Azure Account Connection Overview

Before Aqua CSPM can produce any security scan results, you must connect a cloud account. For Azure, this is done through an application (an app registration). An application is an identity that a third party can assume, restricted to only the resources in scope. The applications created here will be scoped to a subscription and have read-only access to Azure resources.

Default Setup

Step 1: Navigate to the Cloud Accounts page. Click Connect Account on the top right.

Step 2: Choose Microsoft Azure under Account Type and Default Setup under Method.

Step 3: Create a new application in the Azure portal

  1. Log into your Azure Portal and navigate to the Azure Active Directory service.
  2. Select App registrations and then select New registration.
  3. Enter Aqua or a descriptive name in the Name field and take note of it; it will be used again.
  4. Leave the Supported account types default: "Accounts in this organizational directory only (your directory name)".
  5. Click Register.
  6. Copy the Application ID of the newly created application and paste it into the Aqua connection wizard.
  7. Copy the Directory (tenant) ID of the application and paste it into the Aqua connection wizard.

Step 4: Create a client secret

  1. Enter the newly created application.
  2. Select the Certificates & secrets blade.
  3. Under Client secrets, select New client secret.
  4. Enter a description (e.g. Aqua-2020) and select Expires: 24 months (the longest duration).
  5. Click Add.
  6. The client secret value is shown only once; copy it and paste it into the Aqua connection wizard.

For Expires, you should choose the longest term available.

Step 5: Retrieve the Subscription ID and add a role assignment to the application

  1. Navigate to Subscriptions.
  2. Click on the relevant subscription, then copy its Subscription ID and paste it into the Aqua connection wizard.
  3. Select Access Control (IAM).
  4. Click on Add under Add Role Assignment on the right side.
  5. In the Role drop-down, select Security Reader.
  6. Leave Assign access to at its default value.
  7. In the Select drop-down, type the name of the app registration (e.g. "Aqua") you created and select it.
  8. Save the role assignment.
  9. Repeat the process for the role Log Analytics Reader.
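The portal clicks in Steps 3 to 5 have a scriptable equivalent in the Azure CLI. The script below is an added example, not Aqua's own tooling. It assumes a recent `az` that is already logged in with rights to create app registrations and role assignments in the target subscription, and it reads APP_NAME and SUBSCRIPTION_ID from the environment (both assumed variable names). It registers a single-tenant application, creates a client secret with the 24-month term the page recommends, and assigns only the two read-only roles named above, refusing any other role name so that a typo cannot hand the application broader access.

```shell
#!/usr/bin/env sh
# Added example (not Aqua's code): Azure CLI equivalent of Steps 3-5.
# Assumes `az login` has been done and the caller may create app
# registrations and role assignments. APP_NAME / SUBSCRIPTION_ID are assumed inputs.
set -eu

# Subscription-level scope for a role assignment; the page scopes both roles to one subscription.
subscription_scope() {
  printf '/subscriptions/%s' "$1"
}

# Application, tenant, subscription and object IDs are all GUIDs; check a
# copied value before pasting it into the wizard or passing it to az.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Only the two read-only roles the page names are permitted.
allowed_role() {
  case "$1" in
    "Security Reader"|"Log Analytics Reader") return 0 ;;
    *) return 1 ;;
  esac
}

# Step 3: single-tenant registration (the portal default); prints the Application ID.
create_app() {
  az ad app create --display-name "$1" --sign-in-audience AzureADMyOrg --query appId -o tsv
}

# Step 4: client secret valid for 2 years (24 months); prints the secret value exactly once.
# `credential reset` replaces existing credentials unless --append is given; fine for a new app.
create_secret() {
  az ad app credential reset --id "$1" --display-name "$2" --years 2 --query password -o tsv
}

# Step 5: assign one role to the app's service principal, scoped to one subscription.
assign_role() {
  role="$2"
  allowed_role "$role" || { echo "refusing role '$role': only read-only roles are allowed" >&2; return 1; }
  az role assignment create --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "$role" --scope "$(subscription_scope "$3")"
}

main() {
  app_name="${APP_NAME:-Aqua}"
  subscription_id="${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID to the target subscription GUID}"
  is_guid "$subscription_id" || { echo "SUBSCRIPTION_ID is not a GUID" >&2; exit 1; }

  app_id=$(create_app "$app_name")
  tenant_id=$(az account show --query tenantId -o tsv)
  # A service principal must exist in the tenant before a role can be assigned to the app.
  sp_object_id=$(az ad sp create --id "$app_id" --query id -o tsv)
  secret=$(create_secret "$app_id" "${app_name}-secret")
  assign_role "$sp_object_id" "Security Reader" "$subscription_id"
  assign_role "$sp_object_id" "Log Analytics Reader" "$subscription_id"

  # The four values the Aqua connection wizard asks for; the secret is not retrievable later.
  printf 'Application ID: %s\nDirectory (tenant) ID: %s\nSubscription ID: %s\nClient secret: %s\n' \
    "$app_id" "$tenant_id" "$subscription_id" "$secret"
}

# Only run the driver when a subscription was supplied; otherwise just define the functions.
if [ -n "${SUBSCRIPTION_ID:-}" ]; then main; fi
```

Run it as `SUBSCRIPTION_ID=<subscription GUID> APP_NAME=Aqua sh connect_azure.sh` (file name assumed). The printed values map one-to-one onto the wizard fields, and the secret is shown once only, exactly as in the portal.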

Bulk Upload

Step 1: Navigate to the Cloud Accounts page. Click Connect Account on the top right.

Step 2: Choose Azure under Account Type and Bulk Upload under Method.

Step 3: Download the CSV template file.

Step 4: Use the Manual Setup steps to create an application and connect it to all your subscriptions.

Step 5: For each subscription you connect, add the Subscription ID, Application ID and Key Value (the client secret value) to the CSV. Add a maximum of 50 Azure subscriptions.

Step 6: Drop the completed CSV file onto the Aqua connection wizard and select Connect Accounts.
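Before dropping the CSV onto the wizard, a quick local check catches the problems that otherwise only show up as a failed upload: malformed IDs, an empty key value, the same subscription listed twice, or more than 50 rows. The script below is an added example, not Aqua's template or tooling. The column names subscription_id, application_id and key_value are an assumption, so adjust them to the header of the template downloaded in Step 3; the sample rows it writes are constructed placeholders, not real IDs or secrets.

```shell
#!/usr/bin/env sh
# Added example (not Aqua's code): validate a bulk-upload CSV before uploading it.
# Column names are assumed; match them to the downloaded template's header.
set -eu

# GUID pattern built without {n} intervals so it works in every awk.
H='[0-9a-fA-F]'
H4="$H$H$H$H"
GUID_RE="^$H4$H4-$H4-$H4-$H4-$H4$H4$H4\$"
MAX_ROWS=50

# validate_csv FILE: prints one line per problem, returns 1 if any were found.
validate_csv() {
  awk -v guid_re="$GUID_RE" -v max_rows="$MAX_ROWS" -F',' '
    { sub(/\r$/, "") }                      # tolerate CRLF files exported from spreadsheets
    NR == 1 {
      if ($0 != "subscription_id,application_id,key_value") {
        print "line 1: unexpected header: " $0; bad++
      }
      next
    }
    /^[[:space:]]*$/ { next }               # ignore blank trailing lines
    {
      rows++
      if (NF != 3) { print "line " NR ": expected 3 columns, got " NF; bad++; next }
      if ($1 !~ guid_re) { print "line " NR ": subscription_id is not a GUID"; bad++ }
      if ($2 !~ guid_re) { print "line " NR ": application_id is not a GUID"; bad++ }
      if ($3 == "")      { print "line " NR ": key_value is empty"; bad++ }
      # One application may serve every subscription (Step 4), but each
      # subscription should appear only once.
      if (seen[$1]++)    { print "line " NR ": duplicate subscription_id " $1; bad++ }
    }
    END {
      if (rows > max_rows) { print "too many subscriptions: " rows " (max " max_rows ")"; bad++ }
      if (rows == 0)       { print "no subscription rows"; bad++ }
      exit bad > 0 ? 1 : 0
    }' "$1"
}

# count_problems FILE: number of problem lines reported by validate_csv.
count_problems() {
  validate_csv "$1" | wc -l | tr -d ' '
}

# Constructed sample: one good row, one duplicate subscription, one row with a
# bad subscription ID and an empty key value. The IDs and secrets are placeholders.
write_sample_csv() {
  cat > "$1" <<'EOF'
subscription_id,application_id,key_value
11111111-2222-3333-4444-555555555555,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,EXAMPLE_SECRET_1
11111111-2222-3333-4444-555555555555,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,EXAMPLE_SECRET_2
not-a-guid,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,
EOF
}

main() {
  if validate_csv "$1"; then
    echo "OK: $1 is ready to upload"
  else
    echo "FAILED: fix the problems above before uploading $1"
    return 1
  fi
}

# Validate the file given as the first argument; with no argument only the functions are defined.
if [ -n "${1:-}" ]; then main "$1"; fi
```

Run it as `sh check_bulk_csv.sh accounts.csv` (file names assumed). The check exits non-zero on any problem, so it can sit in front of the upload in a script or a CI job.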