ビュー:

Azureサブスクリプションに必要な権限 親トピック

リソースをデプロイするために必要な権限と、AzureサブスクリプションをTrend Vision Oneに接続する際に付与される権限を確認してください。
次の権限が必要です。Trend Vision OneCloud Securityリソースをサブスクリプションに正常にデプロイするために。
  • Microsoft Entra IDユーザの場合、サインインには次のロールが必要です。
    • アプリケーション管理者
    • 特権ロール管理者
  • Microsoft Azureユーザの場合、接続するサブスクリプションでのサインインには、以下の役割またはそれ以上の役割が必要です。
    • ユーザアクセス管理者
    • 投稿者
  • Microsoft Defender for EndpointコレクションまたはAzureアクティビティログを有効にするには、Microsoft Azureサインインに次のロールが必要です。
    • Key Vault シークレットオフィサー
Terraformプロセスは、Cloud AccountsおよびTrend Vision One Cloud Securityサービスとの接続を確立するために、特定の権限を自らに割り当てます。これらの権限には、Cloud Accountsアプリとセキュリティサービスが一時的な認証情報を取得し、Azureクラウド環境内でタスクを完了することが含まれます。

Azureの必要な権限

機能
必要な権限
コア機能
Azure Resource Manager (ARM) permissions:
  • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  • Microsoft.ContainerService/managedClusters/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
  • */read
API Permissions:
  • Azure Active Directory Graph (4)
    • Directory.Read.All | 委任
    • Directory.Read.All | アプリケーション
    • User.Read | 委任
    • User.Read.All | 委任
  • Microsoft Graph (4)
    • Directory.Read.All | アプリケーション
    • User.Read | 委任
    • User.Read.All | 委任
    • User.Read.All | アプリケーション
Server & Workload Protection
サブスクリプションの権限:
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/providers/read
  • Microsoft.Resources/resources/read
仮想マシン (VM) の権限:
  • Microsoft.Compute/virtualMachines/read
Virtual Machine Scale Set (VMSS) の権限:
  • Microsoft.Compute/virtualMachineScaleSets/read
クラシック仮想マシン (VM) の権限:
  • Microsoft.ClassicCompute/virtualMachines/read
  • Microsoft.ClassicCompute/domainNames/read
ネットワーク権限:
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/virtualNetworks/read
AzureメタデータAPIの権限:
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Compute/locations/read
認証とIAM権限:
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
Cloud Security Posture
requiredResourceAccess:
  • resourceAppName: Microsoft Graph
  • リソースアクセス:
    • 名前: User.Read
    • タイプ: Delegated
    • 名前: User.Read.All
    • タイプ: Delegated
    • 名前: Directory.Read.All
    • type: Application
    • 名前: User.Read.All
    • type: Application
    • 名前: Policy.Read.All
    • type: Application
requiredRoleAccess
  • resourceAppName: Microsoft App Configuration
    ロールアクション:
    • name: Microsoft.AppConfiguration/configurationStores/ListKeyValue/action
  • resourceAppName: Microsoft Network
    ロールアクション:
    • name: Microsoft.Network/networkWatchers/queryFlowLogStatus/action
  • resourceAppName: Microsoft Web
    ロールアクション:
    • 名前: Microsoft.Web/sites/config/list/Action
  • resourceAppName: Microsoft Key Vault
    dataActions:
    • 名前: Microsoft.KeyVault/vaults/keys/read
    • name: Microsoft.KeyVault/vaults/secrets/readMetadata/action
requiredTenantScopeRoleAccess
  • resourceAppName: Microsoft Management
    ロールアクション:
    • name: Microsoft.Management/managementGroups/read
エージェントレスによる脆弱性と脅威の検出
Azure Resource Manager (ARM) permissions:
  • Microsoft.ContainerRegistry/registries/generateCredentials/action
  • Microsoft.ContainerRegistry/registries/read
  • Microsoft.ContainerRegistry/registries/pull/read
  • Microsoft.ContainerRegistry/registries/tokens/write
  • Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
  • Microsoft.ContainerRegistry/registries/scopeMaps/read
  • Microsoft.ContainerRegistry/registries/tokens/read
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/virtualMachines//read
  • Microsoft.HybridCompute/machines//read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Compute/locations/usages/read
  • Microsoft.Quota/quotas/read
Trend Micro Resource Group permissions
Azure の組み込みロール: 貢献者
  • 処理:
    • Allow Actions:*
  • NotActions:
    • Microsoft.Authorization/*/Delete
    • Microsoft.Authorization/*/Write
    • Microsoft.Authorization/elevateAccess/Action
    • Microsoft.Blueprint/blueprintAssignments/write
    • Microsoft.Blueprint/blueprintAssignments/delete
    • Microsoft.Compute/galleries/share/action
    • Microsoft.Purview/consents/write
    • Microsoft.Purview/consents/delete
    • Microsoft.Resources/deploymentStacks/manageDenySetting/action
    • Microsoft.Subscription/cancel/action
    • Microsoft.Subscription/enable/action
Azure組み込みロール: AcrPull
  • Microsoft.ContainerRegistry/registries/pull/read
Azure組み込みロール: Storage Blob Data Owner
  • Microsoft.Storage/storageAccounts/blobServices/containers/*
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
Trend Micro Storage ID permissions
Azure組み込みロール: Storage Blob Data Reader
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Data Security Posture
Azure Resource Manager (ARM) permissions:
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/write
  • Microsoft.Network/networkSecurityGroups/delete
  • Microsoft.Network/networkSecurityGroups/securityRules/read
  • Microsoft.Network/networkSecurityGroups/securityRules/write
  • Microsoft.Network/networkSecurityGroups/securityRules/delete
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write
  • Microsoft.Resources/subscriptions/resourceGroups/delete
  • Microsoft.Automation/automationAccounts/read
  • Microsoft.Automation/automationAccounts/write
  • Microsoft.Automation/automationAccounts/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Automation/automationAccounts/webhooks/read
  • Microsoft.Automation/automationAccounts/webhooks/write
  • Microsoft.Automation/automationAccounts/webhooks/delete
  • Microsoft.Insights/actionGroups/read
  • Microsoft.Insights/actionGroups/write
  • Microsoft.Insights/actionGroups/delete
  • Microsoft.Automation/automationAccounts/python3Packages/read
  • Microsoft.Automation/automationAccounts/python3Packages/write
  • Microsoft.Automation/automationAccounts/python3Packages/delete
  • Microsoft.Automation/automationAccounts/runbooks/read
  • Microsoft.Automation/automationAccounts/runbooks/write
  • Microsoft.Automation/automationAccounts/runbooks/delete
  • Microsoft.Automation/automationAccounts/jobSchedules/read
  • Microsoft.Automation/automationAccounts/jobSchedules/write
  • Microsoft.Automation/automationAccounts/jobSchedules/delete
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/publicIPAddresses/write
  • Microsoft.Network/publicIPAddresses/delete
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/write
  • Microsoft.Network/virtualNetworks/subnets/delete
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/bastionHosts/read
  • Microsoft.Network/bastionHosts/write
  • Microsoft.Network/bastionHosts/delete
Azureアクティビティログのクラウド検出
必要な権限はありません。
Microsoft Defender for Endpoint ログコレクション
  • Microsoft.KeyVault/vaults/secrets/read
  • Microsoft.KeyVault/vaults/secrets/write