Enable or disable the controller after onboarding is complete

This article describes how to enable or disable the controller in Microsoft Azure and Google Cloud Platform (GCP) after onboarding is complete.

This article also describes how to enable the controller in Amazon Web Services (AWS) if you disabled it during onboarding. You can only enable the controller in AWS at this time; you can't disable it.

Enable the controller in AWS

Note

You can only enable the controller in AWS; you can't disable it at this time.

  1. Sign in to the AWS console of the member account in a separate browser window.

  2. Go to the Permissions Management home page, select Settings (the gear icon), and then select the Data Collectors subtab.

  3. On the Data Collectors dashboard, select AWS, and then select Create Configuration.

  4. On the Permissions Management Onboarding - AWS Member Account Details page, select Launch Template.

    The AWS CloudFormation create stack page opens, displaying the template.

  5. In the CloudTrailBucketName box, enter a name.

    You can copy and paste the CloudTrailBucketName name from the Trails page in AWS.

    Note

    A cloud bucket collects all the activity in a single account that Permissions Management monitors. Enter the name of a cloud bucket here to provide Permissions Management with the access required to collect activity data.

  6. In the EnableController box, from the drop-down list, select True to provide Permissions Management with read and write access so that any remediation you want to do from the Permissions Management platform can be done automatically.

  7. Scroll to the bottom of the page, and in the Capabilities box, select I acknowledge that AWS CloudFormation might create IAM resources with custom names. Then select Create stack.

    This AWS CloudFormation stack creates a collection role in the member account with necessary permissions (policies) for data collection. A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the Resources tab of your CloudFormation stack.

  8. Return to Permissions Management, and on the Permissions Management Onboarding - AWS Member Account Details page, select Next.

  9. On the Permissions Management Onboarding – Summary page, review the information you've added, and then select Verify Now & Save.

    The following message appears: Successfully created configuration.
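After the stack is created, it is worth confirming two things the steps above rely on: that the EnableController parameter actually landed as True (read/write) rather than read-only, and that the collection role's trust policy admits only the OIDC-account role from onboarding. The following added check, which is not part of this article or the Permissions Management product, parses the JSON that `aws cloudformation describe-stacks` and `aws iam get-role` return; the stack name, account id and role names are placeholders and the sample documents are constructed.

```python
import json

# Constructed sample of `aws cloudformation describe-stacks` output for the
# stack launched in step 4; the stack name is a placeholder.
DESCRIBE_STACKS = json.loads("""
{"Stacks": [{"StackName": "PLACEHOLDER-pm-member-stack", "Parameters": [
  {"ParameterKey": "CloudTrailBucketName", "ParameterValue": "example-cloudtrail-bucket"},
  {"ParameterKey": "EnableController", "ParameterValue": "True"}]}]}
""")

# Constructed sample of `aws iam get-role` output for the collection role the
# stack creates; account id, role names and the OIDC role ARN are placeholders.
GET_ROLE = json.loads("""
{"Role": {"RoleName": "PLACEHOLDER-collection-role", "AssumeRolePolicyDocument": {
  "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::111111111111:role/PLACEHOLDER-oidc-role"}}]}}}
""")

def stack_parameters(describe_stacks, stack_name):
    """Template parameters of the named stack, as a {key: value} dict."""
    for stack in describe_stacks["Stacks"]:
        if stack["StackName"] == stack_name:
            return {p["ParameterKey"]: p["ParameterValue"] for p in stack["Parameters"]}
    raise KeyError(f"stack not found: {stack_name}")

def controller_enabled(params):
    """EnableController=True grants read/write (remediation) access; anything else is read-only."""
    return params.get("EnableController", "False").strip().lower() == "true"

def trusted_principals(get_role):
    """Every principal an Allow statement lets assume the collection role."""
    principals = []
    for stmt in get_role["Role"]["AssumeRolePolicyDocument"]["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        principals.extend([aws] if isinstance(aws, str) else aws)
    return principals

def trust_is_scoped(get_role, expected_oidc_role_arn):
    """True only when the single trusted principal is the OIDC-account role from onboarding."""
    return trusted_principals(get_role) == [expected_oidc_role_arn]
```

Run it against the live output of the two CLI commands for your own stack and role; a trust policy that lists anything beyond the expected OIDC role, or a wildcard principal, should be treated as a finding.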

Enable or disable the controller in Azure

  1. In Azure, open the Access control (IAM) page.

  2. In the Check access section, in the Find box, enter Cloud Infrastructure Entitlement Management.

    The Cloud Infrastructure Entitlement Management assignments page appears, displaying the roles assigned to you.

    • If you have read-only permission, the Role column displays Reader.
    • If you have administrative permission, the Role column displays User Access Administrator.

  3. To add the administrative role assignment, return to the Access control (IAM) page, and then select Add role assignment.

  4. Add or remove the role assignment for Cloud Infrastructure Entitlement Management.

  5. Go to the Permissions Management home page, select Settings (the gear icon), and then select the Data Collectors subtab.

  6. On the Data Collectors dashboard, select Azure, and then select Create Configuration.

  7. On the Permissions Management Onboarding - Azure Subscription Details page, enter the Subscription ID, and then select Next.

  8. On the Permissions Management Onboarding – Summary page, review the controller permissions, and then select Verify Now & Save.

    The following message appears: Successfully Created Configuration.
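The Role column in step 2 is the quickest way to tell whether the controller is on, but it only shows assignments visible on the page you opened. The following added example, which is not part of this article, reproduces that check from `az role assignment list --all` output and also applies the scope rule the portal applies for you: an assignment made on a resource group does not enable the controller for the subscription. The subscription id, resource group and user in the sample are placeholders, and management-group assignments are assumed to be ancestors of the subscription.

```python
import json

CIEM_APP = "Cloud Infrastructure Entitlement Management"
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed sample of `az role assignment list --all` output; the subscription
# id, the resource group and the user are placeholders.
ROLE_ASSIGNMENTS = json.loads("""
[{"principalName": "Cloud Infrastructure Entitlement Management", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Reader", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "Cloud Infrastructure Entitlement Management", "principalType": "ServicePrincipal",
  "roleDefinitionName": "User Access Administrator",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
 {"principalName": "alice@example.com", "principalType": "User",
  "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}]
""")

def covers_subscription(scope, subscription_scope):
    """An assignment applies subscription-wide when made at the subscription itself, at the
    root scope, or at a management group (assumed to be an ancestor of the subscription);
    one made on a resource group or a single resource does not."""
    scope, sub = scope.rstrip("/"), subscription_scope.rstrip("/")
    return scope in ("", sub) or scope.startswith(MG_PREFIX)

def ciem_roles(assignments, subscription_scope):
    """Role names the CIEM service principal holds across the whole subscription."""
    return {a["roleDefinitionName"] for a in assignments
            if a.get("principalName") == CIEM_APP
            and a.get("principalType") == "ServicePrincipal"
            and covers_subscription(a["scope"], subscription_scope)}

def controller_state(assignments, subscription_scope):
    """Mirror the Role column from step 2: User Access Administrator means the controller
    is enabled (read/write); Reader alone means read-only."""
    roles = ciem_roles(assignments, subscription_scope)
    if "User Access Administrator" in roles:
        return "controller enabled"
    if "Reader" in roles:
        return "read-only"
    return "not assigned"
```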

Enable or disable the controller in GCP

  1. Execute gcloud auth login.

  2. Follow the instructions displayed on the screen to authorize access to your Google account.

  3. Execute sh mciem-workload-identity-pool.sh to create the workload identity pool, provider, and service account.

  4. Execute sh mciem-member-projects.sh to give Permissions Management permissions to access each of the member projects.

    • If you want to manage permissions through Permissions Management, select Y to Enable controller.
    • If you want to onboard your projects in read-only mode, select N to Disable controller.

  5. Optionally, execute mciem-enable-gcp-api.sh to enable all recommended GCP APIs.

  6. Go to the Permissions Management home page, select Settings (the gear icon), and then select the Data Collectors subtab.

  7. On the Data Collectors dashboard, select GCP, and then select Create Configuration.

  8. On the Permissions Management Onboarding - Azure AD OIDC App Creation page, select Next.

  9. On the Permissions Management Onboarding - GCP OIDC Account Details & IDP Access page, enter the OIDC Project Number and OIDC Project ID, and then select Next.

  10. On the Permissions Management Onboarding - GCP Project IDs page, enter the Project IDs, and then select Next.

  11. On the Permissions Management Onboarding – Summary page, review the information you've added, and then select Verify Now & Save.

    The following message appears: Successfully Created Configuration.

Next steps