Azure Account Connection Overview
Before Aqua CSPM can produce any security scan results, you must connect a cloud account. For Azure, this is done through an application (an app registration). An application is an identity that a third party can assume and that is restricted to accessing resources within a defined scope. The applications created here will be scoped to a single subscription and have read-only access to Azure resources.
Default Setup
Step 1: Navigate to the "Cloud Accounts" page
- Click on Connect Account on the top right
Step 2: Choose Microsoft Azure under "Account Type" and Default Setup under "Method"
Step 3: Create a new application in the Azure portal
- Log into your Azure Portal and navigate to the Azure Active Directory service.
- Select App registrations and then select New registration.
- Enter "Aqua" or a descriptive name in the "Name" field and take note of it; it will be used again.
- Leave the "Supported account types" default: "Accounts in this organizational directory only (your directory name)".
- Click on Register.
- Copy the Application ID of the newly created application and paste it into the Aqua connection wizard.
- Copy the Directory (tenant) ID of the application and paste it into the Aqua connection wizard.
Step 4: Create a client secret
- Enter the newly created application.
- Select the Certificates & secrets blade.
- Under Client secrets, select New client secret.
- Enter a description (e.g. Aqua-2020) and select Expires "Never".
- Click on Add.
- The client secret value is shown only once; copy it and paste it into the Aqua connection wizard.
Step 5: Retrieve the Subscription ID and add a role assignment to the application
- Navigate to Subscriptions.
- Click on the relevant subscription, then copy its Subscription ID and paste it into the Aqua connection wizard.
- Select Access Control (IAM).
- Click on Add under "Add Role Assignment" on the right side.
- In the "Role" drop-down, select Security Reader.
- Leave the "Assign access to" default value.
- In the "Select" drop-down, type the name of the app registration (e.g. "Aqua") you created and select it.
- Save the role assignment.
- Repeat the process for the role "Log Analytics Reader".
Bulk Upload
Step 1: Navigate to the "Cloud Accounts" page
- Click on Connect Account on the top right
Step 2: Choose Azure under "Account Type" and Bulk Upload under "Method"
Step 3: Download the CSV template file
Step 4: Use the Manual Setup steps to create an application and connect it to all your subscriptions.
Step 5: For each subscription you connect, add the Subscription ID, Application ID and Key Value to the CSV.
Add a maximum of 50 Azure subscriptions.
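The same registration, secret and role-assignment steps (Default Setup, steps 3 to 5) and the per-subscription CSV rows (Bulk Upload, step 5) can be scripted with the Azure CLI. This is an added example, not Aqua's own tooling; it assumes you are already logged in with `az login` and hold rights to create app registrations and role assignments, and it assumes the CSV column order subscription ID, Application ID, Key Value (check the downloaded template before uploading).

```shell
#!/bin/sh
# Scripted equivalent of the portal walkthrough above (Azure CLI `az`).
set -eu

# Roles the walkthrough assigns; both are read-only.
AQUA_ROLES="Security Reader
Log Analytics Reader"

# Create the app registration plus its service principal (the portal creates
# the principal implicitly). Prints "<Application ID> <Directory (tenant) ID>".
aqua_create_app() {
  app_id=$(az ad app create --display-name "$1" --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  tenant_id=$(az account show --query tenantId -o tsv)
  printf '%s %s\n' "$app_id" "$tenant_id"
}

# Create a client secret (portal: Certificates & secrets). The walkthrough
# selects "Never"; a 1-year expiry is used here so a leaked secret ages out.
aqua_create_secret() {
  az ad app credential reset --id "$1" --years 1 --query password -o tsv
}

# Scope both read-only roles to exactly one subscription (portal: IAM > Add).
aqua_assign_roles() {
  app_id="$1"; sub_id="$2"
  printf '%s\n' "$AQUA_ROLES" | while IFS= read -r role; do
    az role assignment create --assignee "$app_id" --role "$role" \
      --scope "/subscriptions/$sub_id" >/dev/null
  done
}

# One Bulk Upload CSV row (assumed column order: subscription, app ID, key).
aqua_csv_row() { printf '%s,%s,%s\n' "$1" "$2" "$3"; }

# Bulk Upload accepts at most 50 subscriptions per CSV.
aqua_check_count() { [ "$1" -le 50 ]; }

# Usage: sh connect_aqua.sh <app-name> <subscription-id>...
if [ "$#" -ge 2 ]; then
  aqua_check_count $(($# - 1)) || { echo "max 50 subscriptions" >&2; exit 1; }
  ids=$(aqua_create_app "$1"); shift
  APP_ID=${ids% *}; TENANT_ID=${ids#* }
  SECRET=$(aqua_create_secret "$APP_ID")
  echo "Application ID: $APP_ID  Directory (tenant) ID: $TENANT_ID"
  for SUB in "$@"; do
    aqua_assign_roles "$APP_ID" "$SUB"
    aqua_csv_row "$SUB" "$APP_ID" "$SECRET" >> aqua-bulk.csv
  done
fi
```

The generated `aqua-bulk.csv` holds the client secret in clear text, so treat it like the secret itself and delete it once the upload is done.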