Add cloud devices

Relevant for: AFA Administrators

This topic describes how to add an AWS account or an Azure subscription to AFA, to be managed and analyzed similarly to on-premises devices. ASMS supports GCP Project policy visibility and risks for GCP firewalls added in AlgoSec Cloud.

AWS (Amazon Web Service) accounts in AFA

Add an AWS account to AFA to analyze data using the AWS access key ID you provide.

Tip: You can also add an AWS account, using the Assume-Role method. For more details, see AWS account fields and options using the assume-role method.

Analyzed data includes all of the security groups protecting EC2 instances and application load balancers (ALBs), from all AWS regions related to the configured access key. AFA separates these instances into groups called security sets. Each AWS security set is a group of instances or ALBs with the same security group and network ACLs, as well as network policies.

For details, see:

Network connection

The following diagram shows an ASMS Central Manager connecting to an AWS account via HTTPS-REST (TCP/443).

Tip: ASMS also supports connecting to AWS via a proxy server, which can be configured when adding the device to AFA. For more details, see Define a proxy server .

Permissions required for AWS

ASMS requires the following permissions for your AWS accounts:

Add an AWS account to AFA

You can add an AWS account to ASMS in two ways:

  • Using the standard method: Add an account by providing regular credentials - Access Key ID, Secret Access Key

  • Using the assume-role method: By using the assumed role method, you can leverage the same authentication credentials for multiple accounts. To implement this, add target AWS accounts to ASMS and configure them to assume the role of an existing AWS base account. During each target account setup, provide the base account's Access Key ID and Secret Access Key and enter the target account's Role ARN.

    Note: The setup of target accounts is a sequential process and does not involve simultaneous onboarding of multiple accounts.

    Note: The base account does not have to be onboarded to ASMS.

Do the following:

  1. Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.

  2. Click New > Devices.

  3. In the vendor and device selection page, select Amazon > Web Services (AWS) EC2.

  4. Configure the fields and options as needed:

  5. Click Finish. The new device is added to the device tree.

  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the subscription is added.

In the device tree, AWS subscriptions are shown in three levels: the user account, region/VPC, and security set.

For example:

Tip: In the onboarding stage, communication may be temporarily directed to the public services of the AWS firewall when using a third party proxy. Wait 10-15 minutes to sync the proxy settings inside the ASMS services.

To verify that proxy setting have been synced to all nodes, on the Central Manager run the following code:

/bin/algosec_conf --verify-proxy-configuration

Bulk Update of AWS Account Credentials

An API facilitates access/key password updating, which some customers require to do periodically for their AWS accounts, without reloading the accounts, which can be very time-consuming. See Bulk update keys of AWS cloud accounts

Enable AlgoSec Cloud to perform AWS data collection and feed the ASMS network map

By default AlgoSec Cloud performs AWS data collection and feeds the ASMS network map using a designated AlgoSec Cloud-ASMS integration. To enable the advantages of this functionality, do the following:

  1. Integrate AlgoSec Cloud and ASMS. See ASMS Integration.

  2. Setup the subject AWS account in both Firewall Analyzer AND AlgoSec Cloud.

    Notes: 
    (1) There MAY be a need to set the 'AWS_Network_Elements_Parse_From_AFA' parameter. Refer to the Algopedia article Configuring the AWS Network Elements Collection Source (ASMS A32.10 and above).
    (2) The AlgoPedia article Configuring the AWS Network Elements Collection Source (ASMS A32.10 and above) explains the advantages of this workflow, how to continue working in the previous manner if required and how to bring the advantages of this workflow to earlier ASMS versions.
    (3) When the ASMS-AlgoSec Cloud integration is configured to fetch Routing Data from AlgoSec Cloud, ASMS still connects to AWS to collect the Security Data [Rules, Security Groups, etc.].

Microsoft Azure subscriptions in AFA

When you add an Azure subscription to AFA, all VMs related to your subscription are represented in the device tree.

AFA separates the instances into groups called security sets. Each Azure security set is a group of VMs with the same security group and subnet security groups, as well as network policies. VMs with no security groups are assigned to a security set called Unprotected VMs. To enable accurate traffic simulation, AFA automatically creates a rule to allow all traffic for these VMs.

For more details, see:

Network connection

The following diagram shows an ASMS Central Manager connecting to an Azure subscription via HTTPS-REST (TCP/443).

Tip: ASMS also supports connecting to Azure via a proxy server, which can be configured when adding the device to AFA. For more details, see Define a proxy server .

Permissions required for Azure

ASMS requires the following permissions for your Azure subscriptions:

Add a Microsoft Azure subscription to AFA

Do the following:

  1. In your Azure subscription, configure an Active Directory Application to use to connect to AFA.

    For details, see How to configure a Microsoft Azure Active Directory application in AlgoPedia .

  2. In AFA, access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  3. In the vendor and device selection page, select Microsoft > Azure.

  4. Configure the fields and options as needed.

  5. Click Finish.

    The new device is added to the device tree.

  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the account is added.

Tip: In the onboarding stage, communication may be temporarily directed to the public services of the Azure Cloud firewall when using a third party proxy. Wait 10-15 minutes to sync the proxy settings inside the ASMS services.

To verify that proxy setting have been synced to all nodes, on the Central Manager run the following code:

/bin/algosec_conf --verify-proxy-configuration

Device tree display of attached NSGs

In the device tree, Azure has a three-tier hierarchy:

  1. Subscription (customer-given name for the subscription when onboarded to AFA)

  2. Region/VNet

  3. Security set (a container for one or two NSGs assigned to one or more instances)

For example:

Note; When two NSGs exist ion the security set, they are both shown separate by a /(For example, WindowsVM-nsg/DT3019).

Unattached NSGs in the Azure Device Tree

Unattached Network Security Groups include unassigned NSGs or NSGs assigned to services that are not supported.

Unattached NSGs in the device tree are shown with the same three-tier hierarchy as attached NSGs except that the second tier is shown as region/Unattached_Network_Security_Groups.

For example:

Note: Network Map/TSQ/Routing Query are not relevant for unattached NSGs.

GCP (Google Cloud Platform) projects in AFA

ASMS supports GCP Project policy visibility and risks for Google Cloud added in AlgoSec Cloud.

Note: To enable this feature, you must first:

  1. Integrate ASMS with AlgoSec Cloud, see ASMS integration to SaaS services.

  2. Onboard your GCP Project, see Onboard GCP Project.

To open the GCP Risk Report in AlgoSec Cloud from ASMS.

Do the following:

  1. In the ASMS device tree, select the GCP Project.

  2. Click the link to GCP Risk Report to open the report in AlgoSec Cloud.