Azure Cloud Connector

This topic describes how to onboard the Microsoft Azure Cloud connector. The onboarding process includes the following steps:

To access the latest information about this topic and all Cloud Security releases, check out the Release-notes-and-notices.

Understanding the Azure Cloud Connector

The Microsoft Azure cloud platform provides on-demand infrastructure that scales and adapts to changing business needs. Microsoft Azure is a growing collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of datacenters. Cloud Securitysupports multi-cloud environments through compliance of Microsoft Azure. You can select and configure an Azure cloud connector, collect information from Microsoft Azure resources, and perform compliance and risk assessments on Azure using Cloud Security.

The Azure Cloud Connector collects various data from your Azure account and sends it to Cloud Security for policy validation. The following single policy is available for the Azure Cloud Connector i.e. CIS Microsoft Azure Foundations Benchmark v1.1.0 includes below policies :

  • BMC Azure Network Security Groups. Validates the configuration of security groups, the main tool you use to enforce and control network traffic rules at the network level.
  • BMC Azure Subscription. Validates Azure subscriptions, the details that uniquely identify your subscription to use Azure services. For each tenant, there can be multiple subscriptions. For example, a company that has different subscriptions for different departments (QA, Support, Development) would only have to configure the connector a single time to fetch the information across all subscriptions and display it in Cloud Security.

    azure_multi_script_subscriptions_overview_diagram.PNG

    Cloud Securitychecks for security settings and tracks costs based on the subscription level.
  • BMC Azure Virtual Machine. Validates the configuration of Virtual Machines (VMs), primarily the availability of the VM.
  • BMC Azure Virtual Network. Validates the configuration of Azure Virtual Networks (VNet), a representation of your own network in the cloud. A VNet is a logical isolation of the Azure cloud dedicated to your subscription.

Note

In Azure, every resource has to be a child of a specific Resource Group (basically a container for the resource).

License utilization

The following resources consume a product license:

  • Microsoft Azure Virtual Machine
  • Microsoft Azure SQL Database

Completing prerequisites

Before you can use the Azure Cloud Connector, you must complete the following prerequisites:

  • Create and obtain an Azure subscription and application registration and ID.
  • Configure key vault permissions for the Azure Cloud Connector.

Creating and obtaining an Azure subscription and application registration and ID

  1. Obtain an Azure Subscription ID:
    1. Log on to the Azure portal.
    2. In the left navigation panel, click Subscriptions.
      The list of your subscriptions is displayed along with the subscription ID.
  2. Create an application registration and ensure that you have the required permissions in Azure Active Directory (AAD).
    For more information about creating an application registration, see Create an Azure Active Directory application in the Microsoft documentation.
    For more information about AAD permissions, see Check Azure Active Directory permissions in the Microsoft documentation.
  3. Obtain the Application ID and generate an authentication key for this application.
    For more information, see see Get application ID and authentication key in the Microsoft documentation.

  4. Provide the newly created application with registration access to the subscription.
    For more information, see Assign application to role in the Microsoft documentation.

    Note

    The example role used in the Microsoft documentation uses the example of adding an application to the Reader role. For policy, make sure you use the Contributor role.

  5. In a text editor (such as Notepad), copy the name of the Application ID and label it as Client ID.
  6. Copy the authentication key string to the text editor, and label the string as Client Secret Key.
  7. Obtain the Tenant ID. When you obtain an Azure account, you are given a tenant ID specific to your organization.
    For more information, see Get tenant ID in the Microsoft documentation.
  8. In a text editor (such as Notepad), copy the ID and label it as Tenant ID.

Configuring key vault permissions

Section 8 of CIS specifies additional security recommendations for Azure that contain the following rules related to Azure Key Vaults:

  • 8.1 Ensure that the expiry date is set on all Keys
  • 8.2 Ensure that the expiry date is set on all Secrets

To check for these rules, the Azure Cloud Connector must correctly capture key vault entries. For this to occur you must perform additional configurations to enable the connector app registration to be able to access key vaults and entries within each vault.

The following steps detail how to perform this configuration.

Note

These steps must be performed for all key vaults in your subscription, so that the Azure Cloud Connector can scan and check all the key-entries.




1.

In the Microsoft Azure portal, search for resource types and select App registrations.

A.png

2.

