From a3f3969fba587895dcb068e6be3fd6711ee2c208 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Thu, 26 Oct 2023 13:55:30 -0700 Subject: [PATCH 01/22] saving work --- .../cloud-native-security-index.asciidoc | 1 + .../cspm-get-started-azure.asciidoc | 89 +++++++++++++++++++ .../cspm-get-started-gcp.asciidoc | 6 +- 3 files changed, 94 insertions(+), 2 deletions(-) create mode 100644 docs/cloud-native-security/cspm-get-started-azure.asciidoc diff --git a/docs/cloud-native-security/cloud-native-security-index.asciidoc b/docs/cloud-native-security/cloud-native-security-index.asciidoc index b4597681e5..17d6df243c 100644 --- a/docs/cloud-native-security/cloud-native-security-index.asciidoc +++ b/docs/cloud-native-security/cloud-native-security-index.asciidoc @@ -40,6 +40,7 @@ include::security-posture-management.asciidoc[leveloffset=+1] include::cspm.asciidoc[leveloffset=+1] include::cspm-get-started-aws.asciidoc[leveloffset=+2] include::cspm-get-started-gcp.asciidoc[leveloffset=+2] +include::cspm-get-started-azure.asciidoc[leveloffset=+2] include::cspm-findings.asciidoc[leveloffset=+2] include::cspm-benchmark-rules.asciidoc[leveloffset=+2] include::cspm-cloud-posture-dashboard.asciidoc[leveloffset=+2] diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc new file mode 100644 index 0000000000..90fae30c88 --- /dev/null +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc 
@@ -0,0 +1,89 @@ +[[cspm-get-started-azure]] += Get started with CSPM for Azure + +[discrete] +[[cspm-overview-azure]] +== Overview + +This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. + +.Requirements +[sidebar] +-- +* The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. +* To view posture data, you need `read` privileges for the following {es} indices: +** `logs-cloud_security_posture.findings_latest-*` +** `logs-cloud_security_posture.scores-*` +** `Logs-cloud_security_posture.findings` +* The user who gives the CSPM integration GCP permissions must be an Azure subscription `admin`. +-- + +[discrete] +[[cspm-setup-azure]] +== Set up CSPM for Azure + +To set up CSPM for Azure, first add the CSPM integration, then enable cloud account access. + + +[discrete] +[[cspm-add-and-name-integration-gcp]] +=== Add your CSPM integration +. From the Elastic Security *Get started* page, click *Add integrations*. +. Search for `CSPM`, then click on the result. +. Click *Add Cloud Security Posture Management (CSPM)*. +. Under **Configure integration**, select **Azure**. +. Give your integration a name that matches the purpose or team of the Azure subscription you want to monitor, for example, `azure-dev-1`. + +[discrete] +[[cspm-set-up-cloud-access-section-azure]] +=== Set up cloud account access + +NOTE: To setup CSPM for an Azure subscription, you will need admin privileges for that subscription. + +For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. This method, as well as manual options, are described below. + +[discrete] +[[cspm-set-up-ARM]] +=== ARM template setup (recommended) + +. Under *Setup Access*, select *ARM Template*. +. 
Under **Where to add this integration**: +.. Select **New Hosts**. +.. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `azure-dev-1`. Click **Save and continue**. +.. Log into the Azure portal, then return to {kib} and click **Launch ARM Template**. The **Add agent** wizard appears and provides {agent} binaries, which you can download and deploy to a VM in your Azure subscription. +. Click **Save and continue**. ++ +image::images/cspm-cloudshell-trust.png[The cloud shell confirmation popup] ++ +. In Azure, . Once it finishes, return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. + +NOTE: During Cloud Shell setup, the CSPM integration adds roles to Google's default service account, which enables custom role creation and attachment of the service account to a compute instance. +After setup, these roles are removed from the service account. If you attempt to delete the deployment but find the deployment manager lacks necessary permissions, consider adding the missing roles to the service account: +https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIamAdmin[Project IAM Admin], https://cloud.google.com/iam/docs/understanding-roles#iam.roleAdmin[Role Administrator]. + +[discrete] +[[cspm-set-up-manual-gcp]] +=== Manual authentication + +To authenticate manually, you'll first need to generate credentials for a new GCP service account with the necessary roles, then provide those credentials to the CSPM integration. + +Generate GCP credentials: + +The credentials JSON will download to your local machine. Keep it secure since it provides access to your GCP resources. + +Provide credentials to the CSPM integration: + +. On the CSPM setup screen under **Setup Access**, select **Manual**. +. Enter your GCP **Project ID**. +. 
Select either **Credentials File** or **Credentials JSON**, and enter the credentials information in your selected format. +. Under **Where to add this integration**: +.. If you want to monitor a GCP project where you have not yet deployed {agent}: +... Select **New Hosts**. +... Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. +... Click **Save and continue**, then **Add {agent} to your hosts**. The **Add agent** wizard appears and provides {agent} binaries, which you can download and deploy to a VM in your GCP account. +.. If you want to monitor a GCP project where you have already deployed {agent}: +... Select **Existing hosts**. +... Select an agent policy that applies the GCP project you want to monitor. +. Click **Save and continue**. + +Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index b459bff2de..21257fa6b5 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc @@ -22,7 +22,7 @@ This page explains how to get started monitoring the security posture of your cl [[cspm-setup-gcp]] == Set up CSPM for GCP -To set up CSPM for GCP, first add the CSPM integration, then enable cloud account access. +To set up CSPM for GCP, you need to first add the CSPM integration, then enable cloud account access. [discrete] 
@@ -31,12 +31,14 @@ To set up CSPM for GCP, first add the CSPM integration, then enable cloud accoun . From the Elastic Security *Get started* page, click *Add integrations*. . Search for `CSPM`, then click on the result. . Click *Add Cloud Security Posture Management (CSPM)*. +. Under *Configure integration*, select *GCP*, and either . Give your integration a name that matches the purpose or team of the GCP account you want to monitor, for example, `dev-gcp-project`. [discrete] [[cspm-set-up-cloud-access-section-gcp]] === Set up cloud account access -To setup CSPM for a GCP project, you will need to have admin privileges for the project. + +NOTE: To setup CSPM for a GCP project, you need admin privileges for the project. For most users, the simplest option is to use a Google Cloud Shell script to automatically provision the necessary resources and permissions in your GCP account. This method, as well as two manual options, are described below. From 5694ec073f27ead76c3365d992487296097d06ff Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Fri, 27 Oct 2023 07:57:44 -0700 Subject: [PATCH 02/22] preliminary draft --- .../cspm-get-started-azure.asciidoc | 26 ++++++++----------- .../cspm-get-started-gcp.asciidoc | 11 ++++---- 2 files changed, 17 insertions(+), 20 deletions(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index 90fae30c88..930fa22808 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc 
@@ -49,38 +49,34 @@ For most users, the simplest option is to use an Azure Resource Manager (ARM) te . Under *Setup Access*, select *ARM Template*. . Under **Where to add this integration**: .. Select **New Hosts**. -.. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `azure-dev-1`. Click **Save and continue**. -.. Log into the Azure portal, then return to {kib} and click **Launch ARM Template**. The **Add agent** wizard appears and provides {agent} binaries, which you can download and deploy to a VM in your Azure subscription. -. Click **Save and continue**. -+ -image::images/cspm-cloudshell-trust.png[The cloud shell confirmation popup] -+ -. In Azure, . Once it finishes, return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. +.. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `azure-dev-1`. Click **Save and continue**. The *ARM Template deployment* window appears. +.. In a new tab, log in to the Azure portal, then return to {kib} and click **Launch ARM Template**. This will open the ARM template in Azure. +.. Copy the `Fleet URL` and `Enrollment Token` that appear in {kib} to the corresponding fields in the ARM Template, then click *Review + create*. +. Return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. -NOTE: During Cloud Shell setup, the CSPM integration adds roles to Google's default service account, which enables custom role creation and attachment of the service account to a compute instance. -After setup, these roles are removed from the service account. 
If you attempt to delete the deployment but find the deployment manager lacks necessary permissions, consider adding the missing roles to the service account: -https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIamAdmin[Project IAM Admin], https://cloud.google.com/iam/docs/understanding-roles#iam.roleAdmin[Role Administrator]. +NOTE: Should there be a note here similar to what's in the GCP setup guide? [discrete] [[cspm-set-up-manual-gcp]] === Manual authentication -To authenticate manually, you'll first need to generate credentials for a new GCP service account with the necessary roles, then provide those credentials to the CSPM integration. +To authenticate manually, you'll first need to generate credentials for a new Azure SOME PARTICULAR KIND OF ACCOUNT? with the necessary roles, then provide those credentials to the CSPM integration. -Generate GCP credentials: +Generate Azure credentials: The credentials JSON will download to your local machine. Keep it secure since it provides access to your GCP resources. Provide credentials to the CSPM integration: . On the CSPM setup screen under **Setup Access**, select **Manual**. -. Enter your GCP **Project ID**. -. Select either **Credentials File** or **Credentials JSON**, and enter the credentials information in your selected format. + +???????????? + . Under **Where to add this integration**: .. If you want to monitor a GCP project where you have not yet deployed {agent}: ... Select **New Hosts**. ... Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. -... Click **Save and continue**, then **Add {agent} to your hosts**. The **Add agent** wizard appears and provides {agent} binaries, which you can download and deploy to a VM in your GCP account. +... Click **Save and continue**, then **Add {agent} to your hosts**. 
The **Add agent** wizard appears and provides {agent} binaries, which you can download and deploy to a VM in your Azure account. .. If you want to monitor a GCP project where you have already deployed {agent}: ... Select **Existing hosts**. ... Select an agent policy that applies the GCP project you want to monitor. diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index 21257fa6b5..fc18621b19 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc @@ -31,9 +31,10 @@ To set up CSPM for GCP, you need to first add the CSPM integration, then enable . From the Elastic Security *Get started* page, click *Add integrations*. . Search for `CSPM`, then click on the result. . Click *Add Cloud Security Posture Management (CSPM)*. -. Under *Configure integration*, select *GCP*, and either +. Under *Configure integration*, select *GCP*, then either *GCP Organization* (recommended) or *Single Account*. . Give your integration a name that matches the purpose or team of the GCP account you want to monitor, for example, `dev-gcp-project`. + [discrete] [[cspm-set-up-cloud-access-section-gcp]] === Set up cloud account access @@ -44,9 +45,9 @@ For most users, the simplest option is to use a Google Cloud Shell script to aut [discrete] [[cspm-set-up-cloudshell]] -=== Cloud Shell script setup (recommended) +==== Cloud Shell script setup (recommended) -. Under **Setup Access**, select **Google Cloud Shell**. +. Under **Setup Access**, select **Google Cloud Shell**. Enter your GCP Project ID, and for GCP Organization deployments, your GCP Organization ID. . Under **Where to add this integration**: .. Select **New Hosts**. .. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. 
@@ -57,7 +58,7 @@ For most users, the simplest option is to use a Google Cloud Shell script to aut + image::images/cspm-cloudshell-trust.png[The cloud shell confirmation popup] + -. In Google Cloud Shell, execute the command you copied earlier. Once it finishes, return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. +. In Google Cloud Shell, execute the command you copied. Once it finishes, return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. NOTE: During Cloud Shell setup, the CSPM integration adds roles to Google's default service account, which enables custom role creation and attachment of the service account to a compute instance. After setup, these roles are removed from the service account. If you attempt to delete the deployment but find the deployment manager lacks necessary permissions, consider adding the missing roles to the service account: @@ -65,7 +66,7 @@ https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIam [discrete] [[cspm-set-up-manual-gcp]] -=== Manual authentication +==== Manual authentication To authenticate manually, you'll first need to generate credentials for a new GCP service account with the necessary roles, then provide those credentials to the CSPM integration. From b92816d131e192686c5a1dbe4670cf9339469ac4 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Fri, 27 Oct 2023 08:31:27 -0700 Subject: [PATCH 03/22] fixes build errors --- docs/cloud-native-security/cspm-get-started-azure.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index 930fa22808..03c6b6386a 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc 
+++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc @@ -26,7 +26,7 @@ To set up CSPM for Azure, first add the CSPM integration, then enable cloud acco [discrete] -[[cspm-add-and-name-integration-gcp]] +[[cspm-add-and-name-integration-azure]] === Add your CSPM integration . From the Elastic Security *Get started* page, click *Add integrations*. . Search for `CSPM`, then click on the result. @@ -57,7 +57,7 @@ For most users, the simplest option is to use an Azure Resource Manager (ARM) te NOTE: Should there be a note here similar to what's in the GCP setup guide? [discrete] -[[cspm-set-up-manual-gcp]] +[[cspm-set-up-manual-azure]] === Manual authentication To authenticate manually, you'll first need to generate credentials for a new Azure SOME PARTICULAR KIND OF ACCOUNT? with the necessary roles, then provide those credentials to the CSPM integration. From 8c7558ebd1183a3d5039c1c9f1abfaa8e20ec131 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Thu, 2 Nov 2023 19:33:16 -0700 Subject: [PATCH 04/22] Incorporates new information received today for Azure and GCP --- .../cspm-get-started-azure.asciidoc | 77 +++++++++---- .../cspm-get-started-gcp.asciidoc | 109 +++++++++++++----- 2 files changed, 138 insertions(+), 48 deletions(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index 03c6b6386a..3dec88db68 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc 
@@ -14,7 +14,7 @@ This page explains how to get started monitoring the security posture of your cl * To view posture data, you need `read` privileges for the following {es} indices: ** `logs-cloud_security_posture.findings_latest-*` ** `logs-cloud_security_posture.scores-*` -** `Logs-cloud_security_posture.findings` +** `logs-cloud_security_posture.findings` * The user who gives the CSPM integration GCP permissions must be an Azure subscription `admin`. -- @@ -32,7 +32,7 @@ To set up CSPM for Azure, first add the CSPM integration, then enable cloud acco . Search for `CSPM`, then click on the result. . Click *Add Cloud Security Posture Management (CSPM)*. . Under **Configure integration**, select **Azure**. -. Give your integration a name that matches the purpose or team of the Azure subscription you want to monitor, for example, `azure-dev-1`. +. Give your integration a name that matches the purpose or team of the Azure subscription you want to monitor, for example, `azure-dev-policy`. [discrete] [[cspm-set-up-cloud-access-section-azure]] @@ -40,7 +40,7 @@ To set up CSPM for Azure, first add the CSPM integration, then enable cloud acco NOTE: To setup CSPM for an Azure subscription, you will need admin privileges for that subscription. -For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. This method, as well as manual options, are described below. +For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of manual setup options described below. [discrete] [[cspm-set-up-ARM]] 
@@ -49,37 +49,72 @@ For most users, the simplest option is to use an Azure Resource Manager (ARM) te . Under *Setup Access*, select *ARM Template*. . Under **Where to add this integration**: .. Select **New Hosts**. -.. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `azure-dev-1`. Click **Save and continue**. The *ARM Template deployment* window appears. +.. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `azure-dev-policy`. Click **Save and continue**. The *ARM Template deployment* window appears. .. In a new tab, log in to the Azure portal, then return to {kib} and click **Launch ARM Template**. This will open the ARM template in Azure. .. Copy the `Fleet URL` and `Enrollment Token` that appear in {kib} to the corresponding fields in the ARM Template, then click *Review + create*. . Return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. -NOTE: Should there be a note here similar to what's in the GCP setup guide? - [discrete] [[cspm-set-up-manual-azure]] === Manual authentication -To authenticate manually, you'll first need to generate credentials for a new Azure SOME PARTICULAR KIND OF ACCOUNT? with the necessary roles, then provide those credentials to the CSPM integration. +For manual setup, there are two authentication methods: using managed identities (recommended), or using environment variables with authentication secrets. Both methods involve deploying {agent} to a VM in the Azure subscription you want to monitor with CSPM. -Generate Azure credentials: +[discrete] +[[cspm-azure-managed-identity-setup]] +==== Option 1: Managed identity (recommended) -The credentials JSON will download to your local machine. Keep it secure since it provides access to your GCP resources. 
+This method involves creating an Azure VM (or using an existing one), giving it read access to the subscription you want to monitor with CSPM, and installing {agent} on it. -Provide credentials to the CSPM integration: +. Go to the Azure portal to https://portal.azure.com/#create/Microsoft.VirtualMachine-ARM[create a new Azure VM]. +. Follow the setup process, and make sure you enable **System assigned managed identity** under the **Management** tab. +. Go to your Azure subscription list and select the subscription you want to monitor with CSPM. +. Go to **Access control (IAM)**, and select **Add Role Assignment**. +. Select the `Reader` function role, assign access to `Managed Identity`, then select your VM. -. On the CSPM setup screen under **Setup Access**, select **Manual**. +After assigning the role: -???????????? +. Return to the **Add CSPM** page in {kib}. +. Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**. +. Under **Where to add this integration**, select **New hosts**. +. Click **Save and continue**, then follow the instructions to install {agent} on your Azure VM. -. Under **Where to add this integration**: -.. If you want to monitor a GCP project where you have not yet deployed {agent}: -... Select **New Hosts**. -... Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. -... Click **Save and continue**, then **Add {agent} to your hosts**. The **Add agent** wizard appears and provides {agent} binaries, which you can download and deploy to a VM in your Azure account. -.. If you want to monitor a GCP project where you have already deployed {agent}: -... Select **Existing hosts**. -... Select an agent policy that applies the GCP project you want to monitor. -. Click **Save and continue**. +Wait for the confirmation that {kib} received data from your new integration. 
Then you can click **View Assets** to see your data. + +[discrete] +[[cspm-azure-environment-variables-setup]] +==== Option 2: Environment variables with authentication secrets + +Before using this method, you must have https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[set up a Microsoft Entra application and service principal that can access resources]. +​ +. Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. +. Click on **New Registration**, name your app and click **Register**. +. Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. +. Select **Certificates & secrets**, then select **New client secret**. Copy the new secret. +. Go to your Azure subscription list and select the subscription you want to monitor with CSPM. +. Go to **Access control (IAM)** and select **Add Role Assignment**. +. Select the `Reader` function role, assign access to `User, group, or service principal`, and select your new app. +​ +On the VM where you plan to install {agent}, create the file `/etc/sysconfig/elastic-agent`. Paste the following content into the new file, substituting the values you copied for the placeholder values: + +``` +AZURE_TENANT_ID= +AZURE_CLIENT_ID= +AZURE_CLIENT_SECRET= +``` +​ +After assigning the role: + +. Return to the **Add CSPM** page in {kib}. +. Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**. +. Under **Where to add this integration**, select **New hosts**. +. Click **Save and continue**, then follow the instructions to install {agent} on your Azure VM. 
+ +NOTE: If you created `/etc/sysconfig/elastic-agent` after installing {agent}, you might need to restart it with the following commands: ++ +``` +systemctl daemon-reload +systemctl restart elastic-agent +``` Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index fc18621b19..3db1a3c99d 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc 
@@ -65,40 +65,95 @@ After setup, these roles are removed from the service account. If you attempt to https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIamAdmin[Project IAM Admin], https://cloud.google.com/iam/docs/understanding-roles#iam.roleAdmin[Role Administrator]. [discrete] -[[cspm-set-up-manual-gcp]] -==== Manual authentication +[[cspm-set-up-manual-gcp-org]] +==== Manual authentication (GCP organization) -To authenticate manually, you'll first need to generate credentials for a new GCP service account with the necessary roles, then provide those credentials to the CSPM integration. +To authenticate manually to monitor a GCP organization, you'll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CSPM integration. -Generate GCP credentials: +Use the following commands, after replacing `` with the name of your new service account, `` with your GCP organization's ID, and `` with the GCP project ID of the project where you want to provision the compute instance that will run CSPM. -. Access the GCP console and select your project. -. Navigate to **IAM & Admin -> Service accounts**. -. Click **Create Service Account**. -. Provide an account name. -. Enable the required roles: -.. `Cloud Asset Viewer`: Grants read access to cloud asset metadata. -.. `Browser`: Grants read access to the project hierarchy. -. Click **Continue**, then click **Done**. -. Select the new service account from the list. -. Go to the **KEYS** tab, then click **ADD KEY**. -. Select **JSON** as the key type, then click **CREATE**. +Create a new service account: +``` +gcloud iam service-accounts create \ + --description="Elastic agent service account for CSPM" \ + --display-name="Elastic agent service account for CSPM" \ + --project= +``` -The credentials JSON will download to your local machine. Keep it secure since it provides access to your GCP resources. 
+Assign the necessary roles to the service account: +``` +gcloud organizations add-iam-policy-binding \ + --member=serviceAccount:@.iam.gserviceaccount.com \ + --role=roles/cloudasset.viewer + +gcloud organizations add-iam-policy-binding \ + --member=serviceAccount:@.iam.gserviceaccount.com \ + --role=roles/browser +``` +NOTE: The `Cloud Asset Viewer` role grants read access to cloud asset metadata. The `Browser` role grants read access to the project hierarchy. + +Download the credentials JSON: +``` +gcloud iam service-accounts keys create \ + --iam-account=@.iam.gserviceaccount.com +``` + +Keep the credentials JSON in a secure location, you will need it later. Provide credentials to the CSPM integration: . On the CSPM setup screen under **Setup Access**, select **Manual**. -. Enter your GCP **Project ID**. -. Select either **Credentials File** or **Credentials JSON**, and enter the credentials information in your selected format. -. Under **Where to add this integration**: -.. If you want to monitor a GCP project where you have not yet deployed {agent}: -... Select **New Hosts**. -... Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. -... Click **Save and continue**, then **Add {agent} to your hosts**. The **Add agent** wizard appears and provides {agent} binaries, which you can download and deploy to a VM in your GCP account. -.. If you want to monitor a GCP project where you have already deployed {agent}: -... Select **Existing hosts**. -... Select an agent policy that applies the GCP project you want to monitor. -. Click **Save and continue**. +. Enter your GCP **Organization ID**. Enter the GCP **Project ID** of the project where you want to provision the compute instance that will run CSPM. +. Select **Credentials JSON**, and enter the value you generated earlier. +. Under **Where to add this integration**, select **New Hosts**. +. 
Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. +. Click **Save and continue**, then follow the instructions to install {agent} in your chosen GCP project. + +Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. + +[discrete] +[[cspm-set-up-manual-gcp-project]] +==== Manual authentication (GCP project) + +To authenticate manually to monitor an individual GCP project, you'll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CSPM integration. + +Use the following commands, after replacing `` with the name of your new service account, and `` with your GCP project ID + +Create a new service account: +``` +gcloud iam service-accounts create \ + --description="Elastic agent service account for CSPM" \ + --display-name="Elastic agent service account for CSPM" \ + --project= +``` + +Assign the necessary roles to the service account: +``` +gcloud organizations add-iam-policy-binding \ + --member=serviceAccount:@.iam.gserviceaccount.com \ + --role=roles/cloudasset.viewer + +gcloud organizations add-iam-policy-binding \ + --member=serviceAccount:@.iam.gserviceaccount.com \ + --role=roles/browser +``` +NOTE: The `Cloud Asset Viewer` role grants read access to cloud asset metadata. The `Browser` role grants read access to the project hierarchy. + +Download the credentials JSON: +``` +gcloud iam service-accounts keys create \ + --iam-account=@.iam.gserviceaccount.com +``` + +Keep the credentials JSON in a secure location, you will need it later. + +Provide credentials to the CSPM integration: + +. On the CSPM setup screen under **Setup Access**, select **Manual**. +. Enter your GCP **Organization ID**. Enter the GCP **Project ID** of the project where you want to provision the compute instance that will run CSPM. +. 
Select **Credentials JSON**, and enter the value you generated earlier. +. Under **Where to add this integration**, select **New Hosts**. +. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. +. Click **Save and continue**, then follow the instructions to install {agent} in your chosen GCP project. Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. From 11cce55ff04802dcb6908551382a125b65ac19d5 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Thu, 2 Nov 2023 19:56:52 -0700 Subject: [PATCH 05/22] formatting fix for azure --- .../cspm-get-started-azure.asciidoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index 3dec88db68..97b2acafcc 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc @@ -86,7 +86,7 @@ Wait for the confirmation that {kib} received data from your new integration. Th ==== Option 2: Environment variables with authentication secrets Before using this method, you must have https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[set up a Microsoft Entra application and service principal that can access resources]. -​ + . Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. . Click on **New Registration**, name your app and click **Register**. . Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. 
@@ -94,7 +94,7 @@ Before using this method, you must have https://learn.microsoft.com/en-us/entra/ . Go to your Azure subscription list and select the subscription you want to monitor with CSPM. . Go to **Access control (IAM)** and select **Add Role Assignment**. . Select the `Reader` function role, assign access to `User, group, or service principal`, and select your new app. -​ + On the VM where you plan to install {agent}, create the file `/etc/sysconfig/elastic-agent`. Paste the following content into the new file, substituting the values you copied for the placeholder values: ``` @@ -102,7 +102,7 @@ AZURE_TENANT_ID= AZURE_CLIENT_ID= AZURE_CLIENT_SECRET= ``` -​ + After assigning the role: . Return to the **Add CSPM** page in {kib}. @@ -110,8 +110,8 @@ After assigning the role: . Under **Where to add this integration**, select **New hosts**. . Click **Save and continue**, then follow the instructions to install {agent} on your Azure VM. -NOTE: If you created `/etc/sysconfig/elastic-agent` after installing {agent}, you might need to restart it with the following commands: -+ +If you created `/etc/sysconfig/elastic-agent` after installing {agent}, you might need to restart it with the following commands: + ``` systemctl daemon-reload systemctl restart elastic-agent From 748adc542427d614451f399ed7d4582f67cb769e Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Thu, 2 Nov 2023 19:57:54 -0700 Subject: [PATCH 06/22] add missing punctuation --- docs/cloud-native-security/cspm-get-started-gcp.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index 3db1a3c99d..861abc5197 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc 
@@ -117,7 +117,7 @@ Wait for the confirmation that {kib} received data from your new integration. Th To authenticate manually to monitor an individual GCP project, you'll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CSPM integration. -Use the following commands, after replacing `` with the name of your new service account, and `` with your GCP project ID +Use the following commands, after replacing `` with the name of your new service account, and `` with your GCP project ID. Create a new service account: ``` From f58f9ba0203d655a4bb944f4b605b5faaaaa1248 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Thu, 2 Nov 2023 19:58:50 -0700 Subject: [PATCH 07/22] minor update --- docs/cloud-native-security/cspm-get-started-gcp.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index 861abc5197..82bdaea3fa 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc @@ -150,7 +150,7 @@ Keep the credentials JSON in a secure location, you will need it later. Provide credentials to the CSPM integration: . On the CSPM setup screen under **Setup Access**, select **Manual**. -. Enter your GCP **Organization ID**. Enter the GCP **Project ID** of the project where you want to provision the compute instance that will run CSPM. +. Enter your GCP **Project ID**. . Select **Credentials JSON**, and enter the value you generated earlier. . Under **Where to add this integration**, select **New Hosts**. . Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. From 7293deb094956757726ca57badd9f542827f1df4 Mon Sep 17 00:00:00 2001 
From: Benjamin Ironside Goldstein Date: Thu, 2 Nov 2023 21:06:10 -0700 Subject: [PATCH 08/22] adjust internal ToC --- .../cloud-native-security/cspm-get-started-azure.asciidoc | 8 ++++---- docs/cloud-native-security/cspm-get-started-gcp.asciidoc | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index 97b2acafcc..a5d90ddad4 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc @@ -44,7 +44,7 @@ For most users, the simplest option is to use an Azure Resource Manager (ARM) te [discrete] [[cspm-set-up-ARM]] -=== ARM template setup (recommended) +== ARM template setup (recommended) . Under *Setup Access*, select *ARM Template*. . Under **Where to add this integration**: @@ -56,13 +56,13 @@ For most users, the simplest option is to use an Azure Resource Manager (ARM) te [discrete] [[cspm-set-up-manual-azure]] -=== Manual authentication +== Manual setup For manual setup, there are two authentication methods: using managed identities (recommended), or using environment variables with authentication secrets. Both methods involve deploying {agent} to a VM in the Azure subscription you want to monitor with CSPM. [discrete] [[cspm-azure-managed-identity-setup]] -==== Option 1: Managed identity (recommended) +=== Option 1: Managed identity (recommended) This method involves creating an Azure VM (or using an existing one), giving it read access to the subscription you want to monitor with CSPM, and installing {agent} on it. 
@@ -83,7 +83,7 @@ Wait for the confirmation that {kib} received data from your new integration. Th [discrete] [[cspm-azure-environment-variables-setup]] -==== Option 2: Environment variables with authentication secrets +=== Option 2: Environment variables with authentication secrets Before using this method, you must have https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[set up a Microsoft Entra application and service principal that can access resources]. diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index 82bdaea3fa..8dfae5df1f 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc @@ -20,7 +20,7 @@ This page explains how to get started monitoring the security posture of your cl [discrete] [[cspm-setup-gcp]] -== Set up CSPM for GCP +== Initial setup To set up CSPM for GCP, you need to first add the CSPM integration, then enable cloud account access. @@ -45,7 +45,7 @@ For most users, the simplest option is to use a Google Cloud Shell script to aut [discrete] [[cspm-set-up-cloudshell]] -==== Cloud Shell script setup (recommended) +== Cloud Shell script setup (recommended) . Under **Setup Access**, select **Google Cloud Shell**. Enter your GCP Project ID, and for GCP Organization deployments, your GCP Organization ID. . Under **Where to add this integration**: @@ -66,7 +66,7 @@ https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIam [discrete] [[cspm-set-up-manual-gcp-org]] -==== Manual authentication (GCP organization) +== Manual authentication (GCP organization) To authenticate manually to monitor a GCP organization, you'll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CSPM integration. 
@@ -113,7 +113,7 @@ Wait for the confirmation that {kib} received data from your new integration. Th [discrete] [[cspm-set-up-manual-gcp-project]] -==== Manual authentication (GCP project) +== Manual authentication (GCP project) To authenticate manually to monitor an individual GCP project, you'll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CSPM integration. From 39e03c7b34cc5e17fefe5c56e6d0db5ebec56864 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Fri, 3 Nov 2023 12:24:03 -0700 Subject: [PATCH 09/22] Update docs/cloud-native-security/cspm-get-started-azure.asciidoc Co-authored-by: Orestis Floros --- docs/cloud-native-security/cspm-get-started-azure.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index a5d90ddad4..6830ed8048 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc @@ -15,7 +15,7 @@ This page explains how to get started monitoring the security posture of your cl ** `logs-cloud_security_posture.findings_latest-*` ** `logs-cloud_security_posture.scores-*` ** `logs-cloud_security_posture.findings` -* The user who gives the CSPM integration GCP permissions must be an Azure subscription `admin`. +* The user who gives the CSPM integration permissions must be an Azure subscription `admin`. -- [discrete] From 788eb306f4c8be7337b0ac658cdf4d2f2c129d79 Mon Sep 17 00:00:00 2001 
From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Fri, 3 Nov 2023 12:31:32 -0700 Subject: [PATCH 10/22] Update docs/cloud-native-security/cspm-get-started-azure.asciidoc Co-authored-by: Orestis Floros --- docs/cloud-native-security/cspm-get-started-azure.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index 6830ed8048..d849e576e8 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc @@ -93,7 +93,7 @@ Before using this method, you must have https://learn.microsoft.com/en-us/entra/ . Select **Certificates & secrets**, then select **New client secret**. Copy the new secret. . Go to your Azure subscription list and select the subscription you want to monitor with CSPM. . Go to **Access control (IAM)** and select **Add Role Assignment**. -. Select the `Reader` function role, assign access to `User, group, or service principal`, and select your new app. +. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. On the VM where you plan to install {agent}, create the file `/etc/sysconfig/elastic-agent`. Paste the following content into the new file, substituting the values you copied for the placeholder values: From f3f00b78a5cf8ae663d9736f4c403a82fda704b9 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Fri, 3 Nov 2023 12:32:21 -0700 Subject: [PATCH 11/22] Update docs/cloud-native-security/cspm-get-started-azure.asciidoc Co-authored-by: Orestis Floros --- docs/cloud-native-security/cspm-get-started-azure.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index d849e576e8..c9a8e381f0 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc @@ -70,7 +70,7 @@ This method involves creating an Azure VM (or using an existing one), giving it . Follow the setup process, and make sure you enable **System assigned managed identity** under the **Management** tab. . Go to your Azure subscription list and select the subscription you want to monitor with CSPM. . Go to **Access control (IAM)**, and select **Add Role Assignment**. -. Select the `Reader` function role, assign access to `Managed Identity`, then select your VM. +. Select the `Reader` function role, assign access to **Managed Identity**, then select your VM. After assigning the role: From b5c767e5933626f1a476b3a82ce401fc5ff63a83 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Fri, 3 Nov 2023 12:32:47 -0700 Subject: [PATCH 12/22] Update docs/cloud-native-security/cspm-get-started-azure.asciidoc Co-authored-by: Orestis Floros --- docs/cloud-native-security/cspm-get-started-azure.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index c9a8e381f0..35033b76dd 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc @@ -103,7 +103,7 @@ AZURE_CLIENT_ID= AZURE_CLIENT_SECRET= ``` -After assigning the role: +After creating the file: . Return to the **Add CSPM** page in {kib}. . Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**. From 055d32da2a8fdba2c3f3f007a64ff1a7ca81073e Mon Sep 17 00:00:00 2001 
From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Sun, 5 Nov 2023 13:44:04 -0800 Subject: [PATCH 13/22] Update docs/cloud-native-security/cspm-get-started-gcp.asciidoc Co-authored-by: Amir Ben Nun <34831306+amirbenun@users.noreply.github.com> --- docs/cloud-native-security/cspm-get-started-gcp.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index 2c28ac92ce..51060a24ec 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc @@ -129,7 +129,7 @@ gcloud iam service-accounts create \ Assign the necessary roles to the service account: ``` -gcloud organizations add-iam-policy-binding \ +gcloud projects add-iam-policy-binding \ --member=serviceAccount:@.iam.gserviceaccount.com \ --role=roles/cloudasset.viewer From 28b6010c3835b096d3271042aa9eecb71f338316 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Sun, 5 Nov 2023 13:44:16 -0800 Subject: [PATCH 14/22] Update docs/cloud-native-security/cspm-get-started-gcp.asciidoc Co-authored-by: Amir Ben Nun <34831306+amirbenun@users.noreply.github.com> --- docs/cloud-native-security/cspm-get-started-gcp.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index 51060a24ec..fe2f6502b6 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc 
@@ -133,7 +133,7 @@ gcloud projects add-iam-policy-binding \ --member=serviceAccount:@.iam.gserviceaccount.com \ --role=roles/cloudasset.viewer -gcloud organizations add-iam-policy-binding \ +gcloud projects add-iam-policy-binding \ --member=serviceAccount:@.iam.gserviceaccount.com \ --role=roles/browser ``` From 0fddb18336820aebbd6ae03e6948c85219ce7c3d Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Sun, 5 Nov 2023 13:48:32 -0800 Subject: [PATCH 15/22] incorporate feedback --- docs/cloud-native-security/cspm-get-started-gcp.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index 8dfae5df1f..7b9747eb99 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc @@ -92,7 +92,7 @@ gcloud organizations add-iam-policy-binding \ ``` NOTE: The `Cloud Asset Viewer` role grants read access to cloud asset metadata. The `Browser` role grants read access to the project hierarchy. -Download the credentials JSON: +Download the credentials JSON (first, replace `` with the location where you want to save it): ``` gcloud iam service-accounts keys create \ --iam-account=@.iam.gserviceaccount.com @@ -139,7 +139,7 @@ gcloud organizations add-iam-policy-binding \ ``` NOTE: The `Cloud Asset Viewer` role grants read access to cloud asset metadata. The `Browser` role grants read access to the project hierarchy. -Download the credentials JSON: +Download the credentials JSON (first, replace `` with the location where you want to save it): ``` gcloud iam service-accounts keys create \ --iam-account=@.iam.gserviceaccount.com From 39235b59aae92944575a5bdc3c2f194fd41fe9bd Mon Sep 17 00:00:00 2001 
From: Benjamin Ironside Goldstein Date: Sun, 5 Nov 2023 13:58:48 -0800 Subject: [PATCH 16/22] incorporates feedback --- docs/cloud-native-security/cspm-get-started-azure.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index 35033b76dd..0d360de3ba 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc @@ -51,6 +51,7 @@ For most users, the simplest option is to use an Azure Resource Manager (ARM) te .. Select **New Hosts**. .. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `azure-dev-policy`. Click **Save and continue**. The *ARM Template deployment* window appears. .. In a new tab, log in to the Azure portal, then return to {kib} and click **Launch ARM Template**. This will open the ARM template in Azure. +.. (Optional) Change the Resource Group Name parameter. Otherwise the name of the resource group defaults to `cloudbeat-` and a timestamp. .. Copy the `Fleet URL` and `Enrollment Token` that appear in {kib} to the corresponding fields in the ARM Template, then click *Review + create*. . Return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. 
@@ -58,7 +59,7 @@ For most users, the simplest option is to use an Azure Resource Manager (ARM) te [[cspm-set-up-manual-azure]] == Manual setup -For manual setup, there are two authentication methods: using managed identities (recommended), or using environment variables with authentication secrets. Both methods involve deploying {agent} to a VM in the Azure subscription you want to monitor with CSPM. +For manual setup, there are two authentication methods: using managed identities (recommended), or using environment variables with authentication secrets. The first method requires you to deploy {agent} to a VM in the Azure subscription you want to monitor with CSPM, the second method allows {agent} to be deployed anywhere, including a VM outside Azure or a personal laptop. [discrete] [[cspm-azure-managed-identity-setup]] From fbdca77694ce588d4799a919e9d9205ad090284a Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Sun, 5 Nov 2023 15:53:55 -0800 Subject: [PATCH 17/22] minor formatting fix --- docs/cloud-native-security/cspm-get-started-azure.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index 0d360de3ba..edaa1f1d6e 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc 
@@ -51,7 +51,7 @@ For most users, the simplest option is to use an Azure Resource Manager (ARM) te .. Select **New Hosts**. .. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `azure-dev-policy`. Click **Save and continue**. The *ARM Template deployment* window appears. .. In a new tab, log in to the Azure portal, then return to {kib} and click **Launch ARM Template**. This will open the ARM template in Azure. -.. (Optional) Change the Resource Group Name parameter. Otherwise the name of the resource group defaults to `cloudbeat-` and a timestamp. +.. (Optional) Change the `Resource Group Name` parameter. Otherwise the name of the resource group defaults to `cloudbeat-` and a timestamp. .. Copy the `Fleet URL` and `Enrollment Token` that appear in {kib} to the corresponding fields in the ARM Template, then click *Review + create*. . Return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. From 1b4ee2cf7adb455092e082586c2ec643d8b347cd Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Sun, 5 Nov 2023 16:53:31 -0800 Subject: [PATCH 18/22] Update docs/cloud-native-security/cspm-get-started-gcp.asciidoc --- docs/cloud-native-security/cspm-get-started-gcp.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index 33708af89d..661feb2c0f 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc 
@@ -39,7 +39,7 @@ To set up CSPM for GCP, you need to first add the CSPM integration, then enable [[cspm-set-up-cloud-access-section-gcp]] === Set up cloud account access -NOTE: To setup CSPM for a GCP project, you need admin privileges for the project. +NOTE: To set up CSPM for a GCP project, you need admin privileges for the project. For most users, the simplest option is to use a Google Cloud Shell script to automatically provision the necessary resources and permissions in your GCP account. This method, as well as two manual options, are described below. From 35b1239f2107b75981d78bc6a141531d0537be9f Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Sun, 5 Nov 2023 18:38:15 -0800 Subject: [PATCH 19/22] setup -> set up --- docs/cloud-native-security/cspm-get-started-azure.asciidoc | 2 +- docs/cloud-native-security/cspm-get-started-gcp.asciidoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index edaa1f1d6e..56c1bbe461 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc @@ -38,7 +38,7 @@ To set up CSPM for Azure, first add the CSPM integration, then enable cloud acco [[cspm-set-up-cloud-access-section-azure]] === Set up cloud account access -NOTE: To setup CSPM for an Azure subscription, you will need admin privileges for that subscription. +NOTE: To set up CSPM for an Azure subscription, you will need admin privileges for that subscription. For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of manual setup options described below. 
diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index 33708af89d..661feb2c0f 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc @@ -39,7 +39,7 @@ To set up CSPM for GCP, you need to first add the CSPM integration, then enable [[cspm-set-up-cloud-access-section-gcp]] === Set up cloud account access -NOTE: To setup CSPM for a GCP project, you need admin privileges for the project. +NOTE: To set up CSPM for a GCP project, you need admin privileges for the project. For most users, the simplest option is to use a Google Cloud Shell script to automatically provision the necessary resources and permissions in your GCP account. This method, as well as two manual options, are described below. From 232550dfa7927c3be757fd1f119e4122e3584dcb Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Mon, 6 Nov 2023 13:12:31 -0800 Subject: [PATCH 20/22] incorporates Joe's feedback --- .../cloud-native-security/cspm-get-started-azure.asciidoc | 8 ++++---- docs/cloud-native-security/cspm-get-started-gcp.asciidoc | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index 56c1bbe461..420c98799a 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc 
@@ -32,7 +32,7 @@ To set up CSPM for Azure, first add the CSPM integration, then enable cloud acco . Search for `CSPM`, then click on the result. . Click *Add Cloud Security Posture Management (CSPM)*. . Under **Configure integration**, select **Azure**. -. Give your integration a name that matches the purpose or team of the Azure subscription you want to monitor, for example, `azure-dev-policy`. +. Give your integration a name that matches the purpose or team of the Azure subscription you want to monitor, for example, `azure-CSPM-1`. [discrete] [[cspm-set-up-cloud-access-section-azure]] @@ -51,7 +51,7 @@ For most users, the simplest option is to use an Azure Resource Manager (ARM) te .. Select **New Hosts**. .. Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `azure-dev-policy`. Click **Save and continue**. The *ARM Template deployment* window appears. .. In a new tab, log in to the Azure portal, then return to {kib} and click **Launch ARM Template**. This will open the ARM template in Azure. -.. (Optional) Change the `Resource Group Name` parameter. Otherwise the name of the resource group defaults to `cloudbeat-` and a timestamp. +.. (Optional) Change the `Resource Group Name` parameter. Otherwise the name of the resource group defaults to a timestamp prefixed with `cloudbeat-`. .. Copy the `Fleet URL` and `Enrollment Token` that appear in {kib} to the corresponding fields in the ARM Template, then click *Review + create*. . Return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. 
@@ -59,7 +59,7 @@ For most users, the simplest option is to use an Azure Resource Manager (ARM) te [[cspm-set-up-manual-azure]] == Manual setup -For manual setup, there are two authentication methods: using managed identities (recommended), or using environment variables with authentication secrets. The first method requires you to deploy {agent} to a VM in the Azure subscription you want to monitor with CSPM, the second method allows {agent} to be deployed anywhere, including a VM outside Azure or a personal laptop. +For manual setup, there are two authentication methods: using managed identities (recommended), or using environment variables with authentication secrets. The first method requires you to deploy {agent} to a VM in the Azure subscription you want to monitor with CSPM; the second method allows {agent} to be deployed anywhere, including a VM outside Azure or a personal laptop. [discrete] [[cspm-azure-managed-identity-setup]] @@ -86,7 +86,7 @@ Wait for the confirmation that {kib} received data from your new integration. Th [[cspm-azure-environment-variables-setup]] === Option 2: Environment variables with authentication secrets -Before using this method, you must have https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[set up a Microsoft Entra application and service principal that can access resources]. +Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources]. . Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. . Click on **New Registration**, name your app and click **Register**. 
diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index 661feb2c0f..2da882f502 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc @@ -98,7 +98,7 @@ gcloud iam service-accounts keys create \ --iam-account=@.iam.gserviceaccount.com ``` -Keep the credentials JSON in a secure location, you will need it later. +Keep the credentials JSON in a secure location; you will need it later. Provide credentials to the CSPM integration: @@ -145,7 +145,7 @@ gcloud iam service-accounts keys create \ --iam-account=@.iam.gserviceaccount.com ``` -Keep the credentials JSON in a secure location, you will need it later. +Keep the credentials JSON in a secure location; you will need it later. Provide credentials to the CSPM integration: From 9f4a9df1b93307f1895881be8d35d95ee2e94dde Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Mon, 6 Nov 2023 19:05:37 -0800 Subject: [PATCH 21/22] typo fix --- docs/cloud-native-security/cspm-get-started-azure.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index 420c98799a..a87cb81fdb 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc 
@@ -40,7 +40,7 @@ To set up CSPM for Azure, first add the CSPM integration, then enable cloud acco NOTE: To set up CSPM for an Azure subscription, you will need admin privileges for that subscription. -For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of manual setup options described below. +For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below. [discrete] [[cspm-set-up-ARM]] From 779d32aeadc6b49a5642542423d51ee9ecf58569 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Mon, 6 Nov 2023 19:07:43 -0800 Subject: [PATCH 22/22] minor fix --- docs/cloud-native-security/cspm-get-started-azure.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index a87cb81fdb..0e59f502d6 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc 
@@ -109,7 +109,7 @@ After creating the file: . Return to the **Add CSPM** page in {kib}. . Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**. . Under **Where to add this integration**, select **New hosts**. -. Click **Save and continue**, then follow the instructions to install {agent} on your Azure VM. +. Click **Save and continue**, then follow the instructions to install {agent} on your selected host. If you created `/etc/sysconfig/elastic-agent` after installing {agent}, you might need to restart it with the following commands:
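Review bot: In PATCH 05/22, the hunk at `@@ -94,7 +94,7 @@` has the reader write `AZURE_CLIENT_SECRET` into `/etc/sysconfig/elastic-agent` without saying who should be able to read that file. Suggest adding a step after the code block that makes the file owned by root and readable only by root (for example mode `0600`), because anyone who can read it obtains the service principal's `Reader` access to the monitored subscription. It would also help to say that the secret should not be kept anywhere else once it is in this file.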
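Review bot: In PATCH 16/22 (reworded in PATCH 20/22), the sentence added in the `@@ -59,7 +59,7 @@` hunk says the second method lets {agent} run anywhere, "including a VM outside Azure or a personal laptop", but the Option 2 steps still read "On the VM where you plan to install {agent}, create the file `/etc/sysconfig/elastic-agent`" and the restart instructions assume `systemctl`. PATCH 22/22 only changes "on your Azure VM" to "on your selected host". Suggest changing "On the VM" to "On the host" and stating which operating systems the `/etc/sysconfig` path and the `systemctl` commands apply to. Also consider whether the page should offer a personal laptop as a place to store a long-lived client secret, given that the managed identity option is the one marked as recommended.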
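Review bot: In PATCH 08/22, promoting `ARM template setup (recommended)` and `Manual setup` to `==` in the Azure file (hunks `@@ -44,7 +44,7 @@` and `@@ -56,7 +56,7 @@`) moves them out from under `=== Set up cloud account access`, whose intro paragraph points to the options "described below". After this change that section contains only the NOTE and the intro, and the options become top-level siblings of the setup section. If that is the intended ToC, suggest rewording the intro so it links to the two sections by anchor. The same commit renames the GCP heading `== Set up CSPM for GCP` to `== Initial setup`, while all four changed lines in the Azure file are the headings listed in its hunks, so the Azure page keeps the old parent heading; please make the two pages match.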
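Review bot: In PATCH 15/22, the sentence added in both hunks asks the reader to replace a placeholder with the save location, but as shown the placeholder is empty (two backticks with nothing between them) and the `gcloud iam service-accounts keys create` command beneath it has no output-file argument before `--iam-account`. The same gap appears in PATCH 13/22 and 14/22, where the commands switched to `gcloud projects add-iam-policy-binding` show no project ID after the subcommand, and in the `--member=serviceAccount:@.iam.gserviceaccount.com` value. Please check the built page to confirm the angle-bracket placeholders survive rendering, and make sure every placeholder used in a command is named in the sentence that introduces it.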