Run Scans on Cloud Platforms in BeyondInsight

You can run scans on the following cloud types: Amazon EC2, Rackspace, IBM SmartCloud, Microsoft Azure, Microsoft Hyper-V, and Google Cloud.

Before you create a cloud connector, ensure the following requirements are in place.

Amazon EC2 Requirements

To use the Amazon EC2 connector, you must adhere to the following recommendation from Amazon:

  • User accounts must have minimal permissions assigned (for example, describe instances).

The following minimum permissions are required to successfully enumerate a list of targets and run a scan:

  • elasticloadbalancing:DescribeLoadBalancers
  • ec2:DescribeInstances
  • ec2:DescribeInstanceTypes
  • ec2:DescribeInstanceTypeOfferings
  • ec2:DescribeRegions
  • ec2:DescribeInstanceStatus
  • ec2:DescribeImages

Azure Requirements

The Azure connector extracts virtual machines and load balancers from Resource Manager. You must create an Entra ID application.

You can either use the premade Reader role, or set up a new Virtual Machine Contributor role on the Azure Resource Group. You must choose where in the Azure hierarchy you are granting access — either as high as the subscription, or for a specific Resource Group. If you choose to set up a new role, the minimum permissions that must be granted are:

  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachines/instanceView/read
  • Microsoft.Network/loadBalancers/read
  • Microsoft.Network/loadBalancers/frontendIPConfigurations/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkInterfaces/loadBalancers/read
  • Microsoft.Network/publicIPAddresses/read

For detailed instructions, please see Create an Entra ID Application.

Google Cloud Requirements

  • Key file: You must download a key file from the Google Cloud instance. The key file is uploaded when you create the connector in BeyondInsight.

The key file is not required if your BeyondInsight server is hosted on your Google Cloud instance.

  • Compute Engine Network Viewer Role: The BeyondInsight service account that you create in the Google Cloud instance requires the Compute Engine Network Viewer role.

For more information, please see Compute Engine IAM Roles.

Hyper-V Requirements

The steps required for successful authentication vary depending on your environment. These instructions are for connecting to a Hyper-V virtual machine on the CIMV2 namespace under root (not for connecting to a Hyper-V server).

Set Firewall

  1. Open Windows Firewall (Start > Control Panel > Security > Windows Firewall).
  2. Select Allow a program or feature through Windows Firewall.
  3. Check the Windows Management Instrumentation (WMI) box, and then check the Public box.
  4. At this point, requests reach the host but return unauthorized exceptions; before this step, the host would not have been found at all.

Add WMI user to COM Security

  1. Start Component Services (using the Run command, enter dcomcnfg.exe).
  2. Expand Component Services > Computers.
  3. Right-click My Computer, and then select Properties.
  4. Select the COM Security tab, and then in Access Permissions, click Edit Limits.
  5. Add the username you are using for WMI, and then select Local Access and Remote Access.
  6. Click OK.
  7. In Launch and Activation Permissions, click Edit Limits.
  8. Add the WMI user, and then select Remote Launch and Remote Activation.

Change WMI Permissions

  1. Start the Computer Management snap-in by using the Run command and entering compmgmt.msc.
  2. Expand Services and Applications.
  3. Right-click WMI Control, and then select Properties.
  4. Click the Security tab.
  5. Select Root\CIMV2, and then click Security.
  6. Add the user, and then click Advanced.
  7. Double-click the user, and then check the following boxes: Enable Account, Remote Enable, and Read Security.
  8. From the Apply to list, select This namespace and subnamespaces.
  9. Restart the WMI service.

Test Connection

Use WBEMTest on the local machine (not your Hyper-V server) to test your connection.

  1. Run wbemtest.exe from the command prompt.
  2. Click Connect.
  3. Enter the namespace in the format \\HOST\root\CIMV2, where HOST is a computer name on a domain or an IP address.
  4. Enter a username and password.
  5. Click Connect.

Configure a Cloud Connector

  1. In the BeyondInsight console, go to Configuration > General > Connectors.
  2. In the Connectors pane, click Create New Connector.
  3. Provide a name for the connector, and then select a Connector Type from the list:
    • AWS Scan Target Collector
    • Azure Scan Target Collector
    • Google Cloud Scan Target Collector
    • Hyper-V Scan Target Collector
    • Rackspace Scan Target Collector
  4. Click Create Connector.
  5. Enter the connector information in the right pane:
    • For AWS cloud connections, required fields are: Region, Access Key ID, and Secret Access Key ID.

      Instances associated with the region are displayed in the Connection Test Results section.

    • For Azure, required fields are: Region, Client ID, Client Secret, Tenant ID, and Subscription ID.
    • For Google Cloud, required fields are: Server (the region), Project Name (the project ID), and the Key File. Upload the key file that you downloaded from Google Cloud.
    • For Hyper-V, required fields are: Server (IP address), Username, and Password.
    • For Rackspace, required fields are Account Type, Username, and API Key.
  6. After you configure the connector, click Test Connector to ensure the connector works.
  7. Click Create Connector.

After you create a cloud connector, you can run a scan and review the results to determine what cloud assets were discovered.

Cloud Connector Smart Groups

You can create Smart Groups based on the cloud connectors that you are using.

  1. From the left menu, click Smart Rules.
  2. Click Create Smart Rule.
  3. Select a category, and then enter a name and description.
  4. Under Selection Criteria, select Cloud Assets, and then select the cloud connector type to filter on (AWS, Azure, Hyper-V).
  5. For AWS, click Select AWS Instance Types to pick specific instance types.
  6. For AWS, Azure, and Google, check the Use Private IP Address box to scan internal IP addresses.
  7. Under Actions, select Show asset as Smart Group.
  8. Click Create Smart Rule.
  9. Run a discovery scan on the smart group to see the cloud assets in reports.
  10. On the Assets page, select the cloud connector, and then click the vertical ellipsis button to review the details.

Configure BeyondInsight AWS Connector

This section provides information on setting up an Amazon AWS connector, including details on the AWS configuration.

Set up a Policy

  1. Log in to the AWS Management Console.
  2. Select Identity & Access Management.
  3. Select Policies from the Details menu.
  4. Select Create Policy.
  5. Select Create Your Own Policy.
  6. Enter a policy name and description.
  7. Paste the following JSON into Policy Document (it grants the minimum permissions listed under Amazon EC2 Requirements, including the two instance-type actions that are needed to enumerate targets):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeInstanceTypeOfferings",
                    "ec2:DescribeRegions",
                    "ec2:DescribeInstanceStatus",
                    "ec2:DescribeImages"
                ],
                "Resource": "*"
            }
        ]
    }

The "Resource": "*" value grants the listed actions on every resource; determine what Resource JSON is actually required for your current needs and narrow it accordingly. You may also need a Condition element, for example if you want only the dev group to have access to certain instances.
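The policy above is meant to be the least privilege the connector needs, so before attaching it (or a variant of it) it is worth checking that every required Describe action is covered and that nothing broader, such as a wildcard action, has crept in. The following is an added example, not BeyondTrust's code; the two sample policy documents are constructed here, and the required-action set is the one listed under Amazon EC2 Requirements.

```python
import json
from fnmatch import fnmatchcase

# Minimum actions the page lists for the BeyondInsight EC2 connector.
REQUIRED_AWS_ACTIONS = {
    "elasticloadbalancing:DescribeLoadBalancers",
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceTypes",
    "ec2:DescribeInstanceTypeOfferings",
    "ec2:DescribeRegions",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeImages",
}

def allowed_actions(policy):
    """Collect Action strings from every Allow statement (Deny statements are ignored).
    Handles the single-statement and single-action shorthand forms IAM accepts."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.extend([acts] if isinstance(acts, str) else acts)
    return actions

def check_policy(policy, required=REQUIRED_AWS_ACTIONS):
    """Return (missing, wildcards): required actions that no Allow grants, and any
    wildcard grants, which exceed the read-only minimum the connector needs."""
    granted = allowed_actions(policy)
    missing = sorted(a for a in required
                     if not any(fnmatchcase(a, g) for g in granted))
    wildcards = sorted(g for g in granted if "*" in g)
    return missing, wildcards

# Constructed sample 1: the minimal policy from this page, as a JSON document.
MINIMAL_POLICY = json.loads(json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": sorted(REQUIRED_AWS_ACTIONS), "Resource": "*"}],
}))

# Constructed sample 2: covers every required action, but via "ec2:*",
# which also allows RunInstances, TerminateInstances and every other EC2 call.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:*", "elasticloadbalancing:DescribeLoadBalancers"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    for name, pol in (("minimal", MINIMAL_POLICY), ("broad", BROAD_POLICY)):
        print(name, check_policy(pol))
```

A policy that omits the two instance-type actions shows up as `missing`, while the broad one passes coverage but is flagged for its wildcard.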

Grant Access to a Third Party (Optional)

The ARN and External Name fields are for granting access to a third party. For more information, please see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.

After you configure the AWS settings, you can create the AWS Scan Target Collector connector and Smart Group in the BeyondInsight console.

When creating, editing, or viewing the connector, the Cloud Scan Targets grid only shows results immediately after a test is completed. The targets are not automatically loaded into the BeyondInsight UI each time the connector is viewed or edited.