 5. Give your integration a name and description that match the purpose or team of the GCP subscription/organization you want to monitor, for example, `dev-gcp-account`. -6. (Optional) under **Advanced options**, you can add a `Namespace` to the integration's data stream. +6. (Optional) Expand **Advanced options** and add a `Namespace` to the integration's data stream. :::{include} _snippets/cspm-namespace.md ::: -7. Under **Deployment Options**, select **Agentless**. + +7. For **Deployment options**, select **Agentless**. 8. Next, you’ll need to authenticate to GCP. Expand the **Steps to Generate GCP Account Credentials** section, then follow the instructions that appear to automatically create the necessary credentials using Google Cloud Shell. 9. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. 
@@ -55,12 +60,12 @@ You can set up CSPM for GCP either by enrolling a single project, or by enrollin 1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). 2. Search for `CSPM`, then click on the result. 3. Click **Add Cloud Security Posture Management (CSPM)**. -4. Under **Configure integration**, select **GCP**, then either **GCP Organization** to onboard your whole organization, or **Single Project** to onboard an individual account. +4. For **Configure integration**, select **GCP**, then either **GCP Organization** to onboard your whole organization, or **Single Project** to onboard an individual account. 5. Give your integration a name and description that match the purpose or team of the GCP account you want to monitor, for example, `dev-gcp-project`. -6. (Optional) under **Advanced options**, you can add a `Namespace` to the integration's data stream. +6. (Optional) Expand the **Advanced options** menu and add a `Namespace` to the integration's data stream. -:::{include} _snippets/cspm-namespace.md -::: +::::{include} _snippets/cspm-namespace.md +:::: 7. Under **Deployment options** select **Agent-based**. 
@@ -71,13 +76,13 @@ To set up CSPM for a GCP project, you need admin privileges for the project. :::: -For most users, the simplest option is to use a Google Cloud Shell script to automatically provision the necessary resources and permissions in your GCP account. This method, as well as two manual options, are described below. +For most users, the simplest option is to use a Google Cloud Shell script to automatically provision the necessary resources and permissions in your GCP account. This method, as well as two manual options, are described next on this page. ## Cloud Shell script setup (recommended) [cspm-set-up-cloudshell] -1. Under **Setup Access**, select **Google Cloud Shell**. Enter your GCP Project ID, and for GCP Organization deployments, your GCP Organization ID. -2. Under **Where to add this integration**: +1. For **Setup Access**, select **Google Cloud Shell**. Enter your GCP Project ID, and for GCP Organization deployments, your GCP Organization ID. +2. In **Where to add this integration**: 1. Select **New Hosts**. 2. Name the {{agent}} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. 
@@ -151,10 +156,10 @@ Keep the credentials JSON in a secure location; you will need it later. Provide credentials to the CSPM integration: -1. On the CSPM setup screen under **Setup Access**, select **Manual**. +1. On the CSPM setup screen, for **Setup Access**, select **Manual**. 2. Enter your GCP **Organization ID**. Enter the GCP **Project ID** of the project where you want to provision the compute instance that will run CSPM. 3. Select **Credentials JSON**, and enter the value you generated earlier. -4. Under **Where to add this integration**, select **New Hosts**. +4. For **Where to add this integration**, select **New Hosts**. 5. Name the {{agent}} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. 6. Click **Save and continue**, then follow the instructions to install {{agent}} in your chosen GCP project. @@ -208,10 +213,10 @@ Keep the credentials JSON in a secure location; you will need it later. Provide credentials to the CSPM integration: -1. On the CSPM setup screen under **Setup Access**, select **Manual**. +1. On the CSPM setup screen, for **Setup Access**, select **Manual**. 2. Enter your GCP **Project ID**. 3. Select **Credentials JSON**, and enter the value you generated earlier. -4. Under **Where to add this integration**, select **New Hosts**. +4. For **Where to add this integration**, select **New Hosts**. 5. Name the {{agent}} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. 6. Click **Save and continue**, then follow the instructions to install {{agent}} in your chosen GCP project. diff --git a/solutions/security/cloud/get-started-with-kspm.md b/solutions/security/cloud/get-started-with-kspm.md index 1a71506780..fdd750b8ee 100644 --- a/solutions/security/cloud/get-started-with-kspm.md +++ b/solutions/security/cloud/get-started-with-kspm.md 
@@ -15,8 +15,9 @@ products: This page explains how to configure the Kubernetes Security Posture Management (KSPM) integration. -::::{admonition} Requirements -* The KSPM integration is available to all Elastic Cloud users. For on-prem deployments, it requires an [Enterprise subscription](https://www.elastic.co/pricing). +## Requirements + +* The KSPM integration is available to all Elastic Cloud users. For on-prem deployments, it requires an [appropriate subscription](https://www.elastic.co/pricing) level. * The KSPM integration only works in the `Default` Kibana space. Installing the KSPM integration on a different Kibana space will not work. * KSPM is not supported on EKS clusters in AWS GovCloud. [Click here to request support](https://github.com/elastic/kibana/issues/new/choose). * To view posture data, ensure you have the `read` privilege for the following {{es}} indices: @@ -25,9 +26,7 @@ This page explains how to configure the Kubernetes Security Posture Management ( * `logs-cloud_security_posture.scores-*` * `logs-cloud_security_posture.findings` - -:::: - +## Setup options The instructions differ depending on whether you’re installing on EKS or on unmanaged clusters. diff --git a/solutions/security/cloud/kubernetes-security-posture-management.md b/solutions/security/cloud/kubernetes-security-posture-management.md index e37b977ee6..d5c223b3c9 100644 --- a/solutions/security/cloud/kubernetes-security-posture-management.md +++ b/solutions/security/cloud/kubernetes-security-posture-management.md 
@@ -27,11 +27,12 @@ The Kubernetes Security Posture Management (KSPM) integration allows you to iden This integration supports Amazon EKS and unmanaged Kubernetes clusters. For setup instructions, refer to [Get started with KSPM](/solutions/security/cloud/get-started-with-kspm.md). -::::{admonition} Requirements -* The KSPM integration is available to all Elastic Cloud users. For on-prem deployments, it requires an [Enterprise subscription](https://www.elastic.co/pricing). -* KSPM is not supported on EKS clusters in AWS GovCloud. [Click here to request support](https://github.com/elastic/kibana/issues/new/choose). -:::: +## Requirements + +* The KSPM integration is available to all Elastic Cloud users. For on-prem deployments, it requires an [appropriate subscription](https://www.elastic.co/pricing) level. +* KSPM for AWS deployments is supported only on AWS, not on AWS GovCloud. To request support, [submit a GitHub issue](https://github.com/elastic/kibana/issues/new/choose). + diff --git a/solutions/security/get-started/agentless-integrations.md b/solutions/security/get-started/agentless-integrations.md index 1dfc75a3c3..db6a53325f 100644 --- a/solutions/security/get-started/agentless-integrations.md +++ b/solutions/security/get-started/agentless-integrations.md 
@@ -35,18 +35,20 @@ Agentless deployment for the following integrations is in beta and is subject to :::: 1. AbuseCH -2. CrowdStrike -3. Google SecOps -4. Google Security Command Center -5. Google Workspace -6. Microsoft 365 Defender -7. Microsoft Defender for Endpoint -8. Microsoft Sentinel -9. Okta -10. Qualys VMDR -11. SentinelOne -12. Tenable IO -13. Wiz -14. Zscaler ZIA +2. Cloud Asset Discovery +3. CrowdStrike +4. Google SecOps +5. Google Security Command Center +6. Google Workspace +7. Microsoft 365 Defender +8. Microsoft Defender for Endpoint +9. Microsoft Sentinel +10. Okta +11. Qualys VMDR +12. SentinelOne +13. Tenable IO +14. Wiz +15. Zscaler ZIA + To learn more about these integrations and find setup guides, refer to [Elastic integrations](https://docs.elastic.co/en/integrations/). \ No newline at end of file diff --git a/solutions/toc.yml b/solutions/toc.yml index 96992b0b73..bea47b966d 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml @@ -614,6 +614,11 @@ toc: - file: security/cloud/kspm-benchmarks.md - file: security/cloud/kspm-dashboard.md - file: security/cloud/kspm-frequently-asked-questions.md + - file: security/cloud/asset-disc.md + children: + - file: security/cloud/asset-disc-aws.md + - file: security/cloud/asset-disc-gcp.md + - file: security/cloud/asset-disc-azure.md - file: security/cloud/cloud-native-vulnerability-management.md children: - file: security/cloud/get-started-with-cnvm.md
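Review bot: in the get-started-with-cspm-for-azure.md hunk at `@@ -17,19 +17,24 @@`, the two new deployment bullets link to the Cloud Asset Discovery page (`/solutions/security/cloud/asset-disc-azure.md#cad-azure-agentless` and `#cad-azure-agent-based`) even though this is the CSPM page and its own sections are still anchored `[cspm-azure-agentless]` and `[cspm-azure-agent-based]` in the surrounding context. This looks like a copy from the new asset-disc pages; the links should stay on this page, as the removed lines had them: `/solutions/security/cloud/get-started-with-cspm-for-azure.md#cspm-azure-agentless` and `/solutions/security/cloud/get-started-with-cspm-for-azure.md#cspm-azure-agent-based`.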
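Review bot: in the get-started-with-cspm-for-gcp.md hunk at `@@ -17,19 +17,23 @@`, the new deployment bullets point readers at the Azure asset discovery page (`asset-disc-azure.md#cad-azure-agentless`, `#cad-azure-agent-based`), which is wrong twice over: wrong product and wrong cloud. The removed lines had the correct targets, and the context line `## Agentless deployment [cspm-gcp-agentless]` confirms the anchors still exist; restore `/solutions/security/cloud/get-started-with-cspm-for-gcp.md#cspm-gcp-agentless` and `/solutions/security/cloud/get-started-with-cspm-for-gcp.md#cspm-gcp-agent-based`.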
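Review bot: in the Azure requirements hunk (`@@ -17,19 +17,24 @@`), the added bullet reads "On-premise deployments require [appropriate subscription](...) level." and is missing the article; the GCP counterpart in the same patch says "require an [appropriate subscription](...) level." Use the same wording in both. The "To request support, [open a GitHub ticket]" phrasing here also differs from "[open a GitHub issue]" (GCP) and "[submit a GitHub issue]" (KSPM overview) elsewhere in the patch; pick one, "open a GitHub issue" matches GitHub's own terminology.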
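Review bot: in the Azure agent-based hunk at `@@ -56,7 +61,7 @@`, step 4 changes "Under **Configure integration**" to "In **Configure integration**", while the same label in the `@@ -117,8 +122,8 @@` hunk becomes "For **Configure integration**", and the rest of the patch standardizes on "For". Step 6 in this hunk is also left with the old form "(Optional) under **Advanced options**, you can add a `Namespace`..." while the agentless hunk above rewrites it to "(Optional) Expand the **Advanced options** menu and add a `Namespace`...". Align both lines with the wording chosen for the agentless steps so the two procedures read the same.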
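Review bot: in the GCP agent-based hunk at `@@ -55,12 +60,12 @@`, the include directive is changed from `:::{include} _snippets/cspm-namespace.md` / `:::` to the four-colon form `::::{include}` / `::::`, while the agentless hunk just above keeps three colons for the identical include. Unless the nesting depth actually differs here, keep the three-colon form so both render the same. The untouched step 7 in this hunk ("Under **Deployment options** select **Agent-based**.") also still uses "Under" and lacks the comma the other steps have; "For **Deployment options**, select **Agent-based**." matches the agentless step rewritten in the previous hunk. Finally, "Expand the **Advanced options** menu" here versus "Expand **Advanced options**" in the agentless hunk should be one or the other.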
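Review bot: in the GCP requirements hunk (`@@ -17,19 +17,23 @@`), "To request support [open a GitHub issue](...)" needs a comma after "support", as the Azure and KSPM hunks have it. Also, "(Optional) under **Advanced options**, you can add" is replaced in the agentless steps of this file but the Cloud Shell heading a few hunks down still says "Enter your GCP Project ID, and for GCP Organization deployments, your GCP Organization ID." with an unchanged numbered sub-list; nothing wrong there, just confirm the sub-list indentation survives the "Under" to "In" edit in `@@ -71,13 +76,13 @@`.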
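Review bot: in the kubernetes-security-posture-management.md hunk (`@@ -27,11 +27,12 @@`), the rewritten bullet "KSPM for AWS deployments is supported only on AWS, not on AWS GovCloud." both reads awkwardly and drops the EKS qualifier that the removed line carried ("KSPM is not supported on EKS clusters in AWS GovCloud"), so it now states a broader restriction than the get-started page in the same patch, which keeps the original sentence. Suggest the overview use the same sentence as get-started-with-kspm.md: `* KSPM is not supported on EKS clusters in AWS GovCloud. To request support, [open a GitHub issue](https://github.com/elastic/kibana/issues/new/choose).` The hunk also adds a trailing empty `+` line after the list; drop it to avoid a double blank line before the next section.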
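Review bot: in the get-started-with-kspm.md hunks, the GovCloud bullet still says "[Click here to request support]" while every other requirements list in this patch was changed to a descriptive link ("To request support, [open a GitHub issue]"); update it here too, since "Click here" link text is the pattern the rest of the patch removes. In the second hunk (`@@ -25,9 +26,7 @@`), the new `## Setup options` heading replaces the admonition closer; make sure a blank line separates the heading from the "The instructions differ depending on..." paragraph that follows, as the run-together context makes it hard to tell whether one survived.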
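Review bot: in the agentless-integrations.md hunk (`@@ -35,18 +35,20 @@`), the renumbering to insert "Cloud Asset Discovery" is correct, but the added empty `+` line after item 15 introduces a second blank line before the "To learn more..." paragraph, and the file still ends with `\ No newline at end of file`. Remove the extra blank line and add the terminating newline while the file is being touched.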
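Review bot: in the get-started-with-cspm.md hunk (`@@ -337,20 +330,20 @@`), the unchanged context line "Select an agent policy that applies the AWS account you want to monitor." is missing a preposition; since the surrounding lines are being reworded anyway, change it to "Select an agent policy that applies to the AWS account you want to monitor." Likewise, in the Azure client-certificate hunk (`@@ -200,8 +205,8 @@`), "If you used a pkcs12 certificate" should be written "PKCS#12" to match the standard's name.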