Pre-configuration

Users must perform pre‑cloud configuration such as generating authentication keys and adding access‑control IPs through the Samsung Cloud Platform Console to use the Config Inspection service.

Configuring Samsung Cloud Platform Console

To diagnose Samsung Cloud Platform and external clouds in the Config Inspection service, set the items below.

Check policies attached to user groups

To check the policy of the user group to which the user belongs, follow the steps below.

1. Click the All Services > Management > IAM menu. Go to the Service Home page of IAM.
2. On the Service Home page, click the User Group menu. You will be taken to the User Group List page.
3. On the User Group List page, click the user group you want to view. You will be taken to the User Group Details page.
4. User Group Details page, click the Policy tab. You will be taken to the Policy tab page.
5. Click the policy you want to view on the Policy tab page. You will be taken to the Policy Details page.
6. Check the detailed information on the Policy Details page.
   • Verify that the policy information in the table below is configured. If necessary, contact the administrator to add the policy.

     Item	Policy Requirement 1	Policy Requirement 2
     action	List, Read	Create, Delete, List, Read, Update
     Applied resource	All resources	Individual Resource (Config Inspection)
     Authentication Type	All authentication	Temporary key authentication, Console login
     Applied IP	Custom IP The IP for diagnostics is 123.37.11.42, and the IP for the user to access the console must be added separately	Custom IP

     Table. Detailed policy setting items for all cloud diagnostics

Generate authentication key

You can view and generate the authentication key used for the Config Inspection service.

To create an authentication key in the Samsung Cloud Platform Console, follow these steps.

1. Click the My menu > My info. menu in the Console. You will be taken to the My info. detail page.
2. My info. Click the API Key Management tab on the detail page. Navigating to the API Key Management tab page.
3. On the Key Management tab page, click the Create Key button. You will be taken to the Create Key page.
   • You can view the list of authentication keys on the authentication key management page.
4. On the Create Authentication Key page, after entering the expiration period, click the Confirm button.
5. Verify that the generated authentication key is displayed in the authentication key list.

Add allowed IP

You can add allowed IP addresses in the Samsung Cloud Platform Console.

To add an allowed IP for the Console, follow these steps.

1. Click the My menu > My info. menu in the Console. Go to the My info. detail page.
2. My info. Click the API Key Management tab on the detail page. You will be taken to the API Key Management tab page.
3. Authentication Key Management tab page, click the Edit icon of the Security Settings item. Edit Authentication Key Security Settings popup opens.
4. Edit Authentication Key Security Settings In the popup window, enter the authentication method and allowed IP address.
   • Select the authentication method authentication key.
   • Set the allowed access IP to Use, enter the IP address, and click the Add button.
5. When the allowed IP addition is complete, click the Confirm button. Verify that the Security Settings item has been updated with the entered information.

Configure AWS

To diagnose the AWS (Amazone Web Services) cloud in the Config Inspection service, set the items below.

Add permission policy

You can add permission policies for users or user groups in the AWS Console.

Add user permission

To add a user access policy in the AWS Console, follow these steps.

1. Click IAM > Users in the AWS Console.
2. Select the diagnostic user name from the user list.
3. Click the Permissions tab on the user information page.
4. Select Add Permission in the permission policy.
   • When adding permissions, select ReadOnlyAccess, ViewOnlyAccess.

Add user group permissions

To add a user group access permission policy in the AWS Console, follow these steps.

1. Click IAM > User Groups in the AWS Console.
2. Select the group that the user belongs to from the user group list.
3. Click the Permissions tab on the user group page.
4. Select Add Permission in the permission policy.
   • When adding permissions, select ReadOnlyAccess, ViewOnlyAccess.

Add access control IP

If you are using an IP access control policy, you need to add an exception IP to the policy.

Add user access control IP

To add a user access control IP in the AWS Console, follow these steps.

1. Click IAM > Users in the AWS Console.
2. Select the diagnostic user name from the user list.
3. Click the Permissions tab on the user information page.
4. In the permission policy item, click Edit of the IP Access Control Policy.
   • Add 123.37.24.82 to the block exception IP list.

Add IP to user group access control

To add a user group access control IP in the AWS Console, follow these steps.

1. Click IAM > User Groups in the AWS Console.
2. Select the group that the user belongs to from the list of user groups.
3. Click the Permissions tab on the user group page.
4. In the permission policy item, click Edit of the IP Access Control Policy.
   • Add 123.37.24.82 to the block exception IP.

Access Key creation

To create an Access Key in the AWS Console, follow these steps.

1. Click IAM > Users in the AWS Console.
2. Select the diagnostic user name from the user list.
3. Click the Security Credentials tab on the user information page.
4. On the Security Credentials page, click Access Keys.
5. Create Access Key page, generate an access key for third‑party services.
   • Be sure to save the generated access key information.

