Merge pull request #572 from HighnessAtharva/updates

add dast ppt + ai sec page updates

Author: HighnessAtharva

docs/how-to/aiml-aws-onboard.md

@@ -5,14 +5,11 @@ description: Step-by-step instructions for onboarding an AWS cloud account and A
 
 # AWS AI/ML Cloud Onboarding
 
-In this section we can find the steps to onboard an AWS cloud account to the AccuKnox SaaS platform.
-
-!!! info "AI/ML Prerequisites for AWS Cloud Accounts"
-    **Please review the [AI/ML Prerequisites for AWS](https://help.accuknox.com/how-to/cspm-prereq-aws/#aiml-security-prerequisites-for-aws-cloud-accounts) before proceeding with the onboarding process.**
+In this section we can find the steps to onboard an AWS cloud account with AI/ML asset scanning to the AccuKnox SaaS platform.
 
 ## **AWS IAM User Creation**
 
-Follow these steps to provide a user with appropriate read access:
+Follow these steps to create an IAM user with the permissions required for AI/ML asset scanning:
 
 **Step 1:** Navigate to IAM → Users and click on Add Users
 
@@ -34,7 +31,35 @@ c. Search "SecurityAudit", Filter by Type: "AWS managed - job function" and sele
 
 ![image](images/iam-user-3.png)
 
-**Step 4:** Finish creating the user. Click on the newly created user and create the Access key and Secret Key from the Security Credentials tab to be used in the AccuKnox panel
+**Step 4:** Go to **Add Permissions > Create inline policy** and attach the following policy to grant access to AI/ML services:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AccuKnoxAIMLPermissions",
+            "Effect": "Allow",
+            "Action": [
+                "bedrock:InvokeModel",
+                "bedrock:InvokeAgent",
+                "sagemaker:InvokeEndpoint",
+                "sagemaker:ListTags",
+                "bedrock-agentcore:InvokeAgentRuntime",
+                "bedrock-agentcore:StopRuntimeSession",
+                "aws-marketplace:Subscribe",
+                "aws-marketplace:ViewSubscriptions"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+!!! note
+    `aws-marketplace:Subscribe` and `aws-marketplace:ViewSubscriptions` are required for invoking certain models (e.g., Claude Opus 4.5) that are distributed through AWS Marketplace.
+
+**Step 5:** Finish creating the user. Click on the newly created user and create the Access key and Secret Key from the Security Credentials tab to be used in the AccuKnox panel
 
 ![image](images/iam-user-4.png)
 
@@ -58,7 +83,7 @@ In this example we are onboarding AWS account using the Access Keys method.
 
 ![image](images/cloud-onboarding-5.png)
 
-**Step 5:** After giving labels and Tag in the Next Screen Provide the AWS account’s Access Key and Secret Access Key ID and Select the Region of the AWS account. **Ensure to check the box "AI/ML Assets" to enable AI/ML asset discovery** and monitoring. Finally, click on the "Add Account" button to complete the onboarding process.
+**Step 5:** After giving labels and tag, provide the AWS account’s Access Key and Secret Access Key ID and select the region. **Check the "AI/ML Assets" box** to enable AI/ML asset discovery and monitoring. Click "Add Account" to complete onboarding.
 
 ![image](images/ai-checkbox.png)
 

docs/how-to/aiml-azure-onboard.md

@@ -7,9 +7,6 @@ description: Step-by-step instructions for onboarding an Azure cloud account and
 
 In this section we can find the steps to onboard an Azure cloud account to the AccuKnox SaaS platform.
 
-!!! info "AI/ML Prerequisites for Azure Cloud Accounts"
-    **Please review the [AI/ML Prerequisites for Azure](https://help.accuknox.com/how-to/cspm-prereq-azure/#aiml-security-prerequisites-for-azure-cloud-accounts) before proceeding with the onboarding process.**
-
 ## **Rapid Onboarding (via Azure)**
 
 For Azure Onboarding it is required to register an App and grant Security read access to that App from the Azure portal.
@@ -42,11 +39,17 @@ For Azure Onboarding it is required to register an App and grant Security read a
 
 ![image](images/azure5-1.png)
 
-**Step 8:** Next, select Application Permissions and then search for Directory.Read.All and click on Add permissions
+**Step 8:** Select Application Permissions and add each of the following permissions:
+
+- `Directory.Read.All`
+- `Application.Read.All`
+- `AuditLog.Read.All`
+- `AuditLogsQuery-CRM.Read.All`
+- `AuditLogsQuery.Read.All`
 
 ![image](images/azure5-2.png)
 
-**Step 9:** Select ‘Grant Admin Consent’ for Default Directory and click on ‘Yes’
+**Step 9:** Select ‘Grant Admin Consent’ for Default Directory and click on ‘Yes’. Confirm all permissions show a Granted status.
 
