Account Audit
This section details the functionality and requirements for account auditing as well as how to set this auditor_mode in the SSMCM application.
Functionality
Given the needs of our customers, the application must be able to manage connections to the different cloud providers with read-only permissions for the accounts in which this mode is configured.
This means that, once the auditor mode is established in an account from the web interface, SSMCM will not be able to alter its infrastructure and will only execute the daily or manual inventory update processes.
Although the processes that alter the cloud infrastructure of the account (backups, deletion of backups, scheduler, power on, power off, etc.) are not executed, they will be recorded in the log tables backup logs, clean backups and scheduler with the log action "ACCOUNT IN AUDIT" or an "account in audit" reference in the log message.
Requirements
To establish the auditor mode, the account must first be configured in its cloud provider as already documented in the integrations with AWS, Azure and GCloud, and its credentials added to SSMCM, with the following configuration changes:
- AWS: create a role named CompassAuditRole in the target account, with read-only permissions and settings so that the SSMCM user can assume this role in the connection.
- Azure: assign only the default Reader role on target subscriptions for SSMCM application access.
- GCloud: in the target organization, assign the SSMCM service account only the Viewer role.
- Oracle Cloud
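The AWS requirement can be checked offline before auditor mode is enabled. The following is an added example, not SSMCM code: it inspects the CompassAuditRole permissions policy and trust policy (as exported JSON loaded into dictionaries) and reports any allowed action that is not read-only, and whether only the SSMCM user can assume the role. The read-only verb list, the sample policies and the ARN are assumptions constructed for the illustration.

```python
# Assumption: verb prefixes treated as read-only; adjust to your own baseline.
READ_ONLY_VERBS = ("get", "list", "describe", "view", "search", "lookup", "batchget")

def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def mutating_actions(policy):
    """Return allowed action patterns that are not provably read-only."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append("NotAction")
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            # IAM action names are case-insensitive; "*" or "ec2:*" is flagged
            if service == "*" or not verb.lower().startswith(READ_ONLY_VERBS):
                findings.append(action)
    return findings

def trusts_only(trust_policy, expected_arn):
    """True if sts:AssumeRole is granted to expected_arn and to nobody else."""
    principals = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anyone may assume the role
            return False
        for values in principal.values():
            principals.update(_as_list(values))
    return principals == {expected_arn}

# Constructed sample documents; the account ID and user name are placeholders.
SSMCM_USER = "arn:aws:iam::111111111111:user/ssmcm-example"
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": SSMCM_USER}}]}
READ_ONLY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                            "Action": ["ec2:Describe*", "s3:List*", "rds:Describe*"]}]}
TOO_BROAD = {"Statement": [{"Effect": "Allow", "Resource": "*",
                            "Action": ["ec2:Describe*", "ec2:StopInstances"]}]}

if __name__ == "__main__":
    print("CompassAuditRole findings:", mutating_actions(TOO_BROAD))
    print("trust policy restricted to SSMCM user:", trusts_only(TRUST, SSMCM_USER))
```

An empty findings list together with a `True` trust result is the state to reach before checking the In audit checkbox; the check is conservative and flags any pattern it cannot prove read-only.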
Set auditor mode
Once we have configured the SSMCM credentials and the CompassAuditRole role or read-only role in the target account, we can establish the corresponding audit mode for the account through its In audit checkbox.
Checking this checkbox in the SSMCM account form disables all functions and all buttons for user actions that may cause a change of status or form in the infrastructure of your cloud account (backup actions and functions, backup cleaning, planned processes, etc.).
Therefore, for audited accounts, SSMCM will only update its inventory data, disabling any other processes.