What requirements are there for a user to log in?
The following identities are supported by ARGOS:
Azure Active Directory / Office 365
Google / Gmail / GSuite
ARGOS users must log in with valid email addresses.
ONBOARDING CLOUD ENVIRONMENTS
Add Azure to ARGOS
ARGOS requires an Azure AD application to authenticate to a customer's Azure cloud. You can create one in a few simple steps:
Once that is created ARGOS requires at least Reader permissions to each Azure subscription you want to monitor.
Follow these steps to assign Reader permissions to the Azure AD application from above:
If you want to use ARGOS's remediation feature, then ARGOS also requires the appropriate "write" permissions to the Azure subscription.
Add AWS to ARGOS
ARGOS requires an AWS IAM Role to be created in every AWS account you want ARGOS to monitor.
Follow these steps here to create a role:
In your "My Account" page you can find all required information to create the roles, including the ARGOS AWS Account ID and ExternalId for the IAM role's trust policy. The process behind these information is described in this AWS article.
The role requires access to at least the following IAM policies:
Alternatively, check out the link here to find a very specific IAM policy already prepared for you with precisely the permissions required.
If remediation is used from within ARGOS then the IAM role needs access to make required changes. The policies in this case depend on the services being remediated.
In your "My Account" page you can now add an AWS account specifying the following information.
AWS Account ID(s)
AWS IAM Role name
AWS regions to be monitored
Add GCP to ARGOS
ARGOS requires a GCP Service Account to authenticate against an organisation's GCP projects.
Please follow these simple steps to create a GCP Service Account:
ARGOS will ask you to upload the Service Account key file that you can download following this process:
At a minimum ARGOS requires the Cloud Asset Viewer and Security Center Service Agent (Project) roles in order to execute the real time inventory and security scanning.
These permissions can be assigned at the Project and / or Folder level.
If you want to use ARGOS's remediation feature we will require you to grant ARGOS the appropriate "write" permissions.
In your "My Account" page you can now add the GCP Projects specifying above information.
I can't see any AWS detections
ARGOS uses the AWS Config service to scan your environment in real time.
One reason why you can't see any AWS detections can be that you have not configured the AWS Config service in your account.
Please do so following the official AWS documentation.
What do I have to deploy to use ARGOS?
You'll only have to add an Azure Service Principal / Azure AD App Registration (for Azure), your AWS IAM credentials (for AWS) or GCP Service Account to ARGOS.
That's it. You do not need to deploy any infrastructure into your cloud environment to get the full benefits of running ARGOS.
How much does it cost me to run ARGOS?
Besides the subscription cost there is no other cost associated with ARGOS on Azure or GCP.
ARGOS uses "AWS Config" advanced queries for real time inventory and a few security scans. "AWS Config" is a service many organisations will likely already have enabled, nevertheless ARGOS's use of this service will likely incur a minimal additional charge on the customer's invoice.
Note: Using ARGOS to remediate rule violations may have effects on resource cost.
Where does ARGOS store its data?
The metadata about rule detections is stored in a secured database located in Australia.
Is our data secure?
ARGOS encrypts sensitive data like the Azure, AWS or GCP credentials with AES-256 GCM in our database.
What data does ARGOS store?
ARGOS does not store any actual data about your environment apart from metadata like cloud resource IDs or resource configuration.
We do not read any files or access any application data in your environment.
ARGOS does not store any Personal Identifiable Information (PII) nor credit card information.
What happens to our data after we cancel our subscription?
Customer data is automatically marked for deletion 30 days after the end of the subscription.
Azure Key Vaults - Ensure that the expiration date is set on all keys
Keys are data stored inside of Key Vaults and in order to read keys the SPN you created for ARGOS needs to be granted an Access Policy to "Get" and "List" keys on each Key Vault that needs to be monitored. Follow this guide.
Without those permissions set ARGOS will not be able to execute this rule.
Azure Key Vaults - Ensure that the expiration date is set on all secrets
Secrets are data stored inside of Key Vaults and in order to read secrets the SPN you created for ARGOS needs to be granted an Access Policy to "Get" and "List" secrets on each Key Vault that needs to be monitored. Follow this guide.
Without those permissions set ARGOS will not be able to execute this rule.
Our Azure Storage Accounts are all configured with Firewall settings. Can we still use ARGOS to monitor them?
Yes, you can. This requires some configuration on the Storage Accounts to whitelist the ARGOS service IP on the Storage Accounts. Follow the documentation here and contact our support team to learn about our internet IP.
WORKING WITH ARGOS
Can we ignore resources?
Yes, ARGOS automatically ignores cloud resources with the following tag:
`argos-ignore = true`
Learn more about how to tag resources:
Can we ignore a detection?
Yes, specific detections can be ignored by an ARGOS user if they are expected on a resource.
Simply find the rule violation in question and click the "ignore" button.
A user can easily revert this by finding the ignored resource and selecting "unignore" at which point the resource will again be included in graphs and scoring.
GCP Detections / Remediations
GCP requires their customers to enable API endpoints in order to have applications programmatically interact with GCP services.
Please check the following URL (https://console.cloud.google.com/apis) in each of your GCP projects and make sure that all APIs of services that are in use in your environment are enabled. Follow the GCP documentation in order to enable APIs in your GCP projects.
ARGOS can send notifications of new detections into a customer-owned Slack channel.
All we require is the webhook URI to this channel. A Slack incoming webhook can be created by following this process here.
Add the webhook URI to the "Notifications" tab on https://app.argos-security.io/account
Microsoft Teams Integration
ARGOS can send notifications of new detections into a customer-owned Teams channel.
All we require is the webhook URI to this channel. A Teams incoming webhook can be created by following this process here.
Add the webhook URI to the "Notifications" tab on
Atlassian Jira Integration
ARGOS can easily create Jira tickets in order to assign detections to the right members of your team.
browse to https://app.argos-security.io/account and select Jira Integration
Add your JIRA user account's email address
Create a JIRA API token at https://id.atlassian.com/manage-profile/security/api-tokens.
Provide the URI to your JIRA workspace in the format " workspace.atlassian.net/"
Select the default project to connect ARGOS to
Select the issue type you want ARGOS to create when exporting
Once configured, a new button will appear when browsing to any detection. Test it out by browsing to https://app.argos-security.io/detections and select any detection. You will now see the "Export to Jira" button.
Exporting a detection to Jira will change its status from "open" to "acknowledged" and will increase the "Acknowledged" counter on the Summary page.
ARGOS will automatically close the detection once it confirms that the issue has been fixed on the cloud.