For Alert Logic to protect assets in Microsoft Azure, you must create a user account with specific permissions. Role-Based Access Control (RBAC) enables fine-grained access management for Azure accounts. Assignment of a RBAC role to the user account you create grants only the amount of access required to allow Alert Logic to monitor your environments.
This procedure requires administrative permissions in Azure, and the installation of one of the following command line interfaces:
- Azure Command Line Interface (CLI) 2.0
- Azure PowerShell
To configure your RBAC role in Azure:
- Log in to the Azure portal.
- On the left menu, click Azure Active Directory.
- In the Azure Resource Menu, click Domain names, and then make note of the primary Active Directory domain name.
- In the Azure Resource Menu, click Overview.
- In the Azure Active Directory blade, under Quick tasks, click Add a user.
- Enter a Name (for example, AL Cloud Defender).
- Enter a User name. The user name should be in the form of an email address based on the Active Directory (for example, ALCloudDefender@alazurealertlogic.onmicrosoft.com).
- Select the Show Password check box and make note of the password.
- Click Create. Profile and Properties can be set if needed.
- Back on the Azure Active Directory blade, click Users and groups.
- Click All users, and ensure the new user name appears in alphabetical order in the list.
- Open a new browser window.
- Log in to the Azure portal as the new user.
- At the prompt, change the password for the user.
RBAC roles enable fine-grained access management for Azure. After you create a user account, you must assign an RBAC role to the user. The Alert Logic RBAC role grants only the amount of access required to monitor your environments.
To create a custom RBAC role:
- Create a new text file and copy the Alert Logic RBAC role into it.
- Make the following changes to the file:
- In the Name field, change the entry to the user name for the user account you just created.
- In the AssignableScopes field, change the <subscription ID> value to the Subscription ID value found on your Azure portal Subscriptions blade.
- Save the text file as a .JSON file.
- Open either Azure CLI or Azure PowerShell and log in to your Azure account and specify the default subscription.
az account set -s [your subscription name or id]
Get-AzureRmSubscription –SubscriptionName [your subscription name] | Select-AzureRmSubscription
- Create your custom role in Azure.
az role definition create --role-definition [path to the permissions file]
New-AzureRmRoleDefinition -InputFile [path to the permissions file]
- In the Azure portal, verify that the new role appears in the Roles tab in Subscriptions > Access Control (IAM).
Once the RBAC role is created, it must be assigned to the user account. In Azure, roles are assigned in the Access Control portion of the Subscriptions blade.
- In the Azure Navigation Menu, click Subscriptions.
- In the Subscriptions blade, select the subscription you want Alert Logic to protect and then click Access Control (IAM).
- Above the list of users, click +Add.
- In the Add access blade, select the created RBAC role from those listed.
- In the Add users blade, enter the user account name in the search field and select the user account name from the list.
- Click Select.
- Click OK.