Select the azure-connector registered app and click Settings.

B.png

3.

In the Settings pane, select Required permissions.

C.png

4.

In the Required permissions pane, click Add, choose Select an API, and select azure key vault and then click Select.

D.png

5.

The completed app registration should include two sets of permissions, as illustrated in the following example:

E.png

6.

Search for key vaults.

F.png

7.

1.    For each vault select Access policies and click Add new.

K.png

8.

Click Select principal and choose the connector, then click Select.

H.png

9.

In the Key permissions list, Key Management Operations section, select Get and List.

I.png

10.

In the Secret Permissions section, select Get and List and click OK.

J.png

11.

Click OK, and then click Save.



When the Azure Cloud Connector is onboarded and begins running, it will evaluate the two CIS rules related to key vaults.

Back to top

Onboarding the Azure Cloud Connector

  1. Log in to Cloud Security with your registered credentials.
  2. Select Configure icon > Connectors
  3. Click Add Connector.
  4. Under Connector Type > Cloud Connectors click Azure Cloud Connector and then click Continue for the following page to appear.
    image2019-4-5_15-2-14.png
  5. In the Name your connector field, specify a name for the connector.
    This name must be unique and must not have already been created.
    If the name entered is not already displayed on the Manage Connectors page, a green check mark and available label will appear next to the field.
  6. Specify the Azure Tenant ID for the tenant to be scanned.
    This is the ID specific to the tenant you obtained when you opened your Azure account.
  7. Specify the Azure Client ID for the account to be scanned.
    This is the Application ID used to generate an authentication key for this application.
  8. Specify the Azure Client Secret for the account to be scanned.
    This is the authentication key string.
  9. Select the method for triggering collection cycles from the Collection Mode menu:
    On Demand    : Enables on-demand scanning.
    Scheduled    : Specifies the hours or minutes for which Azure resources will be periodically collected and evaluated.
  10. Select the preferred resources from the Azure Environment menu:
    Global Azure (default option): Selects resources associated with Global Azure Cloud. 
    Azure Government: Selects resources associated with Azure Government Cloud. 
    Azure Enterprise: Selects resources associated with Azure Enterprise Cloud.

image2019-4-5_15-2-53.png

    1. Note

      The time to complete data collection depends upon the number of targets that you have in your environment. Leave the command window open and switch over to the UI.

  2. Click Continue.
  3. Select the compliance policy i.e. CIS Microsoft Azure Foundations Benchmark v1.1.0 that you want to use to evaluate your Azure account.
    To update a policy that you have selected, if an update is available, click Update in the information banner to the right of the selected policy and then click Update Policy on the confirmation message that appears..
    policy_version_updateinfobanner_msgonly.PNG

  4. Click Continue.
    The connector is available in Cloud Security and the policies can be evaluated on the schedule you have set. 

    image2019-4-5_15-6-0.png
    As soon as the connector begins sending data, it displays in the green 'Running' state. It then collects the data and begins publishing it back to Cloud Security.

    If you scanned for multiple subscriptions, those subscriptions will be displayed as tags. So, in the following example, the Azure Client ID is mapped to two subscriptions, which display on the Dashboard and Resources page in the Tags menu when that Azure Cloud Connector is selected.

    image2019-4-5_15-9-51.png

    You can select each subscription to display the resources for that specific subscription, and you can apply the necessary filters to customize the results as you want.

           Resource Types:

           Below are the resource types that are supported for Azure Cloud Connector:

networkSecurityGroups
Microsoft.Network

servers
Microsoft.Sql

sites
Microsoft.Web

locks
Microsoft.Authorization

storageAccounts
Microsoft.Storage

vaults
Microsoft.KeyVault

virtualMachines
Microsoft.Compute

Azure Subscription
Subscription

databases
Microsoft.Sql/servers

postgreSql Server
Microsoft.DBforPostgreSQL

servers
Microsoft.DBforMySQL

ManagedClusters
Microsoft.ContainerService

Creating custom roles in Azure

The following procedure details how to customize a role in Microsoft Azure that restricts permissions by creating more granular roles:

  • Reader role
  • "Microsoft.Network/networkWatchers/queryFlowLogStatus/action" role
  • "Microsoft.Storage/storageAccounts/listkeys/action" role

Many of the steps in the procedure reference the Microsoft Azure documentation and show the specific link to the pertinent information.

