Regenerating the Onboarding API Access Key

If the API Access Key used for cloud onboarding is compromised, you can regenerate it at any time. After regenerating the key, you must update your cloud configuration so AlgoSec can continue communicating with your cloud accounts.

This topic explains when key regeneration is required, what must be updated, and the steps needed for AWS, Azure, and Google Cloud.

When to Regenerate the API Access Key

You may need to regenerate the onboarding API Access Key when:

  • The key credentials (Client ID and Client Secret) are suspected or confirmed to be compromised.
  • Internal security rotation policies require issuing a new key.
  • You want to invalidate old or unused onboarding credentials.

Regenerating the Key

Do the following:

  1. Open ACE Cloud Network Security.
  2. Navigate to Settings > Access Management > API Access Keys.
  3. Select the key used for onboarding (typically named onboarding) and click the vertical ellipsis to the right of it.
  4. Click Regenerate. A new Client ID and Client Secret are generated. The previous pair no longer works, so any cloud deployment still holding it loses access until it is updated.
  5. Continue with Updating AWS After Regenerating the Key or Updating Azure and Google Cloud, as applicable.

Updating AWS After Regenerating the Key

When the onboarding key is regenerated, AWS deployments must be updated with the new Client ID and Client Secret.

Tip: After the onboarding key is regenerated, the new Client ID and Client Secret are always available on the Onboarding page.

Using the CloudFormation Wizard (recommended)

Do the following:

  1. After regenerating the onboarding API Access Key, re-run the AWS Onboarding Wizard:

    1. In the ACE Settings area, click ONBOARDING.

    2. On the Onboarding Management page that opens, click +Onboard Accounts. The Onboard Account Wizard opens.

    3. Click the Amazon Web Services button and click Next. The AWS Onboarding Wizard Access Permissions step opens.

    4. Click Next. The Features Permissions step of the wizard opens.

    5. Click Next. The Stack Deployment step of the wizard opens.

    6. Click Download File. The CloudFormation template file is downloaded to your machine. You will use it later in these steps.
  2. Log in to the AWS Console Home.

  3. In the AWS Console Home, click CloudFormation.

  4. Open the stack that onboarding created for the account (or the corresponding stack in each account, when multiple accounts are synced with ACE).

  5. Update or recreate the CloudFormation stack using the new template.

Updating the stack ensures that the new credentials are applied to all AWS components managed by AlgoSec.

Using Terraform or the API Onboarding Methods

For Terraform-based or API-based deployments, this update is required only if CD Mitigation is enabled:

Do the following:

  1. Log in to the AWS Console Home.
  2. Go to the Parameter Store, My Parameters tab.
  3. Update the values of the following parameters with the new Client ID and Client Secret, keeping each parameter's existing type:

    • /algosec/<algosec_tenant_id>/clientId

    • /algosec/<algosec_tenant_id>/clientSecret
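
The same Parameter Store update, done from the AWS CLI instead of the console. This is an added example and not AlgoSec's own tooling; it assumes AWS CLI v2 is installed and authenticated against the account that holds the parameters, that the parameter names follow the /algosec/<algosec_tenant_id>/... layout given above, and that the inputs arrive through the hypothetical ALGOSEC_TENANT_ID, ALGOSEC_CLIENT_ID and ALGOSEC_CLIENT_SECRET environment variables. It refuses to touch a parameter that onboarding never created and reads each value back after writing it.

```shell
#!/bin/sh
# Added example; this is not AlgoSec's own tooling. It rotates the AlgoSec
# onboarding credentials held in AWS Systems Manager Parameter Store with the
# AWS CLI and reads them back to confirm the new values are in place.
# Assumptions (not stated on the page): AWS CLI v2 is installed and already
# authenticated against the account that holds the parameters, and the
# parameter names follow /algosec/<algosec_tenant_id>/clientId and
# /algosec/<algosec_tenant_id>/clientSecret as documented above.
set -eu

# Parameter Store path for one of the two AlgoSec parameters;
# $2 is "clientId" or "clientSecret".
algosec_param_path() {
  printf '/algosec/%s/%s' "$1" "$2"
}

# True if the parameter already exists. Rotation must only overwrite parameters
# that onboarding created: with a mistyped tenant ID, put-parameter --overwrite
# would silently create an orphan that the AlgoSec collector never reads.
algosec_param_exists() {
  aws ssm get-parameter --name "$1" --query Parameter.Name --output text >/dev/null 2>&1
}

# Overwrite one existing parameter.
#   --type SecureString  keeps the value KMS-encrypted at rest;
#   --overwrite          is needed because the parameter already exists.
# The value goes through a mktemp file (mode 0600) and the file:// form of
# --value, so the secret never lands in shell history or in `ps` output.
algosec_put_param() {
  local path="$1" value="$2" tmp rc
  tmp=$(mktemp)
  printf '%s' "$value" >"$tmp"
  if aws ssm put-parameter --name "$path" --type SecureString \
        --overwrite --value "file://$tmp" >/dev/null; then rc=0; else rc=$?; fi
  rm -f "$tmp"
  return "$rc"
}

# Read a parameter back, decrypted, as plain text.
algosec_get_param() {
  aws ssm get-parameter --name "$1" --with-decryption \
      --query Parameter.Value --output text
}

# Rotate one parameter and verify the stored value matches what was sent.
algosec_rotate_one() {
  local path="$1" value="$2"
  algosec_param_exists "$path" || { echo "refusing: $path does not exist" >&2; return 1; }
  algosec_put_param "$path" "$value" || return 1
  [ "$(algosec_get_param "$path")" = "$value" ] ||
    { echo "verification failed for $path" >&2; return 1; }
}

# Rotate both parameters for a tenant: clientId first, then clientSecret.
algosec_rotate_params() {
  local tenant_id="$1" client_id="$2" client_secret="$3"
  algosec_rotate_one "$(algosec_param_path "$tenant_id" clientId)" "$client_id" &&
  algosec_rotate_one "$(algosec_param_path "$tenant_id" clientSecret)" "$client_secret"
}

# Runs only when the inputs are supplied through the (hypothetical) environment
# variables below, e.g.
#   ALGOSEC_TENANT_ID=... ALGOSEC_CLIENT_ID=... ALGOSEC_CLIENT_SECRET=... sh rotate.sh
# Passing the secret in the environment rather than as an argument keeps it
# out of shell history.
if [ -n "${ALGOSEC_TENANT_ID:-}" ]; then
  algosec_rotate_params "$ALGOSEC_TENANT_ID" \
      "${ALGOSEC_CLIENT_ID:?}" "${ALGOSEC_CLIENT_SECRET:?}"
fi
```

The existence check is the part worth keeping even if the rest is folded into other tooling: `put-parameter --overwrite` happily creates a parameter that did not exist, so a typo in the tenant ID would look like a successful rotation while the collector keeps using the old, now invalid, credentials.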

Updating Azure and Google Cloud

For Azure and Google Cloud, updating the onboarding API Access Key is required only when you use the Cloud Discovery Mitigation (CD Mitigation) feature in ACE Cloud App Analyzer.

  • If CD Mitigation is not enabled for the account, no further action is required.

  • If CD Mitigation is enabled, continue with whichever of the following matches how the account was onboarded:

Using the Wizard

If the account was onboarded with the wizard, re-run the onboarding wizard for the Azure subscription or Google Cloud project. The wizard automatically updates the CD Mitigation credentials.

For Manual Update (No Script), Terraform and API Onboarding Methods

If the account was onboarded without the script (manually, with Terraform, or through the API), update the stored credentials yourself:

Do the following:

  1. Open the CD Mitigation settings:
    • For an Azure subscription:
      1. Go to the Azure Portal and click the required subscription.
      2. Click Resource Groups in the left-hand menu.
      3. Select the resource group from the list that appears.
      4. Select the Key Vault and go to Secrets.
      5. Update the Prevasio Additionals secret with the new Client ID and Client Secret.
    • For a Google Cloud project:
      1. Go to the Google Cloud Console and select the required project.
      2. In the search bar, search for Secret Manager and open it.
      3. Click the *-additionals item in the list.
      4. Delete the existing entry and create a new one with the new Client ID and Client Secret.
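
The same two updates from the Azure CLI and the Google Cloud CLI. This is an added example and not AlgoSec's own tooling. It assumes az and gcloud are installed and logged in with permission to write secrets in the onboarding resource group or project, and, because the page does not document the layout of the Prevasio Additionals / *-additionals secret, it assumes a JSON object with clientId and clientSecret keys: inspect the current value with `az keyvault secret show` or `gcloud secrets versions access latest` before overwriting it and change `additionals_payload` to match what your deployment actually stores. On Google Cloud it adds a new secret version and disables the previous one rather than deleting and recreating the secret, so the secret's name and IAM bindings survive the rotation.

```shell
#!/bin/sh
# Added example; this is not AlgoSec's own tooling. It replaces the CD
# Mitigation credentials in the Azure Key Vault secret or the Google Secret
# Manager secret described above, then reads the value back to confirm it.
# Assumptions, none of which the page states:
#   - az / gcloud are installed and logged in with rights to write secrets in
#     the onboarding resource group or project;
#   - the secret value is a JSON object with clientId and clientSecret keys.
#     The page does not document the layout of the "Prevasio Additionals" /
#     "*-additionals" secret: inspect the current value first and adjust
#     additionals_payload to match what your deployment stores.
set -eu

# Reject values that would need JSON escaping instead of emitting broken JSON.
json_safe() {
  case "$1" in *'"'*|*'\'*) return 1 ;; esac
}

# Build the secret payload from the new Client ID and Client Secret.
additionals_payload() {
  json_safe "$1" && json_safe "$2" || return 1
  printf '{"clientId":"%s","clientSecret":"%s"}' "$1" "$2"
}

# Azure: `az keyvault secret set` stores a new version of the secret. The
# payload is passed via a mktemp file (mode 0600) rather than --value so it
# stays out of shell history and `ps`. The read-back confirms the new version
# is the current one.
azure_update_additionals() {
  local vault="$1" secret="$2" payload="$3" tmp rc
  tmp=$(mktemp)
  printf '%s' "$payload" >"$tmp"
  if az keyvault secret set --vault-name "$vault" --name "$secret" \
        --file "$tmp" --output none; then rc=0; else rc=$?; fi
  rm -f "$tmp"
  [ "$rc" -eq 0 ] || return "$rc"
  [ "$(az keyvault secret show --vault-name "$vault" --name "$secret" \
        --query value --output tsv)" = "$payload" ]
}

# Google Cloud: the page says to delete the old entry and create a new one.
# Adding a version and disabling the previous enabled one is the CLI
# equivalent that keeps the secret's name and IAM bindings intact, so the
# collector's service account keeps its access to the secret.
gcp_update_additionals() {
  local project="$1" secret="$2" payload="$3" prev
  prev=$(gcloud secrets versions list "$secret" --project "$project" \
           --filter='state=ENABLED' --format='value(name.basename())' --limit 1)
  printf '%s' "$payload" |
    gcloud secrets versions add "$secret" --project "$project" --data-file=-
  [ "$(gcloud secrets versions access latest --secret "$secret" \
        --project "$project")" = "$payload" ] || return 1
  if [ -n "$prev" ]; then
    gcloud secrets versions disable "$prev" --secret "$secret" \
        --project "$project" --quiet
  fi
}
```

Key Vault keeps earlier versions of the secret enabled, so once the new version is confirmed working, disable the old one with `az keyvault secret set-attributes --vault-name <vault> --name <secret> --version <old version> --enabled false`; otherwise anyone with read access to the vault can still retrieve the compromised pair.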