Configuring Cloud Scanner for Microsoft Azure
Cloud Scanner can be deployed using one of the following:
Cloud Scanner on Azure Container Instance
You need to configure Terraform with the appropriate resources and inputs for your particular scenario, and you will need to provide the IP address or DNS name for the ThreatStryker management console and an API key.
Copy and paste the following into a new file cloud-scanner.tf. Edit the fields: region, mgmt-console-url and deepfence-key.
Single Subscription
Monitor a single Azure subscription
provider "azurerm" {
features {}
# Subscription ID to deploy the Azure Container Service
subscription_id = "<SUBSCRIPTION_ID eg. XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>"
}
module "cloud-scanner_example_single-subscription" {
source = "deepfence/cloud-scanner/azure//examples/single-subscription"
version = "0.6.0"
mgmt-console-url = "<Console URL> eg. XXX.XXX.XX.XXX"
mgmt-console-port = "443"
deepfence-key = "<Deepfence-key> eg. XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
name = "deepfence-cloud-scanner"
image = "quay.io/deepfenceio/cloud_scanner:2.3.1"
# Location name https://gist.github.com/ausfestivus/04e55c7d80229069bf3bc75870630ec8#results
location = "eastus"
# Number of CPU cores (Default: 2 vCPU)
cpu = "2"
# Memory in GB (Default: 4 GB)
memory = "4"
tags = {
product = "deepfence-cloud-scanner"
}
}
Tenant subscriptions
Monitor multiple subscriptions in a Tenant
provider "azurerm" {
features {}
# Subscription ID to deploy the Azure Container Service
subscription_id = "<SUBSCRIPTION_ID eg. XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>"
}
module "cloud-scanner_example_tenant-subscriptions" {
source = "deepfence/cloud-scanner/azure//examples/tenant-subscriptions"
version = "0.6.0"
mgmt-console-url = "<Console URL> eg. XXX.XXX.XX.XXX"
mgmt-console-port = "<Console port> eg. 443"
deepfence-key = "<Deepfence-key> eg. XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
name = "deepfence-cloud-scanner"
image = "quay.io/deepfenceio/cloud_scanner:2.3.1"
# List of subscription ids to monitor
subscription_ids_access = ["XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"]
# Location name https://gist.github.com/ausfestivus/04e55c7d80229069bf3bc75870630ec8#results
location = "eastus"
# Number of CPU cores (Default: 4 vCPU)
cpu = "4"
# Memory in GB (Default: 8 GB)
memory = "8"
tags = {
product = "deepfence-cloud-scanner"
}
}
Ensure that the name parameter is set to some unique string to avoid collision with existing resource names in the subscription
Then run
terraform init
terraform plan
terraform apply
For full details, refer to the examples provided in the GitHub repository: https://github.com/deepfence/terraform-azure-cloud-scanner
Cloud Scanner on AKS cluster
Pre-requisite:
- AKS cluster is created, and you have access to the cluster
- azure cli is configured and is able to access the required project where cloud scanner will be deployed
Cloud Scanner is deployed as a pod within your AKS cluster
You need to configure Terraform with the appropriate resources and inputs for your particular scenario, and you will need to provide the IP address or DNS name for the ThreatStryker management console and an API key.
Copy and paste the following (single project or multiple projects) into a new file cloud-scanner.tf. Edit the fields: region, mgmt-console-url and deepfence-key.
Single Subscription Cloud Scanner on AKS Cluster
provider "azurerm" {
subscription_id = "<SUBSCRIPTION_ID eg. XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>"
features {}
}
data "azurerm_subscription" "current" {}
data "azurerm_kubernetes_cluster" "default" {
name = "< AKS CLUSTER NAME >"
resource_group_name = "<AKS CLUSTER RESOURCE GROUP>"
}
module "cloud-scanner" {
source = "deepfence/cloud-scanner/azure//examples/aks"
version = "0.7.0"
name = "<name of the app>"
mgmt-console-url = "<Console URL> eg. XXX.XXX.XX.XXX"
deepfence-key = "<DEEPFENCE API KEY>"
# ThreatStryker
cloud_scanner_image = "quay.io/deepfenceio/cloud_scanner"
location = "< LOCATION >"
subscription_id = data.azurerm_subscription.current.subscription_id
aks_host = data.azurerm_kubernetes_cluster.default.kube_config.0.host
aks_client_key = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_key)
aks_client_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)
aks_cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)
}
Multiple Subscription Cloud Scanner on AKS cluster
provider "azurerm" {
subscription_id = "<SUBSCRIPTION_ID eg. XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>"
features {}
}
data "azurerm_subscription" "current" {}
data "azurerm_kubernetes_cluster" "default" {
name = "< AKS CLUSTER NAME >"
resource_group_name = "<AKS CLUSTER RESOURCE GROUP>"
}
module "test" {
source = "deepfence/cloud-scanner/azure//examples/aks"
version = "0.7.0"
name = "<name of the app>"
mgmt-console-url = "<Console URL> eg. XXX.XXX.XX.XXX"
deepfence-key = "<DEEPFENCE API KEY>"
# ThreatStryker
cloud_scanner_image = "quay.io/deepfenceio/cloud_scanner"
location = "< LOCATION >"
subscription_id = data.azurerm_subscription.current.subscription_id
aks_host = data.azurerm_kubernetes_cluster.default.kube_config.0.host
aks_client_key = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_key)
aks_client_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)
aks_cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)
isOrganizationDeployment = true
deployedAccountID = data.azurerm_subscription.current.subscription_id
subscription_ids_access = [ <list of tenants subscription id's> ]
}
Cloud Scanner on Azure virtual machine
Pre-requisite:
- Install docker and docker compose on the Azure virtual machine (refer docker documentation for installation instructions)
- If an existing Azure virtual machine is used, check if docker and docker compose plugins are installed on the Azure virtual machine.
