From a6d206c8f81b3fc2daada20a2810579693d389d5 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Wed, 27 Sep 2023 17:29:49 -0700 Subject: [PATCH] CSPM onboarding updates (#3990) * addresses tech feedback for 8.10 * bug fix * minor edits * Update docs/cloud-native-security/cspm-get-started-aws.asciidoc Co-authored-by: Joe Peeples * Update docs/cloud-native-security/cspm-get-started-gcp.asciidoc Co-authored-by: Joe Peeples * Update docs/cloud-native-security/cspm-get-started-gcp.asciidoc Co-authored-by: Joe Peeples * adds missing section to side-nav --------- Co-authored-by: Joe Peeples (cherry picked from commit ecb1e63594885c9e9716ce7007b2379462706639) --- .../cspm-get-started-aws.asciidoc | 6 ++-- .../cspm-get-started-gcp.asciidoc | 29 +++++++++++++++---- 2 files changed, 28 insertions(+), 7 deletions(-) diff --git a/docs/cloud-native-security/cspm-get-started-aws.asciidoc b/docs/cloud-native-security/cspm-get-started-aws.asciidoc index 9689d75870..1473af5afb 100644 --- a/docs/cloud-native-security/cspm-get-started-aws.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-aws.asciidoc @@ -62,7 +62,7 @@ When you return to {kib}, click *View assets* to review the data being collected [discrete] [[cspm-setup-organization-manual]] -=== Manual authentication for organization-level onboarding +== Manual authentication for organization-level onboarding NOTE: If you're onboarding a single account instead of an organization, skip this section. 
@@ -156,7 +156,9 @@ IMPORTANT: You must replace `` in the trust policy with y IMPORTANT: You must replace `` in the trust policy with your AWS account ID. -After creating the necessary roles, authenticate using the <> method. +After creating the necessary roles, authenticate using one of the manual authentication methods. + +IMPORTANT: When deploying to an organization using any of the authentication methods below, you need to make sure that the credentials you provide grant permission to assume `cloudbeat-root` privileges. [discrete] [[cspm-set-up-manual]] diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index b4fe822ad0..b459bff2de 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc 
@@ -63,13 +63,32 @@ https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIam [discrete] [[cspm-set-up-manual-gcp]] -=== Manual setup +=== Manual authentication -. Under **Setup Access** select **Manual**. +To authenticate manually, you'll first need to generate credentials for a new GCP service account with the necessary roles, then provide those credentials to the CSPM integration. + +Generate GCP credentials: + +. Access the GCP console and select your project. +. Navigate to **IAM & Admin -> Service accounts**. +. Click **Create Service Account**. +. Provide an account name. +. Enable the required roles: +.. `Cloud Asset Viewer`: Grants read access to cloud asset metadata. +.. `Browser`: Grants read access to the project hierarchy. +. Click **Continue**, then click **Done**. +. Select the new service account from the list. +. Go to the **KEYS** tab, then click **ADD KEY**. +. Select **JSON** as the key type, then click **CREATE**. + +The credentials JSON will download to your local machine. Keep it secure since it provides access to your GCP resources. + +Provide credentials to the CSPM integration: + +. On the CSPM setup screen under **Setup Access**, select **Manual**. . Enter your GCP **Project ID**. -. Select either **Credentials File** or **Credentials JSON**. -. Enter the credentials information in your selected format. -. Under **Where to add this integration**, +. Select either **Credentials File** or **Credentials JSON**, and enter the credentials information in your selected format. +. Under **Where to add this integration**: .. If you want to monitor a GCP project where you have not yet deployed {agent}: ... Select **New Hosts**. ... Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`.
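Review bot: in the `cspm-get-started-aws.asciidoc` hunk at `@@ -62,7 +62,7 @@`, the heading "Manual authentication for organization-level onboarding" is promoted from `===` to `==` while the `[discrete]` attribute above it is kept. Asciidoctor excludes discrete headings from the generated table of contents, so if the goal (per the commit message, "adds missing section to side-nav") is to make this section navigable, confirm the docs build actually picks it up with `[discrete]` still present, and check that sibling sections such as the one anchored at `[[cspm-set-up-manual]]` use the same level so the page's nesting stays consistent after the promotion.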
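Review bot: in the `@@ -156,7 +156,9 @@` hunk, replacing "authenticate using the <> method" with "authenticate using one of the manual authentication methods" drops the cross-reference link, so readers no longer get a jump target; since the `[[cspm-set-up-manual]]` anchor still follows, suggest keeping an explicit xref, e.g. `authenticate using one of the <<cspm-set-up-manual,manual authentication methods>>.` In the new IMPORTANT admonition, "grant permission to assume `cloudbeat-root` privileges" mixes AWS terms: a principal assumes a role, and the trust policy edited just above is what authorizes that, so "grant permission to assume the `cloudbeat-root` role" (with a pointer back to the trust policy and account-ID step) would be more precise. Flagging it as IMPORTANT is the right level, because a credential that can assume that role is what the whole organization-level deployment hinges on.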
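Review bot: in the `cspm-get-started-gcp.asciidoc` hunk, "Keep it secure since it provides access to your GCP resources" is the only guidance on the downloaded key, and a service-account JSON key is a long-lived credential carrying the `Cloud Asset Viewer` and `Browser` roles granted in step 5; suggest adding that the file should be kept out of source control and deleted from the service account's **KEYS** tab when the integration is removed. The text also says the JSON downloads to "your local machine" but the integration runs on {agent}, so clarify where the **Credentials File** path is expected to resolve (on the {agent} host or elsewhere) so readers do not point it at a file that only exists on their workstation. Minor: "Enable the required roles" does not match the GCP console, where roles are chosen under "Grant this service account access to project"; aligning the label helps readers find the field. The second list restarts numbering correctly after the "Provide credentials to the CSPM integration:" paragraph, but the `..`/`...` nesting under "Under **Where to add this integration**:" should be checked in the rendered output since the hunk is cut off before the list closes.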