AWS How To

In order for Snotra to access your account and perform a scan you need to provide a cross-account IAM role.

The role should have the "ReadOnlyAccess" and "SecurityAudit" AWS managed policies attached and be configured with the following trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::243001516183:user/snotra"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

This allows the IAM user "snotra" in AWS account "243001516183", and no other principal, to assume the role and perform the scan. Keep the principal as the specific user ARN shown: a wildcard or the account's root ARN would let any principal in that account assume the role. The empty "Condition" block means no further restriction (such as an external ID) is placed on the assumption.
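The role creation above, as an added example in the AWS CLI (this is not Snotra's own tooling). The account ID, user name and the two managed policies come from this page; the role name "SnotraReadOnly" and the check that the trust policy names exactly the Snotra user are assumptions added here.

```shell
#!/usr/bin/env sh
# Added example: create the Snotra cross-account role with the AWS CLI.
# Account and user are from the how-to; ROLE_NAME is an assumption.

SNOTRA_ACCOUNT="243001516183"
SNOTRA_PRINCIPAL="arn:aws:iam::${SNOTRA_ACCOUNT}:user/snotra"
ROLE_NAME="${ROLE_NAME:-SnotraReadOnly}"

# Write the trust policy from the how-to, for principal $1, to file $2.
write_trust_policy() {
  principal_arn="$1"; out="$2"
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "${principal_arn}" },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
EOF
}

# Pre-flight check: the policy in $1 must trust exactly the ARN in $2.
# A wildcard principal or a bare account root would let any principal in
# that account assume the role, so both are rejected.
trust_policy_is_scoped() {
  policy="$1"; expected="$2"
  grep -q '"AWS": *"\*"' "$policy" && return 1
  grep -q ':root"' "$policy" && return 1
  grep -q "\"AWS\": *\"${expected}\"" "$policy"
}

# Create the role, attach ReadOnlyAccess and SecurityAudit, print its ARN.
create_snotra_role() {
  tmp="$(mktemp)"
  write_trust_policy "$SNOTRA_PRINCIPAL" "$tmp"
  trust_policy_is_scoped "$tmp" "$SNOTRA_PRINCIPAL" || {
    echo "trust policy is not scoped to the Snotra user" >&2; return 1; }
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "file://$tmp" \
      --description "Read-only cross-account role for Snotra scans" >/dev/null
  for policy in ReadOnlyAccess SecurityAudit; do
    aws iam attach-role-policy --role-name "$ROLE_NAME" \
        --policy-arn "arn:aws:iam::aws:policy/${policy}"
  done
  rm -f "$tmp"
  aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text
}

# Apply only when explicitly requested, so the file can be sourced safely.
if [ "${SNOTRA_APPLY:-0}" = "1" ]; then
  create_snotra_role
fi
```

Run it with SNOTRA_APPLY=1 under credentials that may create IAM roles; the printed role ARN is what identifies the role to Snotra. The pre-flight check costs nothing and catches the common mistake of pasting an account root or "*" as the trusted principal.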

When the scan is launched you will be provided with a Scan ID. Take note of this ID, as you will need to enter it on the report page to view the completed scan report.

Allow around 15 minutes for a scan to complete and for the report to become available in the portal.

Azure How To

In order for Snotra to access your Azure tenant and subscriptions and perform a scan, you need to provide the client ID and client secret of a service principal (app registration).

Service Principal / App Registration

  1. Create an app registration.
  2. Assign the "Reader" Azure RBAC role to the service principal on every subscription you want included in the scan.
  3. Give the service principal the following Microsoft Graph API permissions (as application permissions, since the scan authenticates with a client secret rather than a signed-in user, so they need admin consent):
    1. Directory.Read.All
    2. Policy.Read.All
  4. Enter your client ID, client secret and tenant ID on the scan page and click scan.
  5. All subscriptions the service principal can read will be included in the scan.
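Steps 1 to 4 above, as an added example in the Azure CLI (this is not Snotra's own tooling). The Reader role and the two Graph permissions come from this page; the display name "snotra-scanner", the decision to assign Reader on every subscription visible to the signed-in user, and the GUID check on the IDs before they are pasted into the scan page are assumptions added here. The Graph permission IDs are looked up by name from the Microsoft Graph service principal rather than hardcoded.

```shell
#!/usr/bin/env sh
# Added example: create the Snotra app registration with the Azure CLI.
# APP_NAME is an assumption; GRAPH_APP_ID is Microsoft Graph's fixed app ID.

APP_NAME="${APP_NAME:-snotra-scanner}"
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"

# Tenant ID and client ID are GUIDs; reject anything else before it is
# pasted into the scan page.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Resolve a Graph application permission (appRole) name to its ID.
graph_app_role_id() {
  az ad sp show --id "$GRAPH_APP_ID" \
     --query "appRoles[?value=='$1'].id" -o tsv
}

create_snotra_principal() {
  # Step 1: app registration and its service principal.
  app_id="$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)"
  az ad sp create --id "$app_id" >/dev/null
  sp_id="$(az ad sp show --id "$app_id" --query id -o tsv)"
  tenant_id="$(az account show --query tenantId -o tsv)"

  # Step 2: Reader on each subscription to be scanned (here: all visible ones).
  for sub in $(az account list --query "[].id" -o tsv); do
    az role assignment create --role Reader \
       --assignee-object-id "$sp_id" \
       --assignee-principal-type ServicePrincipal \
       --scope "/subscriptions/$sub" >/dev/null
  done

  # Step 3: Graph application permissions, then tenant-wide admin consent.
  for perm in Directory.Read.All Policy.Read.All; do
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
       --api-permissions "$(graph_app_role_id "$perm")=Role"
  done
  az ad app permission admin-consent --id "$app_id"

  # Step 4: client secret. It is shown once; store it in a secret manager.
  secret="$(az ad app credential reset --id "$app_id" --query password -o tsv)"

  is_guid "$tenant_id" && is_guid "$app_id" || return 1
  echo "tenant id:     $tenant_id"
  echo "client id:     $app_id"
  echo "client secret: $secret"
}

# Apply only when explicitly requested, so the file can be sourced safely.
if [ "${SNOTRA_APPLY:-0}" = "1" ]; then
  create_snotra_principal
fi
```

Run it with SNOTRA_APPLY=1 as a user who can create app registrations, grant admin consent and assign roles on the target subscriptions. A freshly created service principal can take a short while to replicate, so if the role assignment step reports that the principal does not exist, rerun that step after a minute.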

When the scan is launched you will be provided with a Scan ID. Take note of this ID, as you will need to enter it on the report page to view the completed scan report.

Allow around 15 minutes for a scan to complete and for the report to become available in the portal.