Create Cloud Connector

To start using Cloud Privilege Broker, you must add connectors for the cloud accounts. Additional connectors can be added at any time.

  1. Click Menu at the top of the left navigation bar, and click Cloud Connectors.
  2. Click Create New Cloud Connector +. The Create New Cloud Connector panel opens.
  3. Select the appropriate Cloud Service from the dropdown list.
  4. Follow the steps below for the selected cloud service.

Cloud Privilege Broker supports connections to Amazon Web Services (AWS) and Microsoft Azure. Connections to other cloud services are planned for future releases.

AWS Cloud Service

Enter the required information and follow the instructions in the Create New Cloud Connector panel.

  1. Enter a name for the cloud connector. This name displays in the list of cloud connectors.
  2. Enter the AWS Account ID.
  3. Download the Cloud Formation Template. The template contains folders for onboarding and offboarding AWS Accounts. Each folder contains a YAML script and a readme file providing the steps to execute the scripts.
    • To add new accounts, open the onboarding folder and refer to the readme file. An example of the file contents is shown here.
    • If adding multiple accounts in one session, it is only necessary to download the Cloud Formation Template once. However, the template should be downloaded again if adding accounts after the initial onboarding session, to ensure you have the latest version.
The readme file gives the following onboarding script execution steps:
  1. Log in to the AWS console.
  2. Select the region where the CloudFormation stack needs to be deployed.
  3. Click to open the CloudFormation console using this link: https://console.aws.amazon.com/cloudformation/.
  4. Click on Create Stack.
  5. Select Upload a template file and upload cpbonboarding.yaml.
  6. Click Next. Enter relevant Stack name.
  7. If a CloudTrail bucket exists for the account, enter the bucket name in the parameter, else leave it blank. If left blank, Cloud Privilege Broker sets up a new trail.
  8. Click Next twice and then click Create Stack.
  4. Use the script to create a stack and run it as a user with the appropriate permissions. The panel includes a link for more information on creating a stack.
  5. After your stack has been successfully created, find the user cpb + AWS Account ID (for example, cpb123456789012) in the AWS IAM service and create a new access key.
  6. Copy and paste the access key ID into the Access Key ID field.
  7. Copy and paste the secret access key ID into the Secret Access Key ID field. By default, the entry is hidden. Click the eye icon to view the entry.
  8. If desired, enter the location of an existing S3 bucket to store CloudTrail logs. This is recommended: if an existing, pre-configured CloudTrail log meets system requirements, recommendations can be made sooner, without waiting 90 days to collect data.
  9. Click Test Cloud Connector. The test validates data on the form, and then tests the connector.
    • If the test fails due to invalid data on the form, such as an incorrect number of characters in a field or a missing required entry, the field is outlined in red with an error message. Ensure all fields have the required data and try again.
    • If the test fails because a connection could not be established, a red error message appears at the bottom of the screen. Review all entered data and try again.
    • If the test is successful, a green confirmation appears at the bottom of the screen. Click Create Cloud Connector.

Azure Cloud Service

Enter the required information and follow the instructions in the Create New Cloud Connector panel.

  1. Enter a name for the cloud connector. This name displays in the list of cloud connectors.
  2. Download the Azure onboarding script. The file contains folders for onboarding and offboarding Azure Accounts. Each folder contains a shell script, JSON files, and a readme file providing the steps to execute the scripts.
    • To add new accounts, open the onboarding folder and refer to the readme file. The readme file contains instructions for two scenarios. Examples of those instructions are shown here. The steps in the readme file might duplicate some steps shown on the panel.
    • If adding multiple accounts in one session, it is only necessary to download the Azure onboarding script once. However, the script should be downloaded again if adding accounts after the initial onboarding session, to ensure you have the latest version.
Case 1: Onboard a new subscription when an existing Log Analytics workspace is not provided.

In this case, Cloud Privilege Broker sets up a fresh Log Analytics workspace and related configurations within this subscription.

  1. Log in to the Azure Bash Cloud Shell using a privileged account.
  2. Download and unzip the Azure onboarding script.
  3. Run ./cpbonboarding.sh --subscription_id <ValidSubscriptionId> from the path where the ZIP file was downloaded.
  4. Copy the Client ID, Client Secret, Directory ID, Subscription ID, and Log Analytics Workspace ID from the script output and store them in a local editor.
  5. In the Microsoft Azure Portal, find and select the application in the following format: cpb-sp- + Subscription ID (for example, cpb-sp-291bba3f-e0a5-47bc-a099-3bdcb2a50a05) under App registrations in the Azure Active Directory service.
  6. Click API Permissions in the left side panel.
  7. Under API Permissions for the selected application registration, check the Grant admin consent option for the API / Permissions. Select Grant Admin Consent and click Yes. Under Azure Active Directory Graph, ensure that the Directory.Read.All permission is granted.
  8. The fields Client ID, Client Secret, Directory ID, Subscription ID, and Log Analytics Workspace ID saved in the local editor can now be used in the respective fields in the Add New Connector onboarding screen of Cloud Privilege Broker.

It can take some time to create the resources in Azure. Wait for 15 minutes after the script has successfully run and then add details in the Cloud Privilege Broker Add New Connector section to onboard a new connector.

Case 2: Onboard a new subscription when an existing Log Analytics workspace is provided.

In this case, Cloud Privilege Broker sets up a fresh Log Analytics workspace and related configurations within this subscription.

Prerequisites for onboarding an existing Log Analytics workspace:

  • The workspace should exist within the subscription that is being onboarded.
  • Diagnostic settings are configured so that audit log information is forwarded into this workspace.

  1. Log in to the Azure Bash Cloud Shell using a privileged account.
  2. Download and unzip the Azure onboarding script.
  3. Run ./cpbonboarding.sh --subscription_id <ValidSubscriptionId> --workspace_id <ValidWorkspaceId> from the path where the ZIP file was downloaded.
  4. Copy the Client ID, Client Secret, Directory ID, Subscription ID, and Log Analytics Workspace ID from the script output and store them in a local editor.
  5. In the Microsoft Azure Portal, find and select the application in the following format: cpb-sp- + Subscription ID (for example, cpb-sp-291bba3f-e0a5-47bc-a099-3bdcb2a50a05) under App registrations in the Azure Active Directory service.
  6. Click API Permissions in the left side panel.
  7. Select Grant Admin Consent and click Yes. Under Azure Active Directory Graph ensure that the Directory.Read.All permission is granted.
  8. The fields Client ID, Client Secret, Directory ID, Subscription ID, and Log Analytics Workspace ID saved in the local editor can now be used in the respective fields in the Add New Connector onboarding screen of Cloud Privilege Broker.

It can take some time to create the resources in Azure. Wait for 15 minutes after the script has successfully run and then add details in the Cloud Privilege Broker Add New Connector section to onboard a new connector.

  3. Run the cpbonboarding.sh file with appropriate permissions in the Azure Cloud Shell. The Subscription ID is required as an input parameter for the script. The panel includes a link for more information on running a script in the Azure Cloud Shell.
  4. Copy the Client ID, Client Secret, Directory ID, Subscription ID, and Log Analytics Workspace ID from the script output. The Client Secret is shown briefly.
  5. In the Microsoft Azure Portal, find and select the application named cpb-sp- + Subscription ID (for example, cpb-sp-291bba3f-e0a5-47bc-a099-3bdcb2a50a05) in App registrations in the Azure Active Directory service.
  6. Under API permissions for the selected application registration, check the Grant admin consent option for the API / Permissions name.
  7. Paste the Client Secret, Client ID, Directory ID, Subscription ID, and Log Analytics Workspace ID into the respective fields in the panel.
  8. Click Test Cloud Connector. The test validates data on the form, then tests the connector.
    • If the test fails due to invalid data on the form, such as an incorrect number of characters in a field, the field is outlined in red with an error message. Ensure all fields have the required data and try again.
    • If the test fails because a connection could not be established, a red error message appears at the bottom of the screen. Review all entered data and try again.
    • If the test is successful, a green confirmation appears at the bottom of the screen. Click Create Cloud Connector.
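A small helper, added here as an example and not part of the Cloud Privilege Broker tooling, that captures the five values the Azure onboarding script prints (the "Field: value" output layout is an assumption), checks that they are well-formed, and derives the identity names both the AWS and Azure procedures tell you to look up (cpb + AWS Account ID, cpb-sp- + Subscription ID) before you reach the Test Cloud Connector step.

```python
import re

# Constructed sample of the onboarding script's console output; the
# "Field: value" layout is an assumption for this example.
SAMPLE_OUTPUT = """\
Client ID: 11111111-2222-3333-4444-555555555555
Client Secret: example-secret-placeholder
Directory ID: 66666666-7777-8888-9999-000000000000
Subscription ID: 291bba3f-e0a5-47bc-a099-3bdcb2a50a05
Log Analytics Workspace ID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
AZURE_FIELDS = ("Client ID", "Client Secret", "Directory ID",
                "Subscription ID", "Log Analytics Workspace ID")

def aws_connector_user(account_id: str) -> str:
    """IAM user the onboarding stack creates: 'cpb' + the 12-digit account ID."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS Account ID must be exactly 12 digits")
    return f"cpb{account_id}"

def aws_key_problems(access_key_id: str, secret_access_key: str) -> list:
    """Length check like the form's: access key IDs are 20 chars, secrets 40."""
    problems = []
    if not re.fullmatch(r"[A-Z0-9]{20}", access_key_id):
        problems.append("Access Key ID")
    if len(secret_access_key) != 40:
        problems.append("Secret Access Key ID")
    return problems

def parse_azure_onboarding_output(text: str) -> dict:
    """Capture the values the panel needs; the secret is only shown briefly."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() in AZURE_FIELDS:
            fields[name.strip()] = value.strip()
    missing = [f for f in AZURE_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"missing from script output: {missing}")
    for name in AZURE_FIELDS:  # every field except the secret is a GUID
        if name != "Client Secret" and not GUID_RE.match(fields[name]):
            raise ValueError(f"{name} is not a GUID: {fields[name]}")
    return fields

def azure_app_registration_name(subscription_id: str) -> str:
    """App registration to grant admin consent on: 'cpb-sp-' + Subscription ID."""
    return f"cpb-sp-{subscription_id}"
```

Keep the parsed dictionary in memory only; the Client Secret is meant to go straight into the connector panel, not into a file.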