Cloud connector deployment guides (elastic#3355)

Fixes elastic#2891 by creating documentation for the new technical preview
deployment method for the CSPM and Asset Discovery security
integrations. This deployment method provides secure-by-default,
reusable deployment for cloud service provider (Azure, AWS, GCP)
integrations by handling authentication behind the scenes. It uses a
different method for each CSP.

The current phase (phase 1) only supports Azure and AWS, and only for
the CSPM and Asset Discovery integrations

Author: benironside

solutions/security/cloud/asset-disc-aws.md

@@ -36,15 +36,23 @@ Two deployment technologies are available: agentless and agent-based.
 4. Select **AWS**, then either **AWS Organization** to onboard multiple accounts, or **Single Account** to onboard an individual account.
 5. Give your integration a name that matches the purpose or team of the AWS account/organization you want to monitor, for example, `dev-aws-account`.
 6. In **Deployment options**, select **Agentless**.
-7. Next, you’ll need to authenticate to AWS. Two methods are available:
+7. Next, you’ll need to authenticate to AWS. The following methods are available:
 
-    * Option 1: Direct access keys/CloudFormation (Recommended). For **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation.
+    * Option 1: Cloud connector (recommended). {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` 
+      * To use a pre-existing cloud connector for this deployment, select it under **Existing connection**. 
+      * To use a new cloud connector: under **New connection**, expand the **Steps to assume role** section. Complete the instructions to generate a `Role ARN` and `External ID`; enter them in {{kib}}.
+
+      ::::{important}
+      In order to use cloud connector for an AWS integration, your {{kib}} instance must be hosted on AWS. In other words, you must have chosen AWS hosting during {{kib}} setup.
+      ::::
+
+    * Option 2: Direct access keys/CloudFormation. For **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation.
 
        ::::{note}
        If you don’t want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**.
        ::::
 
-    * Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for [temporary keys](/solutions/security/cloud/asset-disc-aws.md#cad-aws-temp-credentials).
+    * Option 3: Temporary keys. To authenticate using temporary keys, refer to the instructions for [temporary keys](/solutions/security/cloud/asset-disc-aws.md#cad-aws-temp-credentials).
 
 8. Once you’ve selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes.
 

solutions/security/cloud/asset-disc-azure.md

@@ -38,7 +38,12 @@ Two deployment technologies are available: agentless and agent-based.
 4. Select **Azure**, then either **Azure Organization** to onboard your whole organization, or **Single Subscription** to onboard an individual subscription.
 5. Give your integration a name that matches the purpose or team of the Azure subscription/organization you want to monitor, for example, `dev-azure-account`.
 6. In **Deployment options**, select **Agentless**.
-7. Next, you’ll need to authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to [Service principal with client secret](/solutions/security/cloud/asset-disc-azure.md#cad-azure-client-secret).
+7. Next, you’ll need to authenticate to Azure. The following methods are available:
+    
+    * Option 1: Cloud connector (recommended). {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview`  
+      Under **New connection**, expand the **Steps to create Managed User Identity in Azure** section. Complete the instructions to generate a `Client ID`, `Tenant ID`, and `Cloud Connector ID`, then enter them in {{kib}}.
+    
+    * Option 2: Azure Client ID with Client Secret. Provide a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to [Service principal with client secret](/solutions/security/cloud/asset-disc-azure.md#cad-azure-client-secret).
 8. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes.
 
 ## Agent-based deployment [cad-azure-agent-based]

solutions/security/cloud/get-started-with-cspm-for-aws.md

@@ -47,15 +47,23 @@ Two deployment technologies are available: agentless and agent-based.
 :::
 
 7. In **Deployment options** select **Agentless**.
-8. Next, you’ll need to authenticate to AWS. Two methods are available:
+8. Next, you’ll need to authenticate to AWS. The following methods are available:
 
-    * Option 1: Direct access keys/CloudFormation (Recommended). For **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation.
+    * Option 1: Cloud connector (recommended). {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` 
+      * To use a pre-existing cloud connector for this deployment, select it under **Existing connection**. 
+      * To use a new cloud connector: under **New connection**, expand the **Steps to assume role** section. Complete the instructions to generate a `Role ARN` and `External ID`; enter them in {{kib}}.
+
+      ::::{important}
+      In order to use cloud connector for an AWS integration, your {{kib}} instance must be hosted on AWS. In other words, you must have chosen AWS hosting during {{kib}} setup.
+      ::::
+
+    * Option 2: Direct access keys/CloudFormation. For **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the instructions to automatically create the necessary credentials using CloudFormation.
 
        ::::{note}
        If you don’t want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**.
        ::::
 
-    * Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for [temporary keys](/solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-use-temp-credentials).
+    * Option 3: Temporary keys. To authenticate using temporary keys, refer to the instructions for [temporary keys](/solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-use-temp-credentials).
 
 9. Once you’ve selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes.
 

solutions/security/cloud/get-started-with-cspm-for-azure.md

@@ -31,7 +31,7 @@ This page explains how to get started monitoring the security posture of your cl
 
 You can set up CSPM for Azure by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access. 
 
-Two deployment technologies are available: agentless and agent-based. 
+The following deployment technologies are available: agentless and agent-based. 
 
 * [Agentless deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agentless) allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. 
 * [Agent-based deployment](/solutions/security/cloud/asset-disc-azure.md#cad-azure-agent-based) requires you to deploy and manage an agent in the cloud account you want to monitor.
@@ -50,7 +50,14 @@ Two deployment technologies are available: agentless and agent-based.
 :::
 
 7. For **Deployment options**, select **Agentless**.
-8. For **Setup Access**, authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to [Service principal with client secret](/solutions/security/cloud/get-started-with-cspm-for-azure.md#cspm-azure-client-secret).
+8. Next, you’ll need to authenticate to Azure. The following methods are available:
+    
+    * Option 1: Cloud connector (recommended). {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview`  
+      Under **New connection**, expand the **Steps to create Managed User Identity in Azure** section. Complete the instructions to generate a `Client ID`, `Tenant ID`, and `Cloud Connector ID`, then enter them in {{kib}}.
+    
+    * Option 2: Azure Client ID with Client Secret. Provide a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to [Service principal with client secret](/solutions/security/cloud/get-started-with-cspm-for-azure.md#cspm-azure-client-secret).
+
+
 9. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes.
 
 ## Agent-based deployment [cspm-azure-agent-based]

solutions/security/get-started/cloud-connector-deployment.md

@@ -0,0 +1,24 @@
+---
+navigation_title: Cloud connector authentication for agentless
+applies_to:
+  stack: preview 9.2
+  serverless:
+    security: preview
+---
+
+# Authenticate agentless integrations using cloud connectors
+
+Cloud connector authentication for agentless integrations reduces the administrative burden of authentating to third-party cloud service providers by eliminating the need to keep track of credentials such as API keys or passwords. Cloud connectors provide a reusable, secure-by-default means of authentication, helping you to manage deployments with many integrations collecting data from multiple cloud security providers. 
+
+## Where is cloud connector authentication supported?
+
+At the current stage of this technical preview, a limited selection of cloud providers and integrations are supported.
+
+You can use cloud connector deployment to authenticate with AWS and Azure while deploying either Elastic's Cloud Security Posture Management (CSPM) or Asset Discovery integration. For deployment instructions, refer to:
+
+- Asset Discovery: [Asset Discovery on Azure](/solutions/security/cloud/asset-disc-azure.md); [Asset Discovery on AWS](/solutions/security/cloud/asset-disc-aws.md)
+- CSPM: [CSPM on Azure](/solutions/security/cloud/get-started-with-cspm-for-azure.md); [CSPM on AWS](/solutions/security/cloud/get-started-with-cspm-for-aws.md)
+
+::::{important}
+In order to use cloud connector for an AWS integration, your {{kib}} instance must be hosted on AWS. In other words, you must have chosen AWS hosting during {{kib}} setup.
+::::

solutions/toc.yml

@@ -531,7 +531,9 @@ toc:
               - file: security/get-started/automatic-import.md
               - file: security/get-started/content-connectors.md
               - file: security/get-started/agentless-integrations.md
-              - file: security/get-started/agentless-integrations-faq.md
+                children:
+                  - file: security/get-started/cloud-connector-deployment.md
+                  - file: security/get-started/agentless-integrations-faq.md
           - file: security/get-started/spaces-elastic-security.md
             children:
               - file: security/get-started/spaces-defend-faq.md