Cloud Security
Integration setup guides for cloud security platforms (AWS, Azure, GCP).
Connect your cloud platforms to Zaun so Ember can monitor for configuration drift and data exposure, and pull the findings and logs it needs for incident response.
AWS
Services: Security Hub, GuardDuty, CloudTrail - single credential set | Auth: AWS SigV4
Required Credentials
| Field | Description |
|---|---|
| Access Key ID | IAM user access key |
| Secret Access Key | IAM user secret key |
| AWS Account ID | 12-digit account ID |
| Primary Region | e.g. us-east-1 |
| Security Tooling Role ARN | Delegated admin role to assume |
| External ID (recommended) | Prevents confused deputy attacks |
| Execution Role Name | Role in member accounts (default: Zaun-SOAR-Execution-ReadOnly) |
Services Covered by These Credentials
| Service | Required IAM Actions |
|---|---|
| Security Hub | securityhub:GetFindings, securityhub:ListFindings, securityhub:GetInsights, securityhub:DescribeHub, securityhub:BatchUpdateFindings |
| GuardDuty | guardduty:ListDetectors, guardduty:GetDetector, guardduty:ListFindings, guardduty:GetFindings, guardduty:ListMembers |
| STS | sts:AssumeRole (for cross-account) |
The AWS managed policies AWSSecurityHubReadOnlyAccess and AmazonGuardDutyReadOnlyAccess cover the read-only actions above. securityhub:BatchUpdateFindings is a write action and is not part of either managed policy: grant it separately only if Zaun should update finding workflow status, and omit it for a strictly read-only role.
Cross-Account Architecture
IAM User (your account)
> assumes Security Tooling Role (delegated admin)
> assumes Execution Role (each member account)
> calls Security Hub / GuardDuty APIs
Setup Steps
- Create an IAM user with programmatic access in your security tooling account.
- Create the Security Tooling Role with a trust policy allowing the IAM user to assume it. Include an External ID condition (sts:ExternalId) and use the same value you enter in Zaun.
- In each member account, create an Execution Role (e.g. Zaun-SOAR-Execution-ReadOnly) with Security Hub + GuardDuty read permissions. The role name must be identical in every member account and must match the Execution Role Name configured in Zaun.
- The Execution Role trust policy should allow the Security Tooling Role to assume it.
- Paste credentials and role ARNs into Zaun.
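The policy documents and role chain the steps above describe, as an added example (not Zaun's own code). It emits the Security Tooling Role trust policy with the External ID condition, the Execution Role trust and permissions policies, and walks IAM user -> Security Tooling Role -> Execution Role. The STS client is injected so the chain runs offline against the constructed FakeSTS; with boto3 installed, pass make_boto_sts instead. Every ARN, account ID, key and External ID below is made up.

```python
"""AWS cross-account role chain for the Zaun integration (added example)."""
import json

READ_ACTIONS = [
    "securityhub:GetFindings", "securityhub:ListFindings",
    "securityhub:GetInsights", "securityhub:DescribeHub",
    "guardduty:ListDetectors", "guardduty:GetDetector",
    "guardduty:ListFindings", "guardduty:GetFindings", "guardduty:ListMembers",
]


def tooling_role_trust_policy(iam_user_arn, external_id):
    """Security Tooling Role trust policy: only the Zaun IAM user, and only
    when it presents the agreed External ID (confused-deputy guard)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": iam_user_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def execution_role_trust_policy(tooling_role_arn):
    """Member-account Execution Role trust policy: trusts the tooling role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": tooling_role_arn},
        "Action": "sts:AssumeRole"}]}


def execution_role_policy():
    """Permissions policy for the Execution Role: read-only actions only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": READ_ACTIONS, "Resource": "*"}]}


def requires_external_id(trust_policy):
    """True if every Allow statement is conditioned on sts:ExternalId.
    Run this on the tooling role's trust policy before deploying it."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            return False
    return True


def assume_role_chain(sts_factory, user_creds, tooling_role_arn, external_id,
                      member_account_id, execution_role_name):
    """Hop 1: the IAM user assumes the Security Tooling Role with the External
    ID. Hop 2: that session assumes the Execution Role in the member account
    (no External ID: the Execution Role trusts the tooling role ARN itself).
    Returns (execution role ARN, temporary credentials for that account)."""
    user_sts = sts_factory(*user_creds)
    hop1 = user_sts.assume_role(RoleArn=tooling_role_arn, RoleSessionName="zaun-tooling",
                                ExternalId=external_id)["Credentials"]
    tooling_sts = sts_factory(hop1["AccessKeyId"], hop1["SecretAccessKey"], hop1["SessionToken"])
    exec_arn = f"arn:aws:iam::{member_account_id}:role/{execution_role_name}"
    hop2 = tooling_sts.assume_role(RoleArn=exec_arn, RoleSessionName="zaun-member")["Credentials"]
    return exec_arn, hop2


def make_boto_sts(access_key, secret_key, session_token=None):
    """Real STS factory for boto3 (imported lazily so the example runs without it)."""
    import boto3
    return boto3.client("sts", aws_access_key_id=access_key,
                        aws_secret_access_key=secret_key, aws_session_token=session_token)


class FakeSTS:
    """Constructed stand-in for boto3's STS client that enforces the two trust
    policies above, so the chain and its failure modes run offline."""
    TOOLING_ARN = "arn:aws:iam::111111111111:role/Zaun-SecurityTooling"  # made up
    EXTERNAL_ID = "zaun-ext-7c1d9e2b"      # made up; Zaun shows the real one
    TOOLING_KEY = "ASIA_TOOLING_SESSION"  # fake temporary key issued on hop 1

    def __init__(self, access_key, secret_key, session_token=None):
        self.caller_key = access_key

    def assume_role(self, RoleArn, RoleSessionName, ExternalId=None):
        if RoleArn == self.TOOLING_ARN:
            if ExternalId != self.EXTERNAL_ID:
                raise PermissionError("AccessDenied: sts:ExternalId condition failed")
            key = self.TOOLING_KEY
        elif self.caller_key == self.TOOLING_KEY:
            key = "ASIA_MEMBER_SESSION"
        else:  # the Execution Role trusts only the tooling role's session
            raise PermissionError("AccessDenied: caller is not trusted by the execution role")
        return {"Credentials": {"AccessKeyId": key, "SecretAccessKey": "fake",
                                "SessionToken": "fake-token"}}


if __name__ == "__main__":
    user = ("AKIAFAKEUSERKEY", "fake-secret", None)  # made-up IAM user keys
    print(json.dumps(tooling_role_trust_policy("arn:aws:iam::111111111111:user/zaun",
                                               FakeSTS.EXTERNAL_ID), indent=2))
    arn, creds = assume_role_chain(FakeSTS, user, FakeSTS.TOOLING_ARN, FakeSTS.EXTERNAL_ID,
                                   "222222222222", "Zaun-SOAR-Execution-ReadOnly")
    print("member session for", arn, "->", creds["AccessKeyId"])
    try:
        assume_role_chain(FakeSTS, user, FakeSTS.TOOLING_ARN, "wrong-id",
                          "222222222222", "Zaun-SOAR-Execution-ReadOnly")
    except PermissionError as err:
        print("hop 1 rejected without the right External ID:", err)
```

The External ID sits only on the first hop: it protects the tooling role, which is the one a third party (Zaun) is allowed to assume. The second hop is account-to-account inside your organization, so its trust policy pins the tooling role ARN instead.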
Microsoft Azure
Services: Azure Monitor & Microsoft Sentinel - single app registration | Auth: OAuth2
Required Credentials
| Field | Description | Where to Find |
|---|---|---|
| Tenant ID | Azure AD directory identifier | Entra ID > Overview |
| Client ID | Application (client) ID | App Registration > Overview |
| Client Secret | Secret for the app | Certificates & secrets |
| Subscription ID | Azure subscription | Subscriptions blade |
| Resource Group | RG containing Sentinel workspace | Resource Groups blade |
| Workspace Name | Log Analytics workspace | Log Analytics workspaces |
Services & Required RBAC Roles
| Service | Azure Role | Purpose |
|---|---|---|
| Azure Monitor | Monitoring Reader | Metrics, activity logs, diagnostics |
| Log Analytics | Log Analytics Reader | KQL queries against workspace |
| Microsoft Sentinel | Microsoft Sentinel Responder | View data + manage incidents |
Also add the Microsoft Graph application permission SecurityEvents.Read.All (Application, not Delegated) and grant admin consent; without consent the role will not appear in the app's token and Graph calls will fail.
Setup Steps
- Register an app in Entra ID (can reuse your Defender registration). Copy Client ID and Tenant ID.
- Create a Client Secret. Copy the Value immediately.
- Navigate to the Resource Group > Access control (IAM) > add the role assignments above to the app's service principal.
- Add the Graph permission and grant admin consent.
- Paste all credentials into Zaun.
Assign Microsoft Sentinel Reader instead of Microsoft Sentinel Responder if Zaun should only read incidents and never change their status or assignment.
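The Azure flow above in code, as an added example that is not Zaun's own code: a client-credentials token request for the app registration, a check that the Graph application permission actually shows up in the token's roles claim (it only does after admin consent), and the ARM URL under the Sentinel workspace that incident reads go to. The HTTP POST is injected so the flow runs offline against the constructed fake endpoint below; with requests installed, pass lambda url, form: requests.post(url, data=form).json(). Tenant, client and subscription IDs, the secret and the sample token are made up.

```python
"""Azure client-credentials token flow for the Zaun integration (added example)."""
import base64
import json
import time

ARM_SCOPE = "https://management.azure.com/.default"    # Azure Monitor / Sentinel
GRAPH_SCOPE = "https://graph.microsoft.com/.default"   # SecurityEvents.Read.All


def token_request(tenant_id, client_id, client_secret, scope):
    """URL and form body for the OAuth2 client-credentials grant (v2 endpoint)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    return url, form


def get_token(post_form, tenant_id, client_id, client_secret, scope):
    """Request an access token; raises with the AADSTS error text on failure."""
    url, form = token_request(tenant_id, client_id, client_secret, scope)
    body = post_form(url, form)
    if "access_token" not in body:
        raise RuntimeError(f"{body.get('error')}: {body.get('error_description')}")
    return body["access_token"]


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it. Fine for inspecting a token we
    just received from the tenant; never use this to trust an inbound token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_graph_roles(graph_token, required=("SecurityEvents.Read.All",)):
    """Application permissions appear in the 'roles' claim only after admin
    consent. A non-empty result means the consent step is incomplete."""
    granted = set(jwt_claims(graph_token).get("roles", []))
    return sorted(set(required) - granted)


def sentinel_incidents_url(subscription_id, resource_group, workspace,
                           api_version="2023-02-01"):
    """ARM endpoint for Sentinel incidents; needs Microsoft Sentinel Reader or
    Responder on the resource group that holds the workspace."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents"
            f"?api-version={api_version}")


# --- constructed offline fake of the token endpoint (made-up values) ------
FAKE_TENANT = "11111111-2222-3333-4444-555555555555"
FAKE_CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
FAKE_SECRET = "not-a-real-secret"


def _unsigned_jwt(claims):
    """Builds an alg=none JWT purely so jwt_claims() has something to parse."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=")
    return (seg({"alg": "none"}) + b"." + seg(claims) + b".").decode()


def fake_post_form(url, form):
    """Mimics login.microsoftonline.com: wrong secret or tenant -> error body;
    Graph scope -> token carrying the consented app role; ARM scope -> no roles."""
    if form["client_secret"] != FAKE_SECRET or FAKE_TENANT not in url:
        return {"error": "invalid_client",
                "error_description": "AADSTS7000215: Invalid client secret provided."}
    claims = {"aud": form["scope"].replace("/.default", ""),
              "appid": form["client_id"], "exp": int(time.time()) + 3600}
    if form["scope"] == GRAPH_SCOPE:
        claims["roles"] = ["SecurityEvents.Read.All"]
    return {"token_type": "Bearer", "access_token": _unsigned_jwt(claims)}


if __name__ == "__main__":
    graph = get_token(fake_post_form, FAKE_TENANT, FAKE_CLIENT, FAKE_SECRET, GRAPH_SCOPE)
    print("missing Graph roles:", missing_graph_roles(graph) or "none")
    arm = get_token(fake_post_form, FAKE_TENANT, FAKE_CLIENT, FAKE_SECRET, ARM_SCOPE)
    print("ARM token audience:", jwt_claims(arm)["aud"])
    print(sentinel_incidents_url("00000000-0000-0000-0000-000000000000", "rg-sec", "sentinel-ws"))
```

Note that one app registration needs two tokens: an ARM-scoped one for Azure Monitor, Log Analytics and Sentinel (where the RBAC roles apply) and a Graph-scoped one for SecurityEvents.Read.All (where the app role applies). Checking the roles claim on the Graph token is the quickest way to confirm admin consent before Zaun reports an opaque 403.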
Google Cloud Platform
Services: Cloud Logging, IAM, Compute, Asset Inventory - single service account | Auth: OAuth2 / JWT
Required Credentials
| Field | Description | Where to Find |
|---|---|---|
| Service Account JSON | Key file downloaded from GCP console (contains all fields below) | IAM & Admin > Service Accounts > Keys |
| Project ID | GCP project identifier | Project selector or JSON project_id field |
| Client Email | Service account email | Auto-extracted from JSON |
| Private Key | RSA private key (PEM) | Auto-extracted from JSON |
| Token URI | OAuth2 token endpoint | Typically https://oauth2.googleapis.com/token |
| Client ID | Numeric client identifier | Auto-extracted from JSON |
Upload the full service account JSON file - Zaun auto-extracts all required fields.
Services & Required IAM Roles
| Service | IAM Role | Purpose |
|---|---|---|
| Cloud Logging | roles/logging.viewer | Query Cloud Audit Logs |
| IAM | roles/iam.securityReviewer | List service accounts, keys, custom roles |
| Compute Engine | roles/compute.viewer | List VMs, firewall rules, VPC networks |
| Resource Manager | roles/browser | Get project metadata and IAM policies |
| Cloud Asset Inventory | roles/cloudasset.viewer | Search all resources and IAM bindings |
All roles are read-only. The cloud-platform OAuth scope is used for token management; actual access is restricted by the IAM roles above.
Setup Steps
- In GCP Console > IAM & Admin > Service Accounts > Create Service Account. Name it (e.g. zaun-reader).
- Grant the five IAM roles listed above at the project level.
- Click the service account > Keys > Add Key > Create new key > JSON. Download the key file.
- Upload the JSON file in Zaun. Verify the auto-extracted Project ID is correct.
- Click Test Connection to verify Cloud Logging and IAM access.
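What the upload and Test Connection steps have to get right, as an added example (not Zaun's own code): validate the downloaded key file before trusting its auto-extracted fields, build the signed-JWT grant that the service-account OAuth2 flow trades for an access token at the Token URI, and diff the project's IAM policy against the five required roles. The key file and IAM policy are constructed (the private key is a placeholder, not a real RSA key), and the RS256 signer is injected: pass a real one built on the cryptography or google-auth library to produce a grant that oauth2.googleapis.com will accept.

```python
"""GCP service-account key validation, JWT grant and role check (added example)."""
import base64
import json
import time

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")
REQUIRED_ROLES = {"roles/logging.viewer", "roles/iam.securityReviewer",
                  "roles/compute.viewer", "roles/browser", "roles/cloudasset.viewer"}
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def load_service_account(key_json):
    """Parse the key file and reject anything that is not a well-formed
    service-account key; returns the dict of fields the UI auto-extracts."""
    key = json.loads(key_json)
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"not a service-account key (type={key['type']!r})")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM PKCS#8 block")
    if not key["token_uri"].startswith("https://oauth2.googleapis.com/"):
        raise ValueError(f"unexpected token_uri {key['token_uri']!r}")
    # Project-owned service accounts are <name>@<project_id>.iam.gserviceaccount.com
    if key["client_email"].split("@")[-1] != f"{key['project_id']}.iam.gserviceaccount.com":
        raise ValueError("client_email does not belong to project_id")
    return key


def jwt_claims(key, now=None, lifetime=3600):
    """Claim set for the service-account grant; Google caps exp at iat + 3600."""
    iat = int(time.time() if now is None else now)
    return {"iss": key["client_email"], "scope": CLOUD_PLATFORM_SCOPE,
            "aud": key["token_uri"], "iat": iat, "exp": iat + min(lifetime, 3600)}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def token_request(key, sign_rs256, now=None):
    """Returns (token_uri, form) for the jwt-bearer grant. sign_rs256 takes the
    bytes 'header.payload' and returns the RSA-SHA256 signature over them."""
    header = {"alg": "RS256", "typ": "JWT", "kid": key["private_key_id"]}
    compact = lambda o: _b64url(json.dumps(o, separators=(",", ":")).encode())
    signing_input = compact(header) + b"." + compact(jwt_claims(key, now))
    assertion = signing_input + b"." + _b64url(sign_rs256(signing_input))
    return key["token_uri"], {"grant_type": GRANT_TYPE, "assertion": assertion.decode()}


def missing_roles(iam_policy, client_email):
    """Diff the project IAM policy (gcloud projects get-iam-policy --format=json)
    against the five read-only roles the integration needs."""
    member = f"serviceAccount:{client_email}"
    granted = {b["role"] for b in iam_policy.get("bindings", [])
               if member in b.get("members", [])}
    return sorted(REQUIRED_ROLES - granted)


# --- constructed sample inputs (made-up project, email, IDs; fake key) -----
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account", "project_id": "acme-sec-prod",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "zaun-reader@acme-sec-prod.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})
SAMPLE_IAM_POLICY = {"bindings": [  # roles/cloudasset.viewer deliberately absent
    {"role": r, "members": ["serviceAccount:zaun-reader@acme-sec-prod.iam.gserviceaccount.com"]}
    for r in ("roles/logging.viewer", "roles/iam.securityReviewer",
              "roles/compute.viewer", "roles/browser")]}


def fake_sign_rs256(signing_input):
    """Placeholder signer so the example runs offline; NOT a real signature."""
    return b"\x00" * 256


if __name__ == "__main__":
    sa = load_service_account(SAMPLE_KEY_JSON)
    uri, form = token_request(sa, fake_sign_rs256, now=1_700_000_000)
    print("POST", uri, "grant_type =", form["grant_type"])
    print("missing roles:", missing_roles(SAMPLE_IAM_POLICY, sa["client_email"]) or "none")
```

The role diff is the check to run when Test Connection fails: a service account missing roles/cloudasset.viewer, as in the sample policy, can still query Cloud Logging and IAM, so the test passes while Asset Inventory queries later fail.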
Workload Identity Federation (Optional)
For organizations using Okta, Zaun supports Workload Identity Federation to eliminate long-lived service account keys. Instead of a JSON key, Zaun exchanges an Okta access token for short-lived GCP credentials through the GCP Security Token Service (STS) API.
WIF setup requires a Workload Identity Pool and Provider configured in GCP. Contact [email protected] for guided setup.