Fortanix Key Insight - Azure Configuration for Scanning Using Custom Roles

1.0 Introduction

1.1 Purpose

The purpose of this guide is to describe the least privileged permissions that Fortanix Key Insight requires to use an Azure custom role using an Azure script.

1.2 Intended Audience

This guide is intended to be used by technical stakeholders of Fortanix Key Insight, such as the Cloud Security Engineer, who will use an Azure script to configure a single Azure subscription or management group for scanning the keys and services.

2.0 Additional References

3.0 Azure Custom Roles

Fortanix Key Insight prioritizes customer trust and security. By enabling the least privileged permissions through Azure custom roles, Fortanix Key Insight users can grant the required access to scan an Azure resource without requiring elevated capabilities.

Benefits of custom roles include granular access control and adherence to the principle of least privilege.

4.0 Setup an Azure Cloud Using Custom Roles

Use the Azure command line interface (CLI) script to set up your Azure cloud with custom roles that provide permissions for Fortanix Key Insight to scan.

The Azure script helps you to:

  • Create an Azure service principal.
  • Create a custom role with specific permissions.
  • Assign a custom role to the created service principal within the appropriate scope.

Perform the following steps to configure an Azure cloud using the Azure script with subscription or management group scopes in Fortanix Key Insight:

Ensure you have the bash environment in your local Azure CLI or Azure Cloudshell before using the script.
  1. Select an active subscription using the following command:
    az account set <subscription-id>
  2. Download the script file (your script file name) from here.
  3. Use the following command to make the script executable:
    chmod +x  # Use your script file name.
  4. Use the various options listed below to run the script at different scopes:
    • Use the following command to run the script with the active subscription as the specified scope:
    • Use the following command to run the script with a specific subscription as the specified scope:
      ./fortanix_key_insight_azure_cloud_onboarding -s <subscription-id> 
    • Use the following command to run the script at a specific management group as the specified scope:
      ./fortanix_key_insight_azure_cloud_onboarding -m <management-group-name-or-id>
      At once, you can only specify either a subscription ID or a management group ID as the specified scope.
    • Use the following command to get all the available options:
      ./ -h 
  5. After executing the script successfully, you can retrieve the Subscription ID or Management Group ID, Client ID, Client Secret, and Tenant ID. You must use these credentials to set up an Azure cloud in Fortanix Key Insight.

    Custom Role Scanning.png Figure 1: Azure Cloud Connection - Subscription Scope Credentials

  6. After you complete the configuration and scan your Azure resources, you can view the discovery and assessment results in the Fortanix Key Insight dashboard. The dashboard provides a detailed overview of your scanned key vaults and the keys in those vaults, along with using these keys in services such as Azure SQL, Azure storage accounts, and Azure Managed disks. You will see an assessment of the keys with a risk score, highlighting any violations, expired keys, disabled key rotation, vulnerable keys, and instances where the same key is shared across multiple resources.

    For more details on the Azure dashboard, refer to Fortanix Key Insight – Azure User Interface Components.

    Azure Dashboard.png Figure 2: View Azure Cloud Dashboard


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful