diff --git a/docs/cloud-native-security/cspm-get-started-aws.asciidoc b/docs/cloud-native-security/cspm-get-started-aws.asciidoc index becabfae8f..fc281ffdec 100644 --- a/docs/cloud-native-security/cspm-get-started-aws.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-aws.asciidoc @@ -11,6 +11,11 @@ This page explains how to get started monitoring the security posture of your cl [sidebar] -- * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. +<<<<<<< HEAD +======= +* CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. +* CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]). +>>>>>>> 5df1b3a2 (Adds kibana namespace requirement to CNVM and CSPM (#5154)) * To view posture data, you need `read` privileges for the following {es} indices: ** `logs-cloud_security_posture.findings_latest-*` ** `logs-cloud_security_posture.scores-*` @@ -202,7 +207,7 @@ image::images/cspm-aws-auth-3.png[The EC2 page in AWS, showing the Modify IAM ro .. Click *Update IAM role*. .. Return to {kib} and <>. -IMPORTANT: Make sure to deploy the CSPM integration to this EC2 instance. When completing setup in Kibana, in the *Setup Access* section, select *Assume role* and leave *Role ARN* empty. Click *Save and continue*. +IMPORTANT: Make sure to deploy the CSPM integration to this EC2 instance. When completing setup in {kib}, in the *Setup Access* section, select *Assume role* and leave *Role ARN* empty. Click *Save and continue*. [discrete] [[cspm-use-keys-directly]] diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc new file mode 100644 index 0000000000..732e2ae8cd --- /dev/null +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc @@ -0,0 +1,171 @@ +[[cspm-get-started-azure]] += Get started with CSPM for Azure + +[discrete] +[[cspm-overview-azure]] +== Overview + +This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. + +.Requirements +[sidebar] +-- +* The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. +* CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. +* CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]). +* To view posture data, you need `read` privileges for the following {es} indices: +** `logs-cloud_security_posture.findings_latest-*` +** `logs-cloud_security_posture.scores-*` +** `logs-cloud_security_posture.findings` +* The user who gives the CSPM integration permissions in Azure must be an Azure subscription `admin`. +-- + +[discrete] +[[cspm-setup-azure]] +== Set up CSPM for Azure + +You can set up CSPM for Azure by by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access. + + +[discrete] +[[cspm-add-and-name-integration-azure]] +=== Add your CSPM integration +. From the Elastic Security *Get started* page, click *Add integrations*. +. Search for `CSPM`, then click on the result. +. Click *Add Cloud Security Posture Management (CSPM)*. +. Under **Configure integration**, select **Azure**, then select either **Azure Organization** or **Single Subscription**, depending on which resources you want to monitor. +. Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example, `azure-CSPM-dev-1`. + +[discrete] +[[cspm-set-up-cloud-access-section-azure]] +=== Set up cloud account access + +NOTE: To set up CSPM for an Azure organization or subscription, you will need admin privileges for that organization or subscription. + +For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below. + +[discrete] +[[cspm-set-up-ARM]] +== ARM template setup (recommended) + +NOTE: If you are deploying to an Azure organization, you need the following permissions: `Microsoft.Resources/deployments/*`, `Microsoft.Authorization/roleAssignments/write`. You also need to https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin[elevate access to manage all Azure subscriptions and management groups]. + +. Under *Setup Access*, select *ARM Template*. +. Under **Where to add this integration**: +.. Select **New Hosts**. +.. Name the {agent} policy. Use a name that matches the resources you want to monitor. For example, `azure-dev-policy`. Click **Save and continue**. The *ARM Template deployment* window appears. +.. In a new tab, log in to the Azure portal, then return to {kib} and click **Launch ARM Template**. This will open the ARM template in Azure. +.. If you are deploying to an Azure organization, select the management group you want to monitor from the drop-down menu. Next, enter the subscription ID of the subscription where you want to deploy the VM that will scan your resources. +.. Copy the `Fleet URL` and `Enrollment Token` that appear in {kib} to the corresponding fields in the ARM Template, then click **Review + create**. +.. (Optional) Change the `Resource Group Name` parameter. Otherwise the name of the resource group defaults to a timestamp prefixed with `cloudbeat-`. +. Return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. + +[discrete] +[[cspm-set-up-manual-azure]] +== Manual setup + +For manual setup, multiple authentication methods are available: + +* Managed identity (recommended) +* Service principal with client secret +* Service principal with client certificate + +[discrete] +[[cspm-azure-managed-identity-setup]] +=== Option 1: Managed identity (recommended) + +This method involves creating an Azure VM (or using an existing one), giving it read access to the resources you want to monitor with CSPM, and installing {agent} on it. + +. Go to the Azure portal to https://portal.azure.com/#create/Microsoft.VirtualMachine-ARM[create a new Azure VM]. +. Follow the setup process, and make sure you enable **System assigned managed identity** under the **Management** tab. +. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. +. Go to **Access control (IAM)**, and select **Add Role Assignment**. +. Select the `Reader` function role, assign access to **Managed Identity**, then select your VM. + +After assigning the role: + +. Return to the **Add CSPM** page in {kib}. +. Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**. +. Under **Where to add this integration**, select **New hosts**. +. Click **Save and continue**, then follow the instructions to install {agent} on your Azure VM. + +Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. + +[discrete] +[[cspm-azure-client-secret]] +=== Option 2: Service principal with client secret + +Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources]. + +. On the **Add Cloud Security Posture Management (CSPM) integration** page, scroll to the **Setup access** section, then select **Manual**. +. Under **Preferred manual method**, select **Service principal with Client Secret**. +. Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. +. Click on **New Registration**, name your app and click **Register**. +. Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {kib}. +. Return to the Azure portal. Select **Certificates & secrets**, then go to the **Client secrets** tab. Click **New client secret**. +. Copy the new secret. Paste it into the corresponding field in {kib}. +. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. +. Go to **Access control (IAM)** and select **Add Role Assignment**. +. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. +. Return to the **Add CSPM** page in {kib}. +. Under **Where to add this integration**, select **New hosts**. +. Click **Save and continue**, then follow the instructions to install {agent} on your selected host. + +Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. + +[discrete] +[[cspm-azure-client-certificate]] +=== Option 3: Service principal with client certificate + +Before using this method, you must have set up a https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in[Microsoft Entra application and service principal that can access resources]. + +. On the **Add Cloud Security Posture Management (CSPM) integration** page, under **Setup access**, select **Manual**. +. Under **Preferred manual method**, select **Service principal with client certificate**. +. Go to the **Registered apps** section of https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps[Microsoft Entra ID]. +. Click on **New Registration**, name your app and click **Register**. +. Copy your new app's `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {kib}. +. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. +. Go to **Access control (IAM)** and select **Add Role Assignment**. +. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. + +Next, create a certificate. If you intend to use a password-protected certificate, you must use a pkcs12 certificate. Otherwise, you must use a pem certificate. + +Create a pkcs12 certificate, for example: +```shell +# Create PEM file +openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes + +# Create pkcs12 bundle using legacy flag (CLI will ask for export password) +openssl pkcs12 -legacy -export -out bundle.p12 -inkey key.pem -in cert.pem +``` + +Create a PEM certificate, for example: +```shell +# Generate certificate signing request (csr) and key +openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr + +# Generate PEM and self-sign with key +openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out signed.pem + +# Create bundle +cat cert.key > bundle.pem +cat signed.pem >> bundle.pem +``` + +After creating your certificate: + +. Return to Azure. +. Navigate to the **Certificates & secrets** menu. Select the **Certificates** tab. +. Click **Upload certificate**. +.. If you're using a PEM certificate that was created using the example commands above, upload `signed.pem`. +.. If you're using a pkcs12 certificate that was created using the example commands above, upload `cert.pem`. +. Upload the certificate bundle to the VM where you will deploy {agent}. +.. If you're using a PEM certificate that was created using the example commands above, upload `bundle.pem`. +.. If you're using a pkcs12 certificate that was created using the example commands above, upload `bundle.p12`. +. Return to the **Add CSPM** page in {kib}. +. For **Client Certificate Path**, enter the full path to the certificate that you uploaded to the host where you will install {agent}. +. If you used a pkcs12 certificate, enter its password under **Client Certificate Password**. +. Under **Where to add this integration**, select **New hosts**. +. Click **Save and continue**, then follow the instructions to install {agent} on your selected host. + +Wait for the confirmation that {kib} received data from your new integration. Then you can click **View Assets** to see your data. diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index b459bff2de..87c49b9447 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc @@ -11,6 +11,11 @@ This page explains how to get started monitoring the security posture of your cl [sidebar] -- * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. +<<<<<<< HEAD +======= +* CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. +* CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]). +>>>>>>> 5df1b3a2 (Adds kibana namespace requirement to CNVM and CSPM (#5154)) * To view posture data, you need `read` privileges for the following {es} indices: ** `logs-cloud_security_posture.findings_latest-*` ** `logs-cloud_security_posture.scores-*` diff --git a/docs/cloud-native-security/cspm.asciidoc b/docs/cloud-native-security/cspm.asciidoc index 6c036f56e4..780e7ec86d 100644 --- a/docs/cloud-native-security/cspm.asciidoc +++ b/docs/cloud-native-security/cspm.asciidoc @@ -10,6 +10,11 @@ This feature currently supports Amazon Web Services (AWS) and Google Cloud Platf -- * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. * {stack} version 8.10 or greater. +<<<<<<< HEAD +======= +* CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. +* CSPM is supported on commercial cloud only. Government cloud is not supported (https://github.com/elastic/enhancements[request support]). +>>>>>>> 5df1b3a2 (Adds kibana namespace requirement to CNVM and CSPM (#5154)) -- [discrete] diff --git a/docs/cloud-native-security/vuln-management-get-started.asciidoc b/docs/cloud-native-security/vuln-management-get-started.asciidoc index b65b378158..6736d9a4bc 100644 --- a/docs/cloud-native-security/vuln-management-get-started.asciidoc +++ b/docs/cloud-native-security/vuln-management-get-started.asciidoc @@ -8,6 +8,7 @@ This page explains how to set up Cloud Native Vulnerability Management (CNVM). -- * CNVM is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. * Requires {stack} and {agent} version 8.8 or higher. +* CNVM only works in the `Default` {kib} space. Installing the CNVM integration on a different {kib} space will not work. * To view vulnerability scan findings, you need at least `read` privileges for the following indices: ** `logs-cloud_security_posture.vulnerabilities-*` ** `logs-cloud_security_posture.vulnerabilities_latest-*` diff --git a/docs/cloud-native-security/vuln-management-overview.asciidoc b/docs/cloud-native-security/vuln-management-overview.asciidoc index 894f045b9a..974eb21530 100644 --- a/docs/cloud-native-security/vuln-management-overview.asciidoc +++ b/docs/cloud-native-security/vuln-management-overview.asciidoc @@ -12,6 +12,7 @@ NOTE: CNVM currently only supports AWS EC2 Linux workloads. -- * CNVM is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. * Requires {stack} and {agent} version 8.8 or higher. +* CNVM only works in the `Default` {kib} space. Installing the CNVM integration on a different {kib} space will not work. * To view vulnerability scan findings, you need at least `read` privileges for the following indices: ** `logs-cloud_security_posture.vulnerabilities-*` ** `logs-cloud_security_posture.vulnerabilities_latest-*`