doc(requirements): Add management group for multiple subscriptions (#4282)
Co-authored-by: Pepe Fagoaga <[email protected]>
Showing 8 changed files with 103 additions and 48 deletions.
@@ -0,0 +1,34 @@ | ||
# How to create Prowler Service Principal | ||
|
||
To allow Prowler assume an identity to start the scan with the required privileges is necesary to create a Service Principal. To create one follow the next steps: | ||
|
||
1. Access to Microsoft Entra ID | ||
2. In the left menu bar, go to "App registrations" | ||
3. Once there, in the menu bar click on "+ New registration" to register a new application | ||
4. Fill the "Name, select the "Supported account types" and click on "Register. You will be redirected to the applications page. | ||
5. Once in the application page, in the left menu bar, select "Certificates & secrets" | ||
6. In the "Certificates & secrets" view, click on "+ New client secret" | ||
7. Fill the "Description" and "Expires" fields and click on "Add" | ||
8. Copy the value of the secret, it is going to be used as `AZURE_CLIENT_SECRET` environment variable. | ||
|
||
![Register an Application page](../../img/create-sp.gif) | ||
|
||
## Assigning the proper permissions | ||
|
||
To allow Prowler to retrieve metadata from the identity assumed and specific Entra checks, it is needed to assign the following permissions: | ||
|
||
1. Access to Microsoft Entra ID | ||
2. In the left menu bar, go to "App registrations" | ||
3. Once there, select the application that you have created | ||
4. In the left menu bar, select "API permissions" | ||
5. Then click on "+ Add a permission" and select "Microsoft Graph" | ||
6. Once in the "Microsoft Graph" view, select "Application permissions" | ||
7. Finally, search for "Directory", "Policy" and "UserAuthenticationMethod" select the following permissions: | ||
- `Directory.Read.All` | ||
- `Policy.Read.All` | ||
- `UserAuthenticationMethod.Read.All` | ||
8. Click on "Add permissions" to apply the new permissions. | ||
9. Finally, click on "Grant admin consent for [your tenant]" to apply the permissions. | ||
|
||
|
||
![EntraID Permissions](../../img/AAD-permissions.png) |
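Review bot: step 4 has unbalanced quotes ("Name, and "Register.) and the intro sentence has a typo and a missing verb; suggest `To allow Prowler to assume an identity and start the scan with the required privileges, it is necessary to create a Service Principal.` and `4. Fill in the "Name", select the "Supported account types" and click on "Register".` Since step 8 has the reader copy the client secret into `AZURE_CLIENT_SECRET`, the "Expires" field in step 7 deserves one sentence recommending the shortest expiry that fits the scan schedule and rotating the secret, because that value is a long-lived credential carrying every permission granted in the "Assigning the proper permissions" section.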
@@ -1,10 +1,47 @@ | ||
# Azure subscriptions scope | ||
|
||
By default, Prowler is multisubscription, which means that is going to scan all the subscriptions is able to list. If you only assign permissions to one subscription, it is going to scan a single one. | ||
By default, Prowler is multisubscription, which means that is going to scan all the subscriptions is able to list. If you only assign permissions to one subscription, it is going to scan a single one. | ||
Prowler also has the ability to limit the subscriptions to scan to a set passed as input argument, to do so: | ||
|
||
```console | ||
prowler azure --az-cli-auth --subscription-ids <subscription ID 1> <subscription ID 2> ... <subscription ID N> | ||
``` | ||
|
||
Where you can pass from 1 up to N subscriptions to be scanned. | ||
|
||
## Assigning proper permissions | ||
|
||
Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool: | ||
|
||
- `Security Reader` | ||
- `Reader` | ||
|
||
To assign this roles, follow the instructions: | ||
|
||
1. Access your subscription, then select your subscription. | ||
2. Select "Access control (IAM)". | ||
3. In the overview, select "Roles". | ||
![IAM Page](../../img/page-IAM.png) | ||
4. Click on "+ Add" and select "Add role assignment". | ||
5. In the search bar, type `Security Reader`, select it and click on "Next". | ||
6. In the Members tab, click on "+ Select members" and add the members you want to assign this role. | ||
7. Click on "Review + assign" to apply the new role. | ||
|
||
*Repeat these steps for `Reader` role* | ||
|
||
Moreover, some additional read-only permissions are needed for some checks, for this kind of checks that are not covered by built-in roles we use a custom role. This role is defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json). Please be sure to change the `assignableScopes` field for your subscriptions or management group. Once the cusotm role is created, repeat the steps mentioned above to assign the new `ProwlerRole` to an identity. | ||
|
||
## Recommendation for multiple subscriptions | ||
|
||
While scanning multiple subscriptions could be tedious to create and assign roles for each one. For this reason in Prowler we recommend the usage of *[management groups](https://learn.microsoft.com/en-us/azure/governance/management-groups/overview)* to group all subscriptions that are going to be audited by Prowler. | ||
|
||
To do this in a proper way you have to [create a new management group](https://learn.microsoft.com/en-us/azure/governance/management-groups/create-management-group-portal) and add all roles in the same way that have been done for subscription scope. | ||
|
||
![Create management group](../../img/create-management-group.gif) | ||
|
||
Once the management group is properly set you can add all the subscription that you want to audit. | ||
|
||
![Add subscription to management group](../../img/add-sub-to-management-group.gif) | ||
|
||
???+ note | ||
By default, `prowler` will scan all subscriptions in the Azure tenant, use the flag `--subscription-id` to specify the subscriptions to be scanned. |
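Review bot: the CLI flag is inconsistent within this hunk: the console example uses `--subscription-ids` while the closing note says `--subscription-id`; only one of them can match Prowler's actual option, so use the real one in both places. Smaller fixes: the rendered diff shows the opening "By default, Prowler is multisubscription..." sentence twice (drop one copy if both are in the new file), `cusotm` → `custom`, `this roles` → `these roles`, `all the subscription that you want` → `all the subscriptions that you want`, step 1 repeats itself (`Access your subscription, then select your subscription`), and `While scanning multiple subscriptions could be tedious to create and assign roles for each one.` is a fragment; suggest `Scanning multiple subscriptions can be tedious because roles have to be created and assigned for each one. For this reason we recommend ...`.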
@@ -0,0 +1,20 @@ | ||
{ | ||
"properties": { | ||
"roleName": "ProwlerRole", | ||
"description": "", | ||
"assignableScopes": [ | ||
"/providers/Microsoft.Management/managementGroups/<name_management_group> or /subscriptions/<subscription_id>" | ||
], | ||
"permissions": [ | ||
{ | ||
"actions": [ | ||
"Microsoft.Web/sites/host/listkeys/action", | ||
"Microsoft.Web/sites/config/list/Action" | ||
], | ||
"notActions": [], | ||
"dataActions": [], | ||
"notDataActions": [] | ||
} | ||
] | ||
} | ||
} |
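Review bot: the single `assignableScopes` entry contains the literal text ` or `, which is not a valid scope, so the file cannot be submitted as-is and Azure will reject it; JSON has no comments, so either ship one real placeholder such as `/subscriptions/<subscription_id>` and describe the management-group form in the docs, or provide two template files. `description` is also empty; a one-line description lets anyone auditing the tenant's custom roles see why `ProwlerRole` exists. Note too that `Microsoft.Web/sites/host/listkeys/action` and `Microsoft.Web/sites/config/list/Action` return function host keys and app settings/connection strings, which commonly hold secrets, so the accompanying doc's description of this role as "read-only" understates what the principal can read; keep `assignableScopes` as narrow as the audit allows and protect the principal's client secret accordingly.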