 ![image](images/azure5-3.png)
 
@@ -63,22 +66,49 @@ For Azure Onboarding it is required to register an App and grant Security read a
 ![image](https://learn.microsoft.com/en-us/azure/role-based-access-control/media/custom-roles-portal/add-custom-role-menu.png)
 
 Create a custom role with the following actions:
-`Microsoft.MachineLearningServices/workspaces/onlineEndpoints/score/action`
-`Microsoft.MachineLearningServices/serverlessEndpoints/listKeys/action`
-`Microsoft.Storage/storageAccounts/listKeys/action`
-`Microsoft.MachineLearningServices/workspaces/batchEndpoints/score/action`
+
+```
+Microsoft.MachineLearningServices/workspaces/onlineEndpoints/score/action
+Microsoft.MachineLearningServices/workspaces/serverlessEndpoints/listKeys/action
+Microsoft.MachineLearningServices/workspaces/datastores/listSecrets/action
+Microsoft.MachineLearningServices/workspaces/listStorageAccountKeys/action
+Microsoft.CognitiveServices/accounts/listKeys/action
+Microsoft.CognitiveServices/accounts/deployments/read
+Microsoft.Storage/storageAccounts/listKeys/action
+```
 
 It will look similar to this (use the above listed permissions):
 ![Azure custom role JSON editor view in Azure Portal](https://learn.microsoft.com/en-us/azure/role-based-access-control/media/custom-roles-portal/json.png)
 
-**Step 13:** Next, we need to apply the Reader role.
-![image](https://i.ibb.co/bwNv5H2/image.png)
+**Step 13:** Apply the following built-in roles to the registered application: **Reader**, **Cognitive Services OpenAI User**, **Cognitive Services User**, and **Storage Blob Data Reader**.
+
+For each role:
 
-1. Go to the **Azure Portal** → **Subscriptions** (or **Resource Groups**) → select your target scope.
+1. Go to **Azure Portal** → **Subscriptions** (or **Resource Groups**) → select your target scope.
 2. Open **Access control (IAM)** → click **Add > Add role assignment**.
-3. In the **Role** tab, select **Reader**, then click **Next**.
-4. Under **Members**, choose the user, service principal, or group → **Review + assign** to apply the Reader role.
+3. In the **Role** tab, search for and select the role, then click **Next**.
+
+    *Example: selecting the Reader role*
+
+    ![image](images/azure-aiml-reader.png)
+
+    *Example: selecting the Storage Blob Data Reader role*
+
+    ![image](images/azure-aiml-blob-role.png)
+
+4. In the **Members** tab, click **Select members** and search for the application you registered.
+
+    ![image](images/azure-aiml-blob-member.png)
+
+5. Select the application (e.g., AccuKnox Azure CSPM Org Scanner) and click **Review + assign**.
+
+    ![image](images/azure-aiml-blob-selected.png)
+
+Repeat this process for all four roles.
+
 
+!!! tip "Using Copilot Studio?"
+    If you're integrating with Microsoft Copilot Studio (CP Studio), complete the [Copilot Studio integration steps](https://help.accuknox.com/integrations/copilot-studio/) before proceeding to the AccuKnox SaaS UI onboarding below.
 
 ## **From AccuKnox SaaS UI**
 
@@ -96,7 +126,7 @@ Configuring your Azure cloud account is complete. Now we need to onboard the clo
 
 ![image](images/azure14.png)
 
-**Step 4:** Enter the details that we saved earlier during the steps for app registration and subscription id from subscriptions in azure portal and click on connect. **Ensure to check the box "AI/ML Assets"** to enable AI/ML asset discovery and monitoring.
+**Step 4:** Enter the details saved during app registration (Application ID, Directory ID, Secret Value) and the Subscription ID from the Azure portal. **Check the "AI/ML Assets" box** to enable AI/ML asset discovery and monitoring. Click Connect.
 
 ![image](images/ai-checkbox.png)
 

docs/how-to/aiml-gcp-onboard.md

@@ -5,96 +5,112 @@ description: Step-by-step instructions for onboarding a GCP cloud account and AI
 
 # GCP AI/ML Cloud Onboarding
 
-!!! info "AI/ML Prerequisites for GCP Cloud Accounts"
-    **Please review the [AI/ML Prerequisites for GCP](https://help.accuknox.com/how-to/cspm-prereq-gcp/#aiml-security-prerequisites-for-gcp-cloud-accounts) before proceeding with the onboarding process.**
-
-Here, we will see the steps to onboard a GCP cloud account to the AccuKnox SaaS platform.
+Here, we will see the steps to onboard a GCP cloud account with AI/ML asset scanning to the AccuKnox SaaS platform.
 
 !!! note
-    Ensure the following API Libraries are enabled in your GCP account before onboarding to AccuKnox SaaS:
+    Make sure the following API libraries are enabled in your GCP account before proceeding:
 
 1. Compute Engine API
 2. Identity and Access Management (IAM) API
 3. Cloud Resource Manager API
 4. Cloud Functions API
 5. KMS API
-6. Kubernetes API
+6. Kubernetes Engine API
 7. Cloud SQL Admin API
+8. **Vertex AI API** (required for AI/ML asset discovery)
+
+GCP onboarding requires IAM Service Account access. You will create two custom roles and a service account with all required permissions.
 
