Configure Vulnerability Scan for Azure
This procedure describes how to configure vulnerability scans for Azure accounts.
Sign in to Azure Account
- On the Administration page, under the Cloud Accounts tab, click Cloud Account at the top right, then click Configure VA and select Azure.
- Click Login to log in to the account for which you want to set up a vulnerability scan.
- Select the name of your Azure account in the dropdown menu and click Vulnerability Scanning JSON to download the JSON policy from the Spot Security Vulnerability Scanning Setup page.
Create a Custom Role
- In the Azure console, type Subscriptions in the search bar and click the Subscriptions result that appears.
- Select the subscription you want to onboard.
- In the left-hand menu of the selected subscription, click Access Control (IAM).
- Click + Add and then Add custom role.
- Select Start from JSON and upload the JSON policy downloaded in Step 1.
- Click Assignable scope and select the relevant subscription.
- In the Create a custom role window, click Review + create and complete the custom role information.
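Before uploading the role with Start from JSON and setting its assignable scope, it is worth checking the file for the two things that most often make a custom role broader than the tool needs: wildcard actions and an assignable scope wider than the subscription being onboarded. The checker below is an added example and is not part of the Spot documentation or its policy file; the role JSON is a constructed sample in the Azure custom-role format with hypothetical actions and a placeholder subscription id (the real Vulnerability Scanning JSON downloaded from the Spot console will differ).

```python
"""Sanity-check an Azure custom role definition before uploading it as
"Start from JSON". Added example, not the Spot Security policy file: the
role below is a constructed sample in the Azure custom-role JSON format with
hypothetical actions and a placeholder subscription id."""
import json

PLACEHOLDER_SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not real

# Constructed sample; the real Vulnerability Scanning JSON from the Spot console differs.
SAMPLE_ROLE_JSON = """
{
  "Name": "Vulnerability Scanning (constructed sample)",
  "IsCustom": true,
  "Description": "Constructed example used to exercise the checker.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/disks/read",
    "Microsoft.Network/virtualNetworks/subnets/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}
"""


def parse_role(text: str) -> dict:
    """Parse the downloaded role definition file."""
    return json.loads(text)


def check_role_definition(role: dict, subscription_id: str) -> list[str]:
    """Return findings to review before clicking Review + create; [] means clean."""
    findings: list[str] = []

    if role.get("IsCustom") is not True:
        findings.append("IsCustom is not true; Azure expects a custom role here")

    actions = list(role.get("Actions", []))
    if not actions:
        findings.append("Actions is empty; the scanner would get no permissions")
    # Wildcards are the usual way a role ends up far broader than the tool needs.
    for action in actions + list(role.get("DataActions", [])):
        if action == "*":
            findings.append("wildcard action '*' grants full control")
        elif action.endswith("/*"):
            findings.append(f"wildcard action {action!r} should be reviewed")

    # The assignable scope should be exactly the subscription being onboarded.
    expected = f"/subscriptions/{subscription_id}"
    scopes = list(role.get("AssignableScopes", []))
    if expected not in scopes:
        findings.append(f"AssignableScopes does not include {expected}")
    for scope in scopes:
        if scope == "/":
            findings.append("AssignableScopes contains the root scope '/'")
        elif scope.startswith("/providers/Microsoft.Management/managementGroups/"):
            findings.append(f"AssignableScopes contains management group {scope}")
        elif scope != expected:
            findings.append(f"AssignableScopes contains unexpected scope {scope}")
    return findings


if __name__ == "__main__":
    role = parse_role(SAMPLE_ROLE_JSON)
    for finding in check_role_definition(role, PLACEHOLDER_SUBSCRIPTION_ID) or ["no findings"]:
        print(finding)
```

Run it against the downloaded file (replace `SAMPLE_ROLE_JSON` with the file contents and the placeholder with your subscription id); an empty result means the role is a plain custom role, carries no wildcard actions, and can only be assigned within the subscription you selected under Assignable scope.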
Assign a Role
- In the Access control (IAM) pane, click + Add and then click Add role assignment.
- Click the Role tab and select the custom role you created in the previous step.
- Click the Members tab and click Select members.
- Select the app registration that was created during the Spot onboarding and click Next.
- When the role is assigned, go back to the Spot console to finish the vulnerability scan configuration.
- By default, all regions that contain VMs are pre-populated for the selected account. You can delete regions according to your preference. For each region, select a Subnet ID where the Spot Security Scanner will run.
- When choosing the Subnet ID, ensure it allows SSH inbound and Internet outbound.
- You can also create a new public Subnet ID that meets the above conditions and enter it manually.
- To add a new account, click Add Account and repeat the same process starting from Step 2.
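The subnet requirement above (SSH inbound and Internet outbound) is decided by the network security group rules that apply to the subnet, which Azure evaluates in ascending priority order with the first matching rule winning. The script below is an added example, not part of the Spot documentation: it evaluates a rule set the way Azure does for the two flows the scanner needs and also reports whether the SSH rule that lets the scanner in is open to any source, which is worth knowing before accepting a public subnet. The rules are a constructed sample shaped like the JSON fields returned by `az network nsg rule list` together with the NSG default rules; the addresses are documentation ranges, not real scanner IPs.

```python
"""Check whether a subnet's network security group meets the two requirements
for the scanner subnet: SSH inbound allowed and Internet outbound allowed.
Added example, not part of the Spot documentation. The rules are a constructed
sample shaped like `az network nsg rule list` output plus the NSG default
rules; the addresses are documentation ranges, not real scanner IPs."""
import ipaddress

# Constructed sample rule set (field names follow the Azure CLI JSON output).
SAMPLE_RULES = [
    {"name": "Allow-SSH-Operator", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "AllowVnetOutBound", "priority": 65000, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
    {"name": "DenyAllOutBound", "priority": 65500, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]


def _prefixes(rule, key):
    """A rule carries either a single prefix or a plural list; normalise to a list."""
    return rule.get(key + "es") or [rule.get(key, "*")]


def _port_matches(rule, port):
    for r in rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")  # "22" or "20-30"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _address_matches(prefix, address):
    """Match an IP against a CIDR/IP prefix or the '*' and 'Internet' tags."""
    if prefix == "*" or prefix == address:
        return True
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # caller passed a service tag; only exact equality counts
    if prefix == "Internet":
        return ip.is_global
    try:
        return ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # other service tags (VirtualNetwork, AzureLoadBalancer, ...)


def first_effective_rule(rules, direction, predicate):
    """NSG rules are evaluated in ascending priority order; the first match wins."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["direction"] == direction and rule.get("protocol", "*") in ("*", "Tcp")
                and predicate(rule)):
            return rule
    return None


def evaluate_scanner_subnet(rules, ssh_source):
    """Report whether SSH from ssh_source can reach the subnet and whether TCP/443
    (used here as the representative Internet-bound port) can leave it."""
    ssh_rule = first_effective_rule(rules, "Inbound", lambda r: _port_matches(r, 22)
        and any(_address_matches(p, ssh_source) for p in _prefixes(r, "sourceAddressPrefix")))
    out_rule = first_effective_rule(rules, "Outbound", lambda r: _port_matches(r, 443)
        and any(p in ("*", "Internet", "0.0.0.0/0") for p in _prefixes(r, "destinationAddressPrefix")))
    ssh_allowed = bool(ssh_rule and ssh_rule["access"] == "Allow")
    return {
        "ssh_inbound": ssh_allowed,
        "ssh_rule": ssh_rule["name"] if ssh_rule else None,
        # Worth a look before accepting the subnet: is SSH open to any source at all?
        "ssh_open_to_any_source": ssh_allowed
            and any(p in ("*", "Internet") for p in _prefixes(ssh_rule, "sourceAddressPrefix")),
        "internet_outbound": bool(out_rule and out_rule["access"] == "Allow"),
        "outbound_rule": out_rule["name"] if out_rule else None,
    }


if __name__ == "__main__":
    print(evaluate_scanner_subnet(SAMPLE_RULES, "203.0.113.7"))
```

Feed it the rule list exported from the NSG attached to the candidate subnet and the address the SSH connection will come from; both `ssh_inbound` and `internet_outbound` must be true for the subnet to satisfy the requirement, and the rule names tell you which rule made the decision when one of them is not.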