CSPM Troubleshooting Guide
This guide helps troubleshoot onboarding and scanning issues for the AccuKnox CNAPP SaaS deployment across AWS, Azure, and GCP.
Step 1: Validate Prerequisites
Ensure the required permissions are granted to the user or application for the respective cloud account.
AWS Permissions
- Log in to the AWS Console.
- Navigate to IAM > Users.
- Select the user created for AccuKnox onboarding.
- Go to the Permissions tab:
    - Confirm the following policies are attached:
        - ReadOnlyAccess (AWS Managed - Job Function)
        - SecurityAudit (AWS Managed - Job Function)
Azure Permissions
- Log in to the Azure Portal.
- Navigate to App Registrations:
    - Select the application registered for onboarding.
    - Go to the API Permissions tab and verify:
        - Directory.Read.All is listed under Application Permissions.
- Navigate to Subscriptions:
    - Select the relevant subscription.
    - Go to Manage > Access control (IAM).
    - Verify the registered application has the following roles assigned:
        - Security Reader (Job Function Role for subscriptions)
        - Log Analytics Reader (Job Function Role for subscriptions)
GCP Permissions
- Log in to the Google Cloud Console.
- Navigate to IAM & Admin > IAM:
    - Find the service account created for onboarding.
    - Verify the following roles are assigned:
        - roles/viewer (Viewer Role)
        - roles/iam.securityReviewer (Security Reviewer Role)
        - roles/logging.viewer (Log Viewer Role)
- Navigate to APIs & Services > Library:
    - Ensure the following APIs are enabled:
        - Compute Engine API
        - Identity and Access Management (IAM) API
        - Cloud Resource Manager API
        - Cloud Functions API
        - KMS API
        - Kubernetes API
        - Cloud SQL Admin API
If permissions and APIs are configured correctly, proceed to the next step.
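A scripted version of the AWS and GCP checks above, as an added example that is not part of the AccuKnox documentation: it reads the JSON printed by `aws iam list-attached-user-policies --user-name <user>` and `gcloud projects get-iam-policy <project> --format=json` and reports which required grants are missing. The function names, the sample account ID and the sample service account are assumptions made for illustration.

```python
import json

# Required grants, taken from the lists in Step 1 of this guide.
AWS_POLICIES = {"ReadOnlyAccess", "SecurityAudit"}
GCP_ROLES = {"roles/viewer", "roles/iam.securityReviewer", "roles/logging.viewer"}
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"


def missing_aws_policies(cli_json):
    """Input: output of `aws iam list-attached-user-policies --user-name <user>`.
    A policy counts only if it is AWS managed; a customer managed policy that
    reuses the name has an account ID in its ARN and may grant something else."""
    attached = {
        p["PolicyName"]
        for p in json.loads(cli_json).get("AttachedPolicies", [])
        if p["PolicyArn"].startswith(AWS_MANAGED_PREFIX)
    }
    return sorted(AWS_POLICIES - attached)


def missing_gcp_roles(cli_json, service_account):
    """Input: output of `gcloud projects get-iam-policy <project> --format=json`.
    Bindings with an IAM condition are skipped (a choice made for this example)
    because a conditional grant may not apply when the scan runs."""
    member = "serviceAccount:" + service_account
    granted = {
        b["role"]
        for b in json.loads(cli_json).get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }
    return sorted(GCP_ROLES - granted)


# Constructed sample CLI output (not from a real account).
SAMPLE_AWS = json.dumps({"AttachedPolicies": [
    {"PolicyName": "ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
    {"PolicyName": "SecurityAudit", "PolicyArn": "arn:aws:iam::111122223333:policy/SecurityAudit"},
]})
SAMPLE_SA = "onboarding@example-project.iam.gserviceaccount.com"
SAMPLE_GCP = json.dumps({"bindings": [
    {"role": "roles/viewer", "members": ["serviceAccount:" + SAMPLE_SA]},
    {"role": "roles/iam.securityReviewer", "members": ["user:admin@example.com"]},
    {"role": "roles/logging.viewer", "members": ["serviceAccount:" + SAMPLE_SA],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
]})

if __name__ == "__main__":
    print("AWS missing:", missing_aws_policies(SAMPLE_AWS))
    print("GCP missing:", missing_gcp_roles(SAMPLE_GCP, SAMPLE_SA))
```

The AWS command lists only policies attached directly to the user, so policies inherited through a group still need to be checked on the Permissions tab. The GCP command returns project-level bindings only, so roles inherited from a folder or organization will not appear in its output.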
Refer to the prerequisites for more info:
Step 2: Verify Cloud Scan Status
- Log in to the AccuKnox SaaS platform.
- Navigate to Settings > Cloud Account.
- Select the specific cloud account in question.
- Review the status of the cloud scan: