The page has been translated by Gen AI.

Setting up the Cloud

To use the Config Inspection service through the Samsung Cloud Platform Console, users must set up cloud prerequisites, such as generating authentication keys and adding access control IPs.

Note
The settings to be configured vary depending on the type of cloud to be used. Refer to the relevant chapter to set up the necessary items for each cloud.

Setting up the Samsung Cloud Platform Console

To diagnose the Samsung Cloud Platform and external clouds using the Config Inspection service, configure the following items.

Checking policies connected to user groups

Guide
  • Config Inspection can diagnose the Samsung Cloud Platform or external clouds. Depending on the diagnosis target, you can use the service by granting the required policies to the user group.
    • Make sure that the user group has the policy that matches the desired diagnosis target.
    • If a policy needs to be created, contact the Account administrator.

To check the policies of the user group you belong to, follow these steps:

  1. Click All Services > Management > IAM. You will be taken to the Service Home page of IAM.
  2. On the Service Home page, click User Group. You will be taken to the User Group List page.
  3. On the User Group List page, click the user group you want to check. You will be taken to the User Group Details page.
  4. On the User Group Details page, click the Policy tab. You will be taken to the Policy tab page.
  5. On the Policy tab page, click the policy you want to check. You will be taken to the Policy Details page.
  6. On the Policy Details page, check the detailed information.

Generating authentication keys

You can check and generate authentication keys to be used for the Config Inspection service.

Guide
  • You can create up to two authentication keys.
  • After creating a new authentication key, you must apply the changed API authentication key to the service you are using.

To generate an authentication key in the Samsung Cloud Platform Console, follow these steps:

  1. Click My Menu > My Info. You will be taken to the My Info. details page.
  2. On the My Info. details page, click the Authentication Key Management tab. You will be taken to the Authentication Key Management tab page.
  3. On the Authentication Key Management tab page, click the Create Authentication Key button. You will be taken to the Create Authentication Key page.
    • On the authentication key management page, you can check the list of authentication keys.
  4. On the Create Authentication Key page, enter the expiration period and click the Confirm button.
  5. Check if the created authentication key is displayed in the authentication key list.

Adding Allowed Access IP

You can add an allowed access IP in the Samsung Cloud Platform Console.

To add an allowed access IP in the Console, follow these steps:

  1. Click My Menu > My Info. in the Console. You will be taken to the My Info. details page.
  2. On the My Info. details page, click the Authentication Key Management tab. You will be taken to the Authentication Key Management tab page.
  3. On the Authentication Key Management tab page, click the Modify icon in the Security settings section. The Modify authentication key security settings popup window will open.
  4. In the Modify authentication key security settings popup window, enter the authentication method and allowed access IP.
    • Select Authentication key as the authentication method.
    • Set the allowed access IP to Use and enter the IP address, then click the Add button.
  5. Once the allowed access IP is added, click the Confirm button. Verify that the information entered in the Security settings section has been modified.

Setting up AWS

To diagnose the AWS (Amazon Web Services) cloud in the Config Inspection service, set up the following items.

Adding Permission Policy

You can add a permission policy for a user or user group in the AWS Console.

Adding User Permissions

To add a user access permission policy in the AWS Console, follow these steps:

  1. Click IAM > Users in the AWS Console.
  2. Select the diagnostic user name from the user list.
  3. Click the Permissions tab on the user information page.
  4. Select Add permissions in the permission policy.
    • When adding permissions, select ReadOnlyAccess and ViewOnlyAccess.

Adding User Group Permissions

To add a user group access permission policy in the AWS Console, follow these steps:

  1. Click IAM > User groups in the AWS Console.
  2. Select the user group that the user belongs to from the user group list.
  3. Click the Permissions tab on the user group page.
  4. Select Add permissions in the permission policy.
    • When adding permissions, select ReadOnlyAccess and ViewOnlyAccess.

Adding Access Control IP

If you are using an IP access control policy, you must add an exception IP to the policy.

Adding IP Access Control for Users

To add IP access control for users in the AWS Console, follow these steps:

  1. Click IAM > Users in the AWS Console.
  2. Select the diagnostic user name from the user list.
  3. Click the Permissions tab on the user information page.
  4. Click Edit on the IP Access Control Policy in the permissions policy item.
    • Add 123.37.24.82 as an exception IP so that it is not blocked.

Adding IP Access Control for User Groups

To add IP access control for user groups in the AWS Console, follow these steps:

  1. Click IAM > User Groups in the AWS Console.
  2. Select the user group that the user belongs to from the user group list.
  3. Click the Permissions tab on the user group page.
  4. Click Edit on the IP Access Control Policy in the permissions policy item.
    • Add 123.37.24.82 as an exception IP so that it is not blocked.

Creating Access Keys

To create access keys in the AWS Console, follow these steps:

  1. Click IAM > Users in the AWS Console.
  2. Select the diagnostic user name from the user list.
  3. Click the Security Credentials tab on the user information page.
  4. Click Access Keys on the Security Credentials page.
  5. Create an access key for third-party services on the Create Access Key page.
    • Be sure to save the created access key information.

Note
The secret access key can only be downloaded as a CSV file or recorded separately.
  • The secret access key can be viewed only while the access key is being created and cannot be recovered later.

Setting up Azure

To diagnose Azure cloud in the Config Inspection service, set up the following items.

Registering Entra ID Application

To register Entra ID Application in the Azure Console, follow these steps:

  1. Click Microsoft Entra ID > App Registration in the Azure Console.
  2. Click New Registration on the App Registration page.
  3. Register the application. An Application (client) ID is issued for the registered application.
  4. After completing the app registration, check the App Name, Application (Client) ID, Directory (Tenant) ID on the overview page.

Adding API Permissions

Reference
To use the Config Inspection service, this setup must be performed with an account that has the Global Administrator role in Microsoft Entra ID (formerly Azure AD).

To add API permissions in the Azure Console, follow these steps:

  1. Click Microsoft Entra ID > App registrations, select the App Name created in Registering Entra ID Application, and click API permissions > Add a permission.
  2. Select Microsoft Graph from the API Permissions list.
  3. Click Application Permissions on the API Permission Request page.
    • Select Application.Read.All, Device.Read.All, Group.Read.All, User.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, GroupMember.Read.All, Policy.Read.All, Reports.Read.All from the permission list.
  4. Click Grant admin consent for account name after adding permissions on the App API Permission Registration page.
    • Check if the status has changed to Granted for account name.

Creating Client Secret

To create a client secret in the Azure Console, follow these steps:

  1. Click Microsoft Entra ID > App registrations, select the App Name created in Registering Entra ID Application, and click Certificates & secrets.
  2. Click New Client Secret on the Certificates & Secrets list.
  3. Check the Value item of the client secret in the list after creating the client secret.
    • Be sure to save the client secret value.

Note
The client secret value (Value) can only be checked during creation. Be sure to record or save it separately.

Adding Subscription Access Permissions in Azure Console

Subscription access permissions in the Azure Console can be added to the tenant root group or individual subscriptions. Choose the desired method to add subscription access permissions.

Adding Permissions to the Tenant Root Group

To add Azure Console subscription access permissions to the Tenant Root Group, follow these steps:

  1. Click on Management groups > Overview in the Azure Console.
  2. Click on Tenant Root Group > IAM.
    • If you cannot access the Tenant Root Group menu, change the following settings:
      • Microsoft Entra ID > Properties > 'Account name' can manage access to all Azure subscriptions and management groups in this tenant. > Yes
      • After adding permissions, be sure to change it back to No.
  3. On the Access Control page, click on Add > Add role assignment.
  4. On the Add role assignment page, enter the details and click on Save (Review+assign).
    • When entering role assignment information, select the following in the Role and Member tabs to add the App created in Registering Entra ID Application. All three role assignments below must be added.

        | Role tab | Member tab |
        |---------|---------|
        | Reader | User, group, or service principal |
        | Key Vault Reader | User, group, or service principal |
        | Reader and Data Access | User, group, or service principal |

        Table. Additional permission items when entering role assignment information

Adding Permissions to an Individual Subscription

To add Azure Console subscription access permissions to an individual subscription, follow these steps:

  1. Click on Subscription > Overview in the Azure Console.
    • Check the Subscription ID in the basic information on the overview page.
  2. Click on Subscription > IAM.
  3. On the Access Control page, click on Add > Add role assignment.
  4. On the Add role assignment page, enter the details and click on Save (Review+assign).
    • When entering role assignment information, select the following in the Role and Member tabs to add the App created in Registering Entra ID Application. All three role assignments below must be added.

        | Role tab | Member tab |
        |---------|---------|
        | Reader | User, group, or service principal |
        | Key Vault Reader | User, group, or service principal |
        | Reader and Data Access | User, group, or service principal |

        Table. Additional permission items when entering role assignment information
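To confirm that the three role assignments above actually reached the app's service principal, the following PowerShell script (an added example, not part of the Samsung Cloud Platform documentation or its tooling) queries the effective assignments at the subscription scope and reports any that are missing. It assumes the Az.Resources module is loaded and Connect-AzAccount has been run; $AppObjectId and $SubscriptionId are placeholders for the app's Object ID (from Enterprise applications) and the Subscription ID noted in step 1.

```powershell
# Added example: verify that the app's service principal holds all three roles
# required by Config Inspection on a subscription. Placeholders, not real values.
param(
    [Parameter(Mandatory)] [string] $AppObjectId,     # Object ID of the app's service principal
    [Parameter(Mandatory)] [string] $SubscriptionId   # Subscription ID from the Overview page
)

$scope = "/subscriptions/$SubscriptionId"
$requiredRoles = @('Reader', 'Key Vault Reader', 'Reader and Data Access')

# Get-AzRoleAssignment with -Scope lists assignments at that scope and those
# inherited from above it, so roles granted on Tenant Root Group are included.
$assigned = @(Get-AzRoleAssignment -ObjectId $AppObjectId -Scope $scope |
    Select-Object -ExpandProperty RoleDefinitionName -Unique)

$missing = @($requiredRoles | Where-Object { $_ -notin $assigned })

if ($missing.Count -eq 0) {
    Write-Output "OK: service principal $AppObjectId has all required roles on $scope"
} else {
    Write-Output "MISSING on $scope : $($missing -join ', ')"
    # Print (do not run) the assignment command for each missing role so it can be reviewed first.
    foreach ($role in $missing) {
        Write-Output "  New-AzRoleAssignment -ObjectId $AppObjectId -Scope $scope -RoleDefinitionName '$role'"
    }
}
```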

Adding Access Permissions using PowerShell

To add Azure Console subscription access permissions using PowerShell, follow these steps:

  1. In the Azure Console, run the following command in Cloud shell > PowerShell:
    • New-AzRoleAssignment -ObjectId "Object ID of the App confirmed in Enterprise Application" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader' -ObjectType 'ServicePrincipal'
    • If the command does not work, change the following settings:
      • Microsoft Entra ID > Properties > 'Account name' can manage access to all Azure subscriptions and management groups in this tenant. > Yes
      • After adding permissions, be sure to change it back to No.
  2. Run the following command to check if the settings are complete:
    • Get-AzRoleAssignment -ObjectId "Object ID of the App confirmed in Enterprise Application" -Scope "/providers/Microsoft.aadiam"
    • If you need to delete permissions, run the following command:
      • Remove-AzRoleAssignment -ObjectId "Object ID of the App confirmed in Enterprise Application" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader'