Permissions Required for Azure Subscriptions
AlgoSec Cloud Enterprise (ACE) comprises two distinct components, each offering a unique set of functionalities:
-
Cloud Network Security (CNS) - (formerly CloudFlow)
-
Cloud App Analyzer (CAA) - (formerly Prevasio)
This section outlines the required and optional permissions for Azure Subscriptions necessary to fully leverage the capabilities of ACE. The table below details the permissions along with justifications for their necessity.
(optional) For advanced policy change capabilities for Azure NSGs/Firewall, see Permissions for Changes to Azure Policies.
The permissions listed below are classified according to the following key:
| Read | READ permissions | |
| R/W | READ/WRITE permissions | |
| Write | WRITE permissions |
Important: Missing permissions can cause ACE to malfunction and lead to data inconsistencies. AlgoSec is not responsible for any issues arising from missing permissions.
Note: If you decide to stop using ACE, some resources must be deleted. See Remove Azure Resources.
Azure Permissions and Justifications
| Type | Permission | Component | Justification | |
|---|---|---|---|---|
| CNS | CAA | |||
| Read | Microsoft.Compute/virtualMachines/read |
✔ | For ASMS network topology map: Permission to display information on VM instances | |
| Read | Microsoft.Compute/virtualMachineScaleSets/read |
✔ | For ASMS network topology map: Permission to list all VM Scale Sets in the subscription | |
| Read | Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read |
✔ | For ASMS network topology map: Permission to display all network interfaces in a virtual machine scale set | |
| Read | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read |
✔ | For ASMS network topology map: Permission to list of all virtual machines in a VM scale sets. | |
| Read | Microsoft.Insights/diagnosticSettings/read | ✔ | For Network policy: Permission to read diagnostic settings to check if flow logs for Azure Firewall are enabled. | |
| Read | Microsoft.Network/applicationSecurityGroups/read |
✔ | For Overview of assets and security controls : Permission to list application security groups. | |
| Read | Microsoft.Network/azurefirewalls/read |
✔ | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Azure Firewall information. | |
| Read | Microsoft.Network/connections/read |
✔ | For ASMS network topology map: Permission to display information on VPC peering connections. | |
| Read | Microsoft.Network/firewallPolicies/read |
✔ | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Azure Firewall policies. | |
| Read | Microsoft.Network/firewallPolicies/ruleCollectionGroups/read |
✔ | For Overview of assets and security controls, Network policy and Risks: Permission: Permission to list FirewallPolicyRuleCollectionGroups in Firewall policy. | |
| Read | Microsoft.Network/ipGroups/read | ✔ | For Network policy, Changes and Risks: Permission to IP group. | |
| Read | Microsoft.Network/loadBalancers/read |
✔ | For Overview of assets and security controls: Permission to retrieve Load Balancer information. | |
| Read | Microsoft.Network/localnetworkgateways/read |
✔ | For ASMS network topology map : Permission to display information on Local Network Gateways. | |
| Read | Microsoft.Network/locations/serviceTags/read |
✔ | For Changes and Risks: Permission to retrieve service tags. | |
| Read | Microsoft.Network/networkInterfaces/read |
✔ | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Network Interface information | |
| Read | Microsoft.Network/networkSecurityGroups/read |
✔ | For Overview of assets and security controls, Network policy and Risks: Permission to list network security groups. | |
| Read | Microsoft.Network/networkWatchers/flowLogs/read |
✔ | For Network policy: Permission of flow logs to flag unused rules. | |
| Read | Microsoft.Network/networkWatchers/queryFlowLogStatus/action |
✔ | For Network policy: Permission of the query result of flow log status to flag unused rules. | |
| Read | Microsoft.Network/networkWatchers/read |
✔ | For Network policy: Permission of network watchers to flag unused rules. | |
| Read | Microsoft.Network/publicIPAddresses/read |
✔ | For Overview of assets and security controls : Permission to retrieve Public IP information. | |
| Read | Microsoft.Network/routeTables/read |
✔ | For ASMS network topology map : Permission to display information on route table definition. | |
| Read | Microsoft.Network/virtualHubs/effectiveRoutes/action |
✔ | For Overview of assets and security controls and Risks : Permission to network interfaces of a Virtual Machine Scale Set. | |
| Read | Microsoft.Network/virtualHubs/hubRouteTables/read |
✔ | For Overview of assets and security controls and Risks : Permission to list of VM Scale Sets in the subscription, regardless of the associated resource group. | |
| Read | Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read |
✔ | For Cloud Network Security Overview of assets and security controls and Risks require access to this permission to list of virtual machines in a VM scale sets. | |
| Read | Microsoft.Network/virtualHubs/read |
✔ | For Cloud Network Security Overview of assets and security controls, Network policy and Risks: Permission to list virtual hub. | |
| Read | Microsoft.Network/virtualNetworkGateways/read |
✔ | For ASMS network topology map: Permission to display information on virtual network gateway. | |
| Read | Microsoft.Network/virtualNetworks/read |
✔ | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VNET information. | |
| Read | Microsoft.Network/virtualWans/read |
✔ | For ASMS network topology map: Permission to list all the Virtual WANs in a subscription. | |
| Read | Microsoft.Network/vpnGateways/read |
✔ | For ASMS network topology map: Permission to display information on VPN gateway. | |
| Read | Microsoft.Network/vpnsites/read |
✔ | For Overview of assets and security controls and Risks: Permission to list the virtual machines in the specified subscription. | |
| Read | Microsoft.Resources/subscriptions/read |
✔ | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve and authenticate subscription information. | |
| Read | Microsoft.Storage/storageAccounts/read |
✔ | For Overview of assets and security controls: Permission to list all the storage accounts available under the subscription | |
| Read | Microsoft.Storage/storageAccounts/listKeys/action |
✔ |
For Network policy: Permission to list the access keys or Kerberos keys (if active directory enabled) for the specified storage account to flag unused rules. Permission not required when flow logs are disabled. |
|
| Read | ✔ | For ASMS network topology map : Permission to display information on App Service Environments for a subscription. Permission not required when flow logs are disabled. |
||
Permissions for Changes to Azure Policies
(optional) For advanced policy change capabilities for Azure NSGs/Firewall, the following permissions need are required for provisioning.
