Azure Node

10/01/2023 Cliff Hobbs   ID: 900580

Guardian scans cloud services on your behalf by first authenticating to an exposed API. The credentials required to successfully authenticate to a cloud service fall into either key pair or password-based authentication categories. Where possible, Guardian will only request what API access it actually needs.

Prerequisites

Preparing a Microsoft Azure Account

  1. Log into the Microsoft Azure Portal.
  2. Navigate to Settings, select the appropriate Azure subscription if more than one is available, and note the ID associated with that selection. This will be used as the Subscription ID required to scan a node.
  3. Under the main menu, select Azure Active Directory and note the Tenant ID from the Basic Information section at the top of the page.
  4. Select App Registration from the main menu and click + New Registration to add a new client. Follow the on-screen prompts and select Register once completed. This generates a new Client ID (also known as the Application ID). Make a note of this ID.
  5. From the App Registration page, click the newly registered application, select Certificates & Secrets from the menu pane, and click + New Client Secret. Following the on-screen prompts generates a Client Secret. Make a note of it, as it is required in the following steps.
  6. Once a subscription ID, tenant ID, client ID and client secret have been generated, the Azure account within the subscription is ready to be scanned.

Supported Azure Services

App Services

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends.

Key Vault

Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets.

MySQL Server

Azure Database for MySQL is a fully managed database service, which means that Microsoft automates the management and maintenance of your infrastructure and database server, including routine updates, backups, and security.

PostgreSQL Server

Azure Database for PostgreSQL is a fully managed database as a service with built-in capabilities, such as high availability and intelligence.

Security Group

A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

SQL Servers

Azure Database for Microsoft SQL is a fully managed database as a service with built-in capabilities, such as high availability and intelligence.

Storage Account

An Azure storage account contains all of your Azure Storage data objects, including blobs, file shares, queues, tables, and disks.

Virtual Machine

Azure Virtual Machines are image service instances that provide on-demand and scalable computing resources with usage-based pricing.

Required Service Permissions

The following read-only permissions are required for scanning each of the supported services.

SERVICE             PERMISSIONS
App Services        Website Reader
Key Vault           Key Vault Reader
MySQL Server        db_datareader
PostgreSQL Server   db_datareader
Security Group      Key Vault Reader, CDN Profile Reader, CDN Endpoint Reader
SQL Servers         db_datareader
Storage Account     Disk Backup Reader, Backup Reader, Storage Blob Data Reader
Virtual Machine     Disk Backup Reader, Backup Reader, Storage Blob Data Reader, Domain Services Reader, Key Vault Reader, CDN Profile Reader, CDN Endpoint Reader
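The table above is the least-privilege baseline for the scanning identity. The following script is an added example, not Guardian's own code: it takes the role assignments granted to the scanner's app registration (in the JSON shape that `az role assignment list` prints; the field names and the sample records below are assumptions constructed for the example, and the GUIDs are placeholders) and reports, for the services you intend to scan, which required read-only role is missing and which assigned roles go beyond what the scanner needs, including broad built-in roles such as Contributor.

```python
"""Least-privilege check for a read-only Azure scanning identity (added example)."""
import json

# Read-only roles required per service, as listed on this page.
REQUIRED_ROLES = {
    "App Services": {"Website Reader"},
    "Key Vault": {"Key Vault Reader"},
    "MySQL Server": {"db_datareader"},
    "PostgreSQL Server": {"db_datareader"},
    "Security Group": {"Key Vault Reader", "CDN Profile Reader", "CDN Endpoint Reader"},
    "SQL Servers": {"db_datareader"},
    "Storage Account": {"Disk Backup Reader", "Backup Reader", "Storage Blob Data Reader"},
    "Virtual Machine": {"Disk Backup Reader", "Backup Reader", "Storage Blob Data Reader",
                        "Domain Services Reader", "Key Vault Reader", "CDN Profile Reader",
                        "CDN Endpoint Reader"},
}

# Broad Azure built-in roles a read-only scanner should never hold
# (assumption: standard built-in role names).
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample output, in the shape assumed for `az role assignment list
# --assignee <client-id>`; subscription GUID is a placeholder.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "guardian-scanner", "roleDefinitionName": "Key Vault Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
    {"principalName": "guardian-scanner", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
    {"principalName": "guardian-scanner", "roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])


def roles_for_principal(assignments_json, principal):
    """Collect the role names assigned to `principal` at any scope."""
    return {a["roleDefinitionName"] for a in json.loads(assignments_json)
            if a.get("principalName") == principal}


def check_scanner_roles(assigned, services):
    """Compare the assigned role set with what the requested services need.

    Returns a dict with:
      missing    - service -> sorted required roles that are not assigned
      excess     - sorted assigned roles that none of the requested services need
      privileged - sorted assigned roles from PRIVILEGED_ROLES (remove these)
    """
    needed = set().union(*(REQUIRED_ROLES[s] for s in services))
    missing = {s: sorted(REQUIRED_ROLES[s] - assigned)
               for s in services if REQUIRED_ROLES[s] - assigned}
    return {
        "missing": missing,
        "excess": sorted(assigned - needed),
        "privileged": sorted(assigned & PRIVILEGED_ROLES),
    }


if __name__ == "__main__":
    # Scanning Key Vault and Storage Account with the sample identity: the report
    # shows the two backup reader roles missing and Contributor as an excess,
    # privileged grant that should be removed before the node is registered.
    assigned = roles_for_principal(SAMPLE_ASSIGNMENTS, "guardian-scanner")
    print(json.dumps(check_scanner_roles(assigned, ["Key Vault", "Storage Account"]), indent=2))
```

Note that db_datareader is a fixed database role granted inside a SQL Server, MySQL or PostgreSQL database rather than an Azure RBAC assignment, so it will not appear in role-assignment output; for the database services the check will report it as missing unless you add the database-side grants to the assigned set yourself.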

Adding Azure Nodes

  1. Log into Guardian and click Add Node.
  2. From the node select screen, locate Azure, select the Azure node type you want to add, and then select Go Agentless. Complete the following fields:

FIELD                     DESCRIPTION
Connection Manager Group  The connection manager required to perform the scan
Resource Group Name       The name of the resource group to which this service belongs
Subscription ID           The ID associated with the Azure subscription in which the service to be scanned is hosted
Tenant ID                 The Azure Active Directory Tenant ID
Client ID                 The Client/Application ID created within the current subscription and tenant for scanning
Client Secret             The secret token associated with the Client ID, generated above
Entity Name               The unique name of the service instance to be scanned: the database server name, storage account name, virtual machine name, app service name or key vault name

  3. Click Scan Node to complete node registration and scan the node for the first time.