Restrict cloud query permissions to access only specific Azure assets

Hello,

How do we restrict CloudQuery's permissions so that it only gets the relevant information, and not information like the following? My infosec team is particular about giving access to the Azure subscription, and they want us to discover only assets/infrastructure/services and nothing else. Can anyone help me achieve this?

  • Security policies
  • Data exports
  • Network peerings
  • Operational recommendations
  • Billing data
  • Network rule sets
  • Managed keys
  • User keys/secrets
  • Configurations
  • Route tables
  • Log activity alerts

Hi @decent-warthog :wave:

If I’m understanding your question correctly, you’ll have to restrict the access that the service principal has, giving it access only to the resources you’ve selected for CloudQuery to sync (the tables you’ve selected).

To start off, we recommend using the Reader role, as that gives all the access CloudQuery might need. It tends to be wider than necessary though, so you can have a look at other built-in roles here: Built-in Roles and either select from there or build a custom role with read access to only the resources you want to sync.

I don’t have more specific advice, like the exact permissions you need, as that will depend largely on the tables you choose to sync, and it goes a bit beyond what we can do in terms of community support. We do have support plans, should you be interested.
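The custom-role route from the answer above, as an added example that is not part of the original thread or of CloudQuery's own code. It writes an Azure custom role definition that grants only read actions for the resources being synced (here the subscription, resource groups and Azure Firewalls), refuses to proceed if the definition contains a wildcard or a non-read action, and then creates and assigns the role with the Azure CLI. The subscription id, role name and service principal object id are placeholders; the exact action list depends on which tables you sync and must be extended accordingly.

```shell
#!/usr/bin/env bash
# Added example: least-privilege custom role for a CloudQuery service principal.
# Placeholders (not from the original thread): subscription id, role name,
# service principal object id.
set -euo pipefail

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
ROLE_NAME="CloudQuery Firewall Reader"

# Write the role definition. Only the read actions the selected tables need are
# granted; there is no "*/read" as in the built-in Reader role.
write_role_definition() {
  local out="$1"
  cat > "$out" <<EOF
{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Description": "Read-only access limited to the resources CloudQuery syncs",
  "Actions": [
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Network/azureFirewalls/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
}
EOF
}

# Sanity check before sending anything to Azure: refuse a definition that
# contains a wildcard or a write/delete/action permission.
check_read_only() {
  local file="$1"
  if grep -Eq '\*|/write"|/delete"|/action"' "$file"; then
    echo "refusing: role definition contains a wildcard or non-read action" >&2
    return 1
  fi
  return 0
}

# Create the role and assign it to the service principal. Requires an az login
# that can manage RBAC on the subscription (Owner or User Access Administrator).
create_and_assign() {
  local file="$1" sp_object_id="$2"
  az role definition create --role-definition "@${file}"
  az role assignment create \
    --assignee-object-id "${sp_object_id}" \
    --assignee-principal-type ServicePrincipal \
    --role "${ROLE_NAME}" \
    --scope "/subscriptions/${SUBSCRIPTION_ID}"
}

# Usage (commented out so the script can be sourced without touching Azure):
#   write_role_definition cq-role.json && check_read_only cq-role.json \
#     && create_and_assign cq-role.json "<service-principal-object-id>"
```

Each CloudQuery table maps to one or more ARM read actions, so when you add a table to the sync list, add its read action here rather than widening to a `*/read` wildcard; the `check_read_only` guard exists to catch exactly that shortcut. After the first sync, compare the columns that landed in the destination against what infosec approved, since a resource's `properties` payload can carry more than its name suggests.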

Thanks. But I was looking for advice on whether it is possible to restrict this for one resource?

For example, with the Firewall resource, we only need firewall subscription level information, but we should not be getting the rules related information.

Oh, I see. Yes, you can sync only the tables you are interested in.

For example, to get firewall subscription level information, you can set:

tables: ["azure_network_azure_firewalls"]

This won’t sync the rules.

Sometimes a table has other tables that depend on it. For example, if you sync azure_sql_servers, it will also sync azure_sql_server_firewall_rules by default. But you can turn off this behavior by setting:

skip_dependent_tables: true

(More on this: Improve Performance by Skipping Relations).

Or you can use:

skip_tables: ["azure_sql_server_firewall_rules"]
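The table-selection settings from the answer above, put together into a complete source spec as an added example (not from the thread and not CloudQuery's own code). It writes a spec that syncs only the two parent tables while excluding the dependent rules table by name, refuses a spec whose tables list contains a wildcard (which would pull in every table the service principal can read), and shows the sync command. The plugin version, subscription id and destination name `postgresql` are placeholders.

```shell
#!/usr/bin/env bash
# Added example: CloudQuery Azure source spec restricted to approved tables.
# Placeholders (not from the original thread): plugin version, subscription id,
# destination name.
set -euo pipefail

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"

# Write the source spec. Parent tables are listed explicitly; the child table
# that would carry rule data is excluded by name so it never syncs even though
# azure_sql_servers is selected.
write_source_spec() {
  local out="$1"
  cat > "$out" <<EOF
kind: source
spec:
  name: azure
  path: cloudquery/azure
  registry: cloudquery
  version: "vX.Y.Z"   # placeholder: pin to the plugin release you actually use
  destinations: ["postgresql"]
  # Only the parent tables the infosec team approved.
  tables:
    - azure_network_azure_firewalls
    - azure_sql_servers
  # Dependent tables that would expose rule data.
  skip_tables:
    - azure_sql_server_firewall_rules
  # Alternative to the list above: skip every dependent table.
  # skip_dependent_tables: true
  spec:
    subscriptions:
      - "${SUBSCRIPTION_ID}"
EOF
}

# Refuse a spec whose tables list uses a wildcard, in either list or inline form.
check_no_wildcard() {
  local file="$1"
  if grep -Eq '^[[:space:]]*-[[:space:]]*"?\*' "$file" \
     || grep -Eq 'tables:[[:space:]]*\[[^]]*\*' "$file"; then
    echo "refusing: tables list contains a wildcard" >&2
    return 1
  fi
  return 0
}

# Run the sync. The destination spec (assumed to be in postgresql.yml) is not
# shown here.
run_sync() {
  local spec="$1"
  check_no_wildcard "$spec"
  cloudquery sync "$spec" postgresql.yml
}

# Usage (commented out so the script can be sourced without running a sync):
#   write_source_spec azure.yml && run_sync azure.yml
```

Before the first real sync it is worth confirming which tables the spec resolves to; recent CloudQuery releases have a `cloudquery tables` subcommand that lists them for a given spec, and the resulting list is what you should show the infosec team alongside the custom role, since one documents the data collected and the other the permission used to collect it.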

OK, thanks for this insight. We will try from here; if we need anything, I will go with your paid support mode.