The page has been translated by Gen AI.

Pre-configuration

To use the Config Inspection service, users must first complete cloud pre-configuration in the Samsung Cloud Platform Console, such as creating an authentication key and adding access control IPs.

Note
Items to set vary depending on the type of cloud you use. Refer to the corresponding chapter and set the required items for each cloud.

Samsung Cloud Platform Console Settings

To diagnose Samsung Cloud Platform and external clouds in the Config Inspection service, set the following items.

Check Policies Linked to User Group

Notice
  • Config Inspection can diagnose Samsung Cloud Platform or external clouds. To use it, the user group must be granted the policy requirements that match the diagnosis target.
    • Check that the user group policy for your intended diagnosis target is set.
    • If a policy needs to be created, contact the Account administrator.

To check the policy of the user group you belong to, follow the procedure below.

  1. Click All Services > Management > IAM menu. You will be redirected to the Service Home page of IAM.
  2. Click User Groups menu on the Service Home page. You will be redirected to the User Group List page.
  3. Click the user group you want to check on the User Group List page. You will be redirected to the User Group Details page.
  4. Click Policies tab on the User Group Details page. You will be redirected to the Policies tab page.
  5. Click the policy you want to check on the Policies tab page. You will be redirected to the Policy Details page.
  6. Check the detailed information on the Policy Details page.
    • Check if the policy information in the table below is set. If necessary, contact the administrator to add the policy.
      Item         Policy Requirement 1              Policy Requirement 2
      Action       List, Read                        Create, Delete, List, Read, Update
      Resource     All resources                     Individual resource (Config Inspection)
      Auth Type    All authentication                Temporary key authentication, Console login
      Allowed IP   123.37.11.42, User-defined IP     User-defined IP
      • For diagnosis, you must add IP 123.37.11.42 and the IP used for user console access separately.
      Table. Policy setting details for diagnosing all clouds

Create Authentication Key

You can check and create authentication keys to use in the Config Inspection service.

Notice
  • You can create at most 2 authentication keys.
  • After creating a new authentication key, you must apply the changed API authentication key to the service you are using.

To create an authentication key in Samsung Cloud Platform Console, follow the procedure below.

  1. Click My Menu > My info. menu in the Console. You will be redirected to the My info. details page.
  2. Click Authentication Key Management tab on the My info. details page. You will be redirected to the Authentication Key Management tab page.
  3. Click Create Authentication Key button on the Authentication Key Management tab page. You will be redirected to the Create Authentication Key page.
    • You can check the authentication key list on the authentication key management page.
  4. Enter the expiration period on the Create Authentication Key page and click OK button.
  5. Check if the created authentication key is displayed in the authentication key list.

Add Access Allowed IP

You can add access allowed IPs in Samsung Cloud Platform Console.

To add access allowed IPs in the Console, follow the procedure below.

  1. Click My Menu > My info. menu in the Console. You will be redirected to the My info. details page.
  2. Click Authentication Key Management tab on the My info. details page. You will be redirected to the Authentication Key Management tab page.
  3. Click Edit icon in Security Settings item on the Authentication Key Management tab page. The Edit Authentication Key Security Settings popup will open.
  4. Enter the authentication method and access allowed IP in the Edit Authentication Key Security Settings popup.
    • Select Authentication Key for authentication method.
    • Set access allowed IP to Enable, enter the IP address, and click Add button.
  5. When adding access allowed IP is complete, click OK button. Check if the information is modified to the entered information in the Security Settings item.

AWS Settings

To diagnose AWS (Amazon Web Services) cloud in the Config Inspection service, set the following items.

Add Permission Policy

You can add permission policies for users/user groups in AWS Console.

Add User Permission

To add user access permission policy in AWS Console, follow the procedure below.

  1. Click IAM > Users in AWS Console.
  2. Select the diagnostic user name from the user list.
  3. Click Permissions tab on the user information page.
  4. Select Add permissions in the permission policy.
    • When adding permissions, select the ReadOnlyAccess and ViewOnlyAccess policies.

Add User Group Permission

To add user group access permission policy in AWS Console, follow the procedure below.

  1. Click IAM > User groups in AWS Console.
  2. Select the group the user belongs to from the user group list.
  3. Click Permissions tab on the user group page.
  4. Select Add permissions in the permission policy.
    • When adding permissions, select the ReadOnlyAccess and ViewOnlyAccess policies.

Add Access Control IP

If using IP access control policy, you must add block exception IPs to that policy.

Add User Access Control IP

To add user access control IP in AWS Console, follow the procedure below.

  1. Click IAM > Users in AWS Console.
  2. Select the diagnostic user name from the user list.
  3. Click Permissions tab on the user information page.
  4. Click Edit in IP Access Control Policy in the permission policy item.
    • Add 123.37.24.82 as a block exception IP.

Add User Group Access Control IP

To add user group access control IP in AWS Console, follow the procedure below.

  1. Click IAM > User groups in AWS Console.
  2. Select the group the user belongs to from the user group list.
  3. Click Permissions tab on the user group page.
  4. Click Edit in IP Access Control Policy in the permission policy item.
    • Add 123.37.24.82 as a block exception IP.

Generate Access Key

To generate Access Key in AWS Console, follow the procedure below.

  1. Click IAM > Users in AWS Console.
  2. Select the diagnostic user name from the user list.
  3. Click Security credentials tab on the user information page.
  4. Click Access keys on the Security credentials page.
  5. Create access keys for third-party services on the Create access key page.
    • Make sure to save the created access key information.

Caution
Download the Secret Key as a csv file or record it separately.
  • Secret key information can only be checked when creating the access key and cannot be recovered later.

Azure Settings

To diagnose Azure cloud in the Config Inspection service, set the following items.

Register Entra ID Application

To register Entra ID Application in Azure Console, follow the procedure below.

  1. Click Microsoft Entra ID > App registrations in Azure Console.
  2. Click New registration on the App registrations page.
  3. Register application (client) ID.
  4. When app registration is complete, check App name, Application (client) ID, Directory (tenant) ID on the overview page.

Add API Permission

Note
To use Config Inspection service, you must pre-configure with an account granted the Global Administrator role among Azure AD roles.

To add API permission in Azure Console, follow the procedure below.

  1. Click Microsoft Entra ID > App registrations > Entra ID Application registration > created App name > API permissions > Add a permission in Azure Console.
  2. Select Microsoft Graph to add permissions from the API permissions list.
  3. Click Application permissions on the Request API permissions page.
    • Select Application.Read.All, Device.Read.All, Group.Read.All, User.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, GroupMember.Read.All, Policy.Read.All, Reports.Read.All from the permission list.
  4. After adding permissions in App API permission registration, click Grant admin consent for account name.
    • Check that the status changes to Granted for the account name.

Create Client Secret

To create Client Secret in Azure Console, follow the procedure below.

  1. Click Microsoft Entra ID > App registrations > Entra ID Application registration > created App name > Certificates & secrets in Azure Console.
  2. Click New client secret from the Certificates & secrets list.
  3. When client secret is created, check the Client Secret in the Value item from the list.
    • Make sure to save the Client Secret value.

Caution
Client Secret value (Value) can only be checked at creation time. Make sure to record or save it separately.

Add Subscription Access Permission in Azure Console

You can add subscription access permissions in Azure Console from Tenant Root Group or individual Subscription. Choose your preferred method to add subscription access permissions.

Add Permission from Tenant Root Group

To add subscription access permission in Azure Console from Tenant Root Group, follow the procedure below.

  1. Click Management groups > Overview in Azure Console.
  2. Click Tenant Root Group > Access control (IAM).
    • If you cannot enter the Tenant Root Group menu, change the setting below.
      • Change Microsoft Entra ID > Properties > ‘Account name’ can manage access to all Azure subscriptions and management groups in this tenant. > Yes
    • After adding permissions, you must change it back to No. This setting elevates your account to User Access Administrator at the root scope, so leave it enabled only while you make the assignment.
  3. Click Add > Add role assignment on the Access control page.
  4. Enter detailed information on the Add role assignment page and click Review+assign.
    • When entering role assignment information, select the information below from the Role and Member tabs to add the App created in Entra ID Application registration. You must add all three permissions below.
      Category                  Permission
      Reader                    Users, group, or service principal
      Key Vault Reader          Users, group, or service principal
      Reader and Data Access    Users, group, or service principal
      Table. Additional permission items when entering role assignment information

Add Permission from Individual Subscription

To add subscription access permission in Azure Console from individual Subscription, follow the procedure below.

  1. Click Subscription > Overview in Azure Console.
    • Check Subscription ID from the basic information on the overview page.
  2. Click Subscription > Access control (IAM).
  3. Click Add > Add role assignment on the Access control page.
  4. Enter detailed information on the Add role assignment page and click Review+assign.
    • When entering role assignment information, select the information below from the Role and Member tabs to add the App created in Entra ID Application registration. You must add all three permissions below.
      Category                  Permission
      Reader                    Users, group, or service principal
      Key Vault Reader          Users, group, or service principal
      Reader and Data Access    Users, group, or service principal
      Table. Additional permission items when entering role assignment information

Add Access Permission via PowerShell

To add subscription access permission in Azure Console using PowerShell, follow the procedure below.

  1. Run the following command in Cloud shell > PowerShell in Azure Console.
    • New-AzRoleAssignment -ObjectId "App's Object ID confirmed in Enterprise Application" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader' -ObjectType 'ServicePrincipal'
    • If the command does not run, change the setting below.
      • Change Microsoft Entra ID > Properties > ‘Account name’ can manage access to all Azure subscriptions and management groups in this tenant. > Yes
      • After adding permissions, you must change it back to No.
  2. Run the following command to check if the setting is complete.
    • Get-AzRoleAssignment -ObjectId "App's Object ID confirmed in Enterprise Application" -Scope "/providers/Microsoft.aadiam"
    • If you need to delete the permission, run the following command.
      • Remove-AzRoleAssignment -ObjectId "App's Object ID confirmed in Enterprise Application" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader'
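The PowerShell procedure above and the three subscription-level roles from the role assignment table, combined into one idempotent script that assigns what is missing and then verifies that only read-only roles are present. This is an added example, not from the Samsung Cloud Platform documentation; the Az module cmdlets are real, while the $AppId and $SubscriptionId values and the Set-RequiredRole helper are placeholders and assumptions of this example.

```powershell
# Added example (not from the Samsung Cloud Platform documentation).
# Requires the Az.Resources module and a signed-in session (Connect-AzAccount).
# Placeholders: replace $AppId and $SubscriptionId with your own values.
$AppId          = '00000000-0000-0000-0000-000000000000'   # Application (client) ID from the app overview page
$SubscriptionId = '11111111-1111-1111-1111-111111111111'   # Subscription ID from Subscription > Overview

# Resolve the Enterprise Application's object ID from the client ID
$sp = Get-AzADServicePrincipal -ApplicationId $AppId
if (-not $sp) { throw "No service principal found for application $AppId" }
$ObjectId = $sp.Id

# Helper (assumed name): assign a role at a scope only when it is not already there
function Set-RequiredRole {
    param([string]$Scope, [string]$Role)
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope `
                    -RoleDefinitionName $Role -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "OK     $Role already assigned at $Scope"
        return
    }
    New-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope `
        -RoleDefinitionName $Role -ObjectType 'ServicePrincipal' | Out-Null
    Write-Host "ADDED  $Role at $Scope"
}

# 1. Directory-level Reader from the PowerShell procedure
Set-RequiredRole -Scope '/providers/Microsoft.aadiam' -Role 'Reader'

# 2. The three subscription-level roles from the role assignment table
$subScope      = "/subscriptions/$SubscriptionId"
$requiredRoles = @('Reader', 'Key Vault Reader', 'Reader and Data Access')
foreach ($role in $requiredRoles) {
    Set-RequiredRole -Scope $subScope -Role $role
}

# Final check: list what the app holds at both scopes and flag anything
# beyond the read-only roles the service needs (least privilege)
$all = Get-AzRoleAssignment -ObjectId $ObjectId |
       Where-Object { $_.Scope -in @('/providers/Microsoft.aadiam', $subScope) }
$all | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
$unexpected = $all | Where-Object { $_.RoleDefinitionName -notin $requiredRoles }
if ($unexpected) {
    Write-Warning "Roles beyond the required read-only set: $($unexpected.RoleDefinitionName -join ', ')"
}
```

If New-AzRoleAssignment fails at the Microsoft.aadiam scope, apply the Entra ID Properties setting described in the procedure, re-run, and then set it back to No.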