Cloud Security
Integration setup guides for cloud security platforms (AWS, Azure, GCP).
Connect your cloud platforms to Zaun for security monitoring, configuration drift detection, and incident response.
AWS
Services: Security Hub, GuardDuty, CloudTrail - single credential set | Auth: AWS SigV4
Required Credentials
| Field | Description |
|---|---|
| Access Key ID | IAM user access key |
| Secret Access Key | IAM user secret key |
| AWS Account ID | 12-digit account ID |
| Primary Region | e.g. us-east-1 |
| Security Tooling Role ARN | Delegated admin role to assume |
| External ID (recommended) | Condition value checked by the role's trust policy on AssumeRole; prevents confused-deputy attacks |
| Execution Role Name | Role in member accounts (default: Zaun-SOAR-Execution-ReadOnly) |
Services Covered by These Credentials
| Service | Required IAM Actions |
|---|---|
| Security Hub | securityhub:GetFindings, securityhub:ListFindings, securityhub:GetInsights, securityhub:DescribeHub, securityhub:BatchUpdateFindings |
| GuardDuty | guardduty:ListDetectors, guardduty:GetDetector, guardduty:ListFindings, guardduty:GetFindings, guardduty:ListMembers |
| STS | sts:AssumeRole (for cross-account) |
AWS managed policies AWSSecurityHubReadOnlyAccess and AmazonGuardDutyReadOnlyAccess cover the read-only use case. securityhub:BatchUpdateFindings is a write action and is not part of the read-only policy; grant it separately only if Zaun should update finding status.
Cross-Account Architecture
IAM User (your account)
> assumes Security Tooling Role (delegated admin)
> assumes Execution Role (each member account)
> calls Security Hub / GuardDuty APIs
Setup Steps
- Create an IAM user with programmatic access in your security tooling account.
- Create the Security Tooling Role with a trust policy allowing the IAM user to assume it. Include an External ID.
- In each member account, create an Execution Role (e.g. Zaun-SOAR-Execution-ReadOnly) with Security Hub + GuardDuty read permissions.
- The Execution Role trust policy should allow the Security Tooling Role to assume it.
- Paste credentials and role ARNs into Zaun.
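The two-hop chain and the trust policies behind it, as an added example (not Zaun's code): the Security Tooling Role trusts the IAM user only when the External ID is presented, each member account's Execution Role trusts the tooling role rather than the user, and the final credentials are used for a Security Hub query. It assumes boto3 for a real run; the `sts_client` and `client_factory` parameters are injection points so the chain can be exercised without network access. All ARNs, account IDs, the external ID and the session name are constructed placeholders.

```python
"""Added example, not Zaun's code. Assumes boto3 for real use; ARNs, account
IDs, external ID and session name below are constructed placeholders."""
import json


def tooling_role_trust_policy(iam_user_arn: str, external_id: str) -> dict:
    """Trust policy for the Security Tooling Role: only this IAM user may assume it,
    and only when it presents the agreed External ID (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": iam_user_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def execution_role_trust_policy(tooling_role_arn: str) -> dict:
    """Trust policy for each member account's Execution Role: it trusts the
    Security Tooling Role, not the IAM user, so no hop can be skipped."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": tooling_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def execution_role_arn(member_account_id: str,
                       role_name: str = "Zaun-SOAR-Execution-ReadOnly") -> str:
    """Build the per-member-account role ARN; AWS account IDs are 12 digits."""
    if not (member_account_id.isdigit() and len(member_account_id) == 12):
        raise ValueError("AWS account ID must be exactly 12 digits")
    return f"arn:aws:iam::{member_account_id}:role/{role_name}"


def chain_credentials(sts_client, client_factory, region, tooling_role_arn,
                      external_id, member_account_id,
                      role_name="Zaun-SOAR-Execution-ReadOnly",
                      session_name="zaun-soar"):
    """Hop 1: IAM user -> Security Tooling Role (External ID goes here only).
    Hop 2: Security Tooling Role -> member account Execution Role.
    Returns the hop-2 temporary credentials for Security Hub / GuardDuty calls."""
    hop1 = sts_client.assume_role(
        RoleArn=tooling_role_arn, RoleSessionName=session_name, ExternalId=external_id,
    )["Credentials"]
    tooling_sts = client_factory("sts", hop1, region)  # STS client as the tooling role
    hop2 = tooling_sts.assume_role(
        RoleArn=execution_role_arn(member_account_id, role_name),
        RoleSessionName=session_name,
    )["Credentials"]
    return hop2


def boto3_client_factory(service, creds, region):
    """Real factory: a boto3 client built from temporary STS credentials."""
    import boto3  # imported lazily so the policy helpers work without boto3
    return boto3.client(
        service,
        region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def active_high_findings(client_factory, creds, region):
    """Unresolved HIGH/CRITICAL Security Hub findings, read with the hop-2 creds."""
    hub = client_factory("securityhub", creds, region)
    resp = hub.get_findings(
        Filters={
            "SeverityLabel": [{"Value": s, "Comparison": "EQUALS"} for s in ("HIGH", "CRITICAL")],
            "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        },
        MaxResults=100,
    )
    return resp["Findings"]


if __name__ == "__main__":
    print(json.dumps(tooling_role_trust_policy(
        "arn:aws:iam::111111111111:user/zaun-soar", "constructed-external-id"), indent=2))
```

For a real run, pass `boto3.client("sts", region_name=...)` built from the IAM user's keys as `sts_client` and `boto3_client_factory` as `client_factory`; the External ID is sent on the first hop only, because it is the tooling role's trust policy that conditions on it.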
Microsoft Azure
Services: Azure Monitor & Microsoft Sentinel - single app registration | Auth: OAuth2
Required Credentials
| Field | Description | Where to Find |
|---|---|---|
| Tenant ID | Azure AD directory identifier | Entra ID > Overview |
| Client ID | Application (client) ID | App Registration > Overview |
| Client Secret | Secret for the app | Certificates & secrets |
| Subscription ID | Azure subscription | Subscriptions blade |
| Resource Group | RG containing Sentinel workspace | Resource Groups blade |
| Workspace Name | Log Analytics workspace | Log Analytics workspaces |
Services & Required RBAC Roles
| Service | Azure Role | Purpose |
|---|---|---|
| Azure Monitor | Monitoring Reader | Metrics, activity logs, diagnostics |
| Log Analytics | Log Analytics Reader | KQL queries against workspace |
| Microsoft Sentinel | Microsoft Sentinel Responder | View data + manage incidents |
Also add Microsoft Graph > SecurityEvents.Read.All (Application) + grant admin consent.
Setup Steps
- Register an app in Entra ID (can reuse your Defender registration). Copy Client ID and Tenant ID.
- Create a Client Secret. Copy the Value immediately.
- Navigate to the Resource Group > Access control (IAM) > add the role assignments above to the app's service principal.
- Add the Graph permission and grant admin consent.
- Paste all credentials into Zaun.
Assign Microsoft Sentinel Reader instead of Microsoft Sentinel Responder if Zaun should only view data and never manage incidents.
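The client-credentials flow the app registration above enables, as an added example (not Zaun's code): one registration, but a separate token per resource, because the Log Analytics API and Microsoft Graph are different audiences and a Graph token cannot be used for KQL queries. It assumes an injected `post(url, data=None, json=None, headers=None)` function with a requests-like response (`requests.post` fits) and a Log Analytics workspace ID (the workspace's customer ID GUID, not the name shown in the credentials table); tenant, client and workspace values are constructed placeholders.

```python
"""Added example, not Zaun's code. `post` is injected (requests.post works);
tenant/client/workspace values are constructed placeholders."""

AUTHORITY = "https://login.microsoftonline.com"
LOG_ANALYTICS_SCOPE = "https://api.loganalytics.io/.default"  # for KQL queries
GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # for SecurityEvents.Read.All


def get_token(post, tenant_id, client_id, client_secret, scope):
    """OAuth2 client-credentials grant against the tenant's v2.0 token endpoint.
    Call once per scope: the token is bound to that resource's audience."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    resp = post(url, data={
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "client_credentials",
    })
    resp.raise_for_status()
    body = resp.json()
    if body.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type: {body.get('token_type')!r}")
    return body["access_token"]


def rows_as_dicts(result):
    """Log Analytics answers with tables of columns[] + rows[][]; flatten to dicts."""
    out = []
    for table in result.get("tables", []):
        names = [c["name"] for c in table["columns"]]
        for row in table["rows"]:
            out.append(dict(zip(names, row)))
    return out


def run_kql(post, token, workspace_id, query, timespan="P1D"):
    """Run a KQL query with a Log Analytics-audience token (Log Analytics Reader
    is the role that authorizes this); `timespan` is an ISO 8601 duration."""
    url = f"https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
    resp = post(url, json={"query": query, "timespan": timespan},
                headers={"Authorization": f"Bearer {token}"})
    resp.raise_for_status()
    return rows_as_dicts(resp.json())


def open_incidents_last_day(post, tenant_id, client_id, client_secret, workspace_id):
    """End to end: token for the Log Analytics audience, then a Sentinel query."""
    token = get_token(post, tenant_id, client_id, client_secret, LOG_ANALYTICS_SCOPE)
    query = "SecurityIncident | where Status == 'New' | summarize Count=count()"
    return run_kql(post, token, workspace_id, query)
```

Requesting `GRAPH_SCOPE` with the same registration yields the token for the Graph permission granted in the steps above; keep the two tokens separate rather than caching one bearer token for both services.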
Google Cloud Platform
Services: Cloud Logging, IAM, Compute, Asset Inventory - single service account | Auth: OAuth2 / JWT
Required Credentials
| Field | Description | Where to Find |
|---|---|---|
| Service Account JSON | Key file downloaded from GCP console (contains all fields below) | IAM & Admin > Service Accounts > Keys |
| Project ID | GCP project identifier | Project selector or JSON project_id field |
| Client Email | Service account email | Auto-extracted from JSON |
| Private Key | RSA private key (PEM) | Auto-extracted from JSON |
| Token URI | OAuth2 token endpoint | Typically https://oauth2.googleapis.com/token |
| Client ID | Numeric client identifier | Auto-extracted from JSON |
Upload the full service account JSON file - Zaun auto-extracts all required fields.
Services & Required IAM Roles
| Service | IAM Role | Purpose |
|---|---|---|
| Cloud Logging | roles/logging.viewer | Query Cloud Audit Logs |
| IAM | roles/iam.securityReviewer | List service accounts, keys, custom roles |
| Compute Engine | roles/compute.viewer | List VMs, firewall rules, VPC networks |
| Resource Manager | roles/browser | Get project metadata and IAM policies |
| Cloud Asset Inventory | roles/cloudasset.viewer | Search all resources and IAM bindings |
All roles are read-only. The cloud-platform OAuth scope is used for token management; actual access is restricted by the IAM roles above.
Setup Steps
- In GCP Console > IAM & Admin > Service Accounts > Create Service Account. Name it (e.g. zaun-reader).
- Grant the five IAM roles listed above at the project level.
- Click the service account > Keys > Add Key > Create new key > JSON. Download the key file.
- Upload the JSON file in Zaun. Verify the auto-extracted Project ID is correct.
- Click Test Connection to verify Cloud Logging and IAM access.
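What "auto-extracts all required fields" and "Auth: OAuth2 / JWT" amount to, as an added example (not Zaun's code): the key file is validated and reduced to the fields in the credentials table, then a JWT assertion (iss = client email, aud = token URI, scope = cloud-platform, lifetime at most one hour) is built and signed for exchange at `token_uri`. The signer is injected so the example runs without a real key; `rs256_signer_from_pem` is the real RS256 signer and assumes the `cryptography` package. The sample key file is constructed, with a placeholder where the PEM private key would be.

```python
"""Added example, not Zaun's code. Sample key file is constructed (placeholder
private key); the real signer assumes the `cryptography` package."""
import base64
import json
import time

REQUIRED_FIELDS = ("project_id", "client_email", "private_key", "token_uri", "client_id")
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample of the file downloaded from Keys > Add Key > JSON.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "placeholder-key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "zaun-reader@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def extract_credentials(key_json: str) -> dict:
    """Validate the key file and return only the fields the integration needs."""
    data = json.loads(key_json)
    if data.get("type") != "service_account":
        raise ValueError("not a service account key file")
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError("key file is missing fields: " + ", ".join(missing))
    return {f: data[f] for f in REQUIRED_FIELDS}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_jwt_assertion(creds: dict, signer, now=None, lifetime: int = 3600) -> str:
    """RS256 JWT for the jwt-bearer grant. `signer(bytes) -> bytes` signs the
    header.payload input; Google rejects exp more than one hour after iat."""
    if lifetime > 3600:
        raise ValueError("lifetime must be at most 3600 seconds")
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": creds["client_email"],   # the service account itself
        "scope": CLOUD_PLATFORM_SCOPE,  # broad scope; IAM roles bound the access
        "aud": creds["token_uri"],
        "iat": now,
        "exp": now + lifetime,
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def decode_claims(jwt: str) -> dict:
    """Read the claim set back without verifying; useful for checking iss/aud/exp."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def rs256_signer_from_pem(private_key_pem: str):
    """Real signer built from the JSON file's private_key (needs `cryptography`)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem.encode(), password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def token_request_body(assertion: str) -> dict:
    """Form body to POST to token_uri; the response carries the bearer access_token."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "assertion": assertion}
```

For a real key, `build_jwt_assertion(creds, rs256_signer_from_pem(creds["private_key"]))` produces the assertion and `token_request_body` the form to POST to `creds["token_uri"]`; the returned access token is what the five read-only roles are evaluated against.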
Workload Identity Federation (Optional)
For organizations using Okta, Zaun supports Workload Identity Federation to eliminate long-lived service account keys. Instead of a JSON key, Zaun exchanges an Okta access token for short-lived GCP credentials via the STS API.
WIF setup requires a Workload Identity Pool and Provider configured in GCP. Contact [email protected] for guided setup.