Cloud Intelligence

Cloud Intelligence is part of the LeanIX Cloud Native Suite. It discovers Cloud Components from AWS, Azure and GCP automatically and imports these into a LeanIX workspace to help customers increase agility, manage cloud-specific security and governance, and create transparency about cloud spend, especially for multi-cloud environments. The data from the Cloud Intelligence workspace can be aggregated and automatically synchronized into a LeanIX Enterprise Architecture workspace.

Why is there a separate workspace?

The scanned data is typically too granular for Enterprise Architecture use cases. Cloud Intelligence will discover every single Cloud Component, e.g. every single AWS EC2 instance, S3 bucket or Lambda function. This is helpful for use cases like Cloud Security or Cloud Cost Management but irritating for business users who want to understand the high-level architecture. Using two separate but integrated workspaces allows users to access information on the right level.

How does it work?

LeanIX uses Cloudockit as a strategic partner to scan information from the hyperscalers. The following diagram depicts the high-level architecture which heavily depends on the LeanIX Integration API.

How do I connect my Cloud Environment?

Cloudockit programmatically collects information about the cloud environment using the cloud provider's API, hence the privileges for the account need to be set up accordingly. If access is lacking to certain resources - e.g. to the Trusted Advisor - this information will not be included in the collected cloud information and hence in the Cloud Intelligence workspace, but the other data will still be load.

For productive usage, we can support two different modes:

  • Cloudockit service hosted by LeanIX. In this case, no action on customer side is required, but credentials with appropriate roles (e.g. AWS SecurityAudit policy) needs to be configured on LeanIX side as documented below)
  • For larger setups (>20 accounts or subscriptions), LeanIX would provide a Cloudockit Scan Agent as VM. The customer runs the VM, e.g. in EC2, and can efficiently access his accounts without managing credentials for every single environment. Detailed information can be made available on demand.

Enter your credentials

First, navigate to the administration settings, then navigate to the "Cloud Native" section of the administration menu:

Settings Located on the Top Right of LeanIX

Settings Located on the Top Right of LeanIX

Third, add the credentials for each account as outlined below.

Once you're done, save the configuration with the button "Overwrite all configurations".

Configuration Properties

The details of the JSON properties are listed below.

Cloud Vendor
Property
Example Value
Details

All

id

12345

Please use the account/subscription/project id (see below under data.SubscriptionId) as the id for the entry, this makes it easier to reference specific configurations

All

name

aws.somename

This is an arbitrary name for the configuration. It is meant to identify different accounts easily, and could e.g. contain the name of the component and or team

All

type

aws | azure | gcp

For AWS accounts, this should be set to “aws”.

AWS

data.AWSAccessKeyId

abc123

This is the Access Key Id for the AWS User

AWS

data.AWSSecretAccessKey

password123

This is the Secret Access Key for the AWS User

Azure

AppClientIdForAutomation

abc123

This is the id of the AAD application

Azure

AppClientKeyForAutomation

abc123

This is the key of the AAD application

Azure

TenantId

abc123

This is the tenant of the AAD application (see https://www.cloudockit.com/whichtenanttouse/)

All

data.SubscriptionID

12345

For AWS, this is the AWS Account Id to scan.

For Azure, this is the subscription Id to scan.

For GCP, this is the GCP Project Id to scan.

Hidden Secret Keys

Please note that there will be no visible access to the keys once the button "Overwrite all configurations" has been consumed. In case of active key management, the key can be replaced, however the replacement will also not be seen after the configurations are overwritten.

AWS - User Setup

The setup is described here: https://www.cloudockit.com/knowledge-base/aws-role-and-keys-access-guide/ and https://www.cloudockit.com/documentation/aws-create-user-for-cloudockit/

As listed there, you need to enable access to the Billing information for the user. This is done by creating a new policy using the JSON block below, giving it a name such as LeanIXCloudScanBillingPolicyReader and assigning it to the user's group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

In addition, you need to enable access to the Trusted Advisor as well using the JSON block below. For the name, use LeanIXCloudScanAdvisorPolicyReader, and assign it to the user's group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "support:DescribeTrustedAdvisorCheckResult",
                "support:DescribeTrustedAdvisorChecks"
            ],
            "Resource": "*"
        }
    ]
}

In the end, the user's configuration should look like this:

