Cloud Intelligence

Cloud Intelligence is part of the LeanIX Cloud Native Suite. It discovers Cloud Components from AWS, Azure and GCP automatically and imports these into a LeanIX workspace to help customers increase agility, manage cloud-specific security and governance, and create transparency about cloud spend, especially for multi-cloud environments. The data from the Cloud Intelligence workspace can be aggregated and automatically synchronized into a LeanIX Enterprise Architecture workspace.

Why is there a separate workspace?

The scanned data is typically too granular for Enterprise Architecture use cases. Cloud Intelligence will discover every single Cloud Component, e.g. every single AWS EC2 instance, S3 bucket or Lambda function. This is helpful for use cases like Cloud Security or Cloud Cost Management but irritating for business users who want to understand the high-level architecture. Using two separate but integrated workspaces allows users to access information on the right level.

How does it work?

LeanIX uses Cloudockit as a strategic partner to scan information from the hyperscalers. The following diagram depicts the high-level architecture, which heavily depends on the LeanIX Integration API.

How do I set up the AWS User / Azure Account / GCP Service Account?

Cloudockit programmatically collects information about the cloud environment through the cloud provider's API, so only data for which the Cloudockit account has been granted access can be loaded. This means the account's privileges need to be set up to allow the necessary access. If access to certain resources is lacking (e.g. to Trusted Advisor), that information will not be included in the collected cloud data and hence not in the Cloud Intelligence workspace, but all other data will still be loaded.

Assigning the Necessary Privileges

For the three main providers, these are the known requirements.

Amazon AWS

The setup is described by our partner Cloudockit here:
See https://www.cloudockit.com/documentation/aws-create-user-for-cloudockit/

In addition to the guide above, the following change needs to be applied:

  • Enable access to Trusted Advisor for the user. This is done by creating a new policy from the JSON block below, giving it a name such as LeanIXCloudScanAdvisorPolicyReader and assigning it to the user's group:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "support:DescribeTrustedAdvisorCheckResult",
                "support:DescribeTrustedAdvisorChecks"
            ],
            "Resource": "*"
        }
    ]
}
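Before attaching the policy above, it is worth confirming that it grants nothing beyond the two read-only Trusted Advisor calls the scan needs. The checker below is an added example and not LeanIX or Cloudockit code: it parses the policy document shown above (embedded here as a string), flags wildcard actions, NotAction statements and any action outside the required set, and reports required actions that are missing. The second, overly broad policy is constructed for contrast. The Resource element is not checked because AWS Support API actions do not support resource-level permissions, so "*" is the expected value there.

```python
import json

# Trusted Advisor read policy from the setup step above, embedded as a string so the check runs offline.
TRUSTED_ADVISOR_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "support:DescribeTrustedAdvisorCheckResult",
                "support:DescribeTrustedAdvisorChecks"
            ],
            "Resource": "*"
        }
    ]
}
"""

# Constructed counter-example: a policy someone might attach "to be safe" that grants far more than needed.
OVERLY_BROAD_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "support:*", "Resource": "*"}
    ]
}
"""

# The only two actions the Trusted Advisor scan needs (taken from the policy above).
REQUIRED_ACTIONS = frozenset({
    "support:DescribeTrustedAdvisorCheckResult",
    "support:DescribeTrustedAdvisorChecks",
})


def _as_list(value):
    """IAM allows a single string or a list for Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json, required_actions=REQUIRED_ACTIONS):
    """Return a list of findings; an empty list means the policy grants exactly what the scan needs.

    Resource is deliberately not checked: AWS Support API actions do not support
    resource-level permissions, so "*" is the only meaningful value there.
    """
    document = json.loads(policy_json)
    findings = []
    granted = set()
    for statement in _as_list(document.get("Statement", [])):
        sid = statement.get("Sid", "<no Sid>")
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in statement:
            findings.append(f"{sid}: NotAction grants every action except those listed")
            continue
        for action in _as_list(statement.get("Action", [])):
            granted.add(action)
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action not in required_actions:
                findings.append(f"{sid}: action {action!r} is not needed for the scan")
    missing = sorted(required_actions - granted)
    if missing:
        findings.append(f"required action(s) not granted: {missing}")
    return findings


if __name__ == "__main__":
    print("page policy:", audit_policy(TRUSTED_ADVISOR_POLICY) or "OK, least privilege")
    print("broad policy:", audit_policy(OVERLY_BROAD_POLICY))
```

Run against the page's policy the checker returns no findings; against the broad variant it reports the `support:*` wildcard and the two required actions that are not granted explicitly, which is the point at which a reviewer would send the policy back.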

In the end, the user's configuration should look like this:

Microsoft Azure

See https://www.cloudockit.com/knowledge-base/how-to-create-an-azure-active-directory-application/

Google Cloud Platform (GCP)

To connect GCP data, please follow these steps: https://www.cloudockit.com/knowledge-base/gcp-authentication-guide/

In addition to the guide above, the following changes need to be applied:

  1. Enable the "Cloud Security Command Center" and the "Cloud Security Command Center API"; to do so, search for this API in the GCP Console and click "ENABLE". The Google Security Command Center itself needs to be enabled as well.
  2. To access billing information, GCP has to be set up to store a daily billing report in a GCP bucket under a well-defined name:
Bucket name: "leanix-billing"
Report prefix: "bil"
Format: "CSV"

How can I connect my AWS Account / Azure Subscription / GCP Project?

For basic connectivity information, please refer to the Cloudockit documentation:

For productive usage, we can support two different modes:

  • Cloudockit service hosted by LeanIX. In this case, no action on the customer side is required, but credentials with appropriate roles (e.g. the AWS SecurityAudit policy) need to be configured on the LeanIX side.
  • For larger setups (>20 accounts or subscriptions), LeanIX provides a Cloudockit Scan Agent as a VM. The customer runs the VM, e.g. in EC2, and can efficiently access their accounts without managing credentials for every single environment. Detailed information can be made available on demand.

What data is discovered from the Cloud Environments?

How does the integration to the Enterprise Architecture workspace work?

How are security & compliance violations detected?

There are three major ways to detect violations:

{
    "JsonRule": 
      "{\"condition\":\"AND\",
        \"rules\": [
          {
            \"id\":\"MicrosoftComputes\",
            \"field\":\"MicrosoftComputes\",
            \"type\":\"string\",
            \"operator\":\"cdk_not_contains\",
            \"value\":{
              \"condition\":\"AND\",
              \"rules\":[{
                \"id\":\"ProtectionPolicyResource|Name\",
                \"field\":\"ProtectionPolicyResource|Name\",
                \"type\":\"string\",
                \"operator\":\"is_empty\",
                \"value\":null},       
               {\"id\":\"Vault|Name\",
                \"field\":\"Vault|Name\",
                \"type\":\"string\",
                \"operator\":\"is_empty\",
                \"value\":null}
              ],
              \"valid\":true}}],
         \"valid\":true}",
    "CloudTypes": [
        "Azure"
    ],
    "Name": "CDK-Azure-VM-Disaster-Recovery",
    "Description": "No Disaster Recovery defined on Virtual Machine",
    "Criticity": 0,
    "Message_Hyperlink": "https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replication"
}
  • From a dedicated operational security tool via the Integration API. In our understanding, there are good arguments for combining a tool for security experts with Cloud Intelligence, as they serve different granularities and use cases.
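The rule above stores its detection logic as a second JSON document inside the JsonRule string, which is why it has to be decoded twice before it can be applied to scanned data. The evaluator below is an added example, not Cloudockit's or LeanIX's rule engine: it reproduces the page's rule, decodes the embedded JsonRule and runs it over a constructed Azure inventory. The operator semantics are assumptions made for the example (`cdk_not_contains` holds when no item of the named collection matches the nested group, and the items that do match are the violators; `is_empty` treats null, empty strings and empty containers as empty; `|` separates levels of a nested field path), as is the inventory shape (one list per component type, each item a nested dict).

```python
import json

# Compliance rule from the page, rebuilt as a Python dict. As on the page, "JsonRule" is a
# JSON document stored inside a string, so it has to be decoded a second time before use.
RULE_DOCUMENT = {
    "JsonRule": json.dumps({
        "condition": "AND",
        "rules": [{
            "id": "MicrosoftComputes",
            "field": "MicrosoftComputes",
            "type": "string",
            "operator": "cdk_not_contains",
            "value": {
                "condition": "AND",
                "rules": [
                    {"id": "ProtectionPolicyResource|Name", "field": "ProtectionPolicyResource|Name",
                     "type": "string", "operator": "is_empty", "value": None},
                    {"id": "Vault|Name", "field": "Vault|Name",
                     "type": "string", "operator": "is_empty", "value": None},
                ],
                "valid": True,
            },
        }],
        "valid": True,
    }),
    "CloudTypes": ["Azure"],
    "Name": "CDK-Azure-VM-Disaster-Recovery",
    "Description": "No Disaster Recovery defined on Virtual Machine",
    "Criticity": 0,
    "Message_Hyperlink": "https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replication",
}

# Constructed inventory in the shape the evaluator assumes: one list per component type,
# each item a nested dict. Only vm-web-02 has neither a protection policy nor a vault.
SAMPLE_INVENTORY = {
    "MicrosoftComputes": [
        {"Name": "vm-web-01", "ProtectionPolicyResource": {"Name": "asr-policy-eu"}, "Vault": {"Name": "rsv-eu-west"}},
        {"Name": "vm-web-02", "ProtectionPolicyResource": {"Name": ""}, "Vault": {"Name": None}},
        {"Name": "vm-db-01", "ProtectionPolicyResource": {}, "Vault": {"Name": "rsv-eu-west"}},
    ]
}


def _lookup(item, path):
    """Resolve a 'Parent|Child' field path against nested dicts ('|' as separator is an assumption)."""
    current = item
    for part in path.split("|"):
        if not isinstance(current, dict):
            return None
        current = current.get(part)
    return current


def _evaluate(node, scope, offenders):
    """Evaluate one rule node against `scope`; items matching a cdk_not_contains group are collected."""
    if "condition" in node:  # a group: combine its child results
        results = [_evaluate(child, scope, offenders) for child in node["rules"]]
        if node["condition"] == "AND":
            return all(results)
        if node["condition"] == "OR":
            return any(results)
        raise ValueError(f"unknown condition {node['condition']!r}")

    operator = node["operator"]
    if operator == "is_empty":
        return _lookup(scope, node["field"]) in (None, "", [], {})
    if operator == "cdk_not_contains":
        # Holds when no item of the collection matches the nested group; matching items are the violators.
        items = _lookup(scope, node["field"]) or []
        matched = [item for item in items if _evaluate(node["value"], item, offenders)]
        offenders.extend(matched)
        return not matched
    raise ValueError(f"unsupported operator {operator!r}")


def evaluate_rule(rule_document, inventory):
    """Decode the embedded JsonRule and run it; returns compliance status plus offending item names."""
    inner_rule = json.loads(rule_document["JsonRule"])
    offenders = []
    compliant = _evaluate(inner_rule, inventory, offenders)
    return {
        "rule": rule_document["Name"],
        "description": rule_document["Description"],
        "compliant": compliant,
        "offenders": [item.get("Name") for item in offenders],
    }


def run_sample():
    return evaluate_rule(RULE_DOCUMENT, SAMPLE_INVENTORY)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed inventory the rule is not compliant and names vm-web-02 as the only offender: vm-db-01 has no protection policy but is attached to a vault, so the nested AND does not match it. Keeping the offending items, rather than only the boolean result, is what lets a finding be attached to the specific Cloud Component in the workspace.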

How does Cloud Intelligence help to manage cloud spend?

Cloud Intelligence extracts Cloud Spend information directly from the hyperscalers. Details depend on the available data; e.g. AWS currently does not support extracting cost data on a Cloud Component level, but only on higher levels such as accounts. Cloud Intelligence aggregates cost data and syncs it to the EA workspace so that Enterprise Architects get an indicator for hotspots. Cost data is also presented over time using [LeanIX Metrics](https://docs.leanix.net/docs/metrics), which allows identifying trends.

Can I integrate with other sources, e.g. my private cloud environment?

Yes, all data in Cloud Intelligence is accessible via the Integration API. The data model is also configurable (see Configuration Overview). However, please take into account that the mapping to the EA workspace (see above) may only work if you stick to the default data model. Please contact your Customer Success Manager for guidance.

Is it possible to add more hyperscalers?

If you want to connect to other hyperscalers than the current ones (AWS, Azure and GCP), please get in touch with your Customer Success Manager.
