[Cloud Security] Automated creation of cloud credentials

[maxcold]

User story As a user of Cloud Security in Agentless I want help in creating cloud resources I need to make CSPM integration work so that I don't spend too much time figuring out what exactly I need to do

Motivation

If users don't have credentials required for CSPM to work at hand, we want to help them out by providing a convenient way to create one on a cloud provider of their choice (AWS, GCP, Azure), eg. Cloudformation in case of AWS

Design https://www.figma.com/file/jmdsEtaqB6im6T0Y08Vais/Agentless-CSPM-for-serverless?type=design&node-id=3557-11941&mode=design&t=vjweBGMeadQ7d2BP-0

Definition of done

• [x] it is possible to run an artifact (eg. Cloudformation template in case of AWS) to create required credentials on a cloud provider to paste them back into Kibana form on the CSPM integration page
• [ ] Write FTR tests to check the proper rendering between agentless and agent-based on all 3 providers

Out of scope

• creating Cloudformation teamplate and other artifacts relevant for GCP and Azure. This will be done by the cloudbeat team
• open question: is it only Agentless or should we also add it to Agent-based installation types? From the looks of it, it's not agentless specific

Related tasks/epics

• design https://www.figma.com/file/jmdsEtaqB6im6T0Y08Vais/Agentless-CSPM-for-serverless?type=design&node-id=3557-11941&mode=design&t=vjweBGMeadQ7d2BP-0
• depends on https://github.com/elastic/security-team/issues/6134
• https://github.com/elastic/security-team/issues/6053

Blocked by

• https://github.com/elastic/security-team/issues/8969
• https://github.com/elastic/cloudbeat/issues/2062
• https://github.com/elastic/cloudbeat/issues/2005

Team tag

@elastic/kibana-cloud-security-posture

[maxcold]

@tin @kfirpeled there are a couple of open questions for this feature:

1. Am I correct that we want to support all three cloud providers with this feature, not only AWS? Assuning that we bring Agentless support to GCP and Azure as well
2. Is the feature agentless specific? We have the same setup methods in ESS/on-prem, should we also provide the cloudformation (or other tech) option to create credentials there?
3. We need to work on a copy and the flow a bit more in my opinion. For example, in case of AWS, we support Direct Access Keys and Temp Keys as credentials for Agentless. Will cloudformation create one or the other? We need to make sure we explain well what to expect from the feature

[oren-zohar]

@maxcold @kfirpeled @olegsu @tehilashn I think my team can take care of the template part (Cloudformation, ARM, etc) next sprint

[maxcold]

@maxcold check for other tickets to link here

[maxcold]

@tinnytintin10 can you confirm that we prio this feature for Agentless, so there is no need to implement the Cloudformation/ARM Template/Cloud Shell for credential options not supported by Agentless

[Omolola-Akinleye]

Currently for this sprint the following cloud providers will be done for 8.15.0 :

• AWS Cloud Formation Direct Keys only. Temporary Keys will be more complex to implement this sprint.

With Azure ARM Template is not possible to create Automation Credentials Google Cloud Shell Work is still in progress and merged by end of next week.

[Omolola-Akinleye]

@moukoublen AWS Cloud Credentials is working! Thank you

[uri-weisman]

Verified. Agent is running and produce findings with the created credentials.

[opauloh]

Verified - QA - Serverless

VERSION: 8.16.0

BUILD: 78101

COMMIT: f51481d4d697ae23260d2b46ceae7545d3571e95

Cloudformation instructions - single account:

Cloudformation instructions - organization:

Output tab (credentials manually blurred):