Preparation for Scanning Azure
StorageGuard collects configuration data from an Azure environment by using the Azure Java SDK running read-only Management API calls.
The following table lists the requirements for scanning Azure:
| # | Description |
| --- | --- |
| 1 | Provide the target Subscription ID. |
| 2 | Provide Service Principal credentials, including Client ID, Tenant ID, and Client Secret. |
| 3 | Ensure IP connectivity is available between the StorageGuard server and Azure. |
Creating a User Account for Scanning Azure
The following suggested method can be used to create a service principal (app registration) with the appropriate read-only privileges:
Provide the Target Subscription ID:
- Identify and provide the subscription ID of the Azure subscription you want to scan.
- StorageGuard collects data from every subscription that the app registration has permission to access.
Provide Service Principal Credentials:
- To create a Service Principal, first log in to the Azure Portal.
- Navigate to "Azure Active Directory" in the left-hand menu.
- Under "Manage," select "App registrations," then click "New registration."
- Enter a name for the application (e.g., "StorageGuardReader").
- Choose an appropriate supported account type.
- Click "Register."
Create a Client Secret:
- After registering the application, go to "Certificates & secrets."
- Click "New client secret."
- Add a description and set an expiration period.
- Click "Add" and copy the value of the client secret. You'll need this later.
Assign Reader Role to the Service Principal:
- Navigate to your subscription or resource group.
- Click "Access control (IAM)."
- Click "Add," then "Add role assignment."
- Select the "Reader" role.
- In "Assign access to," choose "Azure AD user, group, or service principal."
- Search for your registered application and select it.
- Click "Save."
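The same three steps (app registration, client secret, Reader assignment at subscription scope) can be done from the Azure CLI instead of the portal. The script below is an added example, not part of the StorageGuard documentation; it assumes the az CLI is installed and logged in, that SUBSCRIPTION_ID holds the target subscription ID, and it reuses the "StorageGuardReader" name from the steps above. It also checks afterwards that the principal holds nothing beyond Reader.

```shell
#!/bin/sh
# Added example (not StorageGuard documentation): create the read-only scan
# principal with the Azure CLI and verify it holds only the Reader role.
# Assumptions: az CLI installed and logged in; SUBSCRIPTION_ID set by the caller.
set -eu

APP_NAME="${APP_NAME:-StorageGuardReader}"

# Accept only a GUID-shaped subscription ID so a typo cannot scope the
# role assignment somewhere unexpected.
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Scope string for a subscription-wide role assignment.
subscription_scope() {
    printf '/subscriptions/%s' "$1"
}

# Read role names (one per line) from stdin; succeed only if every one is Reader.
verify_reader_only() {
    status=0
    while IFS= read -r role; do
        [ -z "$role" ] && continue
        if [ "$role" != "Reader" ]; then
            echo "unexpected role on scan principal: $role" >&2
            status=1
        fi
    done
    return $status
}

create_storageguard_reader() {
    sub="$1"
    is_guid "$sub" || { echo "invalid subscription ID: $sub" >&2; return 1; }
    # One call registers the app, creates a 1-year client secret and assigns
    # Reader at subscription scope; the JSON output holds appId, password, tenant.
    az ad sp create-for-rbac --name "$APP_NAME" --role Reader \
        --scopes "$(subscription_scope "$sub")" --years 1 --output json
}

check_storageguard_reader() {
    app_id=$(az ad sp list --display-name "$APP_NAME" --query '[0].appId' -o tsv)
    az role assignment list --assignee "$app_id" --all \
        --query '[].roleDefinitionName' -o tsv | verify_reader_only
}

# Run only when az is available, so the helpers can also be sourced on their own.
if [ -n "${SUBSCRIPTION_ID:-}" ] && command -v az >/dev/null 2>&1; then
    create_storageguard_reader "$SUBSCRIPTION_ID"
    check_storageguard_reader
fi
```

Copy the appId (Client ID), password (Client Secret) and tenant from the JSON output into StorageGuard; the secret is shown only once.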