AWP for Azure Environments

When you enable AWP, it adds permissions to the App Registration that was created when you onboarded the environment to CloudGuard. These permissions allow AWP to manage the resources it needs for the scan.

The only data that the AWP scanner sends to CloudGuard are the CVEs it finds and the paths of the secrets it finds.

All resources that AWP creates in your subscription carry the tag Owner: CG.AWP.

Onboarding Workflow

To enable AWP on your Azure environment:

  1. In the CloudGuard portal, navigate to Assets > Environments.

  2. Click Enable in the AWP column for your Azure environment.

  3. Follow the instructions on the wizard page that opens.

    1. Select the scan mode: SaaS or In-Account. For more details, see Azure SaaS Mode and Azure In-Account Mode.

      1. For In-Account mode, choose whether to enable AWP for an independent account or for a centralized configuration. For more details, see Independent Accounts.

      2. For a centralized In-Account configuration, enable AWP separately for the centralized account and for each sub-account. For more details, see Centralized Account and its Sub-Accounts.

    2. Click the link to open Azure Cloud Shell for your account, or use the Azure CLI (az) in your local terminal.

    3. Copy the script that the AWP engine generates. You can download the script to review it, or edit it to fit your needs.

    4. Run the script in the shell or terminal.

      The script creates the required resources and roles in your Azure subscription so that the AWP scanner can run.

    Important - Do not change the mode (SaaS/In-Account) during onboarding. For onboarding to succeed, the script you run must be the one generated for the mode you selected in Step 3a.

  4. In the CloudGuard wizard, click Enable AWP. CloudGuard completes the process to enable AWP scanning.

Caution - Before you enable AWP, make sure there is no lock on your Azure subscription or on the AWP resource group. AWP cannot delete locked resources, so they remain after the scan and incur additional costs.
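A pre-flight check for the lock caution above, as an added example (not part of CloudGuard's onboarding script). It reads the JSON that `az lock list --output json` prints for the current subscription and reports the locks that would stop AWP from deleting its scan resources: any subscription-wide lock, and any lock on the AWP resource group. The subscription ID and resource-group names are placeholders, and the AWP resource-group name is an assumption (take it from the onboarding script you ran); the sample lock list is constructed.

```python
"""Pre-flight lock check before Enable AWP (added example, not CloudGuard code)."""
import json
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription
AUTH = "/providers/Microsoft.Authorization/locks/"

# Constructed sample of `az lock list -o json` output (not real Azure data).
SAMPLE_LOCKS = json.dumps([
    {"id": f"{SUB}{AUTH}no-delete", "level": "CanNotDelete",
     "name": "no-delete", "resourceGroup": None},
    {"id": f"{SUB}/resourceGroups/cloudguard-awp-rg{AUTH}rg-lock", "level": "ReadOnly",
     "name": "rg-lock", "resourceGroup": "cloudguard-awp-rg"},
    {"id": f"{SUB}/resourceGroups/prod-web{AUTH}keep", "level": "CanNotDelete",
     "name": "keep", "resourceGroup": "prod-web"},
    {"id": f"{SUB}/resourceGroups/prod-web/providers/Microsoft.Compute/virtualMachines/web01{AUTH}vmlock",
     "level": "CanNotDelete", "name": "vmlock", "resourceGroup": "prod-web"},
])

_SUB_LOCK = re.compile(
    r"^/subscriptions/[^/]+/providers/Microsoft\.Authorization/locks/[^/]+$", re.I)
_RG_LOCK = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Authorization/locks/[^/]+$", re.I)


def lock_scope(lock_id):
    """Classify a lock as subscription-, resource-group- or resource-scoped from its ID."""
    if _SUB_LOCK.match(lock_id):
        return "subscription"
    if _RG_LOCK.match(lock_id):
        return "resourceGroup"
    return "resource"


def awp_blocking_locks(locks_json, awp_resource_group):
    """Return the locks that block AWP cleanup: subscription-wide locks and locks on the AWP RG.

    Locks on other resource groups or on individual workload VMs are left alone,
    because AWP only needs to delete the resources it created itself.
    """
    blocking = []
    for lock in json.loads(locks_json):
        scope = lock_scope(lock["id"])
        if scope == "subscription":
            blocking.append(lock)
        elif scope == "resourceGroup" and \
                (lock.get("resourceGroup") or "").lower() == awp_resource_group.lower():
            blocking.append(lock)
    return blocking


def removal_commands(locks):
    """One `az lock delete` command per blocking lock, to review and run before Enable AWP."""
    return [f"az lock delete --ids {lock['id']}" for lock in locks]


if __name__ == "__main__":
    # Assumed AWP resource-group name; replace with the one from your onboarding script.
    for cmd in removal_commands(awp_blocking_locks(SAMPLE_LOCKS, "cloudguard-awp-rg")):
        print(cmd)
```

To run it against a real subscription, save `az lock list -o json` to a file and pass its contents to `awp_blocking_locks` together with the AWP resource-group name; the commands it prints are the ones to review before you click Enable AWP.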

Azure SaaS Mode

In Azure SaaS mode, AWP copies customer disks to snapshots and disks in CloudGuard's own account. These are attached to scanner VMs in the CloudGuard account, which report the security issues found on the copied disks. During the workload scan, no resources are created on the customer's side.

00:00: Welcome to the guide on how to enable AWP SaaS Mode for Azure subscriptions.
00:06: Open the Environments page from the Assets menu.
00:09: In the filter, select "Platform" and then select "Azure".
00:13: Azure subscriptions are displayed. For your subscription, in the AWP column, click "Enable".
00:19: The onboarding wizard has three onboarding options: SaaS mode, In-Account Mode, and In-Account for centralized subscriptions.
00:26: In step 1, click the "SaaS - Scan in CloudGuard account" option.
00:30: In step 2, review and copy the script.
00:33: Click a link to open the Azure Cloud Shell or Azure CLI.
00:37: It redirects you to the Azure console. Select "Bash" or "PowerShell".
00:41: The terminal window opens.
00:44: Paste the script that you copied from CloudGuard.
00:47: Let the script run and install all resources.
00:50: Back in the CloudGuard portal, click "Enable AWP". CloudGuard confirms that AWP is enabled successfully and redirects you to the Environments page.
01:00: AWP starts to show the first scan results within several minutes. Depending on the number of assets, the scanning can take up to a few hours. The scanned assets appear on the Protected Assets page of the CloudGuard portal.

Note - AWP does not support scanning of Function Apps in SaaS mode.

Resources and Permissions for Azure SaaS Mode

In this mode, all scan resources (snapshots, disks, and scanner VMs) are created on the CloudGuard AWP side. In the customer subscription, AWP creates a single custom role, CloudGuard AWP VM Data Share (the Data-Share role), whose actions permit reading the customer's disks.

The Data-Share role grants permissions to:

  • read the VM configuration in the subscription to obtain the disk IDs

  • read disk data and create a snapshot of it

The CloudGuard AWP VM Data Share role is assigned at the scope of the onboarded subscription.

Note - In Azure SaaS mode, AWP skips disks encrypted with a customer-managed key.

Azure In-Account Mode

In In-Account mode, all scan resources (snapshots, disks, VNets, and scanner VMs) are created on the customer's side, so the workload data never leaves the customer's tenant.

Independent Accounts

In In-Account mode for independent accounts, AWP creates the scan resources in the same subscription whose workloads it scans.

To scan Function Apps, the scanner Virtual Machine launches in the customer subscription. To reach the Function App resource and download its content at runtime, the scanner needs a User-Assigned Managed Identity. This identity is a resource that belongs to a resource group, and it can be granted permissions through Azure RBAC in the same way as an App Registration.

Centralized Account and its Sub-Accounts

When you use In-Account mode with independent accounts, AWP creates scan resources in each subscription it scans. If you have many subscriptions, these distributed resources can become impractical to manage and bill. In such cases, you can configure one of your onboarded Azure subscriptions as a Centralized account, where all AWP scans and resources are located, and configure the other Azure subscriptions in the same tenant as Sub-accounts, whose scanners and AWP resources are located in the centralized account.

Prerequisites

  • For the centralized account, you can select any Azure subscription that is onboarded to CloudGuard but not yet onboarded to AWP.

  • For a sub-account, make sure it has the required permissions to create resources in the centralized account - see Resources and Permissions for Azure In-Account Mode.

Resources and Permissions for Azure In-Account Mode

Virtual Machines

AWP creates two primary custom roles in the customer Azure tenant and assigns them based on the scan mode selected during the subscription onboarding. These roles are:

  1. The CloudGuard AWP VM Scan Operator role is assigned to the subscription that hosts the scans: the subscription itself in Standard In-Account mode, or the centralized account in Centralized mode. It provides permissions to:

    1. Read, Create or Delete Snapshots

    2. Read, Create or Delete Disks

    3. Create network components such as VNets and Network Security Groups

    4. Create and Delete Scanner VMs

  2. The CloudGuard AWP VM Data Share role is assigned to the subscription whose workloads are scanned: the subscription itself in Standard In-Account mode, or each sub-account in Centralized mode. It provides permission to read the customer's disks.

For Standard In-Account mode:

  1. Create a dedicated AWP resource group.

  2. Assign the Scan-Operator and Data-Share custom roles.

For Centralized Account:

  1. Create a dedicated AWP resource group for the common resources, such as the VNet, that are shared by the scans of the various sub-accounts.

  2. Assign the Scan-Operator custom role.

For Sub Account:

  1. Create a dedicated AWP resource group for the sub-account inside the centralized account's subscription. All scan resources for the sub-account's workloads are located there.

  2. Assign the Data-Share custom role scoped to the sub-account subscription.
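A least-privilege audit of the AWP custom roles and their assignments, as an added example (not CloudGuard code). It serves both the SaaS-mode Data-Share role described under Resources and Permissions for Azure SaaS Mode and the In-Account Scan-Operator / Data-Share pair above. It consumes the JSON printed by `az role definition list --custom-role-only true -o json` and `az role assignment list --all -o json`. The action lists in the sample roles are an assumption modelled on the permissions the page describes (read VM configuration, read disk data, create snapshots; create and delete snapshots, disks, network components and scanner VMs), not the real role contents; the subscription and management-group IDs are placeholders and the sample documents are constructed.

```python
"""Audit AWP custom roles and assignment scopes (added example, not CloudGuard code)."""
import json

CENTRAL_SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"   # centralized account
SUB_ACCOUNT = "/subscriptions/22222222-2222-2222-2222-222222222222"   # a sub-account

# Constructed sample role definitions with assumed actions. The Data-Share role
# deliberately carries one over-broad action (virtualMachines/*) for the audit to find.
SAMPLE_ROLE_DEFS = json.dumps([
    {"roleName": "CloudGuard AWP VM Scan Operator", "roleType": "CustomRole",
     "permissions": [{"actions": [
         "Microsoft.Compute/snapshots/*", "Microsoft.Compute/disks/*",
         "Microsoft.Compute/virtualMachines/write", "Microsoft.Compute/virtualMachines/delete",
         "Microsoft.Network/virtualNetworks/*", "Microsoft.Network/networkSecurityGroups/*",
         "Microsoft.Network/networkInterfaces/*"], "notActions": []}]},
    {"roleName": "CloudGuard AWP VM Data Share", "roleType": "CustomRole",
     "permissions": [{"actions": [
         "Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/disks/read",
         "Microsoft.Compute/disks/beginGetAccess/action", "Microsoft.Compute/snapshots/write",
         "Microsoft.Compute/virtualMachines/*"], "notActions": []}]},
])

# Constructed sample assignments; the management-group one is the planted mistake.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "CloudGuard AWP VM Scan Operator", "scope": CENTRAL_SUB,
     "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "CloudGuard AWP VM Data Share", "scope": SUB_ACCOUNT,
     "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "CloudGuard AWP VM Data Share",
     "scope": "/providers/Microsoft.Management/managementGroups/contoso-root",
     "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Reader", "scope": "/", "principalType": "User"},
])


def data_share_action_ok(action):
    """Data-Share only needs to read VM/disk configuration, read disk data and handle snapshots."""
    a = action.lower()
    return (a.startswith("microsoft.compute/snapshots/")
            or a.endswith("/read") or a.endswith("/begingetaccess/action"))


def audit_roles(role_defs_json):
    """Flag wildcard or Microsoft.Authorization actions in any AWP role, and anything
    beyond read/snapshot actions in the Data-Share role."""
    findings = []
    for role in json.loads(role_defs_json):
        name = role["roleName"]
        if not name.startswith("CloudGuard AWP"):
            continue
        for perm in role["permissions"]:
            for action in perm["actions"]:
                a = action.lower()
                if a == "*" or a.startswith("microsoft.authorization/"):
                    findings.append(f"{name}: '{action}' lets the role change permissions itself")
                elif name.endswith("Data Share") and not data_share_action_ok(action):
                    findings.append(f"{name}: '{action}' is not a read or snapshot action")
    return findings


def scope_kind(scope):
    """Classify an RBAC scope string: root, managementGroup, subscription, belowSubscription."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[0].lower() == "providers":
        return "managementGroup" if "managementgroups" in scope.lower() else "other"
    if parts[0].lower() == "subscriptions":
        return "subscription" if len(parts) == 2 else "belowSubscription"
    return "other"


def audit_assignments(assignments_json, central_scope, sub_account_scopes):
    """Scan-Operator belongs on the centralized subscription and Data-Share on each
    sub-account subscription (pass the same subscription for both in Standard mode);
    any AWP role assigned wider than one subscription is a finding."""
    findings = []
    subs = {s.lower() for s in sub_account_scopes}
    for asg in json.loads(assignments_json):
        role, scope = asg["roleDefinitionName"], asg["scope"]
        if not role.startswith("CloudGuard AWP"):
            continue
        if scope_kind(scope) != "subscription":
            findings.append(f"{role} at '{scope}': not a subscription scope")
        elif role.endswith("Scan Operator") and scope.lower() != central_scope.lower():
            findings.append(f"{role} at '{scope}': expected the centralized subscription")
        elif role.endswith("Data Share") and scope.lower() not in subs:
            findings.append(f"{role} at '{scope}': not a sub-account subscription")
    return findings


if __name__ == "__main__":
    for line in audit_roles(SAMPLE_ROLE_DEFS) + audit_assignments(
            SAMPLE_ASSIGNMENTS, CENTRAL_SUB, [SUB_ACCOUNT]):
        print(line)
```

Run the two `az` commands in each subscription after onboarding and feed their output to `audit_roles` and `audit_assignments`; for Standard In-Account mode pass the same subscription as both the central scope and the only sub-account scope.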

Function Apps

AWP uses a user-assigned managed identity attached to the Function App scanner. A managed identity is the safest way to launch a scanner that obtains Function App source code, because no secrets or credentials need to be transferred to the scanner.

When you click Enable AWP, the CloudGuard onboarding script creates these resources and custom roles specifically for Function App scanning:

  • Resources

    • CloudGuardAWPScannerManagedIdentity – A user-assigned managed identity that enables the Function App scanner to download the Function App source code.

  • Custom Roles

    • CloudGuardAWPFunctionAppScanOperator - A role assigned to the CloudGuard-Connect app registration that allows it to launch the Function App scanner with the managed identity attached.

    • CloudGuardAWPFunctionAppScanner - A role assigned to the managed identity to enable the Function App scanner to access the Function App source code.

The diagram below shows an In-Account deployment that enables the Function-App scanning.

The diagram below shows a Centralized-Sub-Account deployment that enables the Function-App scanning in a Centralized account.

Scanning Workflow

To prepare your VM for AWP scanning:

  1. Using the App Registration, AWP gathers information about your VM disks.

  2. Using the App Registration, AWP remotely creates snapshots of the VM disks.

  3. When every disk has a snapshot, AWP creates disks from the snapshots, attaches them to a scanner machine, and launches the scan.

    For In-Account mode, this VM runs in the same region as the original VM, in a custom VNet that AWP creates for this task.

    • The scanner's outbound traffic is restricted by a Network Security Group rule that allows access only to:

      • Azure AppService

      • Azure ManagementAPI

      • AzureStorage

      • Azure ResourceManager

    • No inbound rules are configured.

    To keep network traffic on the Azure backbone, the VNet uses Microsoft.Storage and Microsoft.Web service endpoints.

  4. When the scan is complete, AWP sends a request to delete all the resources created for the scan.
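A check of the scanner network posture described in the workflow above, as an added example (not CloudGuard code). It audits the JSON printed by `az network nsg show -g <rg> -n <nsg> -o json` and `az network vnet show -g <rg> -n <vnet> -o json` against this page: no inbound allow rules, outbound allowed only to the four destinations listed, and Microsoft.Storage plus Microsoft.Web service endpoints on the scanner subnet. The allow-list uses the destination names as the page writes them, spelled as service-tag identifiers; replace them with the exact tags in your rules (Azure's tag for storage, for example, is "Storage"). The rule names, priorities and sample objects are constructed.

```python
"""Audit the AWP scanner NSG and VNet (added example, not CloudGuard code)."""
import json

# Destinations named on the page, written as service-tag-style identifiers (assumption).
ALLOWED_OUTBOUND = {"AppService", "AzureManagementAPI", "AzureStorage", "AzureResourceManager"}


def _rule(name, priority, direction, access, dest, port="*", src="*"):
    """Build one NSG security rule in the shape `az network nsg show` prints."""
    return {"name": name, "priority": priority, "direction": direction, "access": access,
            "protocol": "Tcp", "sourceAddressPrefix": src, "destinationAddressPrefix": dest,
            "destinationAddressPrefixes": [], "destinationPortRange": port}


# Constructed sample NSG; the inbound SSH rule is the planted misconfiguration.
SAMPLE_NSG = json.dumps({"name": "cg-awp-scanner-nsg", "securityRules": [
    _rule("allow-appservice-out", 100, "Outbound", "Allow", "AppService", "443"),
    _rule("allow-mgmt-out", 110, "Outbound", "Allow", "AzureManagementAPI", "443"),
    _rule("allow-storage-out", 120, "Outbound", "Allow", "AzureStorage", "443"),
    _rule("allow-arm-out", 130, "Outbound", "Allow", "AzureResourceManager", "443"),
    _rule("deny-all-out", 4000, "Outbound", "Deny", "*"),
    _rule("allow-ssh-in", 200, "Inbound", "Allow", "*", "22", "Internet"),
]})

# Constructed sample VNet whose scanner subnet is missing the Microsoft.Web endpoint.
SAMPLE_VNET = json.dumps({"name": "cg-awp-vnet", "subnets": [
    {"name": "scanner", "serviceEndpoints": [{"service": "Microsoft.Storage"}]}]})


def _destinations(rule):
    """Collect single and multi-valued destination prefixes of a rule."""
    dests = set(rule.get("destinationAddressPrefixes") or [])
    if rule.get("destinationAddressPrefix"):
        dests.add(rule["destinationAddressPrefix"])
    return dests


def audit_scanner_nsg(nsg_json, allowed=ALLOWED_OUTBOUND):
    """Return findings for custom rules that break the scanner's intended isolation.

    The NSG default rule AllowInternetOutBound (priority 65001) permits all outbound
    traffic, so a custom Deny rule to '*' or 'Internet' must exist, otherwise the
    allow-list rules restrict nothing.
    """
    findings = []
    rules = sorted(json.loads(nsg_json).get("securityRules", []), key=lambda r: r["priority"])
    has_deny_all_out = False
    for r in rules:
        dests = _destinations(r)
        if r["direction"] == "Inbound" and r["access"] == "Allow":
            findings.append(f"inbound allow rule '{r['name']}': the scanner needs no inbound access")
        elif r["direction"] == "Outbound" and r["access"] == "Allow":
            for d in sorted(dests - allowed):
                findings.append(f"outbound allow rule '{r['name']}' reaches '{d}', "
                                f"which is outside the allow-list")
        elif r["direction"] == "Outbound" and dests & {"*", "Internet"}:
            has_deny_all_out = True
    if not has_deny_all_out:
        findings.append("no custom outbound deny rule: default AllowInternetOutBound (65001) still applies")
    return findings


def audit_service_endpoints(vnet_json, required=("Microsoft.Storage", "Microsoft.Web")):
    """Each subnet must carry the service endpoints that keep scanner traffic on the backbone."""
    findings = []
    for subnet in json.loads(vnet_json).get("subnets", []):
        present = {ep["service"] for ep in subnet.get("serviceEndpoints") or []}
        for svc in required:
            if svc not in present:
                findings.append(f"subnet '{subnet['name']}': missing service endpoint {svc}")
    return findings


if __name__ == "__main__":
    for line in audit_scanner_nsg(SAMPLE_NSG) + audit_service_endpoints(SAMPLE_VNET):
        print(line)
```

The deny-rule check is the one most often missed: an allow-list of outbound rules with no explicit Deny to `*` leaves the NSG default AllowInternetOutBound rule in effect, so the scanner could still reach arbitrary Internet hosts.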

To prepare your Function App for AWP scanning:

The AWP scanner, using the managed identity attached to it, downloads the Function App code and scans it.

Ignoring a VM Scan

If you need to deliberately skip scanning a VM, add a tag to the VM in the Azure portal.

To set a tag for the AWP scanner to ignore a Virtual Machine:

  1. In the Azure portal, open your Virtual Machine.

  2. Navigate to Tags and add a new tag with the name CG_AWP_SKIP_SCAN and the value ANY.

Offboarding AWP

To remove AWP from your Azure subscription, you must complete these two major steps:

  1. Run a script that deletes all the resources that AWP created in your Azure subscription.

  2. Delete your account from the AWP database.

Before you remove AWP from a centralized account, make sure to remove it from all connected sub-accounts.

Note - Deleting your Azure environment from CloudGuard also removes it from AWP, so AWP no longer scans it.

More Links