Run Scans on Cloud Platforms in BeyondInsight

You can run scans on the following cloud types: Amazon EC2, VMware vCenter, Rackspace, IBM SmartCloud, Microsoft Azure, Microsoft Hyper-V, and Google Cloud.

Before you create a cloud connector, ensure the following requirements are in place.

Amazon EC2 Requirements

To use the Amazon EC2 connector, you must adhere to the following recommendation from Amazon:

  • User accounts must have minimal permissions assigned (for example, describe instances).

The following minimum permissions are required to successfully enumerate a list of targets and run a scan:

  • elasticloadbalancing:DescribeLoadBalancers
  • ec2:DescribeInstances
  • ec2:DescribeRegions
  • ec2:DescribeInstanceStatus
  • ec2:DescribeImages

Azure Requirements

The Azure connector extracts virtual machines and load balancers from Resource Manager. You must create an Azure Active Directory application.

You can either use the premade Reader role, or set up a new Virtual Machine Contributor role to the Azure Resource Group. You must choose where in the Azure hierarchy you are giving access — either as high as the subscription, or for a specific Resource Group. If you choose to set up a new role, the minimum permissions that must be granted are:

  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachines/instanceView/read
  • Microsoft.Network/loadBalancers/read
  • Microsoft.Network/loadBalancers/frontendIPConfigurations/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkInterfaces/loadBalancers/read
  • Microsoft.Network/publicIPAddresses/read

For detailed instructions, please see Create an Azure Active Directory Application.

Google Cloud Requirements

  • Key file: You must download a key file from the Google cloud instance. The key file is uploaded when you create the connector in BeyondInsight.

The key file is not required if your BeyondInsight server is hosted on your Google cloud instance.

  • Compute Engine Network Viewer Role: The BeyondInsight service account that you create in the Google cloud instance requires the Compute Engine Network Viewer role.

For more information, please see Compute Engine IAM Roles.

Hyper-V Requirements

The steps required for successful authentication vary depending on your environment. These instructions are to connect a Hyper-Vi virtual machine on the CIMV2 namespace off root (not connecting to a Hyper-V server).

Set Firewall

  1. Open Windows Firewall (Start > Control Panel > Security > Windows Firewall).
  2. Select Allow a program or feature through Windows Firewall.
  3. Check the Windows Management Instrumentation (WMI) box, and then check the Public box.
  4. At this point you can send requests but receive unauthorized exceptions, whereas previously the host would not be found.

Add WMI user to COM Security

  1. Start Component Services (using the Run command, enter dcomcnfg.exe).
  2. Expand Component Services > Computers.
  3. Right-click My Computer, and then select Properties.
  4. Select the COM Security tab, and then in Access Permissions, click Edit Limits.
  5. Add the username you are using for WMI, and then select Local Access and Remote Access.
  6. Click OK.
  7. In Launch and Activation Permissions, click Edit Limits.
  8. Add the WMI user, and then select Remote Launch and Remote Activation.

Change WMI Permissions

  1. Start the Computer Management snap-in by using the Run command, and entering compmgmt.msc.
  2. Expand Services and Applications.
  3. Right-click WMI Control, and then select Properties.
  4. Click the Security tab.
  5. Select Root\CIMV2, and then click Security.
  6. Add the user, and then click Advanced.
  7. Double-click the user, and then check the following boxes: Enable Account, Remote Enable, and Read Security.
  8. From the Apply to list, select This namespace and subnamespaces.
  9. Restart the WMI service.

Test Connection

Use WBEMTest on the local machine (not your Hyper-V server) to test your connection.

  1. Run wbemtest.exe from the command prompt.
  2. Click Connect.
  3. Enter the namespace in the format \\HOST\root\CIMV2, where HOST is a computer name on a domain or an IP address.
  4. Enter a username and password.
  5. Click Connect.

VMware vCenter Requirements

You can scan VMware virtual machines. Ensure the following requirements are in place before you configure the VMware connector in BeyondInsight.

  • Discovery Scanner 5.17 or later
  • BeyondInsight 3.5 or later
  • VMware Tools must be installed on the targets that you want to scan.
  • Log in to the VMware website and download the Virtual Disk Development Kit (VDDK):
  • Discovery Scanner supports only version 5.1 of the VDDK. Ensure you copy the following file: VMware-vix-disklib-5.1.0-774844.i386.exe.
  • Run the VDDK installer on the scanner computer using local administrator credentials.
  • BeyondInsight needs access to https://<VMware server>/sdk through port 443.

