Preconfigure
Users must perform pre‑cloud configuration, such as creating authentication keys and adding access‑control IPs, through the Samsung Cloud Platform Console to use the Config Inspection service.
Setting up Samsung Cloud Platform Console
To diagnose Samsung Cloud Platform and external clouds in the Config Inspection service, configure the items below.
Check policies attached to the user group
- Config Inspection can diagnose Samsung Cloud Platform itself or an external cloud. Assign the user group a policy that matches the diagnostic target.
- Verify that a user group policy appropriate for the desired diagnostic target is configured.
- If a policy needs to be created, contact the Account administrator.
To check the policy of the user group to which the user belongs, follow the steps below.
- Click All Services > Management > IAM. The IAM Service Home page opens.
- On the Service Home page, click User Group. The User Group List page opens.
- On the User Group List page, click the user group you want to view. The User Group Details page opens.
- On the User Group Details page, click the Policy tab.
- On the Policy tab page, click the policy you want to view. The Policy Details page opens.
- On the Policy Details page, review the policy details.
- Verify that the policy information in the table below is set. If necessary, contact the administrator to add a policy.

Item                 Policy Requirement 1        Policy Requirement 2
Action               List, Read                  Create, Delete, List, Read, Update
Applied resource     All resources               Individual resource (Config Inspection)
Authentication type  All authentication          Temporary key authentication, Console login
Applied IP           123.37.11.42, custom IP     -
Table. Detailed policy setting items for all cloud diagnostics

* Applied IP: 123.37.11.42 (the address the diagnostic service connects from) and the custom IP the user accesses the Console from must each be added.
Authentication key generation
You can view and generate the authentication key for the Config Inspection service.
- You can create up to two authentication keys.
- After generating a new authentication key, you must apply the updated API authentication key to the service you are using.
To generate an authentication key in the Samsung Cloud Platform Console, follow these steps.
- In the Console, click My menu > My info. The My info detail page opens.
- On the My info detail page, click the Authentication Key Management tab. The existing authentication keys are listed on this tab.
- On the Authentication Key Management tab page, click Create Authentication Key. The Create Authentication Key page opens.
- On the Create Authentication Key page, enter the expiration period and click Confirm. Choose the shortest expiration period that suits your use; an expired key must be regenerated and re-applied to the service that uses it.
- Verify that the generated authentication key is displayed in the authentication key list.
Add allowed IP
You can add allowed IP addresses in the Samsung Cloud Platform Console.
To add an allowed IP for the Console, follow these steps.
- In the Console, click My menu > My info. The My info detail page opens.
- On the My info detail page, click the Authentication Key Management tab.
- On the Authentication Key Management tab page, click the Edit icon of the Security Settings item. The Edit Authentication Key Security Settings popup opens.
- In the Edit Authentication Key Security Settings popup, enter the authentication method and the allowed IP addresses:
  - For the authentication method, select Authentication key.
  - Set Allowed access IP to Use, enter the IP address, and click Add. Repeat for each address that must be able to use the key.
- When all allowed IPs have been added, click Confirm, then check that the Security Settings item shows the entered information.
Configure AWS
To diagnose the AWS (Amazon Web Services) cloud in the Config Inspection service, set the items below.
Add permission policy
You can add permission policies for users or user groups in the AWS Console.
Add user permission
To add a user access policy in the AWS Console, follow these steps.
- Click IAM > Users in the AWS Console.
- Select the diagnostic user name from the user list.
- On the user information page, click the Permissions tab.
- Under Permissions policies, click Add permissions.
- Attach the AWS managed policies ReadOnlyAccess and ViewOnlyAccess. Both are read-only, which is all the diagnostic user needs; do not attach policies that allow changes.
Add user group permission
To add a user group access permission policy in the AWS Console, follow these steps.
- Click IAM > User Groups in the AWS Console.
- Select the group that the user belongs to from the list of user groups.
- On the user group page, click the Permissions tab.
- Under Permissions policies, click Add permissions.
- Attach the AWS managed policies ReadOnlyAccess and ViewOnlyAccess.
Add access control IP
If the diagnostic user or its group is restricted by an IP access control policy (a policy that denies requests whose source IP is outside an allowed list), add the Config Inspection diagnostic address 123.37.24.82 to that policy's block exception (allowed) list; otherwise the diagnostic requests are denied.
Add user access control IP
To add a user access control IP in the AWS Console, follow these steps.
- Click IAM > Users in the AWS Console.
- Select the diagnostic user name from the user list.
- On the user information page, click the Permissions tab.
- Under Permissions policies, click Edit on the IP access control policy.
- Add 123.37.24.82 to the block exception IP list.
Add user group access control IP
To add a user group access control IP in the AWS Console, follow these steps.
- Click IAM > User Groups in the AWS Console.
- Select the group that the user belongs to from the list of user groups.
- On the user group page, click the Permissions tab.
- Under Permissions policies, click Edit on the IP access control policy.
- Add 123.37.24.82 to the block exception IP list.
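The "block exception IP" the page refers to is the allow-list inside a Deny statement conditioned on aws:SourceIp. The following Python, added here as an example and not code from Samsung Cloud Platform or AWS, models such a policy, adds the diagnostic address 123.37.24.82 to its exception list, and checks whether a request from a given address would be denied by it. The starting policy and the 198.51.100.0/24 range are constructed for the example; the policy shape (NotIpAddress on aws:SourceIp) is the standard IAM form for this restriction. It goes slightly beyond the page's step by accepting any IPv4 or IPv6 address and by leaving the policy unchanged when the address is already covered.

```python
"""Added example (not Samsung Cloud Platform or AWS code): model the IAM
"IP access control policy" as a Deny statement keyed on aws:SourceIp, add the
Config Inspection diagnostic IP to its exception list, and evaluate whether a
request from a given address would be blocked by that statement."""
import copy
import ipaddress
import json

# Constructed starting policy: deny every action unless the caller's source IP
# is in the allow-list (the "block exception" IPs in the page's wording).
IP_ACCESS_CONTROL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideAllowedIPs",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": ["198.51.100.0/24"]}},
        }
    ],
}

DIAGNOSTIC_IP = "123.37.24.82"  # the address given on the page


def _as_list(value):
    # IAM allows a statement or condition value to be a single item or a list.
    return [value] if isinstance(value, (str, dict)) else list(value)


def _covered(addr, cidrs):
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def add_exception_ip(policy, ip):
    """Return a copy of *policy* with *ip* (as a /32 or /128) added to every
    Deny statement that uses NotIpAddress on aws:SourceIp. The input policy is
    not modified. Raises ValueError for an invalid address or if the policy has
    no such statement (then there is nothing to add the exception to)."""
    addr = ipaddress.ip_address(ip)
    cidr = f"{addr}/{addr.max_prefixlen}"
    new_policy = copy.deepcopy(policy)
    touched = 0
    for stmt in _as_list(new_policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("NotIpAddress", {})
        if "aws:SourceIp" not in cond:
            continue
        allowed = _as_list(cond["aws:SourceIp"])
        if not _covered(addr, allowed):  # idempotent: skip if already allowed
            allowed.append(cidr)
        cond["aws:SourceIp"] = allowed
        touched += 1
    if touched == 0:
        raise ValueError("policy has no Deny statement keyed on aws:SourceIp")
    return new_policy


def is_blocked(policy, source_ip):
    """True if any Deny statement keyed on aws:SourceIp matches a request from
    *source_ip*. Only the NotIpAddress/IpAddress forms of the source-IP
    condition are modelled; a real IAM evaluation also weighs Allow statements,
    other condition keys, and the request's principal, action and resource."""
    addr = ipaddress.ip_address(source_ip)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        not_in = cond.get("NotIpAddress", {}).get("aws:SourceIp")
        if not_in is not None and not _covered(addr, not_in):
            return True
        is_in = cond.get("IpAddress", {}).get("aws:SourceIp")
        if is_in is not None and _covered(addr, is_in):
            return True
    return False


if __name__ == "__main__":
    updated = add_exception_ip(IP_ACCESS_CONTROL_POLICY, DIAGNOSTIC_IP)
    print(json.dumps(updated, indent=2))
    print("blocked before:", is_blocked(IP_ACCESS_CONTROL_POLICY, DIAGNOSTIC_IP))
    print("blocked after: ", is_blocked(updated, DIAGNOSTIC_IP))
```

Run it against the policy document exported from the console (IAM > Policies > the policy > JSON) to confirm that the diagnostic address is no longer denied before saving the edit; the check deliberately ignores everything except the source-IP condition, so a Deny on other grounds still has to be reviewed by hand.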
Create Access Key
To create an Access Key in the AWS Console, follow these steps.
- Click IAM > Users in the AWS Console.
- Select the diagnostic user name from the user list.
- On the user information page, click the Security Credentials tab.
- On the Security credentials page, click Access keys.
- On the Create access key page, select the third-party service use case and create the key.
- Be sure to save the generated access key information. The secret access key can be downloaded as a CSV file or copied and stored separately.
- The secret access key is shown only while the access key is being created and cannot be recovered later; if it is lost, create a new access key and deactivate the old one.
Configure Azure
To diagnose Azure cloud in the Config Inspection service, set the items below.
Entra ID Application registration
To register an Entra ID application in the Azure Console, follow these steps.
- Click Microsoft Entra ID > App registrations in the Azure Console.
- On the App Registration page, click New Registration.
- On the Register an application page, enter a name for the application and click Register.
- After registration completes, note the app name, Application (client) ID and Directory (tenant) ID on the Overview page.
Add API usage permission
To add API permissions in Azure Console, follow these steps.
- In the Azure Console, click Microsoft Entra ID > App registrations, open the app created in Entra ID Application registration, then click API permissions > Add a permission.
- In the Select an API list, select Microsoft Graph.
- On the Request API permissions page, click Application permissions.
- Select the following permissions from the list: Application.Read.All, Device.Read.All, Group.Read.All, User.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, GroupMember.Read.All, Policy.Read.All, Reports.Read.All. All of these are read-only; do not add write permissions.
- After adding the permissions, click Grant admin consent for <tenant name>. Application permissions cannot be used until an administrator has consented.
- Check that the Status column shows Granted for <tenant name> for each permission.
Create Client Secret
To create a Client Secret in the Azure Console, follow these steps.
- In the Azure Console, click Microsoft Entra ID > App registrations, open the app created in Entra ID Application registration, then click Certificates & secrets.
- Under Client secrets, click New client secret and set a description and expiry.
- When the secret has been created, read the Client Secret from the Value column of the list.
- Store the Client Secret value now: it is displayed only once, immediately after creation, and cannot be retrieved later. Together with the Application (client) ID and Directory (tenant) ID it grants the read access configured above, so keep it in a secrets store rather than in plain files.
Add subscription access permission in Azure Console
Subscription access permissions in the Azure Console can be added from the tenant root group or an individual subscription. Select the desired method to add subscription access permissions.
Add permissions in Tenant Root Group
To add subscription access permissions in the Azure Console from the Tenant Root Group, follow these steps.
- In the Azure Console, click Management groups > Overview.
- Click Tenant Root Group > Access control (IAM).
- If you cannot open Access control (IAM) on the Tenant Root Group, change the setting below first.
  - Microsoft Entra ID > Properties > Access management for Azure resources ("<account name> can manage access to all Azure subscriptions and management groups in this tenant"): change to Yes. This elevates the account to User Access Administrator at the root scope, so change it back to No as soon as the permission has been added.
- On the Access control page, click Add > Add role assignment.
- On the Add role assignment page, enter the details and click Review + assign.
- In the Role and Members tabs, assign the roles below to the app created in Entra ID Application registration. All three roles must be added.

Role                    Assign access to
Reader                  User, group, or service principal
Key Vault Reader        User, group, or service principal
Reader and Data Access  User, group, or service principal
Table. Roles to add when entering role assignment information
Add permission in individual Subscription
To add subscription access permissions in the Azure Console for an individual subscription, follow these steps.
- In the Azure Console, click Subscriptions > Overview.
- Note the Subscription ID in the Essentials section of the Overview page.
- Click Subscriptions > Access control (IAM).
- On the Access control page, click Add > Add role assignment.
- On the Add role assignment page, enter the details and click Review + assign.
- In the Role and Members tabs, assign the roles below to the app created in Entra ID Application registration. All three roles must be added.

Role                    Assign access to
Reader                  User, group, or service principal
Key Vault Reader        User, group, or service principal
Reader and Data Access  User, group, or service principal
Table. Roles to add when entering role assignment information
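Whichever of the two methods above is used (Tenant Root Group or individual subscription), the result to verify is the same: the app's service principal must hold Reader, Key Vault Reader and Reader and Data Access on every subscription to be diagnosed. The Python below, added here as an example and not code from Samsung Cloud Platform or Microsoft, checks that from role-assignment records shaped like the ObjectId, RoleDefinitionName and Scope fields of Get-AzRoleAssignment output, taking Azure's downward scope inheritance into account, and prints New-AzRoleAssignment commands for whatever is missing. Every ID in it is constructed for the example.

```python
"""Added example (not Samsung Cloud Platform or Microsoft code): verify that a
service principal holds the three roles the page requires on a subscription,
whether assigned directly or inherited from the Tenant Root Group, and produce
New-AzRoleAssignment commands for the missing ones."""

REQUIRED_ROLES = ("Reader", "Key Vault Reader", "Reader and Data Access")

# Constructed identifiers (not real tenants, subscriptions or principals).
SP_OBJECT_ID = "11111111-2222-3333-4444-555555555555"  # Object ID from Enterprise applications
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SUBSCRIPTION_ID = "99999999-8888-7777-6666-555555555555"

# The Tenant Root Group is a management group whose ID is the tenant ID.
TENANT_ROOT_SCOPE = f"/providers/Microsoft.Management/managementGroups/{TENANT_ID}"
SUBSCRIPTION_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"

# Constructed sample: two roles granted at the Tenant Root Group, the third
# granted only to some other principal, so one role is still missing.
SAMPLE_ASSIGNMENTS = [
    {"ObjectId": SP_OBJECT_ID, "RoleDefinitionName": "Reader", "Scope": TENANT_ROOT_SCOPE},
    {"ObjectId": SP_OBJECT_ID, "RoleDefinitionName": "Key Vault Reader", "Scope": TENANT_ROOT_SCOPE},
    {"ObjectId": "00000000-0000-0000-0000-000000000001",
     "RoleDefinitionName": "Reader and Data Access", "Scope": SUBSCRIPTION_SCOPE},
]


def scope_covers(assignment_scope, target_scope, ancestor_scopes=()):
    """True if a role assigned at assignment_scope applies to target_scope.
    Azure RBAC inherits downwards: the root scope "/" covers everything, a
    scope covers every child path beneath it, and a management group covers
    the subscriptions placed under it. That last relationship is not visible
    in the scope strings, so the caller passes the management-group scopes
    above the target (for example from Get-AzManagementGroup) as
    ancestor_scopes; without them a root-group assignment is not counted."""
    a = assignment_scope.rstrip("/") or "/"
    t = target_scope.rstrip("/") or "/"
    if a == "/" or a in ancestor_scopes:
        return True
    return t == a or t.startswith(a + "/")  # path match, not a bare string prefix


def missing_roles(assignments, principal_id, target_scope, ancestor_scopes=(),
                  required=REQUIRED_ROLES):
    """Return the required roles that principal_id does NOT hold on target_scope."""
    held = {
        a["RoleDefinitionName"]
        for a in assignments
        if a["ObjectId"] == principal_id
        and scope_covers(a["Scope"], target_scope, ancestor_scopes)
    }
    return [role for role in required if role not in held]


def remediation_commands(principal_id, target_scope, roles):
    """New-AzRoleAssignment commands (the cmdlet the page itself uses) for each
    missing role, scoped to the target subscription rather than the root group."""
    return [
        f"New-AzRoleAssignment -ObjectId '{principal_id}' -Scope '{target_scope}' "
        f"-RoleDefinitionName '{role}' -ObjectType 'ServicePrincipal'"
        for role in roles
    ]


if __name__ == "__main__":
    # Without the management-group chain the root-group assignments look
    # unrelated to the subscription; with it only one role is reported missing.
    print(missing_roles(SAMPLE_ASSIGNMENTS, SP_OBJECT_ID, SUBSCRIPTION_SCOPE))
    gaps = missing_roles(SAMPLE_ASSIGNMENTS, SP_OBJECT_ID, SUBSCRIPTION_SCOPE, {TENANT_ROOT_SCOPE})
    print(gaps)
    for cmd in remediation_commands(SP_OBJECT_ID, SUBSCRIPTION_SCOPE, gaps):
        print(cmd)
```

Feed it the output of Get-AzRoleAssignment -ObjectId <app object ID> converted to JSON; the scope check is what distinguishes a role that merely exists somewhere in the tenant from one that actually applies to the subscription being diagnosed.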
Adding access permissions via PowerShell
To add subscription access permissions in the Azure Console using PowerShell, follow these steps.
- Run the following command in Cloud Shell > PowerShell of the Azure Console. The Object ID is the service principal's Object ID shown under Enterprise applications, not the Application (client) ID shown under App registrations.

# Assign the Reader role to the app's service principal at the Microsoft.aadiam scope
New-AzRoleAssignment -ObjectId "<App Object ID from Enterprise applications>" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader' -ObjectType 'ServicePrincipal'

- If the command fails, change the setting below.
  - Microsoft Entra ID > Properties > Access management for Azure resources ("<account name> can manage access to all Azure subscriptions and management groups in this tenant"): change to Yes.
  - After adding the permission, change it back to No.
- Run the following command to verify that the assignment exists.

# List the role assignments the service principal holds at that scope
Get-AzRoleAssignment -ObjectId "<App Object ID from Enterprise applications>" -Scope "/providers/Microsoft.aadiam"

- If you need to remove the permission, run the command below.

# Remove the Reader assignment again
Remove-AzRoleAssignment -ObjectId "<App Object ID from Enterprise applications>" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader'