on 06-25-2024 10:00 AM - edited 2 weeks ago
Before scanning your cloud provider, you’ll first need to set up your infrastructure to allow Cloud Discovery to access your environment. Depending on your cloud provider, these steps may differ, but setting up authentication to your cloud environment is crucial.
On this page, we'll go over the steps needed to set up your Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) environments.
Integrating Azure with Auth0 for Workload Identity Federation involves several steps, ensuring a secure and seamless authentication process without traditional credentials. This setup allows our scanning application to authenticate with Azure services using tokens from Auth0, leveraging federated identities.
You’ll first need to register a new application in the Azure portal. You can find detailed instructions in Quickstart: Register an app in the Microsoft identity platform.
After registering the app, copy the Application (client) ID and the Directory (tenant) ID and save them for later.
Next, you’ll need to grant the correct permissions to the newly created app registration. You can find detailed instructions on adding permissions in Quickstart: Configure an app to access a web API.
From the list of permissions, add the permissions below for the data you want to retrieve, and grant admin consent for each permission you add.
| Data | Permission Type | Permission name |
|---|---|---|
| M365 Organization and Users | Application | Organization.Read.All, Directory.Read.All |
| Intune | Application | DeviceManagementManagedDevices.Read.All |
Federated credentials are what enable workload identity federation for software workloads. You can find detailed information about Federated credentials in Create a trust relationship between an app and an external identity provider.
To configure Federated credentials for Lansweeper Discovery, use the following values:

- Issuer: `https://dev-734bjlip.eu.auth0.com/`
- Subject identifier: `D9vGk9gXUNtrwWdifIe0BWC865gu8oHd@clients`
- Audience: `https://cloud-scanning-api` (no trailing space or "/" character)

To allow your app registration to read resources under a specific subscription, you must assign the necessary role to your new application. Repeat this process for every subscription you wish to scan. You can find detailed instructions on assigning roles in Assign Azure roles using the Azure portal.
The Reader role should be an appropriate role for Lansweeper Discovery.
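As an added example (not Lansweeper's own code or tooling), the following Python script builds the federated credential described above as a Microsoft Graph `federatedIdentityCredential` body, the format accepted by `az ad app federated-credential create --id <app-object-id> --parameters <file>`, and rejects an audience that carries the trailing space or "/" the article warns about. The issuer, subject and audience are the article's values; the credential name and description are assumed labels.

```python
import json

# Values taken from the article: Lansweeper's Auth0 issuer, the subject
# identifier of its client, and the token audience.
ISSUER = "https://dev-734bjlip.eu.auth0.com/"
SUBJECT = "D9vGk9gXUNtrwWdifIe0BWC865gu8oHd@clients"
AUDIENCE = "https://cloud-scanning-api"


def check_audience(value: str) -> str:
    """Reject the two mistakes the article calls out (a trailing space or a
    trailing '/'): the configured audience is compared with the token's aud
    claim as an exact string, so a mismatch makes every scan fail."""
    if value != value.strip():
        raise ValueError("audience must not have leading or trailing whitespace")
    if value.endswith("/"):
        raise ValueError("audience must not end with '/'")
    if not value.startswith("https://"):
        raise ValueError("audience must be an https:// URI")
    return value


def federated_credential(name: str, issuer: str, subject: str, audience: str) -> dict:
    """Build a Microsoft Graph federatedIdentityCredential body. The name and
    description are assumed labels; the other fields are the article's values."""
    if not issuer.startswith("https://"):
        raise ValueError("issuer must be an https:// URL")
    return {
        "name": name,
        "issuer": issuer,
        "subject": subject,
        "audiences": [check_audience(audience)],
        "description": "Lansweeper Cloud Discovery (Auth0 workload identity federation)",
    }


def write_parameters_file(path: str, credential: dict) -> None:
    """Write the body as the JSON file that `--parameters` expects."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(credential, fh, indent=2)


if __name__ == "__main__":
    cred = federated_credential("lansweeper-cloud-discovery", ISSUER, SUBJECT, AUDIENCE)
    write_parameters_file("federated-credential.json", cred)
    print(json.dumps(cred, indent=2))
```

Run the script, then pass the generated file to the `az ad app federated-credential create` command against the app registration's object ID; a bad audience is caught before the credential is ever created.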
The final step in setting up Azure for Lansweeper Discovery is creating an Azure key vault. You can find detailed instructions on creating a key vault in Quickstart - Create an Azure Key Vault with the Azure portal.
After creating a default key vault, you need to configure the permissions:
After configuring the Azure key vault, copy the Vault URI and save it for later.
You can now create a Cloud Discovery action to schedule your cloud asset scanning.
Integrating AWS with Auth0 for Workload Identity Federation involves several steps, ensuring a secure and seamless authentication process without traditional credentials. This setup allows our scanning application to authenticate with AWS services using tokens from Auth0, leveraging federated identities.
You’ll first need to create an OpenID Connect (OIDC) provider. You can find detailed instructions in Create an OpenID Connect (OIDC) identity provider in IAM.
To configure the OIDC provider for Lansweeper Discovery, use the following values:

- Provider URL: `https://dev-734bjlip.eu.auth0.com/`
- Audience: `D9vGk9gXUNtrwWdifIe0BWC865gu8oHd`

Next, you’ll need to create and configure a custom policy. You can find detailed instructions on IAM policies in Creating IAM policies.
The policy below grants the read-only actions the scanner needs, and its `Condition` limits the grant to sessions tagged with your Lansweeper site ID. Replace `<YOUR SITE ID>` with your own site ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "sts:GetCallerIdentity",
        "iam:GetRole",
        "organizations:DescribeOrganization"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/siteId": ["<YOUR SITE ID>"]
        }
      }
    }
  ]
}
```

To allow scanning from more than one Lansweeper site, list every site ID in the same condition:

```json
"StringEquals": {
  "aws:PrincipalTag/siteId": ["site id #1", "site id #2"]
}
```
For a full list of actions performed by our scanning application, see the following list:

```json
[
"resource-groups:Get*",
"resource-groups:List*",
"resource-groups:Search*",
"ssm:Describe*",
"ssm:Get*",
"ssm:List*",
"codepipeline:Get*",
"codepipeline:List*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"appfabric:Get*",
"appfabric:List*",
"dms:Describe*",
"dms:List*",
"ds:Describe*",
"ds:Get*",
"ds:List*",
"route53-recovery-readiness:Get*",
"route53-recovery-readiness:List*",
"iam:Get*",
"iam:List*",
"autoscaling:Describe*",
"autoscaling:Get*",
"securityhub:Describe*",
"securityhub:Get*",
"securityhub:List*",
"network-firewall:Describe*",
"network-firewall:List*",
"sqs:Get*",
"sqs:List*",
"launchwizard:Describe*",
"launchwizard:Get*",
"launchwizard:List*",
"compute-optimizer:Describe*",
"compute-optimizer:Get*",
"dlm:Get*",
"savingsplans:Describe*",
"savingsplans:List*",
"sagemaker-groundtruth-synthetic:Get*",
"sagemaker-groundtruth-synthetic:List*",
"emr-serverless:Get*",
"emr-serverless:List*",
"route53domains:Get*",
"route53domains:List*",
"ses:Describe*",
"ses:Get*",
"ses:List*",
"codeartifact:Describe*",
"codeartifact:Get*",
"codeartifact:List*",
"networkmanager:Describe*",
"networkmanager:Get*",
"networkmanager:List*",
"athena:Get*",
"athena:List*",
"iot:Describe*",
"iot:Get*",
"iot:List*",
"appsync:Get*",
"appsync:List*",
"ce:Describe*",
"ce:Get*",
"ce:List*",
"cloudtrail:Describe*",
"cloudtrail:Get*",
"cloudtrail:List*",
"kinesis:Describe*",
"kinesis:Get*",
"kinesis:List*",
"iotwireless:Get*",
"iotwireless:List*",
"sdb:Get*",
"sdb:List*",
"application-autoscaling:Describe*",
"application-autoscaling:List*",
"glacier:Describe*",
"glacier:Get*",
"glacier:List*",
"lambda:Get*",
"lambda:List*",
"s3:Describe*",
"s3:Get*",
"s3:List*",
"trustedadvisor:Describe*",
"apprunner:Describe*",
"apprunner:List*",
"iotevents:Describe*",
"iotevents:List*",
"sagemaker:Describe*",
"sagemaker:Get*",
"sagemaker:List*",
"sagemaker:Search*",
"clouddirectory:Get*",
"clouddirectory:List*",
"iotroborunner:Get*",
"iotroborunner:List*",
"account:Get*",
"account:List*",
"rds:Describe*",
"rds:List*",
"serverlessrepo:Get*",
"serverlessrepo:List*",
"serverlessrepo:Search*",
"lakeformation:Describe*",
"lakeformation:Get*",
"lakeformation:List*",
"lakeformation:Search*",
"appstream:Describe*",
"appstream:List*",
"glue:Get*",
"glue:List*",
"glue:Search*",
"elastic-inference:Describe*",
"elastic-inference:List*",
"logs:Describe*",
"logs:Get*",
"logs:List*",
"iotanalytics:Describe*",
"iotanalytics:Get*",
"iotanalytics:List*",
"ecr:Describe*",
"ecr:Get*",
"ecr:List*",
"kafka:Describe*",
"kafka:Get*",
"kafka:List*",
"scheduler:Get*",
"scheduler:List*",
"codedeploy:Get*",
"codedeploy:List*",
"servicediscovery:Get*",
"servicediscovery:List*",
"kms:Describe*",
"kms:Get*",
"kms:List*",
"ecr-public:Describe*",
"ecr-public:Get*",
"ecr-public:List*",
"workspaces-web:Get*",
"workspaces-web:List*",
"elasticfilesystem:Describe*",
"elasticfilesystem:List*",
"route53-recovery-control-config:Describe*",
"route53-recovery-control-config:Get*",
"route53-recovery-control-config:List*",
"batch:Describe*",
"batch:List*",
"events:Describe*",
"events:List*",
"waf-regional:Get*",
"waf-regional:List*",
"workspaces:Describe*",
"redshift:Describe*",
"redshift:Get*",
"organizations:Describe*",
"organizations:List*",
"emr-containers:Describe*",
"emr-containers:List*",
"kafkaconnect:Describe*",
"kafkaconnect:List*",
"datapipeline:Describe*",
"datapipeline:Get*",
"datapipeline:List*",
"dynamodb:Describe*",
"dynamodb:Get*",
"dynamodb:List*",
"sts:Get*",
"lightsail:Get*",
"s3-object-lambda:Get*",
"s3-object-lambda:List*",
"cloudfront-keyvaluestore:Describe*",
"cloudfront-keyvaluestore:Get*",
"cloudfront-keyvaluestore:List*",
"firehose:Describe*",
"firehose:List*",
"codebuild:Describe*",
"codebuild:List*",
"notifications:Get*",
"notifications:List*",
"cloudfront:Describe*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudformation:Describe*",
"cloudformation:Get*",
"cloudformation:List*",
"autoscaling-plans:Describe*",
"autoscaling-plans:Get*",
"backup:Describe*",
"backup:Get*",
"backup:List*",
"kinesisvideo:Describe*",
"kinesisvideo:Get*",
"kinesisvideo:List*",
"eks:Describe*",
"eks:List*",
"pipes:Describe*",
"pipes:List*",
"ec2messages:Get*",
"mq:Describe*",
"mq:List*",
"identitystore-auth:List*",
"tag:Describe*",
"tag:Get*",
"config:Describe*",
"config:Get*",
"config:List*",
"es:Describe*",
"es:Get*",
"lookoutvision:List*",
"sns:Get*",
"sns:List*",
"cloudsearch:Describe*",
"cloudsearch:List*",
"secretsmanager:Describe*",
"secretsmanager:Get*",
"secretsmanager:List*",
"notifications-contacts:Get*",
"notifications-contacts:List*",
"elasticloadbalancing:Describe*",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"elasticmapreduce:Describe*",
"elasticmapreduce:Get*",
"elasticmapreduce:List*",
"waf:Get*",
"waf:List*",
"elasticache:Describe*",
"elasticache:List*",
"route53-recovery-cluster:Get*",
"route53-recovery-cluster:List*",
"swf:Describe*",
"swf:Get*",
"swf:List*",
"ec2:Describe*",
"ec2:Get*",
"ec2:List*",
"ec2:Search*",
"transfer:Describe*",
"transfer:List*",
"iot1click:Describe*",
"iot1click:Get*",
"iot1click:List*",
"wafv2:Describe*",
"wafv2:Get*",
"wafv2:List*",
"ecs:Describe*",
"ecs:List*",
"kinesisanalytics:Describe*",
"kinesisanalytics:Get*",
"kinesisanalytics:List*",
"route53:Get*",
"route53:List*",
"route53resolver:Get*",
"route53resolver:List*"
]
```
The final step in setting up AWS for Lansweeper Discovery is creating a role and trust entity. You can find detailed instructions in Creating a role using custom trust policies (console).
To configure the role for Lansweeper Discovery, the role trusts the following issuer and audience:

- `https://dev-734bjlip.eu.auth0.com/`
- `D9vGk9gXUNtrwWdifIe0BWC865gu8oHd`

Use the following custom trust policy, replacing `<OIDC Provider ARN>` with the ARN of the OIDC provider you created above. The `aud` condition ensures only tokens issued to the Lansweeper client can assume the role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "<OIDC Provider ARN>"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "dev-734bjlip.eu.auth0.com/:aud": "D9vGk9gXUNtrwWdifIe0BWC865gu8oHd"
        }
      }
    }
  ]
}
```
After creating the role, copy the Role ARN and save it for later.
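As an added example that is not part of the article or Lansweeper's tooling, the Python script below assembles the two AWS policy documents from this section (the trust policy with its `aud` condition and the permission policy with its `aws:PrincipalTag/siteId` condition, including the multi-site form) and adds two checks a reviewer would want before pasting them into IAM: it reports a trailing comma in the action array, which the IAM policy editor rejects, and it flags any action that is not a read-only `Get*`, `List*`, `Describe*` or `Search*` call, so the role stays inventory-only. The Auth0 domain and client ID are the article's values; the OIDC provider ARN, the site IDs and the short action excerpt are constructed placeholders.

```python
import json
import re

# Values from the article; the provider ARN and site IDs are placeholders.
AUTH0_DOMAIN = "dev-734bjlip.eu.auth0.com"
CLIENT_ID = "D9vGk9gXUNtrwWdifIe0BWC865gu8oHd"
OIDC_PROVIDER_ARN = f"arn:aws:iam::<ACCOUNT_ID>:oidc-provider/{AUTH0_DOMAIN}"

# The scanner only inventories resources, so every action should be a
# read-style API: Get*, List*, Describe* or Search*.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Search")


def build_trust_policy(provider_arn: str, domain: str, client_id: str) -> dict:
    """Trust policy from the article: the federated provider may assume the
    role (and tag the session) only when the token's aud equals the client ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
            "Condition": {"StringEquals": {f"{domain}/:aud": client_id}},
        }],
    }


def build_permission_policy(actions, site_ids) -> dict:
    """Permission policy from the article, restricted to sessions whose
    siteId principal tag is one of the given Lansweeper site IDs."""
    site_ids = list(site_ids)
    if not site_ids:
        raise ValueError("at least one site ID is required")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:PrincipalTag/siteId": site_ids}},
        }],
    }


def load_action_list(text: str) -> list:
    """Parse a JSON action array and name the most common paste error, a
    trailing comma before ']', which the IAM policy editor rejects."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        if re.search(r",\s*\]", text):
            raise ValueError("action list has a trailing comma before ']'") from exc
        raise


def non_read_only_actions(actions) -> list:
    """Return actions whose API name does not start with a read-only verb.
    An empty result means the policy grants inventory access only."""
    flagged = []
    for action in actions:
        service, sep, api = action.partition(":")
        if not sep or not service or not api.startswith(READ_ONLY_PREFIXES):
            flagged.append(action)
    return flagged


# Constructed sample: a short excerpt of the article's action list.
SAMPLE_ACTIONS = """[
  "organizations:ListAccounts",
  "sts:GetCallerIdentity",
  "ec2:Describe*",
  "sagemaker:Search*"
]"""

if __name__ == "__main__":
    actions = load_action_list(SAMPLE_ACTIONS)
    print("non read-only actions:", non_read_only_actions(actions))
    print(json.dumps(build_permission_policy(actions, ["<YOUR SITE ID>"]), indent=2))
    print(json.dumps(build_trust_policy(OIDC_PROVIDER_ARN, AUTH0_DOMAIN, CLIENT_ID), indent=2))
```

To check the article's full action list, paste it into `SAMPLE_ACTIONS` (or read it from a file) and confirm `non_read_only_actions` returns an empty list; any entry it flags is a grant beyond what an inventory scan needs.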
Integrating GCP with Auth0 for Workload Identity Federation involves several steps, ensuring a secure and seamless authentication process without traditional credentials. This setup allows our scanning application to authenticate with GCP services using tokens from Auth0, leveraging federated identities.
You’ll first need to create a Workload Identity Pool. You can find detailed instructions on creating Workload Identity Pools in Manage workload identity pools and providers.
To configure the Workload Identity Pool for Lansweeper Discovery, use the following values:

- Issuer (URL): `https://dev-734bjlip.eu.auth0.com/`
- Allowed audiences: `https://cloud-scanning-api`
- Attribute condition: `attribute.site_id == '<your-site-id>'`
After creating the Workload Identity Pool, copy the pool ID and save it for later.
Next, you’ll need to create a service account that grants permissions to the application. You can find detailed instructions in Create service accounts.
The Viewer role should be an appropriate role for Lansweeper Discovery. After creating the service account, copy the account email address and save it for later.
Your service account needs access to your organization and folders. You can find detailed instructions on granting the appropriate roles in Manage access to projects, folders, and organizations.
The service account will need the Folder Viewer and Organization Viewer roles.
The Workload Identity Pool needs to be configured to allow impersonation of the service account by the federated identity. You can find detailed instructions in Manage workload identity pools and providers.
In the Attribute name field, select subject and enter `D9vGk9gXUNtrwWdifIe0BWC865gu8oHd@clients`.
If you want to scan multiple GCP projects, you will have to grant the Viewer role to the service account you created for every project you want to scan. You can find detailed instructions on granting the appropriate roles in Manage access to projects, folders, and organizations.
Now that you've set up Cloud Discovery, learn how to Configure Cloud Discovery.