1 - Overview

Service Overview

Config Inspection is a service that diagnoses the security level of the Console settings for each Samsung Cloud Platform service. It provides a security checklist organized by area (IAM, Networking, Database, Logging, and so on) and checks the current status through API calls to verify whether the recommended security setting for each diagnostic item is applied.

Users create a diagnostic target by creating the service, then request a diagnosis and view the results through a Report. The report provides the diagnostic request history and per-item diagnostic results; for items that require the user's final confirmation or action, detailed results, including the resource information and an action guide for each item, can be viewed.

Configuration diagram
Figure. Config Inspection configuration diagram

Provided Features

Config Inspection provides the following features.

  • Console Diagnostics: You can call the Console API using an authentication key method to assess the security level.
  • Diagnostic Target Management: Through service creation, you can create and manage a user’s Samsung Cloud Platform account as a diagnostic target.
  • Diagnostic Request: On the resource detail screen, you can request a diagnosis by clicking the Diagnostic Request button.
  • Diagnostic Result Management: In Report, you can view the list of diagnostic requests and detailed diagnostic results, and download them as an Excel file.

Components

Checklist

The checklist is a collection of diagnostic items that serve as the basis for diagnostic results, and the checklist currently provided by Config Inspection is as follows.

  • Refer to Checklist for the detailed diagnostic items of the checklists provided by Samsung Cloud Platform.

Cloud | Checklist name | Number of items
Samsung Cloud Platform | Best Practice | 27
Samsung Cloud Platform | Samsung Security Index (SSI) | 24
Table. Config Inspection checklist types
Reference
The SSI checklist can only be used in the Samsung region.

Report

In the Config Inspection Report, you can view the diagnostic results in the order of result list, result details, and item details.

Category | Detailed description
Diagnostic Result List | All diagnostic request history in the Account
  • Completed: The diagnostic request has been successfully completed
    • Click the instance to view detailed diagnostic results
  • Error: The diagnostic request was not completed successfully
    • If the diagnostic result is an error, detailed diagnostic results are not provided
    • The cause of the error can be found in the Config Inspection details
Detailed Diagnosis Results | Result of a successfully completed diagnostic request (diagnostic item list)
  • PASS: No vulnerable resources exist in the diagnostic item
  • FAIL: Vulnerable resources exist in the diagnostic item
  • CHECK: The user's final confirmation is required regarding the vulnerability
  • ERROR: There is an error with user/authentication key permissions or the API call
  • N/A: No resources correspond to the diagnostic item
Diagnostic Item Details | Detailed results by diagnostic item
Table. Config Inspection Report diagnostic configuration

Prerequisite Service

Config Inspection has no prerequisite service.

1.1 - Checklist

You can view the types of checklists provided by Config Inspection and the detailed diagnostic items for each checklist.

Checklist

A checklist is a collection of diagnostic items that serve as the basis for diagnostic results, and the types of checklists currently provided by Config Inspection are as follows.

Cloud | Checklist name | Number of items
Samsung Cloud Platform | Best Practice | 27
Samsung Cloud Platform | Samsung Security Index (SSI) | 24
Table. Config Inspection checklist types
Reference
The SSI checklist can only be used in the Samsung region.

Best Practice

The detailed diagnostic items of the Best Practice checklist provided by Samsung Cloud Platform are as follows.

Area | Diagnostic items
IAM
  • The authority to manage Account users should be granted only to users who need to manage IAM Users, in accordance with the principle of least privilege.
  • There must be no long‑term inactive users.
  • A policy that allows access only from authorized IPs for all users must be applied.
  • Permissions must be granted according to the principle of least privilege, taking into account job duties and usage purposes.
Networking
  • A NAT Gateway must not be created in a Private Subnet that does not require Internet access.
  • Network integration products must use a firewall.
  • Unnecessary local subnets must not exist, and only the Virtual Server (VM) or Bare Metal Server (BM) required for operation may be connected within the created local subnet.
  • Remote access ports for each protocol must have Internet access blocked, and connections should be allowed only for specified IPs that require access.
  • Security Groups should register only the necessary rules on an IP/Port basis.
  • The firewall of network integration products should register only the necessary rules on an IP/Port basis.
Compute
  • When using a Cloud Functions function URL, you must apply access control.
Container
  • The control plane of the Kubernetes cluster must not use public endpoints.
  • Only authorized resources should be allowed to access the private endpoints of the Kubernetes cluster.
  • Restrict access to the Container Registry so that only authorized IP resources can connect.
  • Enable vulnerability scanning for Container Registry images and remediate any discovered vulnerabilities.
  • Prevent the use of vulnerable images in the Container Registry.
Database
  • DB must be deployed in a Private Subnet and have internet access blocked.
  • KMS Keys must grant the minimum necessary permissions only to entities that require access.
  • KMS Keys must be rotated periodically (within 90 days) using the automatic rotation feature.
Logging
  • Enable the Trail service of Logging&Audit and set the scope to all regions/resource types/users.
  • Set the log file verification of Logging&Audit Trail to enabled.
  • The Trail logs of Logging&Audit must be retained for at least one year.
  • Security Group must have logging enabled.
  • Enable NAT logging for Internet Gateway.
  • Enable control plane logging for Kubernetes Engine clusters.
  • Network integration products must have Firewall logging enabled.
  • DB audit logs must be stored.
Table. Samsung Cloud Platform Best Practice checklist items
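As an added illustration, not code from the Config Inspection service or its API, the Python snippet below shows how a few of the Best Practice items above could be evaluated against an inventory snapshot and labelled with the result values the Report uses (PASS, FAIL, CHECK, ERROR, N/A). The inventory layout, the 90-day inactivity threshold, the remote-access port list and the sample resources are all constructed assumptions for this example; the page does not document the service's own API or thresholds.

```python
"""Constructed example: evaluating Best Practice-style checklist items against
an inventory snapshot and labelling each item PASS / FAIL / CHECK / ERROR / N/A
the way the Config Inspection report does. Inventory shape, thresholds and
port list are assumptions, not the service's own API or criteria."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
INACTIVE_AFTER = timedelta(days=90)               # assumed "long-term inactive" threshold
REMOTE_ACCESS_PORTS = {22, 3389}                  # assumed remote-access ports (SSH, RDP)
ANY_SOURCE = {"0.0.0.0/0", "::/0"}                # "open to the Internet" sources

INVENTORY = {  # constructed snapshot, not real console output
    "users": [
        {"name": "alice", "last_login": "2024-05-30T10:00:00+00:00"},
        {"name": "bob",   "last_login": "2023-11-01T00:00:00+00:00"},
    ],
    "kms_keys": [
        {"id": "key-1", "auto_rotation": True,  "rotation_days": 90},
        {"id": "key-2", "auto_rotation": False, "rotation_days": None},
    ],
    "security_groups": [
        {"name": "web-sg", "rules": [
            {"direction": "inbound", "port": 443, "source": "0.0.0.0/0"},
            {"direction": "inbound", "port": 22,  "source": "0.0.0.0/0"},
        ]},
        {"name": "bastion-sg", "rules": [
            {"direction": "inbound", "port": 22, "source": "203.0.113.10/32"},
        ]},
    ],
    "databases": [],  # no DB resources, so DB items come out N/A
}


def check_inactive_users(inv, now=NOW):
    """IAM: there must be no long-term inactive users."""
    stale = [u["name"] for u in inv["users"]
             if now - datetime.fromisoformat(u["last_login"]) > INACTIVE_AFTER]
    return ("FAIL" if stale else "PASS", stale)


def check_least_privilege(inv):
    """IAM: permissions follow least privilege by job duty. Settings alone cannot
    decide this, so the item is CHECK and the user list goes to the reviewer."""
    return ("CHECK", [u["name"] for u in inv["users"]])


def check_kms_rotation(inv):
    """Database: KMS keys rotated within 90 days using automatic rotation."""
    keys = inv["kms_keys"]
    if not keys:
        return ("N/A", [])
    bad = [k["id"] for k in keys
           if not k["auto_rotation"] or k["rotation_days"] is None or k["rotation_days"] > 90]
    return ("FAIL" if bad else "PASS", bad)


def check_remote_access_exposed(inv):
    """Networking: remote-access ports must have Internet access blocked."""
    groups = inv["security_groups"]
    if not groups:
        return ("N/A", [])
    exposed = [f'{g["name"]}:{r["port"]}' for g in groups for r in g["rules"]
               if r["direction"] == "inbound" and r["port"] in REMOTE_ACCESS_PORTS
               and r["source"] in ANY_SOURCE]
    return ("FAIL" if exposed else "PASS", exposed)


def check_db_private(inv):
    """Database: DB deployed in a private subnet with Internet access blocked."""
    dbs = inv["databases"]
    if not dbs:
        return ("N/A", [])
    public = [d["id"] for d in dbs if d["public_access"] or not d["private_subnet"]]
    return ("FAIL" if public else "PASS", public)


CHECKS = {
    "IAM/no-inactive-users": check_inactive_users,
    "IAM/least-privilege": check_least_privilege,
    "Database/kms-auto-rotation": check_kms_rotation,
    "Networking/remote-access-blocked": check_remote_access_exposed,
    "Database/db-private-subnet": check_db_private,
}


def run_checklist(inv):
    """Return {item: (result, findings)}. A missing inventory section (the API
    call that should have filled it failed or was not permitted) yields ERROR
    for that item only, so the rest of the report is still produced."""
    report = {}
    for item, fn in CHECKS.items():
        try:
            report[item] = fn(inv)
        except KeyError as exc:
            report[item] = ("ERROR", [f"missing inventory section {exc}"])
    return report


if __name__ == "__main__":
    for item, (result, findings) in run_checklist(INVENTORY).items():
        print(f"{result:5} {item} {findings}")
```

The findings list attached to each result is what the Report's per-item detail view corresponds to: the resources a FAIL points at, or the list a CHECK hands to the user for final confirmation.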

Samsung Security Index (SSI)

The detailed diagnostic items of the Samsung Security Index (SSI) checklist provided by Samsung Cloud Platform are as follows.

Area | Diagnostic items
IAM
  • Have you granted the authority to manage Account users to the minimum personnel?
  • Are there any unused accounts?
  • Do you enforce access control for all Samsung Cloud Platform users?
  • Are you minimizing user permissions according to job duties and usage purposes?
Networking
  • Is a Private Subnet that does not require external system access for business prohibited from connecting to a NAT Gateway?
  • Does the network integration product use a firewall?
  • Is the local subnet connected only to the resources that are needed?
  • Have only the necessary rules at the IP/Port level been registered in all Security Groups?
  • Has the firewall of the network integration product been configured with only the necessary rules at the IP/Port level?
Container
  • Are you enforcing access control on Cloud Functions?
  • Have you set the Kubernetes Engine API Server endpoint to private?
  • Are you restricting access to the Kubernetes Engine API Server endpoint?
  • Are you enforcing access control on Container Registry?
  • Have you completed vulnerability scanning and remediation for Container Registry images?
  • Are you restricting pulls of vulnerable images?
Database
  • Is the DB configured within a dedicated private subnet and its internet access blocked?
  • Have you granted only the entities that require access to the KMS key the minimal necessary permissions?
  • Is the KMS key automatically rotated on a regular basis?
Logging
  • Have you enabled the Trail service of Logging&Audit and set its scope to all?
  • Have you configured integrity verification for log files?
  • Are you storing the Trail logs of Logging&Audit?
  • Have you enabled Security Group logging?
  • Have you enabled Firewall logging for network‑integrated products?
  • (If using DBaaS) Have you enabled DB Audit?
Table. Samsung Cloud Platform SSI checklist items

2 - How-to guides

Users can create the service by entering the required information for the Config Inspection service and selecting detailed options through the Samsung Cloud Platform Console.

Create Authentication Key

To create and use the Config Inspection service in the Samsung Cloud Platform Console, you need to generate an authentication key in advance.

Authentication key creation can be done from My menu > My Info. > Authentication Key Management > Create Authentication Key. For more details, refer to Manage Authentication Keys.

Reference
  • The expiration period of the authentication key is up to 365 days.
  • To generate an authentication key that does not expire, create it as a permanent key.

Create Config Inspection

You can create and use the Config Inspection service in the Samsung Cloud Platform Console.

Reference
Users must belong to the AdministratorGroup user group in order to properly use the services provided by the Config Inspection service.

To create a Config Inspection, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Create Config Inspection button. You will be taken to the Create Config Inspection page.
  3. On the Create Config Inspection page, enter the information required to create the service and select detailed options.
    • Enter or select the required information in the Service Information Input area.
      Category | Required | Detailed description
      Diagnosis Type | - | Automatic configuration via Console
      Cloud | Required | Select the cloud to diagnose
      • SCP: Samsung Cloud Platform
      • AWS: Amazon Web Services
      • Azure: Microsoft Azure
      • Detailed input fields vary depending on the selected cloud type
      Diagnostic Target > Diagnosis Name | Required | Name to distinguish the diagnostic target
      • The entered value is used as the resource name
      • Enter up to 25 characters using English letters, numbers, and the special characters - and _
      Diagnostic Target > Diagnostic Account | Required | Console information to be diagnosed
      • Select the Account ID to diagnose from the list
      • Selecting the same Account ID again results in duplicate requests and incurs additional charges
      • If AWS is selected, enter the Account ID (12 digits) of the diagnostic account
      • If Azure is selected, enter the Subscription ID (36 characters, including letters, numbers, and special characters) of the diagnostic account
      Diagnostic Schedule > Checklist | Required | Set automatically when Use is selected for the diagnostic schedule
      Diagnostic Schedule > Diagnostic Cycle | Required | Select the diagnosis interval
      • The diagnosis runs on the selected date according to the specified interval
      • If Monthly is selected, the diagnosis may not run on the selected date
        • Example: if the 31st is selected, the diagnosis is not performed in a month that has no 31st, such as February
      Diagnostic Schedule > Start Time | Required | Select the diagnostic start time
      • Set the hour and minute at which the diagnosis starts
      Authentication Key | Required | Select the authentication key to use for Open API calls
      • Click the Select button and choose the appropriate authentication key from the list in the Authentication Key Selection popup
      • If no selectable authentication key is available, click Authentication Key Management to create a new one
      Pricing Plan | Optional | Select the plan to use
      • Standard: Charged based on the number of diagnoses
      • Monthly subscription: Charged a fixed amount each month regardless of the number of diagnoses (up to 30 diagnoses per month)
      • The plan cannot be changed after the service is requested
      Table. Config Inspection service information input items
    • In the Additional Information Input area, enter or select the required information.
      Category | Required | Detailed description
      Tag | Optional | Add tags
      • Up to 50 tags can be added per resource
      • After clicking the Add Tag button, enter or select the Key and Value
      Table. Config Inspection additional information input items
  4. Check the detailed information and estimated billing amount in the Summary panel, and click the Create button.
    • When creation is complete, check the created resource on the Config Inspection List page.

Check detailed information of Config Inspection

The Config Inspection service lets you view and edit the full resource list and detailed information. The Config Inspection Details page consists of the Details, Tags, and Work History tabs.

To view detailed information of the Config Inspection service, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.
  3. On the Config Inspection List page, click the resource to view its details. You will be taken to the Config Inspection Details page.
    • The Config Inspection Details page displays status information and additional feature information, and consists of the Details, Tags, and Work History tabs.
      Category | Detailed description
      Status | Displays the status of Config Inspection
      • Ready: No diagnostic request has been made since the service was created (diagnostic request possible)
      • In Progress: A diagnostic request is being executed (diagnostic request and service termination not allowed)
      • Error: An error occurred in the diagnostic request (diagnostic request possible)
      • Completed: The diagnostic request completed successfully (diagnostic request possible)
      Diagnostic Request | Button to perform console diagnostics
      Service Termination | Button to cancel the service
      Table. Config Inspection status information and additional features

Detailed Information

The Details tab shows the detailed information of the selected resource and lets you modify it if necessary.

Category | Detailed description
Service | Service name
Resource Type | Resource type
SRN | Unique resource ID in Samsung Cloud Platform
Resource name | Resource name
Resource ID | Unique resource ID in the service
Creator | User who created the service
Creation date and time | Service creation timestamp
Editor | User who edited the service information
Modification date | Date and time the service information was modified
Diagnosis Type | Diagnostic types offered by the service
Cloud | Diagnosis target type
Diagnostic target | Console information for the diagnostic target
  • Provides the diagnostic target's diagnosis name and diagnostic account information
  • If the diagnostic target is AWS or Azure, you can click the Edit icon to modify the diagnostic account
Pricing plan | Selected plan type
Recent diagnosis date/time | Timestamp of the last executed diagnostic request
Recent diagnostic result | Result of the most recent diagnostic request
  • COMPLETED: The diagnostic request completed successfully
  • ERROR: The diagnostic request did not complete successfully
    • UNAUTHORIZED: The permissions of the key used for the diagnostic request need to be verified
    • INVALID_INPUT_VALUE: Input values such as the diagnostic account need to be verified
    • CONNECTION_FAIL: Console access control settings need to be verified
    • ETC: Other errors such as diagnostic engine issues; contact the service desk
  ※ Diagnostic results can be viewed in the Security > Config Inspection > Report menu
Authentication key | The authentication key of the user registered when the service was created
  • Access Key, user, and status information are provided
  • The Access Key information and the edit icon are displayed only to the user who created that authentication key
    • Click the edit icon to modify the authentication key
  • If the authentication key is deleted, its status is shown as -; if it has expired, it is shown as expired
  • Authentication key information (Access Key, status) for resources created by other users is displayed as -
Diagnostic Schedule | Displays the selected diagnostic schedule information
  • If the diagnostic target is SCP, you can click the Edit icon to change the diagnostic schedule
Table. Config Inspection Details tab items

Tags

The Tags tab shows the tag information of the selected resource and lets you add, modify, or delete tags.

Category | Detailed description
Tag list | List of tags
  • You can view the Key and Value information of each tag
  • Up to 50 tags can be added per resource
  • When entering a tag, you can search and select from the list of previously created Keys and Values
Table. Config Inspection Tags tab items

Work History

The Work History tab shows the operation history of the selected resource.

Category | Detailed description
Work history list | Resource change history
  • Shows the operation time, resource ID, resource name, operation details, event topic, operation result, and operator information
Table. Config Inspection Work History tab items

Config Inspection Resource Management

If you need to view the status of a Config Inspection resource or request a diagnosis, you can perform the task on the Config Inspection List or Config Inspection Details page.

Modify authentication key

You can select the authentication key to use for diagnosis for each diagnostic target.

To modify the service’s authentication key, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.
  3. On the Config Inspection List page, click the resource whose authentication key you want to edit. Then go to the Config Inspection Detail page.
  4. Check the authentication key and click the Edit icon. The Edit Authentication Key popup window opens.
  5. In the Edit Authentication Key popup, select the authentication key to use and click the Confirm button.
    Category | Detailed description
    Authentication key | Authentication key detailed information
    Creation date and time | Authentication key creation date
    Expiration date and time | Authentication key expiration date
    Status | Authentication key status
    • Active: Usable
    • Expired: Usage period expired
    Table. Authentication key edit popup items
Reference
  • If the authentication key is deleted, it is displayed in the - state.
  • The authentication key information (authentication key, status) of resources created by other users is displayed as -.

Request Diagnosis

You can request a diagnosis from the Console based on the configured checklist.

To request a console diagnosis, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.

  2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.

  3. On the Config Inspection List page, click the resource you want to request a diagnosis for. You will be taken to the Config Inspection Details page.

  4. On the Config Inspection Details page, click the Diagnostic Request button. The Diagnostic Request popup opens.

  5. In the Diagnosis Request popup, enter the information required for the diagnosis and click the Confirm button.

    • The items in the Diagnostic Request popup vary depending on the selected console.
      Category | Detailed description
      Console access method | Fixed to the authentication key method
      Checklist | Set to Best Practice when SCP is selected
      Authentication key | If SCP is selected, choose the pre-generated authentication key
      Access Key | If AWS is selected, enter the Access Key
      Secret Key | If AWS is selected, enter the Secret Key
      Client ID | If Azure is selected, enter the Client ID
      Client Secret | If Azure is selected, enter the Client Secret
      Tenant ID | If Azure is selected, enter the Tenant ID
      Table. Diagnosis request popup items
  6. Check the status value on the Config Inspection list page.

    • When the diagnostic request is completed, the status value is displayed as Completed or Error.
    • In the case of Completed, you can view the diagnostic request results in the diagnostic results menu. For more details, refer to Report Management.
Reference
For detailed information on the prerequisite settings required to run diagnostics for each console, see Set up prerequisites.

Terminate Config Inspection

You can cancel the Config Inspection service you are not using. However, canceling Config Inspection will delete all stored diagnostic data.

Caution
  • If you terminate the resource, all diagnostic data will be deleted, and you will not be able to view diagnostic results in the Report.
  • If the status of the Config Inspection service is In Progress, the service cannot be terminated.

To disable Config Inspection, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.
  3. On the Config Inspection List page, click the resource to be terminated. You will be taken to the Config Inspection Details page.
  4. On the Config Inspection Details page, click the Cancel Service button.
  5. After the termination is complete, check on the Config Inspection List page whether the resource has been terminated.

2.1 - Check Dashboard

Users can view the diagnostic results of the Config Inspection service at a glance on the dashboard through the Samsung Cloud Platform Console.

Check Dashboard

On the dashboard page, you can view the status of Config Inspection diagnostic targets, diagnostic history, and more.

To view the dashboard, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Dashboard menu. You will be taken to the Dashboard page.
  3. Check the summary of diagnostic results on the Dashboard page.
    • At the top of the Dashboard page, you can filter the dashboard information by period or diagnosis name.
      • Period: You can set a period within six months of the current month to view a summary of the diagnostic results.
      • Diagnosis Name: Select All to view a summary of all diagnostic results, or select a diagnostic account to view the detailed information for that diagnostic result.
    • Click the Download button to download the information displayed on the Dashboard page as a PDF file.
      Category | Detailed description
      Security level (overall) | Displays the average of the latest diagnostic results for all targets
      • Recent diagnostic results are displayed in the list
      • Diagnostic score formula: (Total - (Fail + Error + Check)) / Total x 100
      Diagnosis status by period | Displays the diagnostic status by target during the search period
      • Diagnosis Completed: Shows recent completed diagnosis records
      • Diagnosis Error: Shows recent diagnosis error records; selecting a diagnosis name navigates to the detailed diagnosis result page
      Summary of diagnostic results by period (overall) | Displays a summary of the diagnostic results (overall) during the search period
      • Selecting a diagnosis name from the list navigates to the detailed diagnostic result page
      Table. Detailed dashboard item description for overall diagnostic results
      Category | Detailed description
      Security level | Displays the latest diagnostic result score for the selected diagnostic account
      • Recent diagnostic results are displayed in the list
      Summary of diagnostic results by period | Displays a summary of the diagnostic results for the selected diagnostic account within the search period
      Vulnerability status by period | Displays the vulnerability assessment results of the diagnostic account as a graph during the search period
      • When a graph is selected, detailed information of the vulnerable items in the assessment results is displayed
      Table. Detailed dashboard item description for diagnostic results per diagnostic account
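The score formula and the overall security level described in the dashboard tables, worked through in an added Python example that is not the service's own code. The per-target score follows the page's formula with Total read as the All column (every checklist item, N/A included); the overall figure is the average of each target's latest completed result; period filtering and the Completed/Error counts mirror the Diagnosis status by period row. The diagnosis request records are constructed sample data.

```python
"""Constructed example: Config Inspection-style security level computation.
score = (Total - (Fail + Error + Check)) / Total x 100, per the page;
overall = average of each target's latest completed result. Records are
constructed sample data, not output of the service."""

RESULTS = [  # constructed diagnosis request records (ISO timestamps, one format)
    {"target": "prod-scp", "when": "2024-05-01T02:00:00", "status": "Completed",
     "PASS": 20, "FAIL": 3, "CHECK": 2, "ERROR": 1, "N/A": 1},
    {"target": "prod-scp", "when": "2024-05-15T02:00:00", "status": "Completed",
     "PASS": 23, "FAIL": 1, "CHECK": 2, "ERROR": 0, "N/A": 1},
    {"target": "dev-scp",  "when": "2024-05-10T02:00:00", "status": "Completed",
     "PASS": 24, "FAIL": 0, "CHECK": 0, "ERROR": 0, "N/A": 3},
    {"target": "dev-scp",  "when": "2024-05-20T02:00:00", "status": "Error"},
    # an Error request carries no per-item counts: the page says no detail is provided
]

COUNT_KEYS = ("PASS", "FAIL", "CHECK", "ERROR", "N/A")


def security_score(rec):
    """Page formula. Total is the 'All' column, i.e. all items including N/A,
    so N/A items neither help nor hurt the score; CHECK counts against it
    until the user confirms the item."""
    total = sum(rec[k] for k in COUNT_KEYS)
    if total == 0:
        return None  # nothing diagnosed; no score rather than a misleading 0
    return (total - (rec["FAIL"] + rec["ERROR"] + rec["CHECK"])) / total * 100


def in_period(records, start=None, end=None):
    """Records whose request time falls inside [start, end]. ISO strings in one
    fixed format compare correctly as text, so no parsing is needed here."""
    return [r for r in records
            if (start is None or r["when"] >= start)
            and (end is None or r["when"] <= end)]


def status_counts(records):
    """The Diagnosis status by period row: completed vs. error requests."""
    counts = {"Completed": 0, "Error": 0}
    for r in records:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


def latest_completed(records):
    """Latest Completed record per target. Error requests are skipped because
    they have no item results and therefore no score."""
    latest = {}
    for r in records:
        if r["status"] != "Completed":
            continue
        current = latest.get(r["target"])
        if current is None or r["when"] > current["when"]:
            latest[r["target"]] = r
    return latest


def dashboard_summary(records, start=None, end=None):
    """Overall security level plus per-target scores for the search period.
    The average is taken over unrounded scores; rounding happens only for display."""
    window = in_period(records, start, end)
    scores = {t: security_score(r) for t, r in latest_completed(window).items()}
    scores = {t: s for t, s in scores.items() if s is not None}
    overall = sum(scores.values()) / len(scores) if scores else None
    return {
        "overall": None if overall is None else round(overall, 1),
        "targets": {t: round(s, 1) for t, s in scores.items()},
        "status": status_counts(window),
    }


if __name__ == "__main__":
    print(dashboard_summary(RESULTS))
    print(dashboard_summary(RESULTS, start="2024-05-01", end="2024-05-12"))
```

With the sample records, prod-scp's latest completed run scores 24/27, dev-scp's scores 27/27, and the overall level is their average; narrowing the period to the first half of May picks prod-scp's earlier run instead and drops the later Error request from the status counts.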

2.2 - Manage Diagnosis Results

You can view the results of Config Inspection diagnostic requests on the Diagnosis Results page and modify the diagnostic results.

Reference

The diagnostic results are generated when a diagnostic request is made in the Config Inspection service, and they are deleted when the service is terminated.

Check diagnosis results

On the Diagnosis Results page, you can view the results of diagnostic requests.

Check diagnostic result list

To view the list of diagnostic results, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Diagnosis Results menu. You will be taken to the Diagnosis Results List page.
  3. View the summary information of the diagnostic results on the Diagnosis Results List page.
    Category | Detailed description
    Diagnosis name | Resource name
    Diagnostic account | Console information subject to diagnosis
    Checklist | Collection of diagnostic items that serve as the basis for diagnostic results
    PASS | Number of checklist items with a diagnosis result of PASS (normal)
    FAIL | Number of checklist items with a diagnosis result of FAIL (vulnerable)
    CHECK | Number of checklist items with a diagnosis result of CHECK (verification required)
    ERROR | Number of checklist items with a diagnosis result of ERROR (diagnosis not possible)
    N/A | Number of checklist items with a diagnosis result of N/A (not applicable)
    All | Total number of checklist items
    Diagnostic result | Diagnosis request result
    • Completed: The diagnosis request has been successfully completed; click Completed to go to the detail page
    • Error: The diagnosis request was not completed successfully; detailed information is not available for error items
    Diagnosis date and time | Diagnosis request date and time
    Table. Diagnosis result list items

View detailed diagnostic result information

To view detailed information of the diagnostic results, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Diagnosis Results menu. You will be taken to the Diagnosis Results List page.
    • On the Diagnosis Results List page, you can enter a diagnosis name in the search area or click the Detailed Search button to perform a search.
  3. On the Diagnosis Results List page, click the item whose diagnostic result is Completed. You will be taken to the Diagnosis Result Details page.
    • Items with a diagnostic result in error status do not display detailed information.
  4. On the Diagnosis Result Details page, view the detailed diagnosis results.
    Category | Detailed description
    Excel download | Download the detailed diagnosis results list as an Excel file
    More > Diagnosis Result Management | Go to the Diagnosis Result Management page
    Checklist | Collection of diagnostic items that serve as the basis for diagnostic results
    Area | Diagnostic scope (services of Samsung Cloud Platform)
    Diagnostic items | Recommended security standards for each service configuration
    Result | Inspection result against the diagnostic item criteria
    Table. Detailed diagnosis result items
  5. Click a diagnostic item to view its detailed information. The Diagnostic Item Details popup opens.
    • In the Diagnostic Item Details popup, you can view the following information.
      Category | Detailed description
      Area | Diagnostic scope (services of Samsung Cloud Platform)
      Diagnostic items | Recommended security standards for each service configuration
      Result | Inspection result against the diagnostic item criteria
      Diagnostic criteria | Criteria used to evaluate the result
      Diagnostic method | How to check the current settings
      Action Guide | Configuration method that meets the security standard
      Detailed results | Resource information and settings for the diagnostic item
      Change diagnosis result | Button to modify the diagnosis result
      • When the diagnosis result has been modified, the Check Result button is displayed; clicking the Delete button removes the modified result
      Table. Config Inspection diagnostic item details

    Manage Diagnostic Results

    On the diagnosis results page, you can modify the results of items whose diagnosis status is CHECK.

    Change Diagnosis Result

    To change the diagnostic result, follow the steps below.

    1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.

    2. On the Service Home page, click the Diagnosis Results menu. You will be taken to the Diagnosis Results List page.

    3. On the Diagnosis Result List page, click the item whose diagnosis result is Completed. You will be taken to the Diagnosis Result Details page.

      • Items with a diagnostic result in error status do not display detailed information.
    4. On the Diagnosis Result Details page, click the More > Diagnosis Result Management button at the top. You will be taken to the Diagnosis Result Management page.

    5. On the Diagnosis Result Management page, click the Change Result button for the item whose diagnosis result you want to modify. The Change Result popup window will open.

    6. Result Change In the popup window, select or enter the information required to change the result.

      CategoryRequiredDetailed description
      Registrant-Diagnostic result change registrant email
      Validity periodRequiredSet the diagnostic result validity period
      Result changeRequiredSelect the diagnostic result to change among Pass, Check, Fail
      Detailed reasonRequiredEnter the detailed reason for changing the result.
      Attached fileSelectUpload the files required to verify result changes
      • Click the Attach File button to upload files, up to 5 can be registered
      Inspection Result-Display detailed inspection results
      Table. Detailed items of diagnostic result changes

    7. Review the entered information and click the Register button. Verify whether the diagnostic results have changed in the Diagnostic Result Management list.

    Delete diagnostic result change history

    To delete the diagnostic result change log, follow these steps.

    1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
    2. On the Service Home page, click the Diagnosis Results menu. You will be taken to the Diagnosis Results List page.
    3. On the Diagnosis Result List page, click the item whose diagnosis result is Completed. You will be taken to the Diagnosis Result Details page.
      • Items with a diagnostic result in error status do not display detailed information.
    4. On the Diagnosis Result Details page, click the More > Diagnosis Result Management button at the top. You will be taken to the Diagnosis Result Management page.
    5. On the Diagnosis Result Management page, click the Check Result button for the item whose change history you want to delete. The Check Result popup will open.
    6. In the Check Result popup window, click the Delete button.

    2.3 - Pre-configuration

    Before using the Config Inspection service, users must complete the pre-configuration for each cloud to be diagnosed, such as generating authentication keys and adding access-control IPs, through the cloud's console.

    Reference
    The configuration items vary depending on the cloud type you use. Refer to the appropriate chapter and configure the required items for each cloud.

    Configuring Samsung Cloud Platform Console

    To diagnose Samsung Cloud Platform and external clouds in the Config Inspection service, set the items below.

    Check policies attached to user groups

    guide
    • Config Inspection can diagnose the Samsung Cloud Platform or external clouds. Depending on the diagnostic target, the user group needs one of the policy requirements listed below.
      • Verify that a user group policy matching the desired diagnostic target is configured.
      • If a policy needs to be created, contact the Account administrator.

    To check the policy of the user group to which the user belongs, follow the steps below.

    1. Click the All Services > Management > IAM menu. Go to the Service Home page of IAM.
    2. On the Service Home page, click the User Group menu. You will be taken to the User Group List page.
    3. On the User Group List page, click the user group you want to view. You will be taken to the User Group Details page.
    4. On the User Group Details page, click the Policy tab. You will be taken to the Policy tab page.
    5. Click the policy you want to view on the Policy tab page. You will be taken to the Policy Details page.
    6. Check the detailed information on the Policy Details page.
      • Verify that the policy information in the table below is configured. If necessary, contact the administrator to add the policy.
        Item | Policy Requirement 1 | Policy Requirement 2
        Action | List, Read | Create, Delete, List, Read, Update
        Applied resource | All resources | Individual resource (Config Inspection)
        Authentication type | All authentication | Temporary key authentication, Console login
        Applied IP | Custom IP | Custom IP
        • For the Custom IP, the diagnostic IP is 123.37.11.42; the IP from which the user accesses the console must be added separately. Allow only these IPs rather than opening the policy to all addresses.
        Table. Detailed policy setting items for all cloud diagnostics

    Generate authentication key

    You can view and generate the authentication key used for the Config Inspection service.

    guide
    • You can create a maximum of two authentication keys.
    • After generating a new authentication key, you must apply the updated API authentication key to the services you are using.

    To create an authentication key in the Samsung Cloud Platform Console, follow these steps.

    1. Click the My menu > My info. menu in the Console. You will be taken to the My info. detail page.
    2. On the My info. detail page, click the API Key Management tab. You will be taken to the API Key Management tab page.
    3. On the API Key Management tab page, click the Create Key button. You will be taken to the Create Key page.
      • You can view the list of authentication keys on the authentication key management page.
    4. On the Create Key page, enter the expiration period and click the Confirm button.
    5. Verify that the generated authentication key is displayed in the authentication key list.

    Add allowed IP

    You can add allowed IP addresses in the Samsung Cloud Platform Console.

    To add an allowed IP for the Console, follow these steps.

    1. Click the My menu > My info. menu in the Console. Go to the My info. detail page.
    2. On the My info. detail page, click the API Key Management tab. You will be taken to the API Key Management tab page.
    3. On the API Key Management tab page, click the Edit icon of the Security Settings item. The Edit Authentication Key Security Settings popup opens.
    4. In the Edit Authentication Key Security Settings popup window, select the authentication method and enter the allowed IP address.
      • Set the authentication method to Authentication key.
      • Set the allowed access IP to Use, enter the IP address, and click the Add button.
    5. When the allowed IP addition is complete, click the Confirm button. Verify that the Security Settings item has been updated with the entered information.

    Configure AWS

    To diagnose the AWS (Amazon Web Services) cloud in the Config Inspection service, set the items below.

    Add permission policy

    You can add permission policies for users or user groups in the AWS Console.

    Add user permission

    To add a user access policy in the AWS Console, follow these steps.

    1. Click IAM > Users in the AWS Console.
    2. Select the diagnostic user name from the user list.
    3. Click the Permissions tab on the user information page.
    4. Select Add Permission in the permission policy.
      • When adding permissions, select the AWS managed policies ReadOnlyAccess and ViewOnlyAccess. Both are read-only, which is all the diagnosis requires.

    Add user group permissions

    To add a user group access permission policy in the AWS Console, follow these steps.

    1. Click IAM > User Groups in the AWS Console.
    2. Select the group that the user belongs to from the user group list.
    3. Click the Permissions tab on the user group page.
    4. Select Add Permission in the permission policy.
      • When adding permissions, select the AWS managed policies ReadOnlyAccess and ViewOnlyAccess.

    Add access control IP

    If you are using an IP access control policy, you need to add an exception IP to the policy.

    Add user access control IP

    To add a user access control IP in the AWS Console, follow these steps.

    1. Click IAM > Users in the AWS Console.
    2. Select the diagnostic user name from the user list.
    3. Click the Permissions tab on the user information page.
    4. In the permissions policies list, click Edit on the IP access control policy.
      • Add 123.37.24.82 to the block exception IP list.

    Add IP to user group access control

    To add a user group access control IP in the AWS Console, follow these steps.

    1. Click IAM > User Groups in the AWS Console.
    2. Select the group that the user belongs to from the list of user groups.
    3. Click the Permissions tab on the user group page.
    4. In the permissions policies list, click Edit on the IP access control policy.
      • Add 123.37.24.82 to the block exception IP list.

    Access Key creation

    To create an Access Key in the AWS Console, follow these steps.

    1. Click IAM > Users in the AWS Console.
    2. Select the diagnostic user name from the user list.
    3. Click the Security Credentials tab on the user information page.
    4. On the Security Credentials page, click Access Keys.
    5. On the Create access key page, select the third-party service use case and create the access key.
      • Be sure to save the generated access key information.
    Caution
    The secret access key can be downloaded as a CSV file or recorded separately.
    • The secret access key can only be viewed when the access key is created and cannot be retrieved later.
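
The three AWS steps above (read-only permissions, IP access control exception, access key) can also be done from the shell. The following is an added example written for this page with AWS Tools for PowerShell, not a script from the Samsung Cloud Platform documentation or from AWS. The IAM user and group names, account ID, IP policy name and corporate CIDR are placeholders, and the IP access control policy is assumed to have the common shape of an explicit Deny whose NotIpAddress condition holds the exception list; adjust it to match your own policy.

```powershell
# Added example (not from the Samsung Cloud Platform documentation).
# Requires the AWS.Tools.IdentityManagement module and credentials with IAM write access.
Import-Module AWS.Tools.IdentityManagement

$DiagUser     = 'config-inspection'          # assumed IAM user used for diagnostics
$DiagGroup    = 'config-inspection-group'    # assumed IAM group of that user
$AccountId    = '123456789012'               # assumed AWS account ID
$IpPolicyName = 'IpAccessControlPolicy'      # assumed name of your customer-managed IP policy
$CorpCidrs    = @('203.0.113.0/24')          # assumed: IPs already allowed today; they must be kept
$DiagIp       = '123.37.24.82/32'            # diagnostic source IP given in this guide

# 1. Read-only permissions: AWS managed policies (ViewOnlyAccess lives under job-function/).
$ReadOnlyArns = @(
    'arn:aws:iam::aws:policy/ReadOnlyAccess',
    'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
)
foreach ($arn in $ReadOnlyArns) {
    Register-IAMUserPolicy  -UserName  $DiagUser  -PolicyArn $arn
    Register-IAMGroupPolicy -GroupName $DiagGroup -PolicyArn $arn
}

# 2. IP access control: the "block exception" list is the NotIpAddress condition on a Deny.
#    aws:ViaAWSService = false keeps calls made on your behalf by AWS services from being denied.
$AllowedIps = $CorpCidrs + $DiagIp
$ipListJson = ($AllowedIps | ForEach-Object { "`"$_`"" }) -join ', '
$IpPolicyDoc = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessFromAllowedIps",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": [ $ipListJson ] },
        "Bool": { "aws:ViaAWSService": "false" }
      }
    }
  ]
}
"@
$IpPolicyArn = "arn:aws:iam::${AccountId}:policy/$IpPolicyName"
# IAM keeps at most 5 versions per policy; delete the oldest non-default version first if at the limit.
New-IAMPolicyVersion -PolicyArn $IpPolicyArn -PolicyDocument $IpPolicyDoc -SetAsDefault $true | Out-Null

# 3. Access key: IAM allows two per user, so check first; the secret is returned only once.
$existing = @(Get-IAMAccessKey -UserName $DiagUser)
if ($existing.Count -ge 2) {
    throw "$DiagUser already has 2 access keys; deactivate and delete an unused one first."
}
$key = New-IAMAccessKey -UserName $DiagUser
$csv = Join-Path $HOME "$DiagUser-accessKeys.csv"
$key | Select-Object AccessKeyId, SecretAccessKey | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Created access key $($key.AccessKeyId); secret written to $csv. Store it in a secrets manager and delete the file."
```

Run the script once against the account to be diagnosed, then register the access key ID and secret in Config Inspection. The IP policy is published as a new default version rather than edited in place, so the previous version remains available for rollback if the exception list turns out to be wrong.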

    Configure Azure

    To diagnose Azure cloud in the Config Inspection service, set the items below.

    Entra ID Application registration

    To register an Entra ID Application in the Azure Console, follow these steps.

    1. Click Microsoft Entra ID > App registrations in the Azure Console.
    2. On the App Registration page, click New Registration.
    3. Enter the application name and click Register. An application (client) ID is generated for the app.
    4. After the app registration is complete, check the app name, application (client) ID, directory (tenant) ID on the overview page.

    Add API permission

    Reference
    To use the Config Inspection service, the pre-configuration must be performed from an account that has the Global Administrator role in Microsoft Entra ID (formerly Azure AD).

    To add API permissions in the Azure Console, follow these steps.

    1. In the Azure Console, go to Microsoft Entra ID > App registrations, click the app created in Entra ID Application registration, and click API permissions > Add a permission.
    2. From the API list, select Microsoft Graph.
    3. On the Request API permissions page, click Application permissions.
      • Select Application.Read.All, Device.Read.All, Group.Read.All, User.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, GroupMember.Read.All, Policy.Read.All, Reports.Read.All from the permission list. All of these are read-only permissions; do not add write permissions the diagnosis does not need.
    4. After adding the permissions, click Grant admin consent for <tenant name> on the API permissions page.
      • Check that the Status column shows Granted for <tenant name>.

    Create Client Secret

    To create a Client Secret in the Azure Console, follow these steps.

    1. In the Azure Console, go to Microsoft Entra ID > App registrations, click the app created in Entra ID Application registration, and click Certificates & secrets.
    2. On the Certificates & secrets page, click New client secret.
    3. When the client secret has been generated, check the Value field in the list.
      • Be sure to save the Client Secret value.
    Caution
    The Client Secret value can only be viewed at the time of creation. Be sure to record or store it separately.

    Add subscription access permission in Azure Console

    You can add subscription access permissions in the Azure Console from the tenant root group or an individual Subscription. Choose the method you prefer to add Subscription access permissions.

    Add permission in Tenant Root Group

    To add subscription access permissions in the Azure Console from the Tenant Root Group, follow the steps below.

    1. Click Management groups > Overview in the Azure Console.
    2. Click Tenant Root Group > Access Control (IAM).
      • If you cannot access the Tenant Root Group menu, change the setting below.
        • Set Microsoft Entra ID > Properties > Access management for Azure resources ("<account name> can manage access to all Azure subscriptions and management groups in this tenant") to Yes.
      • This grants elevated access to the whole tenant; after adding the permission, you must set it back to No.
    3. On the Access Control page, click Add > Add role assignment.
    4. On the Add role assignment page, enter the details and click Review + assign.
      • When entering the role assignment information, select the information below in the Role and Members tabs to add the app created in Entra ID Application registration. You must add all three of the following roles.
        Role | Assign access to
        Reader | User, group, or service principal
        Key Vault Reader | User, group, or service principal
        Reader and Data Access | User, group, or service principal
        Table. Additional permission items when entering role assignment information

    Add permission in individual Subscription

    To add subscription access permissions in the Azure Console for an individual subscription, follow these steps.

    1. Click Subscriptions > Overview in the Azure Console.
      • Check the Subscription ID in the basic information on the Overview page.
    2. Click Subscriptions > Access control (IAM).
    3. On the Access Control page, click Add > Add role assignment.
    4. On the Add role assignment page, enter the details and click Review + assign.
      • When entering the role assignment information, select the information below in the Role and Members tabs to add the app created in Entra ID Application registration. You must add all three of the following roles.
        Role | Assign access to
        Reader | User, group, or service principal
        Key Vault Reader | User, group, or service principal
        Reader and Data Access | User, group, or service principal
        Table. Additional permission items when entering role assignment information

    Add access permissions via PowerShell

    To add subscription access permissions in the Azure Console using PowerShell, follow these steps.

    1. Run the following command in Cloud Shell > PowerShell of the Azure Console. The object ID is that of the app's service principal as shown under Enterprise applications, not the application (client) ID.
      • New-AzRoleAssignment -ObjectId "<object ID of the app as shown in Enterprise applications>" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader' -ObjectType 'ServicePrincipal'
      • If the command fails, change the setting below.
        • Set Microsoft Entra ID > Properties > Access management for Azure resources ("<account name> can manage access to all Azure subscriptions and management groups in this tenant") to Yes.
        • After adding the permission, you must set it back to No.
    2. Run the command below to verify that the configuration is complete.
      • Get-AzRoleAssignment -ObjectId "<object ID of the app as shown in Enterprise applications>" -Scope "/providers/Microsoft.aadiam"
      • If the permission needs to be removed, run the command below.
        • Remove-AzRoleAssignment -ObjectId "<object ID of the app as shown in Enterprise applications>" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader'
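
The subscription, Tenant Root Group and Microsoft.aadiam role assignments described above can be applied and verified in one pass. The following is an added example written for this page, not a script from the Samsung Cloud Platform documentation or from Microsoft. It uses the Az.Accounts and Az.Resources modules in Cloud Shell; the application (client) ID and subscription ID are placeholders, and the service principal's object ID is looked up from the application ID so the wrong ID cannot be pasted by mistake.

```powershell
# Added example (not from the Samsung Cloud Platform documentation).
# Run in Azure Cloud Shell (PowerShell) or after Connect-AzAccount.
Import-Module Az.Accounts, Az.Resources

$AppId              = '00000000-0000-0000-0000-000000000000'  # assumed: application (client) ID of the registered app
$SubscriptionId     = '11111111-1111-1111-1111-111111111111'  # assumed: subscription to be diagnosed
$UseTenantRootGroup = $false   # $true assigns at the Tenant Root Group instead of a single subscription

# Role assignments bind to the service principal (Enterprise application), not to the app registration.
$sp = Get-AzADServicePrincipal -ApplicationId $AppId
if (-not $sp) { throw "No service principal found for application $AppId; complete the app registration first." }

$Scope = if ($UseTenantRootGroup) {
    # The Tenant Root Group's ID is the tenant ID. This scope needs the elevated-access
    # toggle (Access management for Azure resources = Yes); set it back to No afterwards.
    "/providers/Microsoft.Management/managementGroups/$((Get-AzContext).Tenant.Id)"
} else {
    "/subscriptions/$SubscriptionId"
}

# The three roles from the tables above plus the Reader role on Microsoft.aadiam.
$Wanted = @(
    @{ Role = 'Reader';                 Scope = $Scope },
    @{ Role = 'Key Vault Reader';       Scope = $Scope },
    @{ Role = 'Reader and Data Access'; Scope = $Scope },
    @{ Role = 'Reader';                 Scope = '/providers/Microsoft.aadiam' }
)

function Test-Assignment($objectId, $role, $scope) {
    $a = Get-AzRoleAssignment -ObjectId $objectId -Scope $scope -RoleDefinitionName $role -ErrorAction SilentlyContinue
    return [bool]$a
}

foreach ($w in $Wanted) {
    if (Test-Assignment $sp.Id $w.Role $w.Scope) {
        Write-Host "already present: $($w.Role) at $($w.Scope)"
        continue
    }
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $w.Role -Scope $w.Scope -ObjectType 'ServicePrincipal' | Out-Null
    Write-Host "assigned: $($w.Role) at $($w.Scope)"
}

# Verify every assignment so a missing role is reported now rather than at diagnosis time.
$missing = foreach ($w in $Wanted) {
    if (-not (Test-Assignment $sp.Id $w.Role $w.Scope)) { "$($w.Role) @ $($w.Scope)" }
}
if ($missing) {
    Write-Warning ("Missing role assignments:`n" + ($missing -join "`n"))
} else {
    Write-Host "All required role assignments are present for $($sp.DisplayName) ($($sp.Id))."
}
```

The script is idempotent: rerunning it reports existing assignments instead of creating duplicates, and the final check is the same Get-AzRoleAssignment query the page uses for verification, applied to all four scopes. Remove-AzRoleAssignment with the same ObjectId, Scope and RoleDefinitionName reverses any single assignment when access is no longer needed.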

    3 - Release Note

    Config Inspection

    2025.07.01
    FEATURE Expanding service offering
    • We have launched the Config Inspection product, which enables integrated diagnosis and management of customers’ multi‑cloud console security vulnerabilities.
      • You can register the Account (or other cloud account) to be diagnosed, enabling continuous diagnostics, and view the dashboard and detailed results in the Report.
    2025.02.27
    FEATURE Common feature change
    • Samsung Cloud Platform Common Feature Changes
      • Account, IAM, Service Home, tags, and other common CX changes have been applied.
    2024.12.23
    NEW Beta version release
    • You can manage Samsung Cloud Platform Console configuration vulnerabilities through console diagnostics.
    • Provides a report that allows you to view security diagnostic results.