diff --git a/docs/cnspec/supplychain/registry/azure_acr.md b/docs/cnspec/supplychain/registry/azure_acr.md
index 20a0ffe63..1b4d02dea 100644
--- a/docs/cnspec/supplychain/registry/azure_acr.md
+++ b/docs/cnspec/supplychain/registry/azure_acr.md
@@ -1,5 +1,5 @@
---
-title: Azure Container Registry (ACR)
+title: Assess Risk in the Azure Container Registry (ACR)
sidebar_label: Azure Container Registry (ACR)
sidebar_position: 3
displayed_sidebar: cnspec
diff --git a/docs/platform/infra/cloud/azure/azure-integration-scan-group.mdx b/docs/platform/infra/cloud/azure/_azure-integration-scan-group.mdx
similarity index 100%
rename from docs/platform/infra/cloud/azure/azure-integration-scan-group.mdx
rename to docs/platform/infra/cloud/azure/_azure-integration-scan-group.mdx
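Review bot: This rename to an underscore-prefixed file is at 100% similarity, so the management group page's content is unchanged, and nothing in this diff imports it. If the page is being retired (the redirect added in docusaurus.config.js sends its old URL to manual-reg-path), delete it rather than leaving an unused partial, or add the import where it is meant to be included.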
diff --git a/docs/platform/infra/cloud/azure/_include-keyvault.mdx b/docs/platform/infra/cloud/azure/_include-keyvault.mdx
index cfac5f300..6528d646a 100644
--- a/docs/platform/infra/cloud/azure/_include-keyvault.mdx
+++ b/docs/platform/infra/cloud/azure/_include-keyvault.mdx
@@ -1,4 +1,4 @@
-If you use key vault access policy, this step is required.
+If you use legacy access policy permission model for key vaults, this step is required.
A key vault access policy determines whether a given security principal (a user, application or user group) can perform different operations on key vault secrets, keys, and certificates.
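Review bot: The added sentence is missing an article: "If you use legacy access policy permission model for key vaults" should read "If you use the legacy access policy permission model for key vaults". The unchanged next line still says "A key vault access policy"; consider aligning the terminology and noting that this is the alternative to RBAC, as the other pages in this change do with "(instead of RBAC)".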
diff --git a/docs/platform/infra/cloud/azure/azure-integration-scan-subscription.mdx b/docs/platform/infra/cloud/azure/azure-integration-scan-subscription.mdx
index a19e38254..c5e2205c5 100644
--- a/docs/platform/infra/cloud/azure/azure-integration-scan-subscription.mdx
+++ b/docs/platform/infra/cloud/azure/azure-integration-scan-subscription.mdx
@@ -1,369 +1,106 @@
---
-title: Quick Setup - Azure Subscription Continuous Scanning
-sidebar_label: Quick Setup - Azure Subscription Continuous Scanning
+title: Automatically Set Up Azure Continuous Scanning
+sidebar_label: Automatically Set Up Continuous Scanning
sidebar_position: 2
-description: Configure the Mondoo Azure Integration to scan Azure subscriptions
+description: Use the automated setup to configure the Mondoo Azure integration to scan Azure subscriptions
image: /img/featured_img/mondoo-azure.jpg
---
The Mondoo Azure integration lets you continuously scan Azure resources, such as compute instances and databases, in one or more Azure subscriptions.
-You can also scan an Azure management group. For instructions, read [Continuously Scan an Azure Management Group](/platform/infra/cloud/azure/azure-integration-scan-group/).
+## Choose the manual or automated setup
-## Prerequisites
-
-Before you integrate Microsoft Azure with Mondoo, be sure you have:
-
-- A Mondoo account with Editor or Owner permissions for the space in which you want to add the integration.
-
-- An [Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) with an active subscription and permission to manage applications in Microsoft Entra ID (formerly Active Directory). Any of these [Entra built-in roles](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference) include the required permissions:
-
- - [Global Administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator)
-
- - [Application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator)
-
- - [Cloud application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator)
-
- In the Azure portal you can see what roles your user account has: Go to **Microsoft Entra ID > Users > (your user account) > Assigned roles**.
-
-- Command-line access to Azure using either:
-
- - [Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/quickstart?tabs=azurecli)
-
- -
-
- The Azure CLI in either the Linux shell or the macOS shell
-
-
-
- -
-
- Install the Azure CLI.
-
-
- -
- Log into the Azure CLI from PowerShell or a Linux/macOS CLI by
- entering:
-
- az login
-
- Azure opens your web browser and prompts you to log in. After you do
- so, you can return to the CLI.
-
-
-
-
-
-## Register and grant permissions to an Azure app
-
-Like any service that integrates with Azure, Mondoo must have Microsoft Entra ID app registration in your Azure tenant. To learn more about creating a new app registration and service principal, read [App registration, app objects, and service principals](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#app-registration-app-objects-and-service-principals) in the Azure documentation.
-
-Registering Mondoo with Entra establishes a trust relationship between Mondoo and the Microsoft identity platform. The trust is unidirectional: Mondoo trusts the Microsoft identity platform, and not the other way around. The Entra app registration creates a [service principal](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#what-are-service-principals-and-where-do-they-come-from) to represent Mondoo in any tenants and subscriptions.
-
-The app registration you create gives Mondoo read-only access to Azure resources, web apps, key vault, and Graph API.
-
-These instructions describe how to use Microsoft's "automatic" method of registering an Azure app. If you want to use your own certificates for authentication, if you use the [_key vault access policy_ permission model](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy), or if your Azure environment is unusually large, follow the instructions in [Manually Set up an Azure Integration](/platform/infra/cloud/azure/manual-reg-path/) instead.
-
-To configure your Azure resources, you must:
-
-Step A. Retrieve the subscription ID
-
-Step B. Create the app registration and certificate and grant READ access
-
-Step C. Grant web app and key vault READ permissions to the registered app
-
-Step D. Grant permissions to access Microsoft Graph (API permissions)
-
-### Step A: Retrieve your subscription ID and tenant ID
-
-You can give your app READ access to one or several subscriptions.
+Mondoo offers two approaches to setting up an integration for continuous Azure scanning: automated and manual.
-1. In the Azure CLI, find the ID(s) of the subscription(s) you want to monitor by entering:
+Follow the [**manual setup**](/platform/infra/cloud/azure/manual-reg-path/) in these rare cases:
- ```bash
- az account subscription list
- ```
+- You want to integrate Mondoo with all subscriptions in a management group
- OR
+- You use the [legacy access policy permission model](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy) for your key vaults (instead of RBAC)
- ```bash
- az account list
- ```
+- Your Azure environment is unusually large
-The Azure CLI provides information about all your subscriptions across all tenants. Each entry has an `id` value.
+All other users can follow the **automatic setup** described below.
-2. Copy the `id` value for each of the subscriptions you want to integrate with Mondoo. Paste the value(s) somewhere handy to use later.
-
-3. Copy the `tenantId` value and paste it somewhere handy to use later.
+## Prerequisites
-### Step B: Create the app, service principal, and certificate and grant READ access
+Before you integrate Microsoft Azure with Mondoo, be sure you have:
-A single command in the Azure CLI performs these tasks:
+- A Mondoo account with Editor or Owner permissions for the space in which you want to add the integration.
-- Creates the application registration and service principal in Microsoft Entra ID
+- [Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/overview)
-- Grants READ access (using RBAC) to the new application at the defined level
+- An [Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) with an active subscription and permission to manage applications in Microsoft Entra ID (formerly Active Directory). Any of these [Entra built-in roles](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference) include the required permissions:
-- Creates a certificate and assigns it to the newly created app
+ - [Application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator)
-In the Azure CLI, enter:
+ - [Cloud application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator)
-```bash
-az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /subscriptions/YOUR-SUBSCRIPTION-ID --create-cert
-```
+- If you want to set up the integration to scan Azure virtual machines (VMs), you must have one of these built-in roles:
-For `YOUR-SUBSCRIPTION-ID`, substitute the `subscriptionId` value you copied in the instruction above. For example, this command creates a service principal and an application named `mondoo-security` that provides access to a subscription with the ID `e4e2600a-2d3d-2600-aa70-b9d8c8ec2600`:
+ - [Global Administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator)
-```bash
-az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /subscriptions/e4e2600a-2d3d-2600-aa70-b9d8c8ec2600 --create-cert
-```
+ - [Privileged Role Administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator)
:::tip
-To scan multiple subscriptions, in the Azure CLI, provide multiple subscription IDs:
-
-```bash
-az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /subscriptions/YOUR-SUBSCRIPTION-ID-1 /subscriptions/YOUR-SUBSCRIPTION-ID-2 /subscriptions/YOUR-SUBSCRIPTION-ID-3 --create-cert
-```
+In the Azure portal you can see what roles your user account has: Go to **Microsoft Entra ID > Users > (your user account) > Assigned roles**.
:::
-When successful, the Azure CLI returns results like these:
-
-```bash
-"appId": "63c35483-c62f-2600-a097-a6e44d8dcdf6",
-"displayName": "Mondoo",
-"fileWithCertAndPrivateKey": "/Users/stella/tmpkqyme3rm.pem",
-"password": null,
-"tenant": "e4e2600a-2d3d-2600-aa70-b9d8c8ec2600"
-```
+## Add a new Azure integration in the Mondoo console
-Copy your results and paste them somewhere handy; you'll need them in later steps.
+Create an integration to set up continuous Mondoo scanning of your Azure subscription.
-Copy the created PEM file (in the example above, it's named tmpkqyme3rm.pem) and save it; you'll need it in later steps.
-
-:::tip
-
-In the Azure portal, you can make sure that the created application has the required READ access at the subscription level: Go to **Azure portal > [your subscription] > Access control (IAM) > Roles (choose Reader and View) > Assessments**. If you see the `mondoo-security` application, you've succeeded.
-
-:::
-
-### Step C: Grant web app and key vault READ permissions to the registered app
+1. Access the Integrations > Add > Azure page in one of two ways:
-:::note
+ - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then select **Azure**.
-The key vault permissions below are from Microsoft's "Key Vault Reader" role. The [Microsoft documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) describes this role:
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
-> _Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model._
+ - INTEGRATIONS page: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Under Cloud Security, select **Azure**.
-:::
+ ![Automated approach to adding an Azure integration to Mondoo](/img/platform/infra/cloud/azure/auto-int.png)
-Follow these steps, substituting the subscription ID(s) you copied in Step A for YOUR-SUBSCRIPTION-ID:
-
-1. Copy this content and paste it into a new file named `mondoo-role.json`:
-
- ```json
- {
- "Name": "mondoo-role",
- "IsCustom": true,
- "description": "Custom role for Mondoo integration",
- "assignableScopes": ["/subscriptions/YOUR-SUBSCRIPTION-ID"],
- "actions": [
- "Microsoft.Authorization/*/read",
- "Microsoft.ResourceHealth/availabilityStatuses/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*",
- "Microsoft.Web/listSitesAssignedToHostName/read",
- "Microsoft.Web/serverFarms/read",
- "Microsoft.Web/sites/config/read",
- "Microsoft.Web/sites/config/web/appsettings/read",
- "Microsoft.Web/sites/config/web/connectionstrings/read",
- "Microsoft.Web/sites/config/appsettings/read",
- "Microsoft.web/sites/config/snapshots/read",
- "Microsoft.Web/sites/config/list/action",
- "Microsoft.Web/sites/read",
- "Microsoft.KeyVault/checkNameAvailability/read",
- "Microsoft.KeyVault/deletedVaults/read",
- "Microsoft.KeyVault/locations/*/read",
- "Microsoft.KeyVault/vaults/*/read",
- "Microsoft.KeyVault/operations/read",
- "Microsoft.Compute/virtualMachines/runCommands/read",
- "Microsoft.Compute/virtualMachines/runCommands/write",
- "Microsoft.Compute/virtualMachines/runCommand/action"
- ],
- "notActions": [],
- "dataActions": [
- "Microsoft.KeyVault/vaults/*/read",
- "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
- ],
- "notDataActions": []
- }
- ```
-
- To integrate with more than one subscription, list them:
-
- ```bash
- "assignableScopes": [
-
- "/subscriptions/YOUR-SUBSCRIPTION-ID-1"
-
- "/subscriptions/YOUR-SUBSCRIPTION-ID-2"
-
- "/subscriptions/YOUR-SUBSCRIPTION-ID-3"
-
- ]
- ```
-
-2. Create a custom role in the specified subscription:
-
- ```bash
- az role definition create --role-definition mondoo-role.json
- ```
-
-3. Make sure you successfully created the role:
-
- ```bash
- az role definition list --output json --query '[].{roleName:roleName, description:description}' --name "mondoo-role"
- ```
-
-4. Assign the created custom role to the app you registered:
-
- ```bash
- az role assignment create --role mondoo-role --assignee --scope /subscriptions/YOUR-SUBSCRIPTION-ID
- ```
-
-### Step D: Grant permissions to access Microsoft Graph (API permissions)
-
-1. Copy this content and paste it into a new file on your local system named `app-manifest.json`:
-
-```json
-[
- {
- "resourceAppId": "00000003-0000-0000-c000-000000000000",
- "resourceAccess": [
- {
- "id": "246dd0d5-5bd0-4def-940b-0421030a5b68",
- "type": "Role"
- },
- {
- "id": "e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0",
- "type": "Role"
- },
- {
- "id": "5e0edab9-c148-49d0-b423-ac253e121825",
- "type": "Role"
- },
- {
- "id": "bf394140-e372-4bf9-a898-299cfc7564e5",
- "type": "Role"
- },
- {
- "id": "6e472fd1-ad78-48da-a0f0-97ab2c6b769e",
- "type": "Role"
- },
- {
- "id": "dc5007c0-2d7d-4c42-879c-2dab87571379",
- "type": "Role"
- },
- {
- "id": "b0afded3-3588-46d8-8b3d-9842eff778da",
- "type": "Role"
- },
- {
- "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
- "type": "Role"
- },
- {
- "id": "197ee4e9-b993-4066-898f-d6aecc55125b",
- "type": "Role"
- },
- {
- "id": "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30",
- "type": "Role"
- },
- {
- "id": "f8f035bb-2cce-47fb-8bf5-7baf3ecbee48",
- "type": "Role"
- },
- {
- "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
- "type": "Role"
- },
- {
- "id": "9e640839-a198-48fb-8b9a-013fd6f6cbcd",
- "type": "Role"
- },
- {
- "id": "37730810-e9ba-4e46-b07e-8ca78d182097",
- "type": "Role"
- },
- {
- "id": "c7fbd983-d9aa-4fa7-84b8-17382c103bc4",
- "type": "Role"
- }
- ]
- }
-]
-```
-
-2. Execute these commands to grant the permissions in the JSON file and give administrator consent. For YOUR-APP-ID, substitute the `appId` value from the results you copied in Step B:
-
- ```
- az ad app update --id YOUR-APP-ID --required-resource-accesses @app-manifest.json
-
- az ad app permission admin-consent --id YOUR-APP-ID
- ```
-
-## Add a new Azure integration in the Mondoo Console
-
-After you've created, granted permissions to, and tested a new app registration, you can create a Mondoo Azure integration. You need some values from the app registration you created in the instructions above.
+2. To automatically discover all Linux and Windows virtual machines (VMs) in your subscription and scan them using Azure Run Command, enable **Scan virtual machines**. If you choose this option, completing the integration setup gives Mondoo permission to read, write, and delete Azure VM run commands through a new role definition named `mondoo_security`.
-1. Access the Integrations > Add > Azure page in one of two ways:
+3. Choose which subscriptions to scan and which to skip in your Azure tenant. To see a list of your subscriptions and their IDs, go to **Subscriptions** in the [Azure portal](https://portal.azure.com).
- - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then select **Azure**.
+ - To continuously scan all subscriptions in the tenant, leave the **Scan all subscriptions connected to the Directory (tenant) ID** toggle enabled.
- ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+ - To scan only certain subscriptions, disable the **Scan all subscriptions connected to the Directory (tenant) ID** toggle. Select **Allow list** and enter the IDs of the subscriptions to scan. Type each subscription ID on a new line.
- - INTEGRATIONS page: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Under Cloud Security, select **Azure**.
+ - To scan all subscriptions except those you specify, disable the **Scan all subscriptions connected to the Directory (tenant) ID** toggle. Select **Deny list** and enter the IDs of the subscriptions you don't want Mondoo to scan. Type each subscription ID on a new line.
- ![integration-create-image](/img/platform/infra/cloud/azure/add-int-azure-top.png)
+4. Under **Copy the installation command**, you see a custom command that Mondoo generates for you based on your selections above. Running this command in Azure Cloud Shell creates the Mondoo Azure integration for you.
-2. In the **Choose an integration name** box, enter a name for the integration. Make it a name that lets you easily recognize the Azure tenant.
+ Mondoo names the integration for you. Integration names are visible in the Mondoo console and in reports. You can change the name in the command (in quotes after the --integration-name flag) or change it any time after you create the integration. The ID must be between 7 and 34 characters and can include lowercase letters, numbers, single quotes, hyphens, spaces, and exclamation points. It must start with a lowercase letter and end with a letter or number.
-3. In the **Enter the application (client) ID** box, enter the value from the `appId` value you copied in Step B.
+5. Select the copy icon in the installation command box to copy your customized command.
-4. In the **Enter the directory (tenant) ID** box, enter the `tenantId` value you copied in Step A.
+6. Select the **AZURE CLOUD SHELL** button to open Azure Cloud Shell.
-5. Specify the subscriptions for Mondoo to continuously scan. You copied at least one subscription ID in step A.
+ ![Azure Cloud Shell](/img/platform/infra/cloud/azure/cloud-shell.png)
- - To continuously scan all subscriptions in the tenant, leave the **Scan all subscriptions connected to the directory (tenant) ID** toggle enabled.
+7. Paste the copied command in Azure Cloud Shell and press the Enter or Return key. Respond to these prompts:
- - To choose the subscriptions to scan, disable the **Scan all subscriptions connected to the directory (tenant) ID** toggle, select **Allow list**, and enter the subscription IDs. Type each subscription on a new line.
+ ![Select a subscription](/img/platform/infra/cloud/azure/select-sub.png)
- - To scan **all** subscriptions except those you specify, disable the **Scan all subscriptions connected to the directory (tenant) ID** toggle, select **Deny list**, and enter the names of the subscriptions you don't want Mondoo to scan. Type each subscription on a new line.
+ a. When you select this **primary subscription**, you're not choosing which Azure subscription Mondoo scans; you're specifying where Mondoo creates the resources it needs to perform scans. Use the down arrow key to select the subscription you want and then press Enter.
-6. To automatically discover all Linux and Windows VMs in your subscription and scan them using Azure Run Command, enable **Scan VMs**.
+ ![Resources Mondoo will create in Azure](/img/platform/infra/cloud/azure/resources.png)
-7. Provide the certificate (a [PEM](https://aboutssl.org/what-is-pem-certificate-file/) (privacy-enhanced mail) file) for Mondoo to securely authenticate with the app (service principal) you created. You created this certificate in Step B.
+ b. The Mondoo automation shows how many resources it must create so it can scan your Azure environment. Press the down arrow key to select **2. Show details** and then press Enter.
- The certificate file must have the `.pem` extension and must contain both the private key and the certificate in this order:
+ ![Details of Azure automated integration setup](/img/platform/infra/cloud/azure/details.png)
- ```
- -----BEGIN PRIVATE KEY-----
- key goes here
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
- certificate goes here
- -----END CERTIFICATE-----
- ```
+ c. Review the list of resources the Mondoo automation must create so it can scan your Azure environment. Press Enter to continue the integration setup.
- Upload the certificate to Mondoo: In the **Drag and drop your .pem file here** box, select the cloud icon and choose the file to upload.
+ ![Success creating a Mondoo Azure integration](/img/platform/infra/cloud/azure/success.png)
- ![integration-create-image](/img/platform/infra/cloud/azure/add-int-azure-bottom.png)
+ - When the Mondoo automation reports success, you're finished in Azure Cloud Shell. If you don't see the success message within 5 minutes, read the [Troubleshoot](#troubleshoot) section below.
-8. Select the **START SCANNING** button.
+8. Return to the Mondoo console and select the **START SCANNING** button.
9. On the Recommended Policies page, enable the policies on which you want to base assessments of your Azure environment. To learn more, read [Manage Policies](/platform/security/posture/policies/).
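Review bot: Step 2 of the new console procedure names only the VM run command permissions (the `mondoo_security` role definition), and nothing else in the rewritten page says what access the generated command grants. The removed text stated this explicitly ("gives Mondoo read-only access to Azure resources, web apps, key vault, and Graph API") and listed the custom role actions and the Graph permission IDs. Because the reader now pastes a generated command into Azure Cloud Shell with an administrator role, please add a short summary of the roles and API permissions the automation creates, or link to where they are documented, so they can be reviewed before the command is run. In step 4, "The ID must be between 7 and 34 characters" sits in a paragraph about the integration name; say "The name" if that is what the constraint applies to. The last item under step 7 is a `-` bullet following sub-steps a to c; make it sub-step d or plain closing text.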
@@ -371,12 +108,20 @@ After you've created, granted permissions to, and tested a new app registration,
Mondoo begins scanning your Azure resources. When it completes, you can see results on the INVENTORY page. To learn more, read [Monitor Your Infrastructure Security](/platform/security/posture/monitor/).
-If your integration is unsuccessful, read [Troubleshoot an Azure Configuration](/platform/infra/cloud/azure/troubleshoot/).
+## Troubleshoot
+
+- If the Mondoo automation pauses more than two minutes after you choose the primary subscription, press Control+C to end the process. Paste the copied command and press Enter to run it a second time.
+
+- If the automation fails, be sure you're logged in with an Azure user account that has the required privileges. To learn more, read the [Prerequisites](#prerequisites) section above.
+
+- If you don't see your newly created integration in the Mondoo Console after you select policies and finalize setup, try refreshing the page in your browser.
## Next steps
- [Learn more about Mondoo](/platform/start/plat-what-is/)
+- [Test or troubleshoot an Azure integration](/platform/infra/cloud/azure/troubleshoot/)
+
- [Integrate Mondoo with other cloud platforms in your infrastructure](/platform/infra/cloud/overview/)
---
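Review bot: The first Troubleshoot bullet tells the reader to press Control+C and run the command a second time, but does not say whether the interrupted run can leave resources behind in Azure or whether the second run reuses them. Please state that rerunning is safe, or tell the reader what to check or clean up first. Also, "Mondoo Console" in the third bullet is capitalized differently from the heading this same change rewrites to "Mondoo console".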
diff --git a/docs/platform/infra/cloud/azure/manual-reg-path.mdx b/docs/platform/infra/cloud/azure/manual-reg-path.mdx
index 4ec48134d..03c856870 100644
--- a/docs/platform/infra/cloud/azure/manual-reg-path.mdx
+++ b/docs/platform/infra/cloud/azure/manual-reg-path.mdx
@@ -1,24 +1,28 @@
---
-title: Manual Setup - Azure Continuous Scanning
-sidebar_label: Manual Setup - Azure Continuous Scanning
-sidebar_position: 5
+title: Manually Set Up Azure Continuous Scanning
+sidebar_label: Manually Set Up Continuous Scanning
+sidebar_position: 50
description: Take the manual approach to configuring the Mondoo Azure Integration to scan Azure resources.
image: /img/featured_img/mondoo-azure.jpg
---
-Mondoo integration with Azure requires that you register and grant permissions to an Azure app. Follow this "manual" approach to app registration and configuration if:
+## Are you sure you want to set up Azure manually?
-- You want to use your own certificates for authentication
+Mondoo offers two approaches to setting up an integration for continuous Azure scanning: automated and manual.
-- You use the [key vault access policy](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy) permission model for your key vaults
+Follow the **manual setup** described below only in these rare cases:
-- Your unique Azure infrastructure doesn't support Microsoft's "automatic" app registration method
+- You want to integrate Mondoo with all subscriptions in a management group
-- You followed the steps in [Continuously Scan an Azure Management Group](/platform/infra/cloud/azure/azure-integration-scan-group/) or [Continuously Scan an Azure Subscription](/platform/infra/cloud/azure/azure-integration-scan-subscription/) and didn't successfully integrate Mondoo with Azure.
+- You use the [legacy access policy permission model](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy) for your key vaults (instead of RBAC)
+
+- Your Azure environment is unusually large
+
+All other users can follow the [**automatic Azure integration setup**](/platform/infra/cloud/azure/azure-integration-scan-subscription), which takes a fraction of the time.
## Prerequisites
-Before you integrate Microsoft Azure with Mondoo, be sure you have:
+Before you manually integrate Microsoft Azure with Mondoo, be sure you have:
- A Mondoo account with Editor or Owner permissions for the space in which you want to add the integration.
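Review bot: The list of reasons to choose the manual setup drops "You want to use your own certificates for authentication" without a replacement, so a reader with that requirement is now steered to the automated setup. If the manual path is still the only way to supply your own certificate, keep that bullet; if not, say what changed. The new link to `/platform/infra/cloud/azure/azure-integration-scan-subscription` also lacks the trailing slash that the other internal links in this diff use.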
@@ -289,4 +293,6 @@ If your integration is unsuccessful, read [Troubleshoot an Azure Configuration](
- [Learn more about Mondoo](/platform/start/plat-what-is/)
+- [Test or troubleshoot an Azure integration](/platform/infra/cloud/azure/troubleshoot/)
+
- [Integrate Mondoo with other cloud platforms in your infrastructure](/platform/infra/cloud/overview/)
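Review bot: The hunk header shows the page still carries the sentence "If your integration is unsuccessful, read [Troubleshoot an Azure Configuration](", so with this added Next steps entry the troubleshoot page is linked twice, under two different names. Rename the existing link text to match "Test or troubleshoot an Azure integration", or drop one of the two links.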
diff --git a/docs/platform/infra/cloud/azure/overview.mdx b/docs/platform/infra/cloud/azure/overview.mdx
index ac5740266..d7f69ed71 100644
--- a/docs/platform/infra/cloud/azure/overview.mdx
+++ b/docs/platform/infra/cloud/azure/overview.mdx
@@ -20,7 +20,7 @@ With the API-driven Mondoo Azure integration, you deploy the integration once an
## Scan during build time
-- [Risk assessment for Azure Container Registry](/cnspec/supplychain/registry/azure_acr.md)
+- [Assess Risk in the Azure Container Registry](/cnspec/supplychain/registry/azure_acr.md)
- [Build VM Images with Packer](/cnspec/supplychain/packer.md)
diff --git a/docs/platform/infra/cloud/azure/troubleshoot.mdx b/docs/platform/infra/cloud/azure/troubleshoot.mdx
index fac7d5742..7116166df 100644
--- a/docs/platform/infra/cloud/azure/troubleshoot.mdx
+++ b/docs/platform/infra/cloud/azure/troubleshoot.mdx
@@ -1,7 +1,7 @@
---
-title: Test or troubleshoot an Azure Integration
-sidebar_label: Troubleshoot Azure
-sidebar_position: 4
+title: Test or Troubleshoot an Azure Integration
+sidebar_label: Test or Troubleshoot
+sidebar_position: 100
description: Troubleshoot integrations between Mondoo and Microsoft Azure.
image: /img/featured_img/mondoo-azure.jpg
---
diff --git a/docusaurus.config.js b/docusaurus.config.js
index 9c2f64522..a6d87520f 100644
--- a/docusaurus.config.js
+++ b/docusaurus.config.js
@@ -5,6 +5,11 @@ const { themes } = require("prism-react-renderer");
const legacyRedirects = [
// NOTE: Path / is equivalent to https://mondoo.com/docs/
//
+ // From Azure simplification November 2024
+ {
+ from: "/platform/infra/cloud/azure/azure-integration-scan-group",
+ to: "/platform/infra/cloud/azure/manual-reg-path",
+ },
//// July 2024 moved Jira/Cases content to its own high-level section, where it'll grow
{
from: "/platform/maintain/jira",
diff --git a/static/img/platform/infra/cloud/azure/auto-int.png b/static/img/platform/infra/cloud/azure/auto-int.png
new file mode 100644
index 000000000..5810df872
Binary files /dev/null and b/static/img/platform/infra/cloud/azure/auto-int.png differ
diff --git a/static/img/platform/infra/cloud/azure/cloud-shell.png b/static/img/platform/infra/cloud/azure/cloud-shell.png
new file mode 100644
index 000000000..7d5a13ac1
Binary files /dev/null and b/static/img/platform/infra/cloud/azure/cloud-shell.png differ
diff --git a/static/img/platform/infra/cloud/azure/details.png b/static/img/platform/infra/cloud/azure/details.png
new file mode 100644
index 000000000..f39f2243a
Binary files /dev/null and b/static/img/platform/infra/cloud/azure/details.png differ
diff --git a/static/img/platform/infra/cloud/azure/resources.png b/static/img/platform/infra/cloud/azure/resources.png
new file mode 100644
index 000000000..60038ef7f
Binary files /dev/null and b/static/img/platform/infra/cloud/azure/resources.png differ
diff --git a/static/img/platform/infra/cloud/azure/select-sub.png b/static/img/platform/infra/cloud/azure/select-sub.png
new file mode 100644
index 000000000..b1ba3a30a
Binary files /dev/null and b/static/img/platform/infra/cloud/azure/select-sub.png differ
diff --git a/static/img/platform/infra/cloud/azure/success.png b/static/img/platform/infra/cloud/azure/success.png
new file mode 100644
index 000000000..cba80e2c1
Binary files /dev/null and b/static/img/platform/infra/cloud/azure/success.png differ
diff --git a/static/img/platform/security/spaces.png b/static/img/platform/security/spaces.png
index 15b012b34..3d76f862f 100644
Binary files a/static/img/platform/security/spaces.png and b/static/img/platform/security/spaces.png differ