Skip to content

Commit

Permalink
Adds kibana namespace requirement to CNVM and CSPM (#5154)
Browse files Browse the repository at this point in the history 
* Updates requirements section for CNVM and CSPM

* minor updates - adds attribute

(cherry picked from commit 5df1b3a)

# Conflicts:
#	docs/cloud-native-security/cspm-get-started-azure.asciidoc
#	docs/cloud-native-security/cspm-get-started-gcp.asciidoc
#	docs/cloud-native-security/cspm-get-started.asciidoc
#	docs/cloud-native-security/cspm.asciidoc
  • Loading branch information
@benironside @mergify
benironside authored and mergify[bot] committed May 7, 2024
1 parent e22eb6e commit 1abf6dc
Show file tree
Hide file tree
Showing 6 changed files with 354 additions and 1 deletion.
171 changes: 171 additions & 0 deletions docs/cloud-native-security/cspm-get-started-azure.asciidoc
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,171 @@
[[cspm-get-started-azure]]
= Get started with CSPM for Azure

[discrete]
[[cspm-overview-azure]]
== Overview

This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature.

.Requirements
[sidebar]
--
* The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription].
* CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work.
* CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]).
* To view posture data, you need `read` privileges for the following {es} indices:
** `logs-cloud_security_posture.findings_latest-*`
** `logs-cloud_security_posture.scores-*`
** `logs-cloud_security_posture.findings`
* The user who gives the CSPM integration permissions in Azure must be an Azure subscription `admin`.
--

[discrete]
[[cspm-setup-azure]]
== Set up CSPM for Azure

You can set up CSPM for Azure by by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access.


[discrete]
[[cspm-add-and-name-integration-azure]]
=== Add your CSPM integration
. From the Elastic Security *Get started* page, click *Add integrations*.
. Search for `CSPM`, then click on the result.
. Click *Add Cloud Security Posture Management (CSPM)*.
. Under **Configure integration**, select **Azure**, then select either **Azure Organization** or **Single Subscription**, depending on which resources you want to monitor.
. Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example, `azure-CSPM-dev-1`.

[discrete]
[[cspm-set-up-cloud-access-section-azure]]
=== Set up cloud account access

NOTE: To set up CSPM for an Azure organization or subscription, you will need admin privileges for that organization or subscription.

For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below.

[discrete]
[[cspm-set-up-ARM]]
== ARM template setup (recommended)

NOTE: If you are deploying to an Azure organization, you need the following permissions: `Microsoft.Resources/deployments/*`, `Microsoft.Authorization/roleAssignments/write`. You also need to https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin[elevate access to manage all Azure subscriptions and management groups].

. Under *Setup Access*, select *ARM Template*.
. Under **Where to add this integration**:
.. Select **New Hosts**.
.. Name the {agent} policy. Use a name that matches the resources you want to monitor. For example, `azure-dev-policy`. Click **Save and continue**. The *ARM Template deployment* window appears.
.. In a new tab, log in to the Azure portal, then return to {kib} and click **Launch ARM Template**. This will open the ARM template in Azure.
.. If you are deploying to an Azure organization, select the management group you want to monitor from the drop-down menu. Next, enter the subscription ID of the subscription where you want to deploy the VM that will scan your resources.
.. Copy the `Fleet URL` and `Enrollment Token` that appear in {kib} to the corresponding fields in the ARM Template, then click **Review + create**.
.. (Optional) Change the `Resource Group Name` parameter. Otherwise the name of the resource group defaults to a timestamp prefixed with `cloudbeat-`.
. Return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data.

[discrete]
[[cspm-set-up-manual-azure]]
== Manual setup

For manual setup, multiple authentication methods are available:

* Managed identity (recommended)
* Service principal with client secret
* Service principal with client certificate

[discrete]
[[cspm-azure-managed-identity-setup]]
=== Option 1: Managed identity (recommended)

This method involves creating an Azure VM (or using an existing one), giving it read access to the resources you want to monitor with CSPM, and installing {agent} on it.

. Go to the Azure portal to https://portal.azure.com/#create/Microsoft.VirtualMachine-ARM[create a new Azure VM].
. Follow the setup process, and make sure you enable **System assigned managed identity** under the **Management** tab.
. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM.
. Go to **Access control (IAM)**, and select **Add Role Assignment**.
. Select the `Reader` function role, assign access to **Managed Identity**, then select your VM.

After assigning the role:

. Return to the **Add CSPM** page in {kib}.
. Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**.
. Under **Where to add this integration**, select **New hosts**.
. Click **Save and continue**, then follow the instructions to install {agent} on your Azure VM.

Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data.

[discrete]
[[cspm-azure-client-secret]]
=== Option 2: Service principal with client secret

Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources].

. On the **Add Cloud Security Posture Management (CSPM) integration** page, scroll to the **Setup access** section, then select **Manual**.
. Under **Preferred manual method**, select **Service principal with Client Secret**.
. Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID].
. Click on **New Registration**, name your app and click **Register**.
. Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {kib}.
. Return to the Azure portal. Select **Certificates & secrets**, then go to the **Client secrets** tab. Click **New client secret**.
. Copy the new secret. Paste it into the corresponding field in {kib}.
. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM.
. Go to **Access control (IAM)** and select **Add Role Assignment**.
. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app.
. Return to the **Add CSPM** page in {kib}.
. Under **Where to add this integration**, select **New hosts**.
. Click **Save and continue**, then follow the instructions to install {agent} on your selected host.

Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data.

[discrete]
[[cspm-azure-client-certificate]]
=== Option 3: Service principal with client certificate

Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources].

. On the **Add Cloud Security Posture Management (CSPM) integration** page, under **Setup access**, select **Manual**.
. Under **Preferred manual method**, select **Service principal with client certificate**.
. Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID].
. Click on **New Registration**, name your app and click **Register**.
. Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {kib}.
. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM.
. Go to **Access control (IAM)** and select **Add Role Assignment**.
. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app.

Next, create a certificate. If you intend to use a password-protected certificate, you must use a pkcs12 certificate. Otherwise, you must use a pem certificate.

Create a pkcs12 certificate, for example:
```shell
# Create PEM file
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Create pkcs12 bundle using legacy flag (CLI will ask for export password)
openssl pkcs12 -legacy -export -out bundle.p12 -inkey key.pem -in cert.pem
```

Create a PEM certificate, for example:
```shell
# Generate certificate signing request (csr) and key
openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr

# Generate PEM and self-sign with key
openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out signed.pem

# Create bundle
cat cert.key > bundle.pem
cat signed.pem >> bundle.pem
```

After creating your certificate:

. Return to Azure.
. Navigate to the **Certificates & secrets** menu. Select the **Certificates** tab.
. Click **Upload certificate**.
.. If you're using a PEM certificate that was created using the example commands above, upload `signed.pem`.
.. If you're using a pkcs12 certificate that was created using the example commands above, upload `cert.pem`.
. Upload the certificate bundle to the VM where you will deploy {agent}.
.. If you're using a PEM certificate that was created using the example commands above, upload `bundle.pem`.
.. If you're using a pkcs12 certificate that was created using the example commands above, upload `bundle.p12`.
. Return to the **Add CSPM** page in {kib}.
. For **Client Certificate Path**, enter the full path to the certificate that you uploaded to the host where you will install {agent}.
. If you used a pkcs12 certificate, enter its password under **Client Certificate Password**.
. Under **Where to add this integration**, select **New hosts**.
. Click **Save and continue**, then follow the instructions to install {agent} on your selected host.

Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data.
168 changes: 168 additions & 0 deletions docs/cloud-native-security/cspm-get-started-gcp.asciidoc
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,168 @@
[[cspm-get-started-gcp]]
= Get started with CSPM for GCP

[discrete]
[[cspm-overview-gcp]]
== Overview

This page explains how to get started monitoring the security posture of your GCP cloud assets using the Cloud Security Posture Management (CSPM) feature.

.Requirements
[sidebar]
--
* The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription].
* CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work.
* CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]).
* To view posture data, you need `read` privileges for the following {es} indices:
** `logs-cloud_security_posture.findings_latest-*`
** `logs-cloud_security_posture.scores-*`
** `Logs-cloud_security_posture.findings`
* The user who gives the CSPM integration GCP permissions must be a GCP project `admin`.
--

[discrete]
[[cspm-setup-gcp]]
== Initial setup

You can set up CSPM for GCP either by enroling a single project, or by enroling an organization containing multiple projects. Either way, you need to first add the CSPM integration, then enable cloud account access.


[discrete]
[[cspm-add-and-name-integration-gcp]]
=== Add your CSPM integration
. From the Elastic Security *Get started* page, click *Add integrations*.
. Search for `CSPM`, then click on the result.
. Click *Add Cloud Security Posture Management (CSPM)*.
. Under *Configure integration*, select *GCP*, then either *GCP Organization* (recommended) or *Single Account*.
. Give your integration a name that matches the purpose or team of the GCP account you want to monitor, for example, `dev-gcp-project`.


[discrete]
[[cspm-set-up-cloud-access-section-gcp]]
=== Set up cloud account access

NOTE: To set up CSPM for a GCP project, you need admin privileges for the project.

For most users, the simplest option is to use a Google Cloud Shell script to automatically provision the necessary resources and permissions in your GCP account. This method, as well as two manual options, are described below.

