1 - Overview

Service Overview

Config Inspection is a service that diagnoses the security level of console settings for each service of Samsung Cloud Platform. It provides a security checklist organized by areas such as IAM, Networking, Database, Logging, and checks the current status via API calls to see whether the recommended security settings for each diagnostic item are applied.

Users can create a diagnostic target through service creation and then request a diagnosis, and the diagnosis request results can be checked via the Report. The Report provides the diagnosis request history and item-specific diagnosis results, and for diagnostic items that require the user’s final confirmation or action, detailed results including the resource information corresponding to each item and a remedial guide can be viewed.

Diagram
Figure. Config Inspection Diagram

Provided Features

Config Inspection provides the following features.

  • Console Diagnosis: You can diagnose the security level by calling the Console API using the authentication key method.
  • Diagnosis Target Management: Through service creation, you can create and manage the user’s Samsung Cloud Platform account as a diagnosis target.
  • Diagnosis Request: In the resource detail screen, you can request a diagnosis by clicking the Diagnosis Request button.
  • Diagnostic Result Management: In Report, you can view the list of diagnosis requests and detailed diagnosis results, and download them as an Excel file.

Components

Checklist

The checklist is a collection of diagnostic items that serve as the basis for diagnostic results, and the checklist currently provided by Config Inspection is as follows.

Cloud | Checklist Name | Number of Items
Samsung Cloud Platform | Best Practice | 18
Table. Config Inspection checklist

The detailed diagnostic items of the Best Practice checklist provided by Samsung Cloud Platform are as follows.

Area | Diagnostic Item
Networking
  • Private subnets that do not require internet access should not use a NAT Gateway.
  • Network integration services must use a Firewall.
  • Security Groups should register only the necessary rules per IP and port.
  • Remote access ports for each protocol must allow connections by specifying the IPs that need access.
  • The Firewall of network integration products should register only the necessary rules per IP/port.
Container
  • You must use private endpoint access control for the Kubernetes cluster and allow access only to authorized resources.
  • You must use private endpoint access control for the Container Registry and allow access only to authorized resources.
  • Enable automatic vulnerability scanning for Container Registry images.
  • Do not use a vulnerability scan exclusion policy for Container Registry images.
  • Restrict pulling of unscanned images from the Container Registry.
  • Restrict pulling of vulnerable images from the Container Registry.
Database
  • SQL-level audit logs must be stored.
Logging
  • Activate the Trail service of Logging&Audit and set the scope to all regions/resource types/users.
  • Set the log file verification of Logging&Audit Trail to enabled.
  • Security Group must have logging enabled.
  • Network integration products must enable Firewall logging.
  • Enable NAT logging for the Internet Gateway.
  • Enable control plane logging for the Kubernetes Engine cluster.
Table. Samsung Cloud Platform Best Practice checklist composition items

    Report

    In the Config Inspection Report, you can view the diagnostic results in the order of result list, result details, and item details.

    Category | Detailed description
    Diagnosis Result List | All diagnosis request history within Account
    • Completed: Diagnosis request has been successfully completed
      • Click the instance to view detailed diagnosis result
    • Error: Diagnosis request was not successfully completed
      • If the diagnosis result is an error, detailed diagnosis result is not provided.
      • The cause of the error can be found in Config Inspection detailed information
    Diagnosis Result Details | Result of a successfully completed diagnosis request (diagnosis item list)
    • PASS: No vulnerable resources exist in the diagnosis item.
    • FAIL: Vulnerable resources exist in the diagnosis item.
    • CHECK: Final user confirmation is required regarding vulnerability.
    • ERROR: There is an error with user/authentication key permissions or API call.
    • N/A: No resources correspond to the diagnosis item.
    Diagnostic Item Details | Detailed Results per Diagnostic Item
    Table. Config Inspection Report diagnostic configuration

    Preliminary Service

    Config Inspection has no preceding service.

    2 - How-to guides

    The user can enter the required information for the Config Inspection service through the Samsung Cloud Platform Console, select detailed options, and create the service.

    Create Certificate

    To create and use the Config Inspection service on the Samsung Cloud Platform Console, you must first create an authentication key.

    Authentication key creation can be done from My Menu > My Info. > Authentication Key Management > Create Authentication Key. For more details, refer to Authentication Key Management.

    Reference
    • The expiration period of the authentication key is up to 365 days.
    • To create an authentication key without an expiration date, you must create it permanently.

    Config Inspection Create

    You can create and use the Config Inspection service in the Samsung Cloud Platform Console.

    Reference
    The user must belong to the AdministratorGroup user group in order to use the services provided by the Config Inspection service properly.

    To create a Config Inspection, follow these steps.

    1. Click the All Services > Security > Config Inspection menu. Navigate to Config Inspection’s Service Home page.
    2. On the Service Home page, click the Create Config Inspection button. You will be taken to the Create Config Inspection page.
    3. On the Create Config Inspection page, enter the inputs required to create the service, and select detailed options.
      • In the Service Information Input area, enter or select the required information.
        Category | Required or not | Detailed description
        Diagnosis Type | - | Automatically set with Console
        Cloud | Required | Select cloud to diagnose
        • SCP: Samsung Cloud Platform
        • AWS: Amazon Web Services
        • Azure: Microsoft Azure
        • Detailed input fields vary depending on the selected cloud type
        Diagnosis Target > Diagnosis Name | Required | Name to distinguish the diagnosis target
        • The entered value is used as the resource name
        • Enter within 25 characters using English letters, numbers, and special characters (-, _)
        Diagnostic Target > Diagnostic Account | Required | Console information for the diagnostic target
        • Select the Account ID to diagnose from the list
        • If the same Account ID is selected, duplicate application occurs and additional charges will be incurred
        • If AWS is selected, enter the Account ID (12 digits) in the diagnostic account
        • If Azure is selected, enter the Subscription ID (36 characters including letters, numbers, and special characters) in the diagnostic account
        Diagnosis Schedule > Checklist | Required | Automatically set when Use Diagnosis Schedule is selected
        Diagnosis Schedule > Diagnosis Cycle | Required | Select Diagnosis Cycle
        • The diagnosis is executed on the selected date according to the specified cycle
        • If Monthly is selected, the diagnosis may not be performed on the selected date
          • e.g., selecting the 31st of each month – February has no such date, so the diagnosis is not performed
        Diagnosis Schedule > Start Time | Required | Select Diagnosis Start Time
        • Set the hour and minute information to start the diagnosis
        Authentication Key | Required | Select authentication key to use for Open API calls
        • Click the Select button and choose the appropriate authentication key from the list in the Select Authentication Key popup.
        • If there are no selectable authentication keys, click Authentication Key Management to create a new authentication key.
        • For detailed information about authentication keys, refer to [Manage Authentication Keys](/userguide/management/iam/how_to_guides/myinfo.md/#인증키-관리하기).
        Plan | Select | Select the plan to use
        • Standard: charge based on the number of diagnoses
        • Monthly flat-rate: charge a fixed amount each month regardless of the number of diagnoses (based on up to 30 diagnoses per month)
        • The plan cannot be changed after service application
        Table. Config Inspection Service Information Input Items
      • In the Additional Information Input area, enter or select the required information.
        Category | Required or not | Detailed description
        Tag | Select | Add Tag
        • Up to 50 can be added per resource
        • After clicking the Add Tag button, enter or select Key, Value values
        Table. Config Inspection Additional Information Input Items
    4. In the Summary panel, check the detailed information and estimated billing amount you created, and click the Create button.
    • When creation is complete, check the created resources on the Config Inspection List page.
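The Monthly caveat in the Diagnosis Cycle row can be checked before a date is chosen. The following is an added example, not part of the Samsung Cloud Platform documentation; the function names are hypothetical, and it assumes a month without the selected date gets no diagnosis at all, as the 31st/February case above describes.

```python
import calendar
from datetime import date


def monthly_schedule(day_of_month, start_year, years=1):
    """Return (run_dates, skipped_months) for a Monthly cycle set to day_of_month."""
    if not 1 <= day_of_month <= 31:
        raise ValueError("day_of_month must be between 1 and 31")
    runs, skipped = [], []
    for year in range(start_year, start_year + years):
        for month in range(1, 13):
            days_in_month = calendar.monthrange(year, month)[1]
            if day_of_month <= days_in_month:
                runs.append(date(year, month, day_of_month))
            else:
                # The selected date does not exist in this month: no diagnosis.
                skipped.append((year, month))
    return runs, skipped


def longest_gap_days(runs):
    """Longest interval in days between two consecutive diagnoses."""
    gaps = [(later - earlier).days for earlier, later in zip(runs, runs[1:])]
    return max(gaps, default=0)


def safe_days():
    """Days of the month that exist in every month, leap years included."""
    # 2024-2027 covers one leap year and three common years.
    return [d for d in range(1, 32) if not monthly_schedule(d, 2024, years=4)[1]]


if __name__ == "__main__":
    for day in (1, 29, 30, 31):
        runs, skipped = monthly_schedule(day, 2025)
        print(f"day {day:2}: {len(runs)} runs, skipped months "
              f"{[m for _, m in skipped]}, longest gap {longest_gap_days(runs)} days")
    print("days that never skip:", safe_days())
```

With the 31st selected, only seven diagnoses run in a year and the settings go unchecked for up to 61 days at a time.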

    Config Inspection Check detailed information

    You can view and edit the full resource list and detailed information of the Config Inspection service. The Config Inspection Details page consists of the Details, Tags, and Work History tabs.

    To view detailed information of the Config Inspection service, follow the steps below.

    1. Click the All Services > Security > Config Inspection menu. Navigate to Config Inspection’s Service Home page.
    2. Click the Config Inspection menu on the Service Home page. You will be taken to the Config Inspection list page.
    3. On the Config Inspection List page, click the resource to view detailed information. You will be taken to the Config Inspection Details page.
      • The Config Inspection Details page displays status information and additional feature information, and consists of the Detailed Information, Tags, and Work History tabs.
        Category | Detailed description
        Status | Displays the status of Config Inspection
        • Ready: When there is no diagnostic request after service creation (diagnostic request possible)
        • In Progress: When a diagnostic request is in progress (diagnostic request/service termination not possible)
        • Error: When an error occurs in the diagnostic request (diagnostic request possible)
        • Completed: When the diagnostic request is completed successfully (diagnostic request possible)
        Diagnosis Request | Button that can perform Console diagnosis
        Service Cancellation | Button to cancel the service
        Table. Config Inspection status information and additional functions

    Detailed Information

    On the Config Inspection List page, you can view detailed information of the selected resource and, if necessary, edit the information.

    Category | Detailed description
    Service | Service Name
    Resource Type | Resource Type
    SRN | Unique resource ID in Samsung Cloud Platform
    Resource Name | Resource Name
    Resource ID | Unique resource ID in the service
    Creator | User who created the service
    Creation date/time | Date/time the service was created
    Editor | User who modified the service information
    Modification Date/Time | Date/Time when service information was modified
    Diagnosis Type | Diagnosis types provided by the service
    Cloud | Diagnosis Target Types
    Diagnosis Target | Console information of the diagnostic target
    • Provides the diagnostic name and diagnostic account information of the diagnostic target
    • If the diagnostic target is AWS or Azure, you can click the Edit icon to modify the diagnostic account
    Plan | Selected plan type
    Recent diagnosis date/time | Last executed diagnostic request date/time
    Recent Diagnosis Result | Last executed diagnosis request result
    • Completed: The diagnosis request has been completed successfully
    • Error: The diagnosis request was not completed successfully
      • UNAUTHORIZED: Key permission used for the diagnosis request needs to be verified
      • INVALID_INPUT_VALUE: Input values such as diagnosis account need to be verified
      • CONNECTION_FAIL: Console access control settings need to be verified
      • ETC: Other errors such as diagnosis engine require inquiry through the service desk
    ※ Diagnosis results can be viewed in the Security > Config Inspection > Report menu
    Authentication Key | User’s authentication key registered at service creation
    • Access Key, user, status information provided
    • Access Key information and edit icon are displayed only to the user who created the authentication key
      • Click the Edit icon to change the authentication key
    • If the authentication key is deleted, it is shown as - status; if expired, shown as Expired
    • Authentication key information (Access Key, status) of resources created by other users is displayed as -
    Diagnosis Schedule | Display selected diagnosis schedule information
    • If the diagnosis target is SCP, you can click the Edit icon to change the diagnosis schedule.
    Table. Config Inspection Detailed Information Tab Items

    Tag

    On the Config Inspection List page, you can view the tag information of selected resources, and you can add, modify, or delete them.

    Category | Detailed description
    Tag List | Tag List
    • You can view the Key, Value information of tags
    • Up to 50 tags can be added per resource
    • When entering tags, search and select from the previously created Key and Value list
    Table. Config Inspection Tag Tab Items

    Work History

    On the Config Inspection List page, you can view the operation history of the selected resource.

    Category | Detailed description
    Work History List | Resource Change History
    • Check the work date and time, resource ID, resource name, work details, event topic, work result, and worker information
    Table. Config Inspection Work History Tab Items

    Config Inspection Resource Management

    If you need to view the status of Config Inspection resources and request a diagnosis, you can perform the task on the Config Inspection List or Config Inspection Details page.

    Edit Authentication Key

    You can select the authentication key to use for diagnosis for each diagnosis target.

    To modify the service’s authentication key, follow the steps below.

    1. Click the All Services > Security > Config Inspection menu. Go to Config Inspection’s Service Home page.
    2. Click the Config Inspection menu on the Service Home page. You will be taken to the Config Inspection list page.
    3. On the Config Inspection List page, click the resource whose authentication key you want to edit. You will be taken to the Config Inspection Details page.
    4. Check the authentication key and click the Edit icon. The Edit Authentication Key popup window opens.
    5. In the Edit Authentication Key popup window, select the authentication key to use and click the Confirm button.
      Category | Detailed description
      Authentication Key | Authentication Key Details
      Creation Date/Time | Authentication Key Creation Date
      Expiration Date and Time | Authentication Key Expiration Date
      Status | Status of the authentication key
      • Use: Usable state
      • Expired: The usage period has expired
      Table. Authentication Key Edit Popup Items
    Reference
    • If the authentication key is deleted, it is displayed as - status.
    • The authentication key information (authentication key, status) of resources created by other users is displayed as -.

    Request Diagnosis

    You can request a console diagnosis based on the configured checklist.

    To request a console diagnosis, follow the steps below.

    1. Click the All Services > Security > Config Inspection menu. Go to Config Inspection’s Service Home page.

    2. Click the Config Inspection menu on the Service Home page. You will be taken to the Config Inspection list page.

    3. On the Config Inspection list page, click the resource to request a diagnosis. The Config Inspection details page will be opened.

    4. Click the Diagnostic Request button on the Config Inspection Details page. The Diagnostic Request popup will open.

    5. In the Diagnosis Request popup window, enter the information required for diagnosis and click the Confirm button.

      • The items in the Diagnosis Request popup window vary depending on the selected Console.
        Category | Detailed description
        Console Access Method | Fixed to authentication key method as the way to access the Console
        Checklist | Fixed to Best Practice when SCP is selected
        Authentication Key | If SCP is selected, choose the pre-generated authentication key
        Access Key | Enter Access Key if AWS is selected
        Secret Key | Enter Secret Key if AWS is selected
        Client ID | Enter Client ID if Azure is selected
        Client Secret | Enter Client Secret if Azure is selected
        Tenant ID | Enter Tenant ID if Azure is selected
        Table. Diagnosis Request Popup Items
    6. On the Config Inspection List page, check the Status value.

      • When the diagnostic request is completed, the status value is displayed as Completed or Error.
      • Completed: You can view the diagnosis request results in the diagnosis results menu. For more details, see Report Management.
    Reference
    For detailed information on the prerequisite settings required to run diagnostics per console, refer to Set Up Prerequisites.

    Config Inspection Cancel

    You can cancel the unused Config Inspection service. However, if you cancel Config Inspection, all stored diagnostic data will be deleted.

    Caution
    • If you cancel the resource, all diagnostic data will be deleted, and you will not be able to view the diagnostic results in the Report.
    • Config Inspection service cannot be terminated if its status is In Progress.

    To cancel Config Inspection, follow the steps below.

    1. Click the All Services > Security > Config Inspection menu. Go to Config Inspection’s Service Home page.
    2. Click the Config Inspection menu on the Service Home page. Navigate to the Config Inspection List page.
    3. On the Config Inspection List page, click the resource to be terminated. Navigate to the Config Inspection Details page.
    4. Click the Service Termination button on the Config Inspection Details page.
    5. When termination is complete, check on the Config Inspection List page whether the resource has been terminated.

    2.1 - Dashboard Check

    Users can view the diagnostic results of the Config Inspection service at a glance on the dashboard through the Samsung Cloud Platform Console.

    Check Dashboard

    On the dashboard page, you can view the status of Config Inspection’s diagnostic targets and diagnostic history, etc.

    To check the dashboard, follow the steps below.

    1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
    2. Click the Dashboard menu on the Service Home page. Navigate to the Dashboard page.
    3. On the Dashboard page, check the summary of diagnostic results.
      • At the top of the Dashboard page, you can view the dashboard information based on period or diagnosis name.
        • Period: Based on the current month, you can set a period within 6 months to view summary information of the diagnosis results.
        • Diagnosis Name: If you select All, you can view a summary of the entire diagnostic history results, and if you select a diagnostic account, you can view the detailed information of that diagnostic result.
      • Click the Download button to download the information displayed on the dashboard page as a PDF file.
        Category | Detailed description
        Security Level (Overall) | Display average of latest diagnostic results for all diagnostic targets
        • Recent diagnostic results are displayed in the list
        • Diagnostic score calculation formula = (Total - (Fail + Error + Check)) / Total x 100
        Periodic Diagnosis Status | Display diagnosis status by target during search period
        • Diagnosis Completed: Show recent completed diagnosis details
        • Diagnosis Error: Show recent diagnosis error details; selecting a diagnosis name goes to the detailed result page
        Summary of Diagnosis Results by Period (All) | Display summary of diagnosis results (All) during the search period
        • If you select a diagnosis name from the list, you will be taken to the detailed diagnosis result page
        Table. Detailed dashboard item description for overall diagnosis results
        Category | Detailed description
        Security Level | Display the last diagnostic result score of the selected diagnostic account
        • Recent diagnostic results are displayed in the list
        Period-wise diagnostic result summary | Show summary of diagnostic results for the last diagnostic account within the search period
        Vulnerability Status by Period | Display the vulnerability diagnosis results of the diagnostic account during the search period as a graph
        • When a graph is selected, display detailed information of the vulnerable items in the diagnosis results
        Table. Detailed dashboard item description for diagnostic results by diagnostic account
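The score formula above can be reproduced from the per-status counts shown in the Diagnosis Result List. The following is an added example, not code from Samsung Cloud Platform; the function names, the ISO 8601 time format and the sample rows are assumptions, as are treating Total as the All column (so N/A items are not deducted) and leaving Error requests out of the overall average.

```python
from datetime import datetime

# Result columns of the Diagnosis Result List; "All" is the checklist total.
STATUS_COLUMNS = ("PASS", "FAIL", "CHECK", "ERROR", "N/A")
# Results the dashboard formula subtracts from the total.
DEDUCTED = ("FAIL", "ERROR", "CHECK")


def diagnostic_score(row):
    """(Total - (Fail + Error + Check)) / Total x 100 for one result-list row."""
    counts = {status: int(row.get(status, 0)) for status in STATUS_COLUMNS}
    if any(count < 0 for count in counts.values()):
        raise ValueError("item counts cannot be negative")
    total = sum(counts.values())
    if "All" in row and int(row["All"]) != total:
        raise ValueError(f"All={row['All']} but the status columns sum to {total}")
    if total == 0:
        return None  # no checklist items: no score instead of a division by zero
    deducted = sum(counts[status] for status in DEDUCTED)
    return (total - deducted) / total * 100


def latest_completed(rows):
    """Newest row per diagnosis name whose Diagnosis Result is Completed."""
    newest = {}
    for row in rows:
        if row["Diagnosis Result"] != "Completed":
            continue  # an Error request provides no detailed result (assumed excluded)
        when = datetime.fromisoformat(row["Diagnosis time"])  # assumed ISO 8601
        name = row["Diagnosis name"]
        if name not in newest or when > newest[name][0]:
            newest[name] = (when, row)
    return {name: row for name, (_, row) in newest.items()}


def overall_security_level(rows):
    """Average of the latest score of every diagnosis target."""
    scores = [diagnostic_score(row) for row in latest_completed(rows).values()]
    scores = [score for score in scores if score is not None]
    return sum(scores) / len(scores) if scores else None


def _row(name, when, result, passed=0, fail=0, check=0, error=0, na=0):
    """Build one constructed result-list row."""
    return {"Diagnosis name": name, "Diagnosis time": when, "Diagnosis Result": result,
            "PASS": passed, "FAIL": fail, "CHECK": check, "ERROR": error, "N/A": na,
            "All": passed + fail + check + error + na}


# Constructed sample rows for the 18-item Best Practice checklist.
SAMPLE_ROWS = [
    _row("prod-account", "2025-01-05T02:00", "Completed", passed=5, fail=8, check=3, error=1, na=1),
    _row("prod-account", "2025-02-05T02:00", "Completed", passed=7, fail=5, check=3, error=1, na=2),
    _row("dev-account", "2025-02-06T02:00", "Completed", passed=16, na=2),
    _row("dev-account", "2025-02-07T02:00", "Error"),
]

if __name__ == "__main__":
    for name, row in sorted(latest_completed(SAMPLE_ROWS).items()):
        print(f"{name}: {diagnostic_score(row):.1f}")
    print(f"overall: {overall_security_level(SAMPLE_ROWS):.1f}")
```

Because CHECK and ERROR are deducted just like FAIL, an unconfirmed CHECK item or a key permission error lowers the score even when no resource is confirmed vulnerable.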

      2.2 - Diagnostic Result Management

      You can view the Config Inspection diagnostic request results on the diagnostic results page and change the diagnostic results.

      Reference

      The diagnostic result is generated when a diagnostic request is made in the Config Inspection service, and it is deleted when the service is terminated.

      Check diagnosis results

      On the diagnosis results page, you can view the diagnosis request results.

      Check diagnosis result list

      To view the list of diagnostic results, follow the steps below.

      1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
      2. Click the Diagnostic Results menu on the Service Home page. You will be taken to the Diagnostic Results List page.
      3. On the Diagnostic Result List page, check the summary information of diagnostic results.
        Category | Detailed description
        Diagnosis name | Resource name
        Diagnostic Account | Console information to be diagnosed
        Checklist | Collection of diagnostic items that serve as the basis for diagnostic results
        PASS | Number of items in the checklist with diagnosis result PASS (normal)
        FAIL | Number of items in the checklist with diagnosis result FAIL (vulnerable)
        CHECK | Number of items in the checklist whose diagnosis result is CHECK (verification needed)
        ERROR | Number of items in the checklist whose diagnosis result is ERROR (diagnosis not possible)
        N/A | Number of items in the checklist where the diagnosis result is N/A (not applicable)
        All | Total number of checklist items
        Diagnosis Result | Diagnosis Request Result
        • Completed: The diagnosis request has been successfully completed; clicking Completed moves to the detail page
        • Error: The diagnosis request was not successfully completed; detailed content cannot be viewed for items in error status
        Diagnosis time | Diagnosis request time
        Table. Diagnosis Result List Items

      Check detailed diagnostic result information

      To view detailed information of the diagnosis results, follow the steps below.

      1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
      2. Click the Diagnostic Results menu on the Service Home page. It navigates to the Diagnostic Results List page.
        • You can search by entering the diagnosis name in the search area of the Diagnosis Result List page or by clicking the Detailed Search button.
      3. Click on an item with a Completed diagnosis result on the Diagnosis Result List page. You will be taken to the diagnosis result detail page.
        • Items whose diagnostic result is in error state do not display detailed information.
      4. On the Detailed Diagnosis Results page, check the detailed diagnosis results.

        Category | Detailed description
        Excel Download | Download detailed list of diagnosis results as an Excel file
        More > Diagnosis Result Management | Go to Diagnosis Result Management page
        Checklist | Collection of diagnostic items that serve as the basis for diagnostic results
        Area | Diagnosis scope (services of Samsung Cloud Platform)
        Diagnostic Items | Security standards recommended for service-specific settings
        Result | Result of diagnostic item criteria check
        Table. Detailed Diagnosis Result Items

      5. Click the diagnostic item to view detailed information. The Diagnostic Item Details popup window opens.

        • In the Diagnostic Item Details popup window, you can view the following information.
          Category | Detailed description
          Area | Diagnosis Scope (Samsung Cloud Platform’s services)
          Diagnostic Items | Security standards recommended for service-specific settings
          Result | Diagnosis item criteria check result
          Diagnosis Criteria | Result Judgment Criteria
          Diagnostic Method | Current Settings Check Method
          Action Guide | Configuration method that meets security standards
          Detailed Result | Resource information and settings corresponding to the diagnostic item
          Diagnosis Result Change | Button to change diagnosis result
          • If the diagnosis result is changed, the Check Result button is displayed, and clicking the Delete button allows deletion of the changed result
          Table. Config Inspection Diagnosis Item Details

      Manage Diagnosis Results

      On the diagnosis result page, you can change the results of items whose diagnosis result is in CHECK status.

      Change Diagnosis Result

      To change the diagnosis result, follow the steps below.

      1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.

      2. Click the Diagnostic Results menu on the Service Home page. It navigates to the Diagnostic Results List page.

      3. On the Diagnosis Result List page, click the item whose diagnosis result is Completed. You will be taken to the Diagnosis Result Details page.

        • Items with a diagnostic result in error state do not display detailed information.
      4. Click the More > Diagnosis Result Management button at the top of the Diagnosis Result Details page. You will be taken to the Diagnosis Result Management page.

      5. Click the Result Change button for the item whose diagnostic result you want to modify on the Diagnostic Result Management page. The Result Change popup window will open.

      6. In the Result Change popup window, select or enter the information required to change the result.

        Category | Required? | Detailed description
        Registrant | - | Diagnosis result change registrant email
        Validity Period | Required | Set the validity period of the diagnostic result
        Change Result | Required | Select the diagnostic result to change among Pass, Check, Fail
        Detailed Reason | Required | Enter the detailed reason for changing the result
        Attachment File | Select | Upload files required for confirming result changes
        • Click the Attach File button to upload files; up to 5 can be registered
        Inspection Result | - | Detailed inspection result display
        Table. Detailed Items of Diagnosis Result Change

      7. Check the entered information and click the Register button. Verify whether the diagnostic results have changed in the Diagnostic Result Management list.

      Delete diagnosis result change history

      To delete the diagnostic result change history, follow the steps below.

      1. Click the All Services > Security > Config Inspection menu. Navigate to Config Inspection’s Service Home page.
      2. Click the Diagnostic Results menu on the Service Home page. Navigate to the Diagnostic Results List page.
      3. Click an item with a completed diagnosis result on the Diagnosis Result List page. It moves to the Diagnosis Result Details page.
        • Items whose diagnostic result is in error state do not display detailed information.
      4. Click the Diagnosis Result Management button at the top of the Diagnosis Result Details page. It navigates to the Diagnosis Result Management page.
      5. On the Diagnosis Result Management page, click the Check Result button for the item whose diagnosis result you want to change. The Check Result popup window opens.
      6. In the Check Result popup window, click the Delete button.

      2.3 - Pre-configuration

      Users must perform cloud pre-configuration such as authentication key creation and access control IP addition through the Samsung Cloud Platform Console to use the Config Inspection service.

      Note
      Items to set vary depending on the type of cloud you use. Refer to the corresponding chapter and set the required items for each cloud.

      Samsung Cloud Platform Console Settings

      To diagnose Samsung Cloud Platform and external clouds in the Config Inspection service, set the following items.

      Check Policies Linked to User Group

      Notice
      • Config Inspection can diagnose Samsung Cloud Platform or external clouds. You can use it by granting appropriate policy requirements to the user group according to the diagnosis target.
        • Check if the user group policy matching your desired diagnosis target is set.
        • If policy creation is required, contact the Account administrator.

      To check the policy of the user group you belong to, follow the procedure below.

      1. Click All Services > Management > IAM menu. You will be redirected to the Service Home page of IAM.
      2. Click User Groups menu on the Service Home page. You will be redirected to the User Group List page.
      3. Click the user group you want to check on the User Group List page. You will be redirected to the User Group Details page.
      4. Click Policies tab on the User Group Details page. You will be redirected to the Policies tab page.
      5. Click the policy you want to check on the Policies tab page. You will be redirected to the Policy Details page.
      6. Check the detailed information on the Policy Details page.
        • Check if the policy information in the table below is set. If necessary, contact the administrator to add the policy.
          Item | Policy Requirement 1 | Policy Requirement 2
          Action | List, Read | Create, Delete, List, Read, Update
          Resource | All resources | Individual resource (Config Inspection)
          Auth Type | All authentication | Temporary key authentication, Console login
          Allowed IP | 123.37.11.42, User-defined IP | User-defined IP
          • Policy Requirement 1: For diagnosis, you must add IP 123.37.11.42 and IP for user console access separately
          Table. Policy setting details for diagnosing all clouds

      Create Authentication Key

      You can check and create authentication keys to use in the Config Inspection service.

      Notice
      • You can create only up to 2 authentication keys.
      • After creating a new authentication key, you must apply the changed API authentication key to the service you are using.

      To create an authentication key in Samsung Cloud Platform Console, follow the procedure below.

      1. Click My Menu > My info. menu in the Console. You will be redirected to the My info. details page.
      2. Click Authentication Key Management tab on the My info. details page. You will be redirected to the Authentication Key Management tab page.
      3. Click Create Authentication Key button on the Authentication Key Management tab page. You will be redirected to the Create Authentication Key page.
        • You can check the authentication key list on the authentication key management page.
      4. Enter the expiration period on the Create Authentication Key page and click OK button.
      5. Check if the created authentication key is displayed in the authentication key list.

      Add Access Allowed IP

      You can add access allowed IPs in Samsung Cloud Platform Console.

      To add access allowed IPs in the Console, follow the procedure below.

      1. Click My Menu > My info. menu in the Console. You will be redirected to the My info. details page.
      2. Click Authentication Key Management tab on the My info. details page. You will be redirected to the Authentication Key Management tab page.
      3. Click Edit icon in Security Settings item on the Authentication Key Management tab page. The Edit Authentication Key Security Settings popup will open.
      4. Enter the authentication method and access allowed IP in the Edit Authentication Key Security Settings popup.
        • Select Authentication Key for authentication method.
        • Set access allowed IP to Enable, enter the IP address, and click Add button.
      5. When adding access allowed IP is complete, click OK button. Check if the information is modified to the entered information in the Security Settings item.

      AWS Settings

      To diagnose AWS (Amazon Web Services) cloud in the Config Inspection service, set the following items.

      Add Permission Policy

      You can add permission policies for users/user groups in AWS Console.

      Add User Permission

      To add user access permission policy in AWS Console, follow the procedure below.

      1. Click IAM > Users in AWS Console.
      2. Select the diagnostic user name from the user list.
      3. Click Permissions tab on the user information page.
      4. Select Add permissions in the permission policy.
        • Select ReadOnlyAccess, ViewOnlyAccess when adding permissions.

      Add User Group Permission

      To add user group access permission policy in AWS Console, follow the procedure below.

      1. Click IAM > User groups in AWS Console.
      2. Select the group the user belongs to from the user group list.
      3. Click Permissions tab on the user group page.
      4. Select Add permissions in the permission policy.
        • Select ReadOnlyAccess, ViewOnlyAccess when adding permissions.

      Add Access Control IP

      If you use an IP access control policy, you must add the block exception IP to that policy.

      Add User Access Control IP

      To add user access control IP in AWS Console, follow the procedure below.

      1. Click IAM > Users in AWS Console.
      2. Select the diagnostic user name from the user list.
      3. Click Permissions tab on the user information page.
      4. Click Edit in IP Access Control Policy in the permission policy item.
        • Add 123.37.24.82 to block exception IP.

      Add User Group Access Control IP

      To add user group access control IP in AWS Console, follow the procedure below.

      1. Click IAM > User groups in AWS Console.
      2. Select the group the user belongs to from the user group list.
      3. Click Permissions tab on the user group page.
      4. Click Edit in IP Access Control Policy in the permission policy item.
        • Add 123.37.24.82 to block exception IP.
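A way to check the block exception described above, as an added example that is not part of the original guide or of any AWS tool. It assumes the IP access control policy follows the common IAM pattern of a Deny statement with a NotIpAddress condition on aws:SourceIp; the sample policy, the 203.0.113.0/24 range and the function names are constructed for illustration.

```python
import copy
import ipaddress

SCANNER_IP = "123.37.24.82"  # block exception IP stated on this page

# Constructed sample policy: deny every call unless the caller's IP is listed.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideAllowedIps",
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
}

def _listify(value):
    return value if isinstance(value, list) else [value]

def _source_ip_blocks(stmt):
    """Yield (operator, key, cidrs) for each aws:SourceIp test in a Deny statement."""
    if stmt.get("Effect") != "Deny":
        return
    for op, tests in stmt.get("Condition", {}).items():
        base = op.replace("IfExists", "")
        for key, value in tests.items():
            # Condition key names are case-insensitive.
            if base in ("IpAddress", "NotIpAddress") and key.lower() == "aws:sourceip":
                yield op, key, _listify(value)

def denying_statements(policy, source_ip):
    """Sids of Deny statements whose aws:SourceIp test matches source_ip."""
    ip = ipaddress.ip_address(source_ip)
    hits = []
    for i, stmt in enumerate(_listify(policy.get("Statement", []))):
        for op, _key, cidrs in _source_ip_blocks(stmt):
            listed = any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
            if listed != op.startswith("Not"):  # NotIpAddress denies unlisted callers
                hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits

def with_exception(policy, source_ip):
    """Copy of policy with source_ip/32 appended to every NotIpAddress deny list."""
    patched = copy.deepcopy(policy)
    for stmt in _listify(patched.get("Statement", [])):
        for op, key, cidrs in list(_source_ip_blocks(stmt)):
            if op.startswith("Not") and f"{source_ip}/32" not in cidrs:
                stmt["Condition"][op][key] = cidrs + [f"{source_ip}/32"]
    return patched
```

Only the aws:SourceIp test is evaluated; other condition keys in the same statement are not taken into account, so a reported statement means the diagnosis IP may be denied and the policy should be reviewed.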

      Generate Access Key

      To generate Access Key in AWS Console, follow the procedure below.

      1. Click IAM > Users in AWS Console.
      2. Select the diagnostic user name from the user list.
      3. Click Security credentials tab on the user information page.
      4. Click Access keys on the Security credentials page.
      5. Create access keys for third-party services on the Create access key page.
        • Make sure to save the created access key information.
      Caution

      Download the Secret Key as a CSV file or record it separately.

      • Secret key information can only be checked when creating the access key and cannot be recovered later.

      Azure Settings

      To diagnose Azure cloud in the Config Inspection service, set the following items.

      Register Entra ID Application

      To register Entra ID Application in Azure Console, follow the procedure below.

      1. Click Microsoft Entra ID > App registrations in Azure Console.
      2. Click New registration on the App registrations page.
      3. Register application (client) ID.
      4. When app registration is complete, check App name, Application (client) ID, Directory (tenant) ID on the overview page.

      Add API Permission

      Note
      To use the Config Inspection service, you must perform this configuration in advance with an account that has been granted the Global Administrator role among the Azure AD roles.

      To add API permission in Azure Console, follow the procedure below.

      1. Click Microsoft Entra ID > App registrations > Entra ID Application registration > created App name > API permissions > Add a permission in Azure Console.
      2. Select Microsoft Graph to add permissions from the API permissions list.
      3. Click Application permissions on the Request API permissions page.
        • Select Application.Read.All, Device.Read.All, Group.Read.All, User.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, GroupMember.Read.All, Policy.Read.All, Reports.Read.All from the permission list.
      4. After adding permissions in App API permission registration, click Grant admin consent for account name.
        • Check that the status changes to Granted for account name.

      Create Client Secret

      To create Client Secret in Azure Console, follow the procedure below.

      1. Click Microsoft Entra ID > App registrations > Entra ID Application registration > created App name > Certificates & secrets in Azure Console.
      2. Click New client secret from the Certificates & secrets list.
      3. When client secret is created, check the Client Secret in the Value item from the list.
        • Make sure to save the Client Secret value.
      Caution
      Client Secret value (Value) can only be checked at creation time. Make sure to record or save it separately.

      Add Subscription Access Permission in Azure Console

      You can add subscription access permissions in Azure Console from Tenant Root Group or individual Subscription. Choose your preferred method to add subscription access permissions.

      Add Permission from Tenant Root Group

      To add subscription access permission in Azure Console from Tenant Root Group, follow the procedure below.

      1. Click Management groups > Overview in Azure Console.
      2. Click Tenant Root Group > Access control (IAM).
        • If you cannot enter the Tenant Root Group menu, change the setting below.
          • Change Microsoft Entra ID > Properties > ‘Account name’ can manage access to all Azure subscriptions and management groups in this tenant. > Yes
        • After adding the permissions, you must change the setting back to No.
      3. Click Add > Add role assignment on the Access control page.
      4. Enter detailed information on the Add role assignment page and click Review+assign.
        • When entering role assignment information, select the information below from the Role and Member tabs to add the App created in Entra ID Application registration. You must add all three permissions below.
          | Category | Permission |
          | --- | --- |
          | Reader | Users, group, or service principal |
          | Key Vault Reader | Users, group, or service principal |
          | Reader and Data Access | Users, group, or service principal |
          Table. Additional permission items when entering role assignment information

      Add Permission from Individual Subscription

      To add subscription access permission in Azure Console from individual Subscription, follow the procedure below.

      1. Click Subscription > Overview in Azure Console.
        • Check Subscription ID from the basic information on the overview page.
      2. Click Subscription > Access control (IAM).
      3. Click Add > Add role assignment on the Access control page.
      4. Enter detailed information on the Add role assignment page and click Review+assign.
        • When entering role assignment information, select the information below from the Role and Member tabs to add the App created in Entra ID Application registration. You must add all three permissions below.
          | Category | Permission |
          | --- | --- |
          | Reader | Users, group, or service principal |
          | Key Vault Reader | Users, group, or service principal |
          | Reader and Data Access | Users, group, or service principal |
          Table. Additional permission items when entering role assignment information

      Add Access Permission via PowerShell

      To add subscription access permission in Azure Console using PowerShell, follow the procedure below.

      1. Run the following command in Cloud Shell > PowerShell in Azure Console.
        • New-AzRoleAssignment -ObjectId "<App's Object ID confirmed in Enterprise Application>" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader' -ObjectType 'ServicePrincipal'
        • If the command does not run, change the setting below.
          • Change Microsoft Entra ID > Properties > ‘Account name’ can manage access to all Azure subscriptions and management groups in this tenant. > Yes
          • After adding permissions, you must change it to No.
      2. Run the following command to check if the setting is complete.
        • Get-AzRoleAssignment -ObjectId "<App's Object ID confirmed in Enterprise Application>" -Scope "/providers/Microsoft.aadiam"
        • If you need to delete permissions, run the following command.
          • Remove-AzRoleAssignment -ObjectId "<App's Object ID confirmed in Enterprise Application>" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader'
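An offline audit of the role assignments set up in the three procedures above (Tenant Root Group, individual Subscription, PowerShell), as an added example that is not part of the original guide. It assumes the assignments were exported with Get-AzRoleAssignment piped to ConvertTo-Json; the IDs, the rg-demo resource group, the admin@example.com user and the function name are constructed placeholders. It also flags a User Access Administrator assignment at root scope "/", which is what the "can manage access to all Azure subscriptions and management groups" setting grants while it is set to Yes.

```python
import json

REQUIRED_ROLES = {"Reader", "Key Vault Reader", "Reader and Data Access"}  # table on this page
AADIAM_SCOPE = "/providers/microsoft.aadiam"  # scope used by the page's New-AzRoleAssignment
ELEVATION_ROLE = "User Access Administrator"  # granted at "/" while the setting is Yes

APP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder app Object ID
SUB_ID = "00000000-0000-0000-0000-000000000000"  # placeholder Subscription ID

# Constructed sample shaped like `Get-AzRoleAssignment | ConvertTo-Json` output.
SAMPLE = json.loads("""[
 {"ObjectId": "11111111-1111-1111-1111-111111111111", "RoleDefinitionName": "Reader",
  "Scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"ObjectId": "11111111-1111-1111-1111-111111111111", "RoleDefinitionName": "Key Vault Reader",
  "Scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"},
 {"ObjectId": "11111111-1111-1111-1111-111111111111", "RoleDefinitionName": "Reader",
  "Scope": "/providers/Microsoft.aadiam"},
 {"ObjectId": "22222222-2222-2222-2222-222222222222", "SignInName": "admin@example.com",
  "RoleDefinitionName": "User Access Administrator", "Scope": "/"}
]""")


def audit(assignments, app_object_id, subscription_id, ancestor_scopes=()):
    """Check the app's roles at subscription level and flag leftover elevated access.

    ancestor_scopes: management-group scopes above the subscription (caller-supplied,
    because the hierarchy cannot be derived from the scope strings alone).
    """
    sub = f"/subscriptions/{subscription_id}".lower()
    covering = {"/", sub} | {s.lower() for s in ancestor_scopes}
    effective, narrow, elevated, aadiam = set(), set(), set(), False
    for a in assignments:
        scope = a["Scope"].lower().rstrip("/") or "/"  # Azure scopes are case-insensitive
        role = a["RoleDefinitionName"]
        if role == ELEVATION_ROLE and scope == "/":
            elevated.add(a.get("SignInName") or a["ObjectId"])
        if a["ObjectId"].lower() != app_object_id.lower():
            continue
        if role == "Reader" and scope == AADIAM_SCOPE:
            aadiam = True
        if role in REQUIRED_ROLES:
            if scope in covering:
                effective.add(role)
            elif scope.startswith(sub + "/"):
                narrow.add(role)  # assigned, but below subscription level
    missing = REQUIRED_ROLES - effective
    return {"missing": sorted(missing), "too_narrow": sorted(narrow & missing),
            "aadiam_reader": aadiam, "elevated_at_root": sorted(elevated)}
```

For the constructed sample, audit(SAMPLE, APP_ID, SUB_ID) reports Key Vault Reader as assigned only at resource-group level, Reader and Data Access as missing, and admin@example.com as still holding elevated access at root scope.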

      3 - Release Note

      Config Inspection

      2025.07.01
      FEATURE Service Offering Expansion
      • We have launched the Config Inspection product, which can comprehensively diagnose and manage security vulnerabilities in the customer’s multi-cloud console.
        • You can register the account (or other cloud account) to be diagnosed for continuous diagnosis, and check the dashboard and detailed results in the Report.
      2025.02.27
      FEATURE Common Feature Changes
      • Samsung Cloud Platform common feature changes
        • Common CX changes have been applied to Account, IAM, Service Home, tags, etc.
      2024.12.23
      NEW Beta version release
      • You can manage Samsung Cloud Platform Console setting vulnerabilities through console diagnostics.
      • A Report is provided in which you can view the security diagnosis results.