Fortanix Key Insight - Azure Configuration for Scanning Using Built-In Roles

1.0 Introduction

1.1 Purpose

The purpose of this guide is to describe the minimum access privileges required for Fortanix Key Insight to scan the Azure cloud subscription(s) or management groups.

1.2 Intended Audience

This guide is intended to be used by technical stakeholders of Fortanix Key Insight, such as a Cloud Security Engineer, who will configure a single Azure subscription or management group so that Fortanix Key Insight can scan its keys and services.

2.0 Terminology Reference

For Fortanix Key Insight and Azure terminology, refer to Key Insight - Concepts Guide and Key Insight – Azure Concepts Guide.

3.0 Configure Azure Cloud in Fortanix Key Insight

This section outlines the steps to securely integrate an Azure cloud with Fortanix Key Insight, which enables monitoring, management, and optimization of key resources. The integration uses Azure Role-Based Access Control (RBAC) so that the service principal receives only read access at the scope you choose.

3.1 Prerequisites

The following are the prerequisites to configure an Azure cloud in Fortanix Key Insight.

  • Supported Azure agreement types: Enterprise Agreement, Microsoft Customer Agreement, and Pay-as-you-go.
  • Access to your Azure subscription: you must be a Global Administrator with elevated access to set up the Azure integration in Fortanix Key Insight, as shown in Figure 1. Elevated access is what lets you assign roles at the management group level. Refer to Elevated access to manage Azure Management Groups and Subscriptions for more details.

    Figure 1: Global Administrator with Elevated Access

  • A registered Fortanix Key Insight Account. For detailed steps to get started with Fortanix Key Insight, refer to Fortanix Key Insight – Getting Started Guide.

3.2 Create a Service Principal in Microsoft Entra ID (Azure Active Directory)

Perform the following steps to create a service principal in Microsoft Entra ID:

  1. Navigate to https://portal.azure.com/ and search for Microsoft Entra ID.
  2. Select App registrations under Manage in the left navigation menu on the Microsoft Entra ID page.

    Figure 2: Access App Registrations

    NOTE
    You can also search for App registrations in the Microsoft Azure search bar.
  3. Click New registration.

    Figure 3: Add a New App Registration

  4. On the Register an application page, configure the following fields:
    • Name: The user-facing display name for this application. For example, key-insight-app.
    • Supported account types: Select Accounts in this organizational directory only (<your organization name> only - Single tenant). This keeps the application usable only by identities in your own tenant.
    • Redirect URI: Optional. Fortanix Key Insight authenticates with the client secret, so this field can be left blank.

    Figure 4: Register the New Application

  5. Click Register. The new application is registered in Microsoft Entra ID and its overview page opens.

    Figure 5: View the Registered Application

    NOTE
    Copy and save the Directory (tenant) ID and Application (client) ID values. They are required when you connect the Azure cloud in Fortanix Key Insight.
  6. Perform the following steps to create a new client secret:
    • Navigate to Certificates & secrets from the left menu.
    • Click New client secret.
    • On the Add a client secret panel, enter the following:
      • Description: Enter a description for this secret. For example, key-insight-app-client-secret.
      • Expires: Select 730 days (24 months). A shorter lifetime reduces the exposure window if the secret is leaked, but the secret must then be rotated and updated in Fortanix Key Insight before it expires.
    • Click Add.

    Figure 6: Add a New Client Secret

    NOTE
    The client secret value is shown only once, immediately after creation. Copy and save it before leaving the page. This value is required when you connect the Azure cloud in Fortanix Key Insight.

3.3 Choose the Scope

You can choose Management Groups or Subscription scopes during Azure cloud setup in Fortanix Key Insight. For more details on Azure cloud setup, refer to User Guide: Key Insight Getting Started Guide.

Figure 7: Choose Scope

3.3.1 Obtain a Management Group ID

To obtain a management group ID,

  1. Navigate to Management groups on Microsoft Azure.
  2. Copy the value from the ID column for your management group. For example, engineering-management-group, as shown below. Use the ID rather than the Display name; the two can differ, and role assignments are scoped by ID.

Figure 8: Get a Management Group ID

3.3.2 Obtain a Subscription ID

To obtain a subscription ID,

  1. Navigate to Management groups on Microsoft Azure.
  2. Select your subscription.
  3. Copy the Subscription ID value from the subscription overview. For example, the Subscription ID of the Fortanix-Internal subscription is shown below:

Figure 9: Get a Subscription ID

3.4 Provide Permissions in Your Azure Service Principal

You must grant the service principal permissions at the management group level or at the subscription level so that Fortanix Key Insight can scan the required keys and services. Only the two built-in read-only roles Reader and Key Vault Reader are needed; do not assign Contributor, Owner, or a Key Vault data-plane role that can read secret values or key material.

3.4.1 Permissions at the Management Group Level

Perform the following steps to provide permissions at the Management group level:

  1. Navigate to Access control (IAM) in the selected management group.
  2. Click Add role assignment.
  3. Perform Steps 3 to 6 in Section 3.4.2: Permissions at the Subscriptions Level to grant the Reader and Key Vault Reader roles on the selected management group.
  4. The Reader and Key Vault Reader roles are inherited by every subscription under that management group, including subscriptions added to it later, so you do not need to assign them on individual subscriptions. Choose this scope only if Fortanix Key Insight should scan all of those subscriptions.

3.4.2 Permissions at the Subscriptions Level

Perform the following steps to provide permissions at the subscription level:

  1. Navigate to Access control (IAM) in the selected subscription.
  2. Click Add role assignment.

    Figure 10: Add a Role Assignment

  3. Select the Reader role and click Next.

    Figure 11: Select a Reader Role

  4. For the Reader role, perform the following steps to select members:
    1. Click Select members.
    2. Add your app (for example, key-insight-app) created in Section 3.2: Create a Service Principal in Microsoft Entra ID.
    3. Click Select.

    Figure 12: Add a Role Assignment

  5. Click Review + assign.

    Figure 13: Reader Role Assignment

  6. Perform the following steps to grant the Key Vault Reader role to your Azure app:
    1. Repeat Steps 1 and 2 above.
    2. Select the Key Vault Reader role and click Next.

      Figure 14: Key Vault Reader Role Assignment

    3. Click Select members, add your app, and click Select.

      Figure 15: Add a Key Vault Reader Role

    4. Click Review + assign.

      Figure 16: Review and Assign the Permissions
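The following script is an added example and is not part of the Fortanix documentation or of Fortanix's own tooling. It performs Sections 3.2 to 3.4 with the Azure CLI instead of the portal: it registers the single-tenant app, creates the service principal and a 24-month client secret, assigns Reader and Key Vault Reader at either a management group or a subscription scope, and then reads the assignments back to confirm that both roles are present. The app and secret names are the guide's examples; the KI_* environment variables, the function names, and the KI_APPLY guard are assumptions introduced for this example. Run it after az login as a user who can assign roles at the chosen scope (Section 3.1).

```shell
#!/bin/sh
# Added example (not Fortanix or Microsoft code): Sections 3.2 to 3.4 of this
# guide done with the Azure CLI. Run after `az login` as a user who can assign
# roles at the chosen scope (Section 3.1). KI_* variables, function names and
# the KI_APPLY guard are assumptions made for this example.
set -eu

APP_NAME="${KI_APP_NAME:-key-insight-app}"                     # guide's example name
SECRET_NAME="${KI_SECRET_NAME:-key-insight-app-client-secret}" # guide's example name
SCOPE_TYPE="${KI_SCOPE_TYPE:-subscription}"   # "subscription" or "mg"
SCOPE_ID="${KI_SCOPE_ID:-}"                   # subscription GUID or management group ID

# Azure RBAC scope strings. A management group is addressed by its ID (Figure 8),
# never by its display name; a subscription by its GUID (Figure 9).
mg_scope()  { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }
sub_scope() { printf '/subscriptions/%s' "$1"; }

# Map the scope type to a scope string; refuse anything else so a typo cannot
# end up granting the roles at an unintended scope.
resolve_scope() {
  case "$1" in
    mg)           mg_scope "$2" ;;
    subscription) sub_scope "$2" ;;
    *) echo "unknown scope type: $1 (use mg or subscription)" >&2; return 1 ;;
  esac
}

create_service_principal() {
  # AzureADMyOrg = "Accounts in this organizational directory only" (Section 3.2, step 4).
  APP_ID=$(az ad app create --display-name "$APP_NAME" \
             --sign-in-audience AzureADMyOrg --query appId -o tsv)
  az ad sp create --id "$APP_ID" >/dev/null
  SP_OBJECT_ID=$(az ad sp show --id "$APP_ID" --query id -o tsv)
  TENANT_ID=$(az account show --query tenantId -o tsv)
  # 24-month secret, as in step 6. Its value is returned once; capture it here.
  CLIENT_SECRET=$(az ad app credential reset --id "$APP_ID" --years 2 \
                    --display-name "$SECRET_NAME" --query password -o tsv)
}

# Reader and Key Vault Reader only (Section 3.4). Both are read-only; Key Vault
# Reader exposes vault/key/secret metadata, not secret values or key material.
assign_roles() {
  scope="$1"
  for role in "Reader" "Key Vault Reader"; do
    # Object ID plus principal type sidesteps the directory replication lag that
    # makes --assignee <appId> fail right after the principal is created.
    az role assignment create --assignee-object-id "$SP_OBJECT_ID" \
      --assignee-principal-type ServicePrincipal \
      --role "$role" --scope "$scope" >/dev/null
  done
}

# Read the assignments back. --include-inherited shows what a subscription
# under a management group actually receives (Section 3.4.1, step 4).
verify_roles() {
  scope="$1"
  for role in "Reader" "Key Vault Reader"; do
    az role assignment list --assignee "$SP_OBJECT_ID" --scope "$scope" \
        --include-inherited --role "$role" \
        --query '[0].roleDefinitionName' -o tsv | grep -qx "$role" \
      || { echo "missing role '$role' at $scope" >&2; return 1; }
  done
}

main() {
  [ -n "$SCOPE_ID" ] || { echo "set KI_SCOPE_ID" >&2; exit 1; }
  scope=$(resolve_scope "$SCOPE_TYPE" "$SCOPE_ID")
  create_service_principal
  assign_roles "$scope"
  verify_roles "$scope"
  # The three values the Key Insight Azure connection page asks for. Like the
  # portal, the secret is shown once: send this output to your secret store.
  printf 'tenant_id=%s\nclient_id=%s\nclient_secret=%s\n' \
    "$TENANT_ID" "$APP_ID" "$CLIENT_SECRET"
}

# The scope helpers above are safe to source; live Azure changes happen only on request.
if [ "${KI_APPLY:-0}" = "1" ]; then main; fi
```

For a management group, run it as KI_APPLY=1 KI_SCOPE_TYPE=mg KI_SCOPE_ID=engineering-management-group sh key-insight-azure.sh; for a single subscription use KI_SCOPE_TYPE=subscription with the subscription GUID. The verification step is the check worth keeping even if you do everything else in the portal: listing assignments for the service principal with --include-inherited at a linked subscription shows whether the management group assignment actually reached it, and listing without a --role filter will reveal any broader role that was granted by mistake.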

4.0 Help and Support

  • If the connection fails because of configuration or permission issues, review the role assignments on the chosen scope and adjust them. Refer to User Guide: Key Insight Getting Started Guide for guidance on establishing a connection to Azure within Fortanix Key Insight.
  • If you need further assistance, visit the Fortanix support portal or contact the Fortanix support team directly.
