Registering public and private cloud accounts for Cloud Workload Security in ePolicy Orchestrator
Technical Articles ID: KB90932
Last Modified: 10/13/2021
Environment
McAfee Cloud Workload Discovery (CWD) 4.x
McAfee Cloud Workload Security (CWS) 5.x
Microsoft PowerShell
Linux Shell
Summary
This article provides guidance for registering private and public cloud accounts for CWD and CWS in ePolicy Orchestrator (ePO). To register cloud accounts on CWS, run the PowerShell script on Windows or the shell script on Linux.
Solution 1
For Windows instances:
IMPORTANT: Make sure that Windows PowerShell is installed on the Windows instance.
- Download the required attached script and copy it into any directory that is accessible.
NOTE: Make sure that you download the correct script according to the operating system – Shell script for Linux instances and PowerShell script for Windows instances.
- Open the PowerShell as administrator.
- Navigate to the directory where the downloaded script is stored:
cd "<Path to directory containing the downloaded script>"
- Set the parameters according to the samples provided. In the sample files, M marks a mandatory field and a question mark (?) marks an optional field:
- EpoCredentials.csv – ePO credentials file
- AccountDetails.csv – account parameters file
- SubAccountDetails.csv (optional) – subaccount parameters file
NOTE: Unknown or irrelevant fields for different vendors must be filled with a question mark (?) character in the .csv file.
- To enable script execution, in the PowerShell terminal, type the following command, and then press Enter. Add -Scope Process if you want the change to apply only to the current PowerShell session. Because the script was downloaded, it may carry the "downloaded from the internet" mark, and RemoteSigned blocks unsigned scripts that carry it; if the script refuses to run for that reason, run Unblock-File on it first.
Set-ExecutionPolicy RemoteSigned
- To register accounts in the PowerShell terminal, type the following command, and then press Enter.
- Account Registration:
.\AccountRegistration.ps1 -add .\AccountDetails.csv -credentials .\EpoCredentials.csv
- Subaccount Registration for AWS:
.\AccountRegistration.ps1 -add .\AccountDetails.csv -credentials .\EpoCredentials.csv -subaccounts .\SubAccountDetails.csv
NOTE: If you want the script to register only subaccounts and not main accounts, leave the AccountDetails.csv file unchanged.
- While the script is executing, check for error messages, success messages, or exceptions in the console.
The script execution generates two log files:
- CloudAccountRegistrationConsole.log – contains console outputs
- CloudAccountRegistrationScript.log – contains a verbose log
Solution 2
For Linux instances:
IMPORTANT: Make sure that the user can execute shell scripts.
- Download the required attached script and copy it into any directory that is accessible.
NOTE: Make sure that you download the correct script according to the operating system – Shell script for Linux instances and PowerShell script for Windows instances.
- Open the terminal.
- Navigate to the directory where the downloaded script is stored, as shown below:
cd "<Path to directory containing the downloaded script>"
- Set the parameters according to the samples provided. In the sample files, M marks a mandatory field and a question mark (?) marks an optional field:
- EpoCredentials.csv – ePO credentials file
- AccountDetails.csv – account parameters file
- SubAccountDetails.csv (optional) – subaccount parameters file
NOTE: Unknown or irrelevant fields for different vendors must be filled with a question mark (?) character in the .csv file.
- To make the script executable, in the terminal, type the following command, and then press Enter.
chmod +x ./AccountRegistration.sh
- Refresh the package index, then install the jq package (a JSON processor the script depends on). In the terminal, type the following commands, and then press Enter after each. Enter your password if prompted. On distributions that do not use apt-get, install jq with the distribution's own package manager.
sudo apt-get update
sudo apt-get install jq
- To register accounts, in the terminal, type the following command, and then press Enter.
- Account Registration:
./AccountRegistration.sh -add ./AccountDetails.csv -credentials ./EpoCredentials.csv
- Subaccount Registration for AWS:
./AccountRegistration.sh -add ./AccountDetails.csv -credentials ./EpoCredentials.csv -subaccounts ./SubAccountDetails.csv
NOTE: If you want the script to register only subaccounts and not main accounts, leave the AccountDetails.csv file unchanged.
- While the script runs, check the terminal for error messages, success messages, or exceptions.
The script execution generates two log files:
- CloudAccountRegistrationConsole.log – contains console outputs
- CloudAccountRegistrationScript.log – contains a verbose log
Solution 3
CWS 5.3.1 and later (post-installation task)
You can register multiple Microsoft Azure accounts with ePO so that ePO can communicate with the Microsoft Azure cloud.
Before you begin, make sure that the following conditions are met:
- Your Microsoft Azure account and its details are ready.
- You have created an application in the Microsoft Azure console.
- You have the client ID and tenant ID from the Microsoft Azure console after creating the application.
- You have configured the Client key for your application.
- You have set the delegated permissions for your application.
- You have assigned the newly created application to a role and to your Microsoft Azure cloud account subscription.
- You have downloaded the CSV template (contained in the attached AzureAccounts_Bulk.zip) from this article and filled in all mandatory fields.
- You have installed the Cloud Workload Security extension on ePO.
- Your ePO system date and time are synchronized with the current date and time.
To register multiple Microsoft Azure Accounts:
- Log on to the ePO server as an administrator.
- Click Menu, Systems, Cloud Workload Security. The Cloud Workload Security page opens.
- From the Accounts pane, click Add Account. The Registered Cloud Account pane opens.
- Select Microsoft Azure from the drop-down list.
- To register one or more Microsoft Azure accounts:
- Select the Upload the CSV file option.
- Select the CSV file that you want to upload.
- Click Upload.
The CSV file contains the following Microsoft Azure account parameters:
Parameter | Description | Mandatory/Optional
AccountNameParam | The name of the Microsoft Azure account. Account names can include the characters a–z, A–Z, 0–9, and [_.-], without spaces. | Mandatory
accessKeyIDParam | The access key of the Microsoft Azure account. | Mandatory
subscriptionIdParam | The subscription ID of the Microsoft Azure account. | Mandatory
secretKeyParam | The secret key of the Microsoft Azure account. | Mandatory
tagsParam | The ePO tag to apply to the VMs discovered for the Microsoft Azure account. The tag name can include the characters a–z, A–Z, 0–9, and [_.-], without spaces. NOTE: You can't specify multiple tag names. | Optional
isGovCloudRegion | Specify whether the cloud accounts belong to the Microsoft Azure GovCloud (US) region. | Optional
isEnableVpcFlowlog | Specify whether to enable Virtual Private Cloud (VPC) flow logs for the VMs discovered for the Microsoft Azure account. | Optional
syncIntervalMinsAttr | The interval, in minutes, at which ePO synchronizes with the Microsoft Azure account. The minimum value is 5 and the maximum value is 60. | Optional
Vendor | The name of the vendor. For Microsoft Azure the vendor name is azure.vendor. | Optional
AutoDeployMA | Specify whether to deploy McAfee Agent automatically. Valid values are 0, 1, and 2. | Optional
generalPolicy | The name of the general assessment rule. | Optional
isPolicyChanged | Specify whether to change the policies assigned to the VMs associated with this cloud account. Valid values are TRUE and FALSE. | Optional
winDomain | The Windows domain of the credentials used to deploy McAfee Agent. | Optional
winUsername | The user name used to deploy McAfee Agent. | Optional
winPassword | The password used to deploy McAfee Agent. | Optional
endpointURL | The endpoint URL used to deploy McAfee Agent. | Optional
TenantID | The tenant ID of the Microsoft Azure account. | Mandatory
ClientID | The client ID of the Microsoft Azure account. | Mandatory
changeSecretKeyParam | Specify whether to change the secret key. Valid values are TRUE and FALSE. | Optional
changeWinLoginPw | Specify whether to change the Windows logon password. Valid values are TRUE and FALSE. | Optional
cardBasedUI | Specify whether to use the cloud-based user interface. Valid values are TRUE and FALSE. | Optional
cloudTags | List of the user-defined Microsoft Azure tags assigned to your workloads. | Optional
Because the secretKeyParam and winPassword columns hold credentials in clear text, restrict read access to the CSV file to the account that prepares it and remove the file after the upload succeeds.
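The CSV files in all three solutions carry credentials: EpoCredentials.csv in Solutions 1 and 2 holds the ePO logon, and the Azure CSV above holds the secret key and the Windows password. Two checks are therefore worth running before any registration: that the file is not readable by other users on the host, and that each row satisfies the field rules in the table (mandatory columns present and not left as "?", the account-name and tag character set, the 5 to 60 minute sync interval, the 0/1/2 AutoDeployMA values, the TRUE/FALSE flags, and Vendor set to azure.vendor). The following bash script is an added example, not McAfee's registration script or the attached template. The column names and value rules are taken from the table above; the sample CSV it writes is constructed with placeholder values, the permission check function is mine, and it assumes plain comma-separated fields with no quoted commas.

```shell
#!/usr/bin/env bash
# Added example (not McAfee's script): pre-flight checks for a CWS bulk-account CSV.
# Column names and value rules come from the Azure parameter table above.
# Assumption: plain comma-separated fields with no quoted commas.

# Mandatory columns per the table above.
MANDATORY="AccountNameParam accessKeyIDParam subscriptionIdParam secretKeyParam TenantID ClientID"

# check_secret_file_mode FILE: returns 0 if only the owner can read FILE, 1 otherwise.
# Applies equally to EpoCredentials.csv and to the Azure CSV; both hold secrets.
check_secret_file_mode() {
  f=$1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD stat
  case "$mode" in
    [0-7]00) return 0 ;;
    *) echo "WARN: $f is mode $mode but holds credentials; run: chmod 600 $f" >&2; return 1 ;;
  esac
}

# validate_azure_csv FILE: prints one line per rule violation (nothing if the file is clean).
# "?" marks an unknown/irrelevant field: skipped in optional columns, a violation in mandatory ones.
validate_azure_csv() {
  awk -F',' -v mandatory="$MANDATORY" '
    function trim(s)  { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function field(c) { return (c in col) ? trim($(col[c])) : "" }
    function isset(v) { return (v != "" && v != "?") }
    function bad(msg) { printf "line %d: %s\n", NR, msg }
    NR == 1 {                                   # header: map column name -> index
      for (i = 1; i <= NF; i++) col[trim($i)] = i
      n = split(mandatory, m, " ")
      for (i = 1; i <= n; i++) if (!(m[i] in col)) printf "header: missing mandatory column %s\n", m[i]
      next
    }
    trim($0) == "" { next }                     # skip blank lines
    {
      for (i = 1; i <= n; i++) if (!isset(field(m[i]))) bad(m[i] " is mandatory but is empty or \"?\"")
      v = field("AccountNameParam"); if (isset(v) && v !~ /^[A-Za-z0-9_.-]+$/) bad("AccountNameParam \"" v "\" may only use a-z A-Z 0-9 _ . - and no spaces")
      v = field("tagsParam");        if (isset(v) && v !~ /^[A-Za-z0-9_.-]+$/) bad("tagsParam \"" v "\" may only use a-z A-Z 0-9 _ . - and no spaces")
      v = field("syncIntervalMinsAttr")
      if (isset(v) && (v !~ /^[0-9]+$/ || v + 0 < 5 || v + 0 > 60)) bad("syncIntervalMinsAttr " v " is outside 5..60 minutes")
      v = field("AutoDeployMA"); if (isset(v) && v !~ /^[012]$/) bad("AutoDeployMA must be 0, 1 or 2, got \"" v "\"")
      v = field("Vendor");       if (isset(v) && v != "azure.vendor") bad("Vendor must be azure.vendor, got \"" v "\"")
      nb = split("isPolicyChanged changeSecretKeyParam changeWinLoginPw cardBasedUI", b, " ")
      for (i = 1; i <= nb; i++) { v = field(b[i]); if (isset(v) && v != "TRUE" && v != "FALSE") bad(b[i] " must be TRUE or FALSE, got \"" v "\"") }
    }' "$1"
}

# azure_csv_problem_count FILE: number of violations reported by validate_azure_csv.
azure_csv_problem_count() { validate_azure_csv "$1" | wc -l | tr -d ' '; }

# write_sample_azure_csv FILE: a constructed sample with placeholder (not real) values.
# Line 2 is clean; line 3 has a bad name and an out-of-range sync interval; line 4 leaves
# the mandatory secret as "?" and misuses Vendor, AutoDeployMA and isPolicyChanged.
write_sample_azure_csv() {
  cat > "$1" <<'EOF'
AccountNameParam,accessKeyIDParam,subscriptionIdParam,secretKeyParam,tagsParam,syncIntervalMinsAttr,Vendor,AutoDeployMA,isPolicyChanged,TenantID,ClientID
prod-sub-01,EXAMPLE-ACCESS-KEY,00000000-0000-0000-0000-000000000001,EXAMPLE-SECRET,CWS_Azure,15,azure.vendor,0,FALSE,00000000-0000-0000-0000-0000000000aa,00000000-0000-0000-0000-0000000000bb
bad name,EXAMPLE-ACCESS-KEY,00000000-0000-0000-0000-000000000002,EXAMPLE-SECRET,CWS_Azure,120,azure.vendor,1,TRUE,00000000-0000-0000-0000-0000000000aa,00000000-0000-0000-0000-0000000000bb
dev-sub-02,EXAMPLE-ACCESS-KEY,00000000-0000-0000-0000-000000000003,?,?,?,aws.vendor,3,maybe,00000000-0000-0000-0000-0000000000aa,00000000-0000-0000-0000-0000000000bb
EOF
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_azure_csv "$sample"
chmod 600 "$sample"                  # owner-only, because the file carries secret keys
check_secret_file_mode "$sample" || true
validate_azure_csv "$sample"
echo "violations: $(azure_csv_problem_count "$sample")"
rm -f "$sample"
```

Run it against your own file with `validate_azure_csv path/to/AzureAccounts.csv` after sourcing the script; an empty output means every row passed the rules above. The same `check_secret_file_mode` check is worth running on EpoCredentials.csv before invoking AccountRegistration.sh, and on the two log files afterwards, since the verbose log may echo what the script read.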