Permissions Required for Azure Subscriptions

AlgoSec Cloud Enterprise (ACE) comprises two distinct components, each offering a unique set of functionalities:

  • Cloud Network Security (CNS) - (formerly CloudFlow)

  • Cloud App Analyzer (CAA) - (formerly Prevasio)

This section outlines the required and optional permissions for AWS accounts necessary to fully leverage the capabilities of ACE. The table below details the permissions requested by each specified role, along with justifications for their necessity.

You can find all these permissions in the CloudFormation template.

The permissions listed below are classified according to the following key:

  • READ permissions

  • READ/WRITE permissions

  • WRITE permissions

Important: Missing permissions can cause ACE to malfunction and lead to data inconsistencies. AlgoSec is not responsible for any issues arising from missing permissions.

Note: If you decide to stop using ACE, some resources must be deleted. See Remove Azure Resources.

Azure permissions and justifications

Type   Permission   Role Component (CNS / CAA)   Justification

Microsoft.Compute/virtualMachines/read
    For ASMS network topology map: Permission to display information on VM instances.

Microsoft.Compute/virtualMachineScaleSets/read
    For ASMS network topology map: Permission to list all VM Scale Sets in the subscription.

Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read
    For ASMS network topology map: Permission to display all network interfaces in a virtual machine scale set.

Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
    For ASMS network topology map: Permission to list all virtual machines in a VM scale set.

Microsoft.Insights/diagnosticSettings
    For Network policy: Permission to read diagnostic settings to check whether flow logs for Azure Firewall are enabled.

Microsoft.Network/applicationSecurityGroups/read
    For Overview of assets and security controls: Permission to list application security groups.

Microsoft.Network/azurefirewalls/read
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Azure Firewall information.

Microsoft.Network/connections/read
    For ASMS network topology map: Permission to display information on VPC peering connections.

Microsoft.Network/firewallPolicies/read
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Azure Firewall policies.

Microsoft.Network/firewallPolicies/ruleCollectionGroups/read
    For Overview of assets and security controls, Network policy and Risks: Permission to list FirewallPolicyRuleCollectionGroups in a Firewall policy.

Microsoft.Network/ipGroups/read
    For Network policy, Changes and Risks: Permission to read IP groups.

Microsoft.Network/loadBalancers/read
    For Overview of assets and security controls: Permission to retrieve Load Balancer information.

Microsoft.Network/localnetworkgateways/read
    For ASMS network topology map: Permission to display information on Local Network Gateways.

Microsoft.Network/locations/serviceTags/read
    For Changes and Risks: Permission to retrieve service tags.

Microsoft.Network/networkInterfaces/read
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Network Interface information.

Microsoft.Network/networkSecurityGroups/read
    For Overview of assets and security controls, Network policy and Risks: Permission to list network security groups.

Microsoft.Network/networkWatchers/flowLogs/read
    For Network policy: Permission to read flow logs, used to flag unused rules.

Microsoft.Network/networkWatchers/queryFlowLogStatus/action
    For Network policy: Permission to query flow log status, used to flag unused rules.

Microsoft.Network/networkWatchers/read
    For Network policy: Permission to read network watchers, used to flag unused rules.

Microsoft.Network/publicIPAddresses/read
    For Overview of assets and security controls: Permission to retrieve Public IP information.

Microsoft.Network/routeTables/read
    For ASMS network topology map: Permission to display information on route table definitions.

Microsoft.Network/virtualHubs/effectiveRoutes/action
    For Overview of assets and security controls and Risks: Permission to access network interfaces of a Virtual Machine Scale Set.

Microsoft.Network/virtualHubs/hubRouteTables/read
    For Overview of assets and security controls and Risks: Permission to list VM Scale Sets in the subscription, regardless of the associated resource group.

Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read
    For Cloud Network Security Overview of assets and security controls and Risks: Permission to list the virtual machines in a VM scale set.

Microsoft.Network/virtualHubs/read
    For Cloud Network Security Overview of assets and security controls, Network policy and Risks: Permission to list virtual hubs.

Microsoft.Network/virtualNetworkGateways/read
    For ASMS network topology map: Permission to display information on virtual network gateways.

Microsoft.Network/virtualNetworks/read
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VNET information.

Microsoft.Network/virtualWans/read
    For ASMS network topology map: Permission to list all the Virtual WANs in a subscription.

Microsoft.Network/vpnGateways/read
    For ASMS network topology map: Permission to display information on VPN gateways.

Microsoft.Network/vpnsites/read
    For Overview of assets and security controls and Risks: Permission to list the virtual machines in the specified subscription.

Microsoft.Resources/subscriptions/read
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve and authenticate subscription information.

Microsoft.Storage/storageAccounts/read
    For Overview of assets and security controls: Permission to list all the storage accounts available under the subscription.

Microsoft.Storage/storageAccounts/listKeys/action
    For Network policy: Permission to list the access keys or Kerberos keys (if Active Directory is enabled) for the specified storage account, used to flag unused rules.
    Permission not required when flow logs are disabled.

Microsoft.Web/hostingEnvironments/read
    For ASMS network topology map: Permission to display information on App Service Environments for a subscription.
    Permission not required when flow logs are disabled.
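Because missing permissions make ACE malfunction silently, it is worth checking the role definitions actually assigned at the onboarding scope against the list above before onboarding. The following is an added example, not AlgoSec code: it copies the required actions from the table, applies Azure RBAC matching rules (case-insensitive, `*` wildcards, `NotActions` narrowing `Actions`) and reports what a set of role definitions in the shape of an `az role definition create` JSON file fails to grant. The sample role is constructed for illustration.

```python
import re

# Azure RBAC actions the table above lists as required for an ACE-onboarded
# subscription (the diagnosticSettings entry is kept exactly as the page lists it).
ACE_REQUIRED_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read", "Microsoft.Insights/diagnosticSettings",
    "Microsoft.Network/applicationSecurityGroups/read", "Microsoft.Network/azurefirewalls/read",
    "Microsoft.Network/connections/read", "Microsoft.Network/firewallPolicies/read",
    "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read", "Microsoft.Network/ipGroups/read",
    "Microsoft.Network/loadBalancers/read", "Microsoft.Network/localnetworkgateways/read",
    "Microsoft.Network/locations/serviceTags/read", "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkSecurityGroups/read", "Microsoft.Network/networkWatchers/flowLogs/read",
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action", "Microsoft.Network/networkWatchers/read",
    "Microsoft.Network/publicIPAddresses/read", "Microsoft.Network/routeTables/read",
    "Microsoft.Network/virtualHubs/effectiveRoutes/action", "Microsoft.Network/virtualHubs/hubRouteTables/read",
    "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read", "Microsoft.Network/virtualHubs/read",
    "Microsoft.Network/virtualNetworkGateways/read", "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualWans/read", "Microsoft.Network/vpnGateways/read",
    "Microsoft.Network/vpnsites/read", "Microsoft.Resources/subscriptions/read",
    "Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Web/hostingEnvironments/read",
]

def action_matches(pattern, action):
    """Azure RBAC action strings are case-insensitive and '*' matches any run of
    characters, '/' included, so Microsoft.Network/*/read covers every read under that provider."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_grants(role, action):
    """A role grants an action when an Actions entry matches and no NotActions entry
    matches; NotActions only narrows Actions, it is not a deny."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    excluded = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not excluded

def missing_permissions(roles, required=ACE_REQUIRED_ACTIONS):
    """Required actions that none of the given role definitions grants, in table order."""
    return [a for a in required if not any(role_grants(r, a) for r in roles)]

# Constructed sample in the shape of an `az role definition create` JSON file:
# wildcard reads only, with flow-log reads carved out via NotActions.
SAMPLE_CUSTOM_ROLE = {
    "Name": "ACE CNS reader (constructed example)",
    "Actions": ["Microsoft.Network/*/read", "Microsoft.Compute/*/read",
                "Microsoft.Resources/subscriptions/read", "Microsoft.Web/hostingEnvironments/read"],
    "NotActions": ["Microsoft.Network/networkWatchers/flowLogs/read"],
}
```

Running `missing_permissions([SAMPLE_CUSTOM_ROLE])` shows the read-only wildcard role misses the three `/action` entries, the Storage reads, the diagnostic-settings entry and the flow-log read removed by `NotActions`; feed it the `permissions` blocks from `az role definition list` output (mapped to `Actions`/`NotActions`) to check a real scope.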

Roles that are assigned by Cloud App Analyzer

During onboarding, Cloud App Analyzer asks the user to specify an onboarding target. If the user onboards a single subscription, that subscription's ID will be the target. If the user onboards multiple subscriptions, the selected target will be a management group or a root management group (Tenant root group).

By adding roles to the selected target, AlgoSec Cloud's multi-tenant application gets the permissions required to perform a cloud security assessment of each subscription under the target.

Once the target is specified, Cloud App Analyzer assigns the following roles to the selected onboarding target:

Type   Role Definition name   Component (CNS / CAA)   Justification

Log Analytics Reader
    Includes permissions to view the configuration of Azure diagnostics on all Azure resources.

AcrPull
    Includes permissions to pull and scan container images from the Azure container registry.

Key Vault Reader
    Includes permissions to read metadata of key vaults, certificates, keys, and secrets*

Azure Kubernetes Service Cluster User Role
    Includes permissions to perform a KSPM scan on Kubernetes clusters.
    Note: If the KSPM scan feature is not required, this role should be manually removed.

AcrPush
    Includes permissions to set the container image metadata property "canRead" to false (required to block pulling of the image as part of ACR CD Security).
    Note: If the CD Mitigation scan feature is not required, this role should be manually removed.