Azure Account Connection Overview

Before Aqua CSPM can produce any security scan results, you must connect a cloud account. For Azure, this is done through the use of an application. An application is an entity that can be assumed by a third-party and secured to only access resources in a scope. The applications created here will be scoped to a subscription and have read-only access to Azure resources.

Default Setup

Step 1: Navigate to the "Cloud Accounts" page

  • Click on Connect Account on the top right

Step 2: Choose Microsoft Azure under "Account Type" and Default Setup under "Method"

Step 3: Create a new application in the Azure portal

  1. Log into your Azure Portal and navigate to the Azure Active Directory service.
  2. Select App registrations and then select New registration.
  3. Enter "Aqua" or a descriptive name in the "Name" field and take note of it; it will be used again.
  4. Leave the "Supported account types" default: "Accounts in this organizational directory only (your directory name).
  5. Click on Register.
  6. Paste the Application ID of the newly created application in the Aqua connection wizard.
  7. Copy the Directory(tenant) ID of the application and paste it in the Aqua connection wizard

Step 4: Create a client secret

  1. Enter the newly created application.
  2. Select the Certificates & secrets blade.
  3. Under Client secrets, select New client secret.
  4. Enter a description (i.e. Aqua-2020) and select Expires "Never"
  5. Click on Add.
  6. The client secret value will only be visible once, copy and paste it in the Aqua connection wizard.

Step 5: Retrieve the Subscription ID and add a role assignment to the application

  1. Navigate to Subscriptions.
  2. Click on the relevant Subscription ID, copy and paste the ID in the Aqua connection wizard.
  3. Select Access Control (IAM).
  4. Click on Add under "Add Role Assignment" on the right side
  5. In the "Role" drop-down, select Security Reader.
  6. Leave the "Assign access to" default value.
  7. In the "Select" drop-down, type the name of the app registration (e.g. "Aqua") you created and select it.
  8. Save the role assignment.
  9. Repeat the process for the role "Log Analytics Reader"

Bulk Upload

Step 1: Navigate to the "Cloud Accounts" page

  • Click on Connect Account on the top right

Step 2: Choose Azure under "Account Type" and Bulk Upload under "Method"

Step 3: Download the CSV template file

Step 4: Use the Manual Setup steps to create an application and connect it to all your subscriptions

Step 5: For each subscription you connect, add the subscription ID, Application ID and Key Value to the CSV

  • Add a maximum of 50 Azure subscriptions

Step 6: Drop the completed CSV file onto the Aqua connection wizard and select Connect Accounts