Configure a Cloud Connector

  1. In the BeyondInsight Console, go to Configuration > General > Connectors.
  2. In the Connectors pane, click Create New Connector.
  3. Provide a name for the connector, and then select a Connector Type from the list:
    • AWS Scan Target Collector
    • Azure Scan Target Collector
    • Google Cloud Scan Target Collector
    • Hyper-V Scan Target Collector
    • Rackspace Scan Target Collector
    • VMware vCenter Scan Target Collector
  4. Enter the connector information:
    • For AWS cloud connections, required fields are: Provider, Region, Access Key ID, and Secret Access Key.

      Instances associated with the region are displayed in the Connection Test Results section.

    • For Azure, required fields are: Region, Client ID, Client Information, Tenant ID, and Subscription Information.
    • For Google Cloud, required fields are Server (the region), Project Name (the project ID), and the Key File. Upload the key that you downloaded from the Google Cloud.
    • Hyper-V server, required fields are: Server (IP address) and logon credentials.
    • For Rackspace, required fields are Account Type, Username, and API Key.
    • For VMware, required fields are Server (https://[server]/sdk), Username, and Password.
  5. After you configure the connector, click Test Connector to ensure the connector works.
  6. Click Create Connector.

After you create a cloud connector, you can run a scan and review the results to determine what cloud assets were discovered..

Scan Paused or Offline VMware Images

By default, paused or offline VMs are turned on during a scan. After the scan runs, the VMs are reverted to the paused or offline state.

If you suspect that a VM is at risk, you can turn on the VM in another secure network where other VMs will not be under potential threat. The scan runs as usual, and then the VM is reverted to the paused or offline state.

VMware vCenter Server Advanced Options

When creating the connector, click the Advanced button. You can configure each host that is a member of the vCenter instance.

The option that you select applies to all VMs on the host.

The advanced options dialog box varies depending on your vCenter configuration. The list of available options includes all other networks configured for your vCenter instance or on your ESX server.


Scan VMDK Files

Advanced Options :: Do not power on offline images option checked

You can scan a VMDK file rather than turning on a VM. Make sure you check the option Do NOT power on offline images - scan VMDK file instead.

Scan times are faster when VMs remain powered off. However, scan results might differ from scan results for VMs powered on (for example, open ports and running processes might not be detected for VMs powered off).


Cloud Connector Smart Groups

You can create Smart Groups based on the cloud connectors that you are using.

  1. Select Assets from the menu.
  2. Click the Manage Smart Rules link.
  3. Click Create Smart Rule.
  4. Select a category, and then enter a name and description.
  5. Under Selection Criteria, select Cloud Assets, and then select the cloud connector type to filter on (Amazon, Azure, Hyper-V).
  6. For the Amazon AWS, Azure, and Google Smart Groups, check the Use Private IP Address box to scan internal IP addresses.
  7. Under Actions, select Show asset as Smart Group.
  8. Click Create Smart Rule.
  9. Run a Discovery Scan on the Smart Group to see the cloud assets in reports.
  10. On the Assets page, select the cloud connector, and then click the more options icon to review the details.

Configure BeyondInsight AWS Connector

This section provides information on setting up an Amazon AWS connector, including details on the AWS configuration.

Set up a Policy

  1. Log in to the AWS Management Console.
  2. Select Identity & Access Management.
  3. Select Policies from the Details menu.
  4. Select Create Policy.
  5. Select Create Your Own Policy.
  6. Enter a policy name and description.
  7. Paste the following JSON into Policy Document:
"Version": "2012-10-17",
"Statement": [
        "Effect": "Allow",
        "Action": [
        "Resource": "*"

For "Resource": "*", you must determine what JSON is required for your current needs. You might also need a condition with this, such as if you want only the dev group to have access to certain instances.

Grant Access to a Third Party (Optional)

The ARN and External Name fields are for granting access to a third party. For more information, please see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.

After you configure the AWS settings, you can create the connector and Smart Groups in the BeyondInsight Console.