Permissions Required for Azure Subscriptions
This section outlines the required and optional permissions for Azure Subscriptions necessary to fully leverage the capabilities of ACE. The table below details the permissions along with justifications for their necessity.
AlgoSec Cloud Enterprise (ACE) comprises two distinct components, each offering a unique set of functionalities:
- Cloud Network Security (CNS)
- Cloud App Analyzer (CAA)
When ASMS is connected to ACE, the permissions marked in the last column of each table are also required for ASMS functionality.
(Optional) For advanced policy change capabilities for Azure NSGs/Native Firewall, see Permissions for Changes to Azure Policies.
The permissions listed below are classified according to the following key:
| Type | Meaning |
|---|---|
| Read | READ permissions |
| Read/Write | READ/WRITE permissions |
| Write | WRITE permissions |
Important: Missing permissions can cause ACE to malfunction and lead to data inconsistencies. AlgoSec is not responsible for any issues arising from missing permissions.
Note: If you decide to stop using ACE, some resources must be deleted. See Remove Azure Resources.
Required Azure Permissions for Cloud Network Security
These permissions are provided through the Reader, Network Contributor, and Storage Account Contributor roles. When ASMS is connected to ACE, the permissions that ASMS data collection also requires are marked in the last column.
| Type | Permission | Component | Justification | For ASMS Data Collection |
|---|---|---|---|---|
| Read | Microsoft.Compute/virtualMachines/read | CNS | For ASMS network topology map: Permission to display information on VM instances. | For ASMS Devices tree |
| Read | Microsoft.Compute/virtualMachineScaleSets/read | CNS | For ASMS network topology map: Permission to list all VM Scale Sets in the subscription. | |
| Read | Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read | CNS | For ASMS network topology map: Permission to display all network interfaces in a VM Scale Set. | |
| Read | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | CNS | For ASMS network topology map: Permission to list all virtual machines in a VM Scale Set. | |
| Read | Microsoft.Insights/diagnosticSettings/read | CNS | For Network policy: Permission to read diagnostic settings to check whether flow logs for Azure Native Firewall are enabled. | |
| Read | Microsoft.Network/applicationSecurityGroups/read | CNS | For Overview of assets and security controls: Permission to list application security groups. | |
| Read | Microsoft.Network/connections/read | CNS | For ASMS network topology map: Permission to display information on VPC peering connections. | For ASMS VPN support in network map, TSQ, and FireFlow |
| Read | Microsoft.Network/ipGroups/read | CNS | For Network policy, Changes and Risks: Permission to read IP groups. | |
| Read | Microsoft.Network/loadBalancers/read | CNS | For Overview of assets and security controls: Permission to retrieve Load Balancer information. | |
| Read | Microsoft.Network/localnetworkgateways/read | CNS | For ASMS network topology map: Permission to display information on Local Network Gateways. | For ASMS VPN support in network map, TSQ, and FireFlow |
| Read | Microsoft.Network/locations/serviceTags/read | CNS | For Changes and Risks: Permission to retrieve service tags. | For ASMS Content of the network objects in the policy, TSQ, and AFF |
| Read | Microsoft.Network/locations/serviceTagDetails/read | - | - | For ASMS Content of the network objects in the policy, TSQ, and AFF |
| Read | Microsoft.Network/networkInterfaces/read | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Network Interface information. | For ASMS Network map, TSQ, and FireFlow |
| Read | Microsoft.Network/networkSecurityGroups/read | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to list network security groups. | For ASMS Policy visibility, TSQ, and FireFlow |
| Read | Microsoft.Network/networkWatchers/flowLogs/read | CNS | For Network policy: Permission to read resource logs, used to flag unused NSG rules. | |
| Read | Microsoft.Network/networkWatchers/queryFlowLogStatus/action | CNS | For Network policy: Permission to query resource log status, used to flag unused NSG rules. | |
| Read | Microsoft.Network/networkWatchers/read | CNS | For Network policy: Permission to read network watchers, used to flag unused NSG rules. | |
| Read | Microsoft.Network/publicIPAddresses/read | CNS | For Overview of assets and security controls: Permission to retrieve Public IP information. | For ASMS Topology, network map, TSQ, and FireFlow |
| Read | Microsoft.Network/routeTables/read | CNS | For ASMS network topology map: Permission to display information on route table definitions. | For ASMS TSQ and FireFlow |
| Read | Microsoft.Network/virtualHubs/effectiveRoutes/action | CNS | For Overview of assets and security controls and Risks: Permission to read network interfaces of a Virtual Machine Scale Set. | |
| Read | Microsoft.Network/virtualHubs/hubRouteTables/read | CNS | For Overview of assets and security controls and Risks: Permission to list VM Scale Sets in the subscription, regardless of the associated resource group. | |
| Read | Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read | CNS | For Overview of assets and security controls and Risks: Permission to list virtual machines in a VM Scale Set. | |
| Read | Microsoft.Network/virtualHubs/read | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to list virtual hubs. | |
| Read | Microsoft.Network/virtualNetworkGateways/read | CNS | For ASMS network topology map: Permission to display information on virtual network gateways. | For ASMS VPN support in network map, TSQ, and FireFlow |
| Read | Microsoft.Network/virtualNetworks/read | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VNET information. | For ASMS Devices tree, network map, TSQ, and FireFlow |
| Read | Microsoft.Network/virtualWans/read | CNS | For ASMS network topology map: Permission to list all the Virtual WANs in a subscription. | |
| Read | Microsoft.Network/vpnGateways/read | CNS | For ASMS network topology map: Permission to display information on VPN gateways. | |
| Read | Microsoft.Network/vpnsites/read | CNS | For Overview of assets and security controls and Risks: Permission to list the virtual machines in the specified subscription. | |
| Read | Microsoft.Resources/subscriptions/read | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve and authenticate subscription information. | |
| Read | Microsoft.Storage/storageAccounts/read | CNS | For Overview of assets and security controls: Permission to list all the storage accounts available under the subscription. | |
| Read | Microsoft.Storage/storageAccounts/listKeys/action | CNS | For Network policy: Permission to list the access keys or Kerberos keys (if Active Directory is enabled) for the specified storage account, used to flag unused rules. Not required when resource / flow logs are disabled for NSG and Azure Native Firewall. | |
| Read | | CNS | For ASMS network topology map: Permission to display information on App Service Environments for a subscription. Not required when resource / flow logs are disabled for NSG and Azure Native Firewall. | For ASMS Devices tree |
| Read | Microsoft.Network/expressRouteCircuits/read | CNS | For ASMS network topology map: Permission to display information on Azure ExpressRoute. | |
| Read | Microsoft.Network/expressRouteCircuits/peerings/read | CNS | For ASMS network topology map: Permission to display information on ExpressRoute peerings. | |
Permissions for Azure Native Firewall for Cloud Network Security
Azure Native Firewalls provide an extra level of protection, complementing the protection already enforced through AWS security groups. To enable Azure Native Firewall support in ACE, add the following permissions:
| Type | Permission | Component | Justification |
|---|---|---|---|
| Read | Microsoft.Network/azurefirewalls/read | CNS | For Network policy and Risks: Permission to retrieve Azure Native Firewall information. |
| Read | Microsoft.Network/firewallPolicies/read | CNS | For Network policy and Risks: Permission to retrieve Azure Native Firewall policies. |
| Read | Microsoft.Network/firewallPolicies/ruleCollectionGroups/read | CNS | For Network policy and Risks: Permission to list FirewallPolicyRuleCollectionGroups in a Firewall policy. |
Optional Feature Permissions for Cloud Network Security
The core functionality of AlgoSec Cloud Enterprise works with the required permissions above. Certain advanced features need additional permissions that are not essential for basic operation. The sections below list these optional permissions with their justifications and the feature each one enables.
Permissions for Changes to Azure Policies
For advanced policy change capabilities for Azure NSGs/Native Firewall, the following additional Azure permissions are needed. Together with those already listed, they are included in the Contributor role.
You will need the following WRITE permissions if you want to enable:
- Changes to Azure NSG/Native Firewall policies in Cloud Network Security.
- ActiveChange for Azure NSGs/Firewalls in FireFlow when using unified onboarding with Azure. (Note that unified onboarding is currently in an Early Availability phase. For more information, see Simultaneously onboard Azure subscriptions into ACE and ASMS.)
Important: Missing permissions can cause ACE to malfunction and lead to data inconsistencies. AlgoSec is not responsible for any issues arising from missing permissions.
| Type | Permission | Component | Justification | For ASMS Data Collection |
|---|---|---|---|---|
| Write | Microsoft.Network/azurefirewalls/write (optional: for Changes to Azure Native Firewall policies) | CNS | For Network policy: Permission for advanced policy change capabilities for Azure Native Firewall. | |
| Write | Microsoft.Network/networkSecurityGroups/write | CNS | For Network policy: Permission for advanced policy change capabilities for Azure NSG. | For ASMS: Creates or updates a network security group in the specified resource group |
The complete set of permissions above, including the optional write permissions, as the permissions block of an Azure custom role definition. The two trailing comments mark the optional write permissions; JSON does not allow comments, so remove them (and the write entries, if policy changes are not wanted) before submitting the definition to Azure.
```json
{
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
        "Microsoft.Network/applicationSecurityGroups/read",
        "Microsoft.Network/azurefirewalls/read",
        "Microsoft.Network/connections/read",
        "Microsoft.Network/firewallPolicies/read",
        "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read",
        "Microsoft.Network/ipGroups/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/localnetworkgateways/read",
        "Microsoft.Network/locations/serviceTags/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkWatchers/flowLogs/read",
        "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
        "Microsoft.Network/networkWatchers/read",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/virtualHubs/effectiveRoutes/action",
        "Microsoft.Network/virtualHubs/hubRouteTables/read",
        "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read",
        "Microsoft.Network/virtualHubs/read",
        "Microsoft.Network/virtualNetworkGateways/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualWans/read",
        "Microsoft.Network/vpnGateways/read",
        "Microsoft.Network/vpnsites/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Web/hostingEnvironments/Read",
        "Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Network/azurefirewalls/write", // Optional for advanced policy change capabilities
        "Microsoft.Network/networkSecurityGroups/write" // Optional for advanced policy change capabilities
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ]
}
```
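As an added example (not AlgoSec's code), the following Python script checks a custom role definition against the permissions listed above and reports what is missing, and which of the optional write permissions are granted even though policy changes are not wanted. The required list is a constructed subset of the table, the sample role is constructed, and the wildcard handling assumes Azure RBAC semantics (`*` spans path segments, matching is case-insensitive, NotActions are subtracted from Actions).

```python
"""Least-privilege check of an Azure custom role against ACE's permission list.
Added example, not AlgoSec's code. Azure RBAC semantics assumed: '*' spans path
segments, matching ignores case, NotActions are subtracted from Actions."""
import fnmatch
import json

# Subset of the page's read permissions (constructed for this example).
REQUIRED_CNS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkWatchers/flowLogs/read",
    "Microsoft.Network/azurefirewalls/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Resources/subscriptions/read",
]
# Only needed when policy changes / ActiveChange are enabled.
OPTIONAL_WRITE = ["Microsoft.Network/networkSecurityGroups/write",
                  "Microsoft.Network/azurefirewalls/write"]


def _matches(action, patterns):
    """Azure-style match: '*' matches anything, including '/', ignoring case."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def granted(role, action):
    """True if a permissions block lists the action and does not exclude it."""
    return any(_matches(action, perm.get("actions", []))
               and not _matches(action, perm.get("notActions", []))
               for perm in role.get("permissions", []))


def audit(role_json, allow_changes=False):
    """Return missing required actions and write actions granted without need."""
    role = json.loads(role_json)
    wanted = REQUIRED_CNS + (OPTIONAL_WRITE if allow_changes else [])
    excess = [] if allow_changes else [a for a in OPTIONAL_WRITE if granted(role, a)]
    return {"missing": [a for a in wanted if not granted(role, a)],
            "excess_write": excess}


# Constructed sample role: wildcard reads, a NotActions carve-out, one stray write.
SAMPLE_ROLE = json.dumps({"Name": "ACE CNS reader (sample)", "permissions": [{
    "actions": ["Microsoft.Network/*/read", "Microsoft.Compute/virtualMachines/read",
                "Microsoft.Resources/subscriptions/read",
                "Microsoft.Network/networkSecurityGroups/write"],
    "notActions": ["Microsoft.Network/networkWatchers/*"],
    "dataActions": [], "notDataActions": []}]})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROLE), indent=2))
```

On the sample role the NotActions carve-out hides the flow-log read and the storage listKeys action is absent, so both are reported missing, while the NSG write is reported as excess unless `allow_changes=True`.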
Required Roles for Cloud App Analyzer
The following roles are required for CAA:
| Type | Role Definition name | Component | Justification |
|---|---|---|---|
| Read | | CAA | Includes permissions to view the configuration of Azure diagnostics on all Azure resources |
| Read | | CAA | Includes permissions to pull and scan container images from the Azure container registry |
| Read | | CAA | Includes permissions to read metadata of key vaults, certificates, keys, and secrets* |
Additional Roles for Optional Features for Cloud App Analyzer
| Type | Role Definition name | Component | Justification |
|---|---|---|---|
| Read/Write | Azure Kubernetes Service Cluster User Role | CAA | Includes permissions to perform Kubernetes Services scan on Kubernetes clusters. Note: When onboarding using the script method, if the Kubernetes Services scan feature is not required, this role should be manually removed. |
| Write | AcrPush | CAA | Includes permissions to set the container image metadata property "canRead" to false (required to block pulling of the image as part of ACR CD Security). Note: When onboarding using the script method, if the CD Mitigation scan feature is not required, this role should be manually removed. |