Configure Azure

To diagnose Azure cloud in the Config Inspection service, set the items below.

Entra ID Application registration

To register an Entra ID Application in the Azure Console, follow these steps.

1. Click Microsoft Entra ID > App registrations in the Azure Console.
2. On the App Registration page, click New Registration.
3. Register the application (client) ID.
4. After the app registration is complete, check the app name, application (client) ID, directory (tenant) ID on the overview page.

Add API permission

To add API permissions in the Azure Console, follow these steps.

1. In the Azure Console’s Microsoft Entra ID > App registration (App registrations) > Entra ID Application registration, click App name > API permissions (App permissions) > Add permission (Add a permission).
2. From the API permissions list, select Microsoft Graph to add permissions.
3. On the API Permission Request page, click Application Permissions.
   • Select Application.Read.All, Device.Read.All, Group.Read.All, User.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, GroupMember.Read.All, Policy.Read.All, Reports.Read.All from the permission list.
4. After adding permissions in App API permission registration, click Grant admin consent (Grant admin consent for account name).
   • Check whether the status for the account name has been changed to Allowed (Granted for account name).

Create Client Secret

To create a Client Secret in the Azure Console, follow these steps.

1. In the Azure Console, click App name > Certificates & secrets(Certificates & secrets) under Microsoft Entra ID > App registrations(App registrations) > Entra ID Application registration.
2. Click New Client Password in the Certificates and Passwords list.
3. When the client secret is generated, check the Client Secret in the Value(Value) field of the list.
   • Be sure to save the Client Secret value.

Add subscription access permission in Azure Console

You can add subscription access permissions in the Azure Console from the tenant root group or an individual Subscription. Choose the method you prefer to add Subscription access permissions.

Add permission in Tenant Root Group

To add subscription access permissions in the Azure Console from the Tenant Root Group, follow the steps below.

1. Click Management groups > Overview in the Azure Console.
2. Click Tenant Root Group > Access Control (IAM).
   • If you cannot access the Tenant Root Group menu, change the settings below.
     • Microsoft Entra ID > Properties > ‘Account Name’ can manage access to all Azure subscriptions and management groups in this tenant. > Yes (yes) change to
   • After adding the permission, you must change it to No.
3. On the Access Control page, click Add(Add) > Add role assignment(Add role assignment).
4. On the Add Role Assignment page, after entering the details, click Save (Review+assign).
   • When entering role assignment information, select the information below in the Role and Member tabs to add the app created in Entra ID Application registration. You must add all three of the following permissions.

     Category	Permission
     Reader(Reader)	User, group, or service principal(Users, group, or service principal)
     Key Vault Reader (Key Vault Reader)	User, group, or service principal(Users, group, or service principal)
     Reader and Data Access	User, group, or service principal(Users, group, or service principal)

     Table. Additional permission items when entering role assignment information

Add permission in individual Subscription

To add subscription access permissions in the Azure Console for an individual subscription, follow these steps.

1. Click Subscription(Subscription) > Overview(Overview) in the Azure Console.
   • Check the Subscription ID(Subscription ID) in the basic information on the Overview page.
2. Click Subscription(Subscription) > Access Control(IAM).
3. On the Access Control page, click Add(Add) > Add role assignment(Add role assignment).
4. On the Add Role Assignment page, after entering the details, click Save (Review+assign).
   • When entering role assignment information, select the information below in the Role and Member tabs to add the app created in Entra ID Application registration. You must add all three of the following permissions.

     Category	Permission
     Reader(Reader)	User, group, or service principal(Users, group, or service principal)
     Key Vault Reader (Key Vault Reader)	User, group, or service principal(Users, group, or service principal)
     Reader and Data Access	User, group, or service principal(Users, group, or service principal)

     Table. Additional permission items when entering role assignment information

Add access permissions via PowerShell

To add subscription access permissions in the Azure Console using PowerShell, follow these steps.

1. Run the following command in Cloud shell > PowerShell of the Azure Console.
   • New-AzRoleAssignment -ObjectId “the App’s Object ID as seen in Enterprise Application” -Scope “/providers/Microsoft.aadiam” -RoleDefinitionName ‘Reader’ -ObjectType ‘ServicePrincipal’
   • If the command does not execute, change the settings below.
     • Microsoft Entra ID > Properties > ‘Account Name’ can manage access to all Azure subscriptions and management groups in this tenant. > yes change to
     • After adding the permission, you must change it to No (no).
2. Run the command below to verify whether the configuration is complete.
   • Get-AzRoleAssignment –ObjectId ＂the App’s Object ID found in Enterprise Application＂ –Scope ＂/providers/Microsoft.aadiam＂
   • If permission deletion is required, run the command below.
     • Remove-AzRoleAssignment -ObjectId “the App’s Object ID as seen in Enterprise Application” -Scope “/providers/Microsoft.aadiam” -RoleDefinitionName ‘Reader’