Issue:
When scanning Azure subscriptions, results for the "File Storage," "Queue Service," and/or "Table Service" plugins are shown as "Unknown" with the message:
"Aqua does not have permission to list storage account keys."
Solution:
For Aqua CSPM to scan Storage Accounts in Azure, these three plugins must read the access control lists of each account's file, queue, and table services, and they authenticate to those services with the storage account keys. The service principal used by Aqua therefore needs the "list keys" permission (Microsoft.Storage/storageAccounts/listkeys/action) on the storage accounts in scope. Note that a storage account key is a full-control credential for every service in that account, so grant the permission at the narrowest scope (subscription, resource group, or individual storage accounts) that covers what you want scanned.
Alternative: If you would prefer not to give Aqua access to the storage account keys, suppress the following plugins so they no longer report "Unknown":
- File Service All Access ACL
- Table Service All Access ACL
- Queue Service All Access ACL
Steps:
- Log into Azure and locate the subscription.
- Open the subscription and select "Access control (IAM)."
- Choose the "Role Assignments" tab.
- Click "Add" > "Add role assignment."
- Choose "Storage Account Key Operator Service Role." (This built-in role grants both listkeys/action and regeneratekey/action on every storage account under the assignment scope; if key regeneration is more than you want to delegate, a custom role containing only listkeys/action is sufficient for scanning.)
- Under "Select" search for the application connected to Aqua Cloud (it may be named "aquacspm" or "cloudsploit").
- "Save."
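The same role assignment done with the Azure CLI, as an added example that is not part of this article or of Aqua's tooling. It assumes `az login` has already been run, that the subscription id is passed as the first argument, and that the Aqua service principal is named "aquacspm" or "cloudsploit" (a different display name can be given as the second argument); the custom role name "Aqua CSPM Storage Key Reader" is also an assumption. Commands are only printed unless APPLY=1 is set, so the script can be reviewed before it changes anything:

```shell
#!/bin/sh
# Added example (not Aqua's own code): grant the Aqua CSPM service principal
# permission to list storage account keys, then verify the assignment.
# Assumptions: `az login` done; $1 = subscription id; the service principal
# display name is "aquacspm" or "cloudsploit" unless $2 says otherwise.
set -eu

ROLE_NAME="Storage Account Key Operator Service Role"

# Build an RBAC scope string. Narrower is better: a storage account key is a
# full-control credential for that account, so prefer a resource group or a
# single account over the subscription-wide grant the portal steps produce.
scope_for() {
  local sub="$1" rg="${2:-}" account="${3:-}" s
  s="/subscriptions/$sub"
  if [ -n "$rg" ]; then s="$s/resourceGroups/$rg"; fi
  if [ -n "$account" ]; then s="$s/providers/Microsoft.Storage/storageAccounts/$account"; fi
  printf '%s' "$s"
}

# Least-privilege alternative to the built-in role, which also carries
# Microsoft.Storage/storageAccounts/regeneratekey/action (a scanner never needs
# to rotate keys). Save the output to a file and pass it to
# `az role definition create --role-definition @file.json`. Role name assumed.
listkeys_only_role_json() {
  local sub="$1"
  cat <<EOF
{
  "Name": "Aqua CSPM Storage Key Reader",
  "Description": "List storage account keys only; no key regeneration.",
  "Actions": [ "Microsoft.Storage/storageAccounts/listkeys/action" ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$sub" ]
}
EOF
}

# Print every command; execute it only when APPLY=1 is set in the environment.
run() {
  printf '+ %s\n' "$*" >&2
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Resolve the service principal's object id from its display name. The
# Graph-based CLI returns the object id as "id" (older releases used objectId).
find_sp_object_id() {
  local name oid
  for name in "$@"; do
    oid=$(az ad sp list --display-name "$name" --query '[0].id' -o tsv)
    if [ -n "$oid" ]; then printf '%s' "$oid"; return 0; fi
  done
  return 1
}

main() {
  local sub="$1" scope oid
  shift
  scope=$(scope_for "$sub")
  if [ "$#" -gt 0 ]; then
    oid=$(find_sp_object_id "$@") || { echo "service principal '$*' not found" >&2; exit 1; }
  else
    oid=$(find_sp_object_id aquacspm cloudsploit) || { echo "Aqua service principal not found" >&2; exit 1; }
  fi
  # Same assignment the portal steps make: built-in role, subscription scope.
  run az role assignment create \
      --assignee-object-id "$oid" --assignee-principal-type ServicePrincipal \
      --role "$ROLE_NAME" --scope "$scope"
  # Check: the role should now be listed for this principal at this scope.
  run az role assignment list --assignee "$oid" --scope "$scope" \
      --role "$ROLE_NAME" --query '[].roleDefinitionName' -o tsv
}

# Usage: APPLY=1 sh grant-aqua-listkeys.sh <subscription-id> [sp-display-name]
if [ -n "${1:-}" ]; then main "$@"; fi
```

Run it once without APPLY to see the exact commands and the resolved object id, then rerun with APPLY=1. If the second command prints the role name, the plugins should stop reporting "Unknown" on the next scan; if you opt for the custom role instead, create it from the JSON above and substitute its name for ROLE_NAME.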