-For GCP there is a requirement for IAM Service Account Access.
+## Create Custom Role: Storage Access
 
-**Step 1:**  Log into your Google Cloud console and navigate to  IAM & Admin choose “Roles“ and Click “Create Role“
+**Step 1:** Log into your Google Cloud console and navigate to IAM & Admin, choose "Roles" and click "Create Role".
 
 ![image](images/gcp/gcp-0.png)
 
-**Step 2:**  Name the “Role” and Click “Add Permission”
+**Step 2:** Name the role and click "Add Permission".
 
 ![image](images/gcp/gcp-1.png)
 
-**Step 3:**  Use the Service: storage filter then value as “storage.buckets.getIamPolicy“
+**Step 3:** Use the Service filter set to "storage" and search for "storage.buckets.getIamPolicy".
 
 ![image](images/gcp/gcp-2.png)
 
-**Step 4:** Choose the permission and Click “Add“ then Click Create in the same page.
+**Step 4:** Select the permission, click "Add", then click "Create".
 
 ![image](images/gcp/gcp-3.png)
 
-**Step 5:**  In the Navigation Panel, navigate to IAM Admin > Service Accounts.
+## Create Custom Role: Vertex AI Access
+
+**Step 5:** Follow the same process (Steps 1–4) to create a second custom role.
+
+- Name it something identifiable, such as "AccuKnox-AIML-Role".
+- Add only the permission: `aiplatform.endpoints.predict`
+
+This grants the ability to invoke Vertex AI endpoints without granting permissions to manage or deploy them.
+
+## Create and Configure Service Account
+
+**Step 6:** In the Navigation Panel, navigate to IAM Admin > Service Accounts.
 
 ![image](images/gcp/gcp-4.png)
 
-**Step 6:** Click on "Create Service Account"
+**Step 7:** Click "Create Service Account".
 
 ![image](images/gcp/gcp-5.png)
 
-**Step 7:** Enter any name that you want on Service Account Name.
+**Step 8:** Enter a name for the Service Account.
 
-**Step 8:** Click on Continue.
+**Step 9:** Click "Continue".
 
 ![image](images/gcp/gcp-6.png)
 
-**Step 9:** Select the role: Project > Viewer and click Add another Role.
+**Step 10:** Add all of the following roles. Select the first role, then use "Add Another Role" for each additional one:
 
-![image](images/gcp/gcp-7.png)
+- **Project > Viewer**
+- **Security Reviewer**
+- **Vertex AI Viewer**
+- **Storage Object Viewer**
+- **Storage Bucket Viewer**
+- Your custom **storage role** (created in Step 4)
+- Your custom **Vertex AI role** (created in Step 5)
 
-**Step 10:** Click “Add Another Role” Choose “Custom“ Select the created Custom Role.
+![image](images/gcp/gcp-7.png)
 
 ![image](images/gcp/gcp-8.png)
 
-**Step 11:** Click on “Continue“ and ”Done”
+**Step 11:** Click "Continue" and "Done".
 
 ![image](images/gcp/gcp-9.png)
 
-**Step 12:** Go to the created Service Account, click on that Service Account navigate to the “Keys“ section.
+**Step 12:** Click on the newly created Service Account and navigate to the "Keys" section.
 
 ![image](images/gcp/gcp-10.png)
 
-**Step 13:** Click the “Add key“ button and “Create new key “ . Chosen Key type should be JSON format.
+**Step 13:** Click "Add key" then "Create new key". Select JSON as the key type.
 
 ![image](images/gcp/gcp-11.png)
 
-**Step 14:** Click the “Create“ button it will automatically download the JSON key.
+**Step 14:** Click "Create". The JSON key downloads automatically.
 
 ## From AccuKnox SaaS UI
 
-**Step 1:** Go to the AccuKnox SaaS. Navigate to the “Settings” → “Cloud Accounts” then “Add Account”.
+**Step 1:** Go to AccuKnox SaaS. Navigate to "Settings" → "Cloud Accounts" and click "Add Account".
 
 ![image](images/gcp/gcp-saas-0.png)
 
-**Step 2:** Click the “GCP Platform”
+**Step 2:** Select "GCP Platform".
 
 ![image](images/gcp/gcp-saas-1.png)
 
-**Step 3:**  Create New Label and Add the Label for identifying the assets inside this account and add a Tag optionally.
+**Step 3:** Create a new label to identify assets in this account. Optionally add a tag.
 
 ![image](images/gcp/gcp-saas-2.png)
 
-**Step 4:**  Enter the “Project ID“, “Client Email”(The Service Account mail ID) and  “Private Key” from the downloaded File.
-Copy paste the entire downloaded file into the ”Private Key” field . **Ensure to check the box "AI/ML Assets"** to enable AI/ML asset discovery and monitoring. Then Click “Connect“
+**Step 4:** Enter the "Project ID", "Client Email" (Service Account email), and "Private Key". Paste the entire contents of the downloaded JSON file into the "Private Key" field. **Check the "AI/ML Assets" box** to enable AI/ML asset discovery and monitoring. Click "Connect".
 
 ![image](images/ai-checkbox.png)
 
-The cloud account has been onboarded successfully
+The cloud account has been onboarded successfully.
 
 ![image](images/gcp/gcp-saas-4.png)