- azure cli is configured and is able to access the required project where cloud scanner will be deployed
-
Copy and paste the following (single tenant or multiple tenant) into a new file cloud-scanner.tf. Edit the fields: SUBSCRIPTION_ID and subscription_ids_access if required.
-
Single Subscription Cloud Scanner on Azure virtual machine
provider "azurerm" {
subscription_id = "<SUBSCRIPTION_ID>"
features {}
}
data "azurerm_subscription" "current" {}
module "infrastructure_cloud-scanner-app" {
source = "deepfence/cloud-scanner/azure//modules/infrastructure/cloud-scanner-app"
version = "0.7.0"
name = "deepfence-cloud-scanner"
subscription_ids_access = [data.azurerm_subscription.current.subscription_id]
}
output "tenant_id" {
value = module.infrastructure_cloud-scanner-app.tenant_id
}
output "client_id" {
value = module.infrastructure_cloud-scanner-app.client_id
}
output "client_secret" {
value = module.infrastructure_cloud-scanner-app.client_secret
sensitive = true
} -
Multiple Subscription Cloud Scanner on Azure virtual machine
provider "azurerm" {
subscription_id = "<SUBSCRIPTION_ID>"
features {}
}
data "azurerm_subscription" "current" {}
module "infrastructure_cloud-scanner-app" {
source = "deepfence/cloud-scanner/azure//modules/infrastructure/cloud-scanner-app"
version = "0.7.0"
name = "deepfence-cloud-scanner"
subscription_ids_access = [list of tenant subscriptions ids]
}
output "tenant_id" {
value = module.infrastructure_cloud-scanner-app.tenant_id
}
output "client_id" {
value = module.infrastructure_cloud-scanner-app.client_id
}
output "client_secret" {
value = module.infrastructure_cloud-scanner-app.client_secret
sensitive = true
}
-
-
Apply the terraform script and note the output
tenant_id,client_idandclient_secret. Please run this command to retrieveclient_secretfrom terraform output.terraform output client_secret -
Create a directory deepfence-cloud-scanner and download docker-compose.yaml from the url
https://raw.githubusercontent.com/deepfence/cloud-scanner/refs/heads/release-2.3/docker-compose.yamlmkdir deepfence-cloud-scanner && cd deepfence-cloud-scanner
wget https://raw.githubusercontent.com/deepfence/cloud-scanner/refs/heads/release-2.3/docker-compose.yaml -
Update the environment vars account details and console details in the docker-compose.yaml, if deploying for multi tenants cloud scanner set
ORGANIZATION_DEPLOYMENT: trueimage: quay.io/deepfenceio/cloud_scanner:2.3.1
environment:
MGMT_CONSOLE_URL: "<CONSOLE_URL>"
MGMT_CONSOLE_PORT: <CONSOLE_PORT>
DEEPFENCE_KEY: "<DEEPFENCE_KEY>"
CLOUD_PROVIDER: "azure"
CLOUD_REGION: "<LOCATION>"
CLOUD_ACCOUNT_ID: "<SUBSCRIPTION_ID>"
DEPLOYED_ACCOUNT_ID: "<SUBSCRIPTION_ID>"
CLOUD_ACCOUNT_NAME: ""
ORGANIZATION_DEPLOYMENT: false
CLOUD_ORGANIZATION_ID: "<TENANT_ID>"
ROLE_NAME: ""
CLOUD_AUDIT_LOG_IDS: ""
HTTP_SERVER_REQUIRED: "false"
SUCCESS_SIGNAL_URL: ""
DF_LOG_LEVEL: info
SCAN_INACTIVE_THRESHOLD: "21600"
CLOUD_SCANNER_POLICY: ""
AZURE_TENANT_ID: "<TENANT_ID>"
AZURE_REGION: "<LOCATION>"
AZURE_CLIENT_ID: "<CLIENT_ID>"
AZURE_CLIENT_SECRET: "<CLIENT_SECRET>"
AZURE_SUBSCRIPTION_ID: "<SUBSCRIPTION_ID>" -
Start the cloud scanner using docker compose
docker compose up -d
What Compliance Scans are Performed?
ThreatStryker builds on a large library of controls - these are specific requirements and matching tests. For example, you will find controls that correspond to best-practice configurations of access to assets, such as enabling TLS access and blocking plain-text HTTP.
Controls are grouped into benchmarks. Where multiple benchmarks are available, controls may be used by several benchmarks.
When you run a compliance scan, you can select which benchmarks you wish to measure against, and ThreatStryker will then evaluate the appropriate controls and present the results, by benchmark, once the scan has completed.
For full information, refer to Operations: Compliance Scanning.
For maximum coverage, you can use both Cloud Scanner and local Sensor Agent compliance scans together. You could scan your Azure infrastructure using Cloud Scanner, and scan selected VMs deployed within Azure using the Sensor Agent.