[discrete]
[[cspm-set-up-cloudshell]]
== Cloud Shell script setup (recommended)

. Under **Setup Access**, select **Google Cloud Shell**. Enter your GCP Project ID, and for GCP Organization deployments, your GCP Organization ID.
. Under **Where to add this integration**:
.. Select **New Hosts**.
.. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`.
.. Click **Save and continue**, then **Add {agent} to your hosts**. The **Add agent** wizard appears and provides {agent} binaries, which you can download and deploy to a VM in your GCP account.
. Click **Save and continue**.
. Copy the command that appears, then click **Launch Google Cloud Shell**. It opens in a new window.
. Check the box to trust Elastic's `cloudbeat` repo, then click **Confirm**
+
image::images/cspm-cloudshell-trust.png[The cloud shell confirmation popup]
+
NOTE: Google has deprecated its old Cloud Shell editor. If you continue to use it, you may encounter the following message:
+
image::images/cspm-cloudshell-old-editor.png[The cloud shell switch editor popup]
+
If the message appears, click **X** or **Try the new Editor** and follow the next steps. When you switch to the new editor, your context should remain unchanged.
. In Google Cloud Shell, execute the command you copied. Once it finishes, return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data.

NOTE: If you encounter any issues running the command, return to {kib} and navigate again to Google Cloud Shell.

NOTE: During Cloud Shell setup, the CSPM integration adds roles to Google's default service account, which enables custom role creation and attachment of the service account to a compute instance.
After setup, these roles are removed from the service account. If you attempt to delete the deployment but find the deployment manager lacks necessary permissions, consider adding the missing roles to the service account:
https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIamAdmin[Project IAM Admin], https://cloud.google.com/iam/docs/understanding-roles#iam.roleAdmin[Role Administrator].

[discrete]
[[cspm-set-up-manual-gcp-org]]
== Manual authentication (GCP organization)

To authenticate manually to monitor a GCP organization, you'll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CSPM integration.

Use the following commands, after replacing `<SA_NAME>` with the name of your new service account, `<ORG_ID>` with your GCP organization's ID, and `<PROJECT_ID>` with the GCP project ID of the project where you want to provision the compute instance that will run CSPM.

Create a new service account:
```
gcloud iam service-accounts create <SA_NAME> \
--description="Elastic agent service account for CSPM" \
--display-name="Elastic agent service account for CSPM" \
--project=<PROJECT_ID>
```

Assign the necessary roles to the service account:
```
gcloud organizations add-iam-policy-binding <ORG_ID> \
--member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
--role=roles/cloudasset.viewer

gcloud organizations add-iam-policy-binding <ORG_ID> \
--member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
--role=roles/browser
```
NOTE: The `Cloud Asset Viewer` role grants read access to cloud asset metadata. The `Browser` role grants read access to the project hierarchy.

Download the credentials JSON (first, replace `<KEY_FILE>` with the location where you want to save it):
```
gcloud iam service-accounts keys create <KEY_FILE> \
--iam-account=<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
```

Keep the credentials JSON in a secure location; you will need it later.

Provide credentials to the CSPM integration:

. On the CSPM setup screen under **Setup Access**, select **Manual**.
. Enter your GCP **Organization ID**. Enter the GCP **Project ID** of the project where you want to provision the compute instance that will run CSPM.
. Select **Credentials JSON**, and enter the value you generated earlier.
. Under **Where to add this integration**, select **New Hosts**.
. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`.
. Click **Save and continue**, then follow the instructions to install {agent} in your chosen GCP project.

Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data.

[discrete]
[[cspm-set-up-manual-gcp-project]]
== Manual authentication (GCP project)

To authenticate manually to monitor an individual GCP project, you'll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CSPM integration.

Use the following commands, after replacing `<SA_NAME>` with the name of your new service account, and `<PROJECT_ID>` with your GCP project ID.

Create a new service account:
```
gcloud iam service-accounts create <SA_NAME> \
--description="Elastic agent service account for CSPM" \
--display-name="Elastic agent service account for CSPM" \
--project=<PROJECT_ID>
```

Assign the necessary roles to the service account:
```
gcloud projects add-iam-policy-binding <PROJECT_ID> \
--member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
--role=roles/cloudasset.viewer

gcloud projects add-iam-policy-binding <PROJECT_ID> \
--member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
--role=roles/browser
```
NOTE: The `Cloud Asset Viewer` role grants read access to cloud asset metadata. The `Browser` role grants read access to the project hierarchy.

Download the credentials JSON (first, replace `<KEY_FILE>` with the location where you want to save it):
```
gcloud iam service-accounts keys create <KEY_FILE> \
--iam-account=<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
```

Keep the credentials JSON in a secure location; you will need it later.

Provide credentials to the CSPM integration:

. On the CSPM setup screen under **Setup Access**, select **Manual**.
. Enter your GCP **Project ID**.
. Select **Credentials JSON**, and enter the value you generated earlier.
. Under **Where to add this integration**, select **New Hosts**.
. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`.
. Click **Save and continue**, then follow the instructions to install {agent} in your chosen GCP project.

Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data.
Loading

0 comments on commit 1abf6dc

Please sign in to comment.