Cloud scans

Cyberwatch provides a dedicated assistant that simplifies the setup of scans on cloud infrastructures such as Amazon Web Services, Google Cloud Platform, Microsoft 365, Microsoft Azure, and Active Directory. In particular, CIS benchmarks for these platforms are partially supported for compliance checks.

The goal of these scans is to verify that the configuration follows best practices, for example by ensuring that sensitive resources are not publicly accessible.

Prerequisites

AWS compliance

| Attribute | Permission |
|---|---|
| AWS user with the policy | IAMReadOnlyAccess |
| AWS user with the policy | AmazonEC2ReadOnlyAccess |

Google Cloud Platform compliance

| Attribute | Permission |
|---|---|
| Role | Security Reviewer |
| Role | Viewer |
| Cloud Resource Manager API | Enabled on each project |

Azure compliance

| Attribute | Permission |
|---|---|
| Role | Virtual Machine Contributor |
| Role | Managed Application Contributor |
| Role | Reader |
| Role | Key Vault Reader |
| Role | Storage Account Contributor |
| Role | Web Plan Contributor |
| Application permission on Microsoft Graph | Policy.Read.All |

Microsoft 365 compliance

| Attribute | Permission |
|---|---|
| Microsoft Graph application permission | Device.Read.All |
| Microsoft Graph application permission | DeviceManagementManagedDevices.Read.All |
| Microsoft Graph application permission | User.ReadBasic.All |
| Microsoft Graph application permission | RoleManagement.Read.Directory |
| Microsoft Graph application permission | SharePointTenantSettings.Read.All |
| Office 365 Exchange Online application permission | Exchange.ManageAsApp |
| Microsoft Entra role | Global Reader |

Active Directory compliance

| Attribute | Permission |
|---|---|
| Permission | Read-only |
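
Before handing a credential to the scanner, it is worth checking that the identity holds the grants listed above and nothing more. The following is an added example, not Cyberwatch code: the `granted` and `audit` helpers are hypothetical names, the sample JSON is constructed, and the check covers only the AWS managed policies and Azure role assignments (not the Microsoft Graph application permission).

```python
import json

# Grants the prerequisites tables above require, per platform.
REQUIRED = {
    "aws": {"IAMReadOnlyAccess", "AmazonEC2ReadOnlyAccess"},
    "azure": {"Virtual Machine Contributor", "Managed Application Contributor",
              "Reader", "Key Vault Reader", "Storage Account Contributor",
              "Web Plan Contributor"},
}

def granted(platform, raw):
    """Return the grant names found in one identity's CLI JSON output."""
    doc = json.loads(raw)
    if platform == "aws":
        # Output of: aws iam list-attached-user-policies --user-name <user>
        # Covers directly attached managed policies only; inline and
        # group-inherited policies need their own listing calls.
        return {p["PolicyName"] for p in doc.get("AttachedPolicies", [])}
    if platform == "azure":
        # Output of: az role assignment list --assignee <app-id> --all
        return {a["roleDefinitionName"] for a in doc}
    raise ValueError(f"unsupported platform: {platform}")

def audit(platform, raw):
    """Compare granted names with the documented list."""
    have, need = granted(platform, raw), REQUIRED[platform]
    return {"missing": sorted(need - have), "extra": sorted(have - need)}

# Constructed sample: one required policy absent, one unrelated policy attached.
AWS_SAMPLE = json.dumps({"AttachedPolicies": [
    {"PolicyName": "IAMReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/IAMReadOnlyAccess"},
    {"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
]})
# Constructed sample: exactly the six documented Azure roles.
AZURE_SAMPLE = json.dumps(
    [{"roleDefinitionName": r, "scope": "/subscriptions/<constructed-id>"}
     for r in sorted(REQUIRED["azure"])])

if __name__ == "__main__":
    for platform, sample in (("aws", AWS_SAMPLE), ("azure", AZURE_SAMPLE)):
        print(platform, audit(platform, sample))
```

A non-empty `missing` list means the compliance scan will lack access it needs; a non-empty `extra` list means the scan credential is broader than the documented prerequisites.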

Add a project

  1. Go to the menu Assets management > Cloud
  2. Click on Add
  3. Choose a platform: AWS, GCP, Azure, Microsoft 365, or Active Directory
  4. Enter an access key or API identifier directly into the form, or select an already stored credential, then click Browse
  5. Define the name and choose one or both of the following options based on your needs:
     • Save discovery: a discovery will be created using the defined name, listing all discovered machines. This discovery will be available from the Discoveries page.
     • Check project compliance: this option will create a cloud asset using the defined name and return the result of the compliance scan.
  6. Click Save to launch the automatic setup of the selected elements.

You will then be able to view the compliance scan results in the Compliance inventory, or by clicking the asset’s name from the Assets management > Cloud menu, as well as the discovery results on the Discoveries page.