AWS - Configuration

{
  "configurations": [
    {
      "id": "12345",
      "name": "aws.somename",
      "type": "aws",
      "data": {
        "AWSAccessKeyId": "ABCD1234",
        "AWSSecretAccessKey": "ENTER THE SECRET ACCESS KEY HERE TO STORE IT ENCRYPTED",
        "SubscriptionID": "12345"
      },
      "active": true
    }
  ]
}

Azure - Account Setup

For basic connectivity information, please refer to the Cloudockit documentation:
https://www.cloudockit.com/knowledge-base/connect-your-azure-subscription/ and https://www.cloudockit.com/knowledge-base/how-to-create-an-azure-active-directory-application/

Reader.permissions are sufficient - see https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader

Azure - Configuration

{
  "configurations": [
    {
      "id": "1234-5678-4321-1122-22334455",
      "name": "azure.somename",
      "type": "azure",
      "data": {
        "AppClientIdForAutomation": "9988-7766-5544-3322-11223344",
        "AppClientKeyForAutomation": "ENTER THE APP CLIENT KEY HERE",
        "TenantID": "1111-2222-3333-4444-5555666",
        "SubscriptionID": "1234-5678-4321-1122-22334455"
      },
      "active": true
    }
  ]
}

GCP - Service Account Setup

To connect GCP data, please follow these steps: https://www.cloudockit.com/knowledge-base/gcp-authentication-guide/

In addition to the guide above, the following changes need to be applied:

  1. Enable the “Cloud Security Command Center“ and "Cloud Security Command Center API“; to do so, just search for this API in the GCP Console and „ENABLE“ it. The Google Security Command Center itself needs to be enabled as well.
  1. To access billing information, GCP has to be set up to store a daily report with the billing information to a GCP Bucket under a well-defined name:
Bucket name: "leanix-billing"
Report prefix: "bil"
Format: "CSV"

What data is discovered from the Cloud Environments?

See https://dev.leanix.net/docs/data-model#section-cloud-intelligence-data-model

How does the integration to the Enterprise Architecture workspace work?

How are security & compliance violations detected?

There are three major ways to detect violations:

{
    "JsonRule": 
      "{\"condition\":\"AND\",
        \"rules\": [
          {
            \"id\":\"MicrosoftComputes\",
            \"field\":\"MicrosoftComputes\",
            \"type\":\"string\",
            \"operator\":\"cdk_not_contains\",
            \"value\":{
              \"condition\":\"AND\",
              \"rules\":[{
                \"id\":\"ProtectionPolicyResource|Name\",
                \"field\":\"ProtectionPolicyResource|Name\",
                \"type\":\"string\",
                \"operator\":\"is_empty\",
                \"value\":null},       
               {\"id\":\"Vault|Name\",
                \"field\":\"Vault|Name\",
                \"type\":\"string\",
                \"operator\":\"is_empty\",
                \"value\":null}
              ],
              \"valid\":true}}],
         \"valid\":true}",
    "CloudTypes": [
        "Azure"
    ],
    "Name": "CDK-Azure-VM-Disaster-Recovery",
		"Description": "No Disaster Recovery defined on Virtual Machine",
    "Criticity": 0,
    "Message_Hyperlink": "https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replication"
}
  • From a dedicated operative security tool via the Integration API. In our understanding, there are good arguments to combine a tool for security experts with Cloud Intelligence, as there are different granularities and use cases.

How does Cloud Intelligence helps to manage cloud spend?

Cloud Intelligence extract Cloud Spend information directly from the hyperscalers. Details depend on the available data, e.g. AWS does currently not supported to extract data on a Cloud Component level, but only on higher levels like accounts. Cloud Intelligence aggregates cost data and syncs it to the EA workspace so that Enterprise Architects can get an indicator for hotspots. Cost data is also presented over time using (LeanIX Metrics)[https://docs.leanix.net/docs/metrics] which allows identifying trends.

Can I integrate with other sources, e.g. my private cloud environment?

Yes, all the data in Cloud Intelligence is accessible via the Integration API. Also, the data model is configurable - see Configuration Overview. However, please take into account that the mapping to the EA workspace (see above) might only work if you stick to the default data model. Please contact your Customer Success Manager for guidance.

Is it possible to add more hyperscalers?

If you want to connect to other hyperscalers than the current ones (AWS, Azure and GCP), please get in touch with your Customer Success Manager.

Updated 8 days ago


Cloud Intelligence


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.