For Alert Logic to protect your Azure deployments, you must configure Microsoft Azure resources to allow Alert Logic to monitor your assets. All procedures require administrative permission in the Azure portal.
You must create an app registration, and then use Azure role-based access control (RBAC) to create and assign a role to that app registration. This enables fine-grained access management for Azure accounts.
To further your security configuration measures, you must grant certain permissions to access Microsoft Graph and Azure Key Vault. This practice is required for compliance with Center for Internet Security (CIS) benchmarks for Microsoft Azure, an established best practices baseline configuration guideline, and allows Alert Logic to perform CIS benchmark checks on your deployments that expose vulnerabilities.
For more information about Microsoft Azure CIS Benchmarks, see cisecurity.org/benchmark/azure.
These instructions do not apply in the following cases:
- If you have previously configured RBAC with an app registration. To learn how to update your Azure resources, see Update your Azure Deployment for CIS Foundation Benchmarks .
- If you have previously configured RBAC with user credentials, see Update your Azure Deployment with User Credentials for CIS Foundation Benchmarks.
A remediation to update your Azure resources for Microsoft Azure CIS benchmark requirements will be listed in the Remediations page in the Alert Logic console.
You can also generate a CIS Foundations Benchmark report for Azure in the Alert Logic console. For more information, see CIS Microsoft Azure Foundation Benchmark
To create an RBAC, ensure you have one of the following command line interfaces installed before you begin:
To configure your Azure resources, you must:
- Create an app registration in Azure
- Create a custom RBAC role
- Grant permissions to access Microsoft Graph
- Grant permissions to access Azure Key Vault
- Assign the role to the app registration
Create an app registration in the Azure portal. You will assign an RBAC role to this app registration.
To create an app registration:
- Log into the Azure portal.
- In the left menu, click Azure Active Directory.
- On the left panel, under Manage, click App registrations.
- Click + New registration, and enter a name.
- Click Register. Note the Application (client) ID, and the Directory (tenant) ID, which you will need later.
- On the left panel, under Manage, click Certificates & secrets, and then click + New client secret.
- Enter a description, and then on Expire, select Never.
- Click Add. Note the Value, which you will need later.
After you create an app registration, you must assign an RBAC role to that registration to grant Alert Logic permission to monitor your environments. This allows limited access to your environments, and no further access.
For more information about Azure RBAC or managing roles with command-line applications, see:
- Role based access control custom roles
- Manage Role-Based Access Control with the Azure command-line interface
- Manage Role-Based Access Control with Azure PowerShell
To create a custom RBAC role, you must first create a role document and then create a custom role in the Azure portal.
To create a custom RBAC role, you must:
Create a role document
- Create a new text file and copy the Alert Logic role into it. Note the directory where you save the file. You must know the path and file name for later in the procedure.
- Make the following changes to the file:
- In the "Name": "<Resource Explorer (Alert Logic)>", line, change the <Resource Explorer (Alert Logic)> to a descriptive name.
- In the "/subscriptions/<subscription id>" line, change the <subscription id> value to the subscription ID found on your Azure portal Subscriptions blade. Example: "/subscriptions/00xxx000-x-000-0x0x-0000-000xx000000x"
- Save the text file as a JSON file.
Create a custom role in Azure
- Open either Azure CLI 2.0 or Azure PowerShell, and log in to your Azure account, and then specify the default subscription. Azure Azure CLI 2.0 commands
az account set --subscription <your subscription id>Azure Azure PowerShell commands
Get-AzureRmSubscription –SubscriptionName <your subscription name> | Select-AzureRmSubscription
- Create your custom role in Azure.
- In the Azure portal, under Subscriptions, select your subscription, and then click Access control (IAM).
- Click Roles to verify that the RBAC role you created appears in the portal.
If the role does not appear, refresh the list of roles.
You must grant permissions to access Microsoft Graph in the Azure portal, which allows Alert Logic to perform CIS benchmark checks.
To grant permissions to access Microsoft Graph:
- In the Azure portal, click Azure Active Directory.
- On the left panel, click App registrations, and then select your app registration.
- On the left panel, click API permissions, and then click + Add a permission.
- On the Request API permissions blade, click Microsoft Graph.
- Click Application permissions, and then in the list, select the following permissions:
- Click Application to see permissions in this category, and then select Application.Read.All.
- Click Group to see permissions in this category, and then select Group.Read.All.
- Click RoleManagement to see permissions in this category, and then select RoleManagement.Read.Directory.
- Click User to see permissions in this category, and then select User.Read.All.
- Click Add permissions, and then on the API permissions pane, click Grant admin consent for Default Directory.
- In the pop-up window, click Yes to allow the changes you made on the permissions.
You must grant certain permissions to access your Azure Key Vault in the Azure portal, which allows Alert Logic to perform CIS benchmark checks. You must repeat these steps for each of your key vaults.
To grant permissions to access your key vault:
- In the Azure portal, click Key vaults.
- Select a key vault from the list, and then on the left panel, click Access policies.
- Click + Add Access Policy.
- In the Key permissions field, select Get and List.
- In the Secret permissions field, select Get and List.
- Click Select principal, and then from the list, select the app registration you created.
- Click Add.
You must repeat these steps for each key vault in the list.
You must assign the role you created to your registered app.
- In the Azure portal, click Subscriptions.
- In the Subscriptions blade, select the subscription you want Alert Logic to protect, and then click Access Control (IAM). Note the subscription ID, which you will need when you create an Azure deployment.
- Click +Add, and then click Add role assignment.
- Select the RBAC role you created.
- From the list, click the app you registered earlier.
- Click SAVE.
Create a deployment in the Alert Logic console
In the Alert Logic console, fill out the required fields:
- Subscription ID
- Active Directory ID
- Application ID
- Key ID
The steps you must take to create a deployment vary based on your subscription level.
For Essentials subscriptions, see Microsoft Azure Deployment Configuration (Essentials Subscription)
For Professional subscriptions, see Microsoft Azure Deployment Configuration (Professional Subscription).