Create A New Connector

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Reports under Compliance.

  2. Click Connectors.

  3. Click the New Connector button.

    1. The New Connector form will slide into view from the right side of the screen. 

  4. Click the icon of the appropriate Cloud provider.

    1. Amazon Web Services

    2. Google

    3. Microsoft Azure

  5. Complete the form by providing the required information.

    1. The New Connector form is dynamic. Form fields will change relative to the Cloud provider chosen. See below for specifics on how to configure the connection in the relevant provider. 

  6. Click the Add Connector button.

Create a Connection in AWS, GCP, or Azure

 Amazon Web Services
  1. Log in to Amazon Web Services (AWS) Console.

  2. Go to the IAM service.

  3. Go to Roles and click Create Role.

  4. Under “Select type of trusted entity” choose Another AWS account. Then:

    1. Paste in the AWS Account ID (from connector details).

    2. Select Require external ID and paste in the External ID (from connector details).

    3. Click Next: Permissions.

  5. Find the policy titled “SecurityAudit” and select the check boxes next to it. Click Next: Tags.

  6. Click Next: Review.

  7. Enter a role name and click Create role.

  8. Click on the new role to view details. Copy the Role ARN value and paste it into the connector details page in AMP.

 Google Cloud Platform

Part 1: Enable access to some API's in API library

  1. Log on to Google Cloud Platform (GCP) console.

  2. Select the organization.

  3. Select a project or create a new project. Ensure the correct project is selected.

  4. In the left sidebar, navigate to APIs and Services > Library.

  5. In API Library, click the following APIs and enable them. For help finding the API, use the search field.

    • Compute Engine API

    • Cloud Resource Manager API

    • Kubernetes Engine API

    • Cloud SQL Admin API

    • BigQuery API

    • Cloud Functions API

    • Cloud DNS API

    • Cloud Key Management Service (KMS) API

    • Cloud Logging API

    • Stackdriver Monitoring API

Part 2: Create service account and download configuration file

  1. Login to the GCP console and select a project.

  2. From the left sidebar, navigate to IAM & admin > Service accounts and click CREATE SERVICE ACCOUNT. Provide a name and description (optional) for the service account and click CREATE.

  3. Choose Viewer and Security Reviewer role to assign at least reader permissions to the service account and click CONTINUE.

  4. Click CREATE KEY.  Select JSON as Key type and click CREATE. A message saying “Private key saved to your computer” is displayed and the JSON file is downloaded to your computer. Click CLOSE and then click DONE.

Part 3: Upload the configuration (JSON) file in AMP on the new connector page for GCP connector and click on Add Connector.

 Microsoft Azure

Part 1: Create application in Azure Active Directory

  1. Log on to the Microsoft Azure console. Go to Azure Active Directory in the left navigation pane, then App Registrations.

  2. Click New registration and provide these details:

    1. Name: A name for the application (e.g. My_Azure_Connector)

    2. Supported account types: Select Accounts in any organizational directory

  3. Click Register. The newly created is displayed with its properties. Copy the Application (client)ID and Directory (tenant)ID and paste it into the connector details on the New Connector page in AMP.

Part 2: Provide permission to the new application to access the Windows Azure Service Management API

  1. Select the application that you created and go to API permissions > Add a permission.

  2. Select Azure Service Management API in Microsoft APIs for Request API permissions.

  3. Select user impersonation permission and click Add permissions.

  4. Click Add a permission.

  5. Select Microsoft Graph in Microsoft APIs for Request API permissions.

  6. Select Application permissions and expand User permissions and select User.Read.All permission and click Add permissions.A confirmation notification “Permissions have changed. Users and/or admins will have to consent even if they have already done so previously.” is displayed on success.

Part 3: Create a secret key

  1. Select the application that you created and go to Certificates and Secrets > New client secret.

  2. Add a description and expiry duration for the key (recommended: Never) and click Add.

  3. The value of the key appears in the Value field. Copy the key value at this time. You won’t be able to retrieve it later. Paste the key value into the Authentication Key field in AMP on the New Connector page.

Part 4: Grant permission for the application to access subscription that you want to configure. Assign a role to the new application. The role you assign will define the permissions for the new application to access subscriptions.

  1. On the Azure portal, navigate to Subscriptions.

  2. Select the subscription for which you want to grant permission to the application and note the subscription ID.

  3. Assign two roles (Reader role and a custom role to the application).Assign Reader Role

    1. To grant permission to the application you created, choose Access Control (IAM).

    2. Go to Add > Add a role assignment. Pick the role as Reader. A Reader can view everything but cannot make any changes to the resources of a subscription.

    3. Select Azure AD user, group, or service principal in Assign Access to dropdown.

    4. Type the application name in Select drop-down and select the application you created.

    5. Click Save to finish assigning the role. You’ll see your application in the list of users assigned to a role for that scope.

    Assign Custom Role

    Before you assign the custom role, create the custom role (QRole). Learn more

    1. Go to Add > Add a role assignment. Pick the custom role you created (QRole). The custom role can view but cannot make any changes to the resources of a subscription

    2. Select Azure AD user, group, or service principal in Assign Access to dropdown.

    3. Type the application name in Select drop-down and select the application you created.

    4. Click Save to finish assigning the role. You’ll see your application in the list of users assigned to a role for that scope.

  4. Copy the subscription ID you noted and paste it into the connector details in AMP on the New Connector page and click Add Connector.



Was this helpful?
Your Rating: Results: 1 Star2 Star3 Star4 Star5 Star 0 rates