Azure Account Connection Overview
Before Aqua CSPM can produce any security scan results, you must connect a cloud account. For Azure, this is done through an application. An application is an identity that a third party can sign in as, restricted to the resources in scope. The application created here is scoped to a single subscription and has read-only access to Azure resources.
Step 1: Navigate to the Cloud Accounts page. Click Connect Account on the top right.
Step 2: Choose Microsoft Azure under Account Type and Default Setup under Method.
Step 3: Create a new application in the Azure portal
- Log into your Azure Portal and navigate to the Azure Active Directory service.
- Select App registrations and then select New registration.
- Enter Aqua or a descriptive name in the Name field and take note of it; it will be used again.
- Leave the Supported account types default: "Accounts in this organizational directory only (your directory name)".
- Click Register.
- Copy the Application ID of the newly created application and paste it into the Aqua connection wizard.
- Copy the Directory (tenant) ID of the application and paste it into the Aqua connection wizard.
Step 4: Create a client secret
- Enter the newly created application.
- Select the Certificates & secrets blade.
- Under Client secrets, select New client secret.
- Enter a description (e.g. Aqua-2020) and select Expires: 24 months (the longest duration).
- Click Add.
- The client secret value is shown only once; copy it and paste it into the Aqua connection wizard.
For Expires, you should choose the longest term available.
Step 5: Retrieve the Subscription ID and add a role assignment to the application
- Navigate to Subscriptions.
- Click the relevant subscription, then copy its Subscription ID and paste it into the Aqua connection wizard.
- Select Access Control (IAM).
- Click Add under Add role assignment on the right-hand side.
- In the Role drop-down, select Security Reader.
- Leave Assign access to at its default value.
- In the Select drop-down, type the name of the app registration (e.g. "Aqua") you created and select it.
- Save the role assignment.
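The same Steps 3 to 5 can be scripted with the Azure CLI. The script below is an added example, not Aqua's own tooling; it assumes an authenticated `az` session with rights to register applications and assign roles, and it only prints the commands so they can be reviewed before anything is created. The GUID check and the subscription-scoped, read-only role assignment are the two points worth verifying before pasting values into the wizard.

```shell
#!/bin/sh
# Added example, not Aqua's tooling: Steps 3-5 as Azure CLI (`az`) calls.
# Assumes an `az login` session with rights to register apps and assign roles.
# connect_script only prints the commands, so they can be reviewed before use.

# A pasted tenant or subscription ID must be a GUID (8-4-4-4-12 hex digits);
# a mistyped ID is the usual reason the wizard cannot connect.
is_guid() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Step 5 as a command: the read-only Security Reader role, scoped to exactly
# one subscription rather than a management group or the whole tenant.
role_assignment_cmd() {
  app_id="$1"; sub_id="$2"
  is_guid "$sub_id" || { echo "invalid subscription id: $sub_id" >&2; return 1; }
  printf 'az role assignment create --assignee "%s" --role "Security Reader" --scope "/subscriptions/%s"\n' \
    "$app_id" "$sub_id"
}

# Emit the full sequence. APP_ID, TENANT_ID and CLIENT_SECRET are three of the
# four values the wizard asks for; SUB_ID is the fourth.
connect_script() {
  app_name="$1"; sub_id="$2"
  is_guid "$sub_id" || return 1
  cat <<EOF
set -eu
SUB_ID="$sub_id"
# Step 3: app registration (single-tenant by default) and its service principal
APP_ID=\$(az ad app create --display-name "$app_name" --query appId -o tsv)
TENANT_ID=\$(az account show --query tenantId -o tsv)
az ad sp create --id "\$APP_ID" >/dev/null
# Step 4: client secret valid for 2 years; the value is returned only once
CLIENT_SECRET=\$(az ad app credential reset --id "\$APP_ID" --years 2 --query password -o tsv)
# Step 5: read-only role on this subscription only
$(role_assignment_cmd '$APP_ID' "$sub_id")
echo "Application ID: \$APP_ID"; echo "Directory (tenant) ID: \$TENANT_ID"
EOF
}

# Usage: sh connect.sh <app-name> <subscription-id>
if [ "$#" -eq 2 ]; then connect_script "$1" "$2"; fi
```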