Cloud scans
Cyberwatch provides a dedicated assistant that simplifies the setup of scans on cloud infrastructures such as Amazon Web Services, Google Cloud Platform, Microsoft 365, Microsoft Azure, and Active Directory. In particular, CIS benchmarks for these platforms are partially supported for compliance checks.
The goal of these scans is to ensure that the configuration follows some best practices, for example by ensuring that sensitive resources are not publicly accessible.
Prerequisites
AWS compliance
| Attribute | Permission |
|---|---|
| AWS user with the policy | IAMReadOnlyAccess |
| AWS user with the policy | AmazonEC2ReadOnlyAccess |
Google Cloud Platform compliance
| Attribute | Permission |
|---|---|
| Role | Security Reviewer |
| Role | Viewer |
| Cloud Resource Manager API | Enabled on each project |
Azure compliance
| Attribute | Permission |
|---|---|
| Role | Virtual Machine Contributor |
| Role | Managed Application Contributor |
| Role | Reader |
| Role | Key Vault Reader |
| Role | Storage Account Contributor |
| Role | Web Plan Contributor |
| Application permission on Microsoft Graph | Policy.Read.All |
Microsoft 365 compliance
| Attribute | Permission |
|---|---|
| Microsoft Graph application permission | Device.Read.All |
| Microsoft Graph application permission | DeviceManagementManagedDevices.Read.All |
| Microsoft Graph application permission | User.ReadBasic.All |
| Microsoft Graph application permission | RoleManagement.Read.Directory |
| Microsoft Graph application permission | SharePointTenantSettings.Read.All |
| Office 365 Exchange Online application permission | Exchange.ManageAsApp |
| Microsoft Entra role | Global Reader |
Active Directory compliance
| Attribute | Permission |
|---|---|
| Permission | Read-only |
Add a project
- Go to the menu Assets management > Cloud
- Click on Add
- Choose a platform: AWS, GCP, Azure, Microsoft 365, or Active Directory
- Enter an access key or API identifier directly into the form, or select an already stored credential, then click Browse
- Define the name and choose one or both of the following options based on your needs:
- Save discovery:
A discovery will be created using the defined name, listing all discovered machines. This discovery will be available from the Discoveries page.
- Check project compliance:
This option will create a cloud asset using the defined name and return the result of the compliance scan.
- Click Save to launch the automatic setup of the selected elements.
You will then be able to view the compliance scan results in the Compliance inventory, or by clicking the asset’s name from the Assets management > Cloud menu, as well as the discovery results on the Discoveries page.