You will need the following WRITE permissions, if you want to enable:
-
Changes to Azure NSG/Firewall policies in Cloud Network Security.
-
ActiveChange for Azure NSGs/Firewalls in FireFlow when using unified onboarding with Azure. (Note that Unified onboarding is currently in an Early Availability phase. For more information see Simultaneously onboard Azure subscriptions into ACE and ASMS.)
Important: Missing permissions can cause ACE to malfunction and lead to data inconsistencies. AlgoSec is not responsible for any issues arising from missing permissions.
|
Type |
Permission |
Component |
Justification |
|
|---|---|---|---|---|
|
CNS |
CAA |
|||
|
Write |
Microsoft.Network/azurefirewalls/write (optional - for Changes to Azure Firewall policies ) |
✔ |
|
For Network policy: Permission for advanced policy change capabilities. |
|
Write |
Microsoft.Network/networkSecurityGroups/write |
✔ |
|
For Network policy: Permission for advanced policy change capabilities . |
For the list of permissions in JSON format for reference, click here:
following optional permissions
"permissions": [
{
"actions": [
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
"Microsoft.Network/applicationSecurityGroups/read",
"Microsoft.Network/azurefirewalls/read",
"Microsoft.Network/connections/read",
"Microsoft.Network/firewallPolicies/read",
"Microsoft.Network/firewallPolicies/ruleCollectionGroups/read",
"Microsoft.Network/ipGroups/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/localnetworkgateways/read",
"Microsoft.Network/locations/serviceTags/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkWatchers/flowLogs/read",
"Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
"Microsoft.Network/networkWatchers/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/virtualHubs/effectiveRoutes/action",
"Microsoft.Network/virtualHubs/hubRouteTables/read",
"Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read",
"Microsoft.Network/virtualHubs/read",
"Microsoft.Network/virtualNetworkGateways/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualWans/read",
"Microsoft.Network/vpnGateways/read",
"Microsoft.Network/vpnsites/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Web/hostingEnvironments/Read",
"Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Network/azurefirewalls/write", // Optional for advanced policy change capabilities
"Microsoft.Network/networkSecurityGroups/write" //// Optional for advanced policy change capabilities
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}Roles that are Assigned by Cloud App Analyzer
During onboarding, Cloud App Analyzer asks the user to specify an onboarding target. If the user onboards a single subscription, that subscription's ID will be the target. If the user onboards multiple subscriptions, the selected target will be a management group or a root management group (Tenant root group).
By adding roles to the selected target, AlgoSec Cloud's multi-tenant application will get the permissions, required to perform a cloud security assessment of each subscription under the target.
Once the target is specified, Cloud App Analyzer assigns the following roles to the selected onboarding target:
| Type | Role Definition name | Component | Justification | |
|---|---|---|---|---|
| CNS | CAA | |||
| Read | ✔ |
Includes permissions to view the configuration of Azure diagnostics on all Azure resources |
||
| Read | ✔ |
Includes permissions to pull and scan container images from the Azure container registry |
||
| Read | ✔ |
Includes permissions to read metadata of key vaults, certificates, keys, and secrets* |
||
| R/W | Azure Kubernetes Service Cluster User Role | ✔ |
Includes permissions to perform KSPM scan on Kubernetes clusters Note: If the KSPM scan feature is not required, this role should be manually removed. |
|
| Write | AcrPush | ✔ |
Includes permissions to set container image metadata property with name "canRead" to false (required to block pulling of the image as part of ACR CD Security) Note: If the CD Mitigation scan feature is not required, this role should be manually removed. |
|