  1. Install the Azure CLI according to the Microsoft Azure documentation. Refer Install the Azure CLI 2.0.

  2. Log in to the Azure account according to the Microsoft Azure documentation. Refer to Log in with Azure CLI 2.0.

    The user that logs in to the Azure account must have the Owner built-in role that has full access to all the subscriptions of the Azure tenant.

List all subscriptions available by entering the following CLI command:

Note

Take note of the SubscriptionId of each subscription, because you will use this value later in the procedure.

az account list --output table

Create a .json file that will include the content to represent the custom role in Azure. The .json should contain the following content, with the required replacement strings noted in the following step:


  • For compliance alone, use the code below:


{

  "Name": "

BMC Helix Cloud Security

 Azure Cloud Connector Editor",

  "IsCustom": true,

  "Description": "Custom Role which can read all resources required by 

BMC Helix Cloud Security

 Azure Cloud Connector Editor",

  "Actions": [
    "*/read",
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
    "Microsoft.Storage/storageAccounts/listkeys/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/11111111-1111-1111-1111-111111111111",
    "/subscriptions/22222222-2222-2222-2222-222222222222",
    "/subscriptions/33333333-3333-3333-3333-333333333333"
  ]
}
  • For compliance and remediation with minimum permissions, use the following code instead:


{

  "Name": "

BMC Helix Cloud Security

 Azure Cloud Connector Editor",

  "IsCustom": true,

  "Description": "Custom Role which can read all resources required by 

BMC Helix Cloud Security

 Azure Cloud Connector Editor",

  "Actions": [
    "*/read",

"Microsoft.Network/networkWatchers/queryFlowLogStatus/action",


"Microsoft.Storage/storageAccounts/listkeys/action",       


"Microsoft.Security/policies/write",


"Microsoft.Network/networkSecurityGroups/securityRules/delete",

        

"Microsoft.Network/networkSecurityGroups/securityRules/write",
  

"Microsoft.Authorization/policyAssignments/write"

  ],

  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/11111111-1111-1111-1111-111111111111",
    "/subscriptions/22222222-2222-2222-2222-222222222222",
    "/subscriptions/33333333-3333-3333-3333-333333333333"
  ]
}
  1. Replace “11111111-1111-1111-1111-111111111111” with your first subscription ID, and then replace “22222222-2222-2222-2222-222222222222” with your second subscription ID.

  2. Repeat Step 6 until all your subscriptions are complete and save the file as BMC-Custom-Role.json.

    Note

    Take note of the location of BMC-Custom-Role.json, because you will use this path later in the procedure.

  3. Execute the command az role definition create --role-definition “<Path to BMC-Custom-Role.json >” to create the custom role in Azure.
    For example:

    az role definition create --role-definition "C:\temp\BMC-Custom-Role.json"
  4. Verify that the custom role was created for each of the subscriptions.
    1. Click Subscription and then click Access Control (IAM).
    2. Click Roles.

      image2018-3-27_8-51-46.png

    3. Verify that the custom role BMC Helix Cloud Security Azure Cloud Connector Editor is listed.

      1.png

    4. Repeat steps 8a. through 8c. for all subscriptions that you want to scan.
  5. (Required only if you have an existing app registration with a Contributor role associated with an Azure Cloud Connector). Remove access to the app registration with the Contributor role.
    1. From the Access Control (IAM) tab, filter by Type Apps and Name (the name of the application registration used with the Azure Cloud Connector that has the Contributor role associated with it).
    2. Select the Contributor app and click Remove.

      image2018-3-27_9-16-50.png

  6. Click Add.

    image2018-3-27_9-17-18.png

  7. In the Add permissions section, select the custom role created in the previous step from the Roles menu.

    2.png

  8. In the Select field, type the name of your app registration.
    3.png
  9. Click the name of the app registration to select it.

    4.png

    The app registration for the subscription containing the custom role is displayed in the Access Control (IAM) tab.

    5.png

  10. Repeat steps 8 through 13 for each of your subscriptions.
  11. Run the Azure Cloud Connector.
    The connector runs with the minimum required permissions.

Performing next steps

To manage connector configuration and settings, see Managing-connectors.

To assess the resources including why a rule failed, see Managing-resources.

Back to top

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*