elastic · benironside · Sep 26, 2024 · Oct 2, 2024 · Oct 2, 2024 · Oct 2, 2024
@@ -30,6 +30,21 @@ This page explains how to get started monitoring the security posture of your cl
 
 You can set up CSPM for AWS either by enrolling a single cloud account, or by enrolling an organization containing multiple accounts. Either way, first you will add the CSPM integration, then enable cloud account access.
 
+[discrete]
+[[cspm-aws-agentless]]
+== Agentless deployment option
+beta::[]
+
+The steps to create an agentless deployment are similar to those to create an agent-based deployment. To deploy using agentless technology, follow the instructions below with the following modifications:
+
+. On the **Add Cloud Security Posture Management (CSPM) integration** page, after you name your integration and give it a description, click **Advanced options** then select **Agentless (BETA)**.
+. Once you've selected **Agentless (BETA)**, you'll need to authenticate to AWS. Agentless AWS deployments support authentication via <<cspm-set-up-cloudformation, CloudFormation>>, and by two manual authentication methods: <<cspm-use-temp-credentials, temporary keys>> and <<cspm-use-keys-directly, direct access keys>>. 
+. Once you've selected an authentication method and provided any necessary credentials, click **Save and continue** to finish deployment.
+
+[discrete]
+[[cspm-aws-agent-based]]
+== Agent-based deployment 
+
 [discrete]
 [[cspm-add-and-name-integration]]
 == Add the CSPM integration
@@ -43,10 +58,11 @@ You can set up CSPM for AWS either by enrolling a single cloud account, or by en
 [discrete]
 [[cspm-set-up-cloud-access-section]]
 == Set up cloud account access
-The CSPM integration requires access to AWS’s built-in https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor[`SecurityAudit` IAM policy] in order to discover and evaluate resources in your cloud account. There are several ways to provide access.
+The CSPM integration requires access to AWS's built-in https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor[`SecurityAudit` IAM policy] in order to discover and evaluate resources in your cloud account. There are several ways to provide access.
 
 For most use cases, the simplest option is to use AWS CloudFormation to automatically provision the necessary resources and permissions in your AWS account. This method, as well as several manual options, are described below.
 
+
 [discrete]
 [[cspm-set-up-cloudformation]]
 === CloudFormation (recommended)
@@ -208,7 +224,7 @@ image::images/cspm-aws-auth-3.png[The EC2 page in AWS, showing the Modify IAM ro
 .. Click *Update IAM role*.
 .. Return to {kib} and <<cspm-finish-manual, finish manual setup>>.
 
-IMPORTANT: Make sure to deploy the CSPM integration to this EC2 instance. When completing setup in {kib}, in the *Setup Access* section, select *Assume role* and leave *Role ARN* empty. Click *Save and continue*.
+IMPORTANT: Make sure to deploy the CSPM integration to this EC2 instance. When completing setup in {kib}, in the *Setup Access* section, select *Assume role*. Leave **Role ARN** empty unless you want to specify a role the ((agent)) should assume instead of the default role for your EC2 instance. Click *Save and continue*.
 
 [discrete]
 [[cspm-use-keys-directly]]
@@ -222,7 +238,7 @@ IMPORTANT: You must select *Programmatic access* when creating the IAM user.
 [discrete]
 [[cspm-use-temp-credentials]]
 === Option 3 - Temporary security credentials
-You can configure temporary security credentials in AWS to last for a specified duration. They consist of an access key ID, a secret access key, and a security token, which is typically found using `GetSessionToken`.
+You can configure temporary security credentials in AWS to last for a specified duration. They consist of an access key ID, a secret access key, and a session token, which is typically found using `GetSessionToken`.
 
 Because temporary security credentials are short term, once they expire, you will need to generate new ones and manually update the integration's configuration to continue collecting cloud posture data. Update the credentials before they expire to avoid data loss.
 

@@ -31,6 +31,18 @@ This page explains how to get started monitoring the security posture of your cl
 You can set up CSPM for Azure by by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access.
 
 
+[discrete]
+[[cspm-azure-agentless]]
+== Agentless deployment option
+beta::[]
+
+The steps to create an agentless deployment are similar to those to create an agent-based deployment. To deploy using agentless technology, follow the instructions below with the following modifications:
+
+. On the **Add Cloud Security Posture Management (CSPM) integration** page, after you name your integration and give it a description, click **Advanced options** then select **Agentless (BETA)**.
+. Once you've selected **Agentless (BETA)**, you'll need to authenticate to Azure. Agentless Azure deployments support authentication via the <<cspm-azure-client-secret, Service principal with client secret>> method described below. 
+. Once you've selected an authentication method and provided any necessary credentials, click **Save and continue** to finish deployment.
+
+
 [discrete]
 [[cspm-add-and-name-integration-azure]]
 === Add your CSPM integration

@@ -30,6 +30,20 @@ This page explains how to get started monitoring the security posture of your GC
 
 You can set up CSPM for GCP either by enrolling a single project, or by enrolling an organization containing multiple projects. Either way, you need to first add the CSPM integration, then enable cloud account access.
 
+[discrete]
+[[cspm-gcp-agentless]]
+== Agentless deployment option
+beta::[]
+
+The steps to create an agentless deployment are similar to those to create an agent-based deployment. To deploy using agentless technology, follow the instructions below with the following modifications:
+
+. On the **Add Cloud Security Posture Management (CSPM) integration** page, after you name your integration and give it a description, click **Advanced options** then select **Agentless (BETA)**.
+. Once you've selected **Agentless (BETA)**, click **Steps to Generate GCP Account Credentials** under **Setup Access**. Follow the instructions that appear to generate the necessary GCP credentials.
+. Once you've entered your credentials under **Credentials json**, click **Save and continue** to deploy your integration.
+
+[discrete]
+[[cspm-gcp-agent-based]]
+== Agent-based deployment 
 
 [discrete]
 [[cspm-add-and-name-integration-gcp]]

@@ -3,7 +3,7 @@
 
 The Cloud Security Posture Management (CSPM) feature discovers and evaluates the services in your cloud environment — like storage, compute, IAM, and more — against configuration security guidelines defined by the https://www.cisecurity.org/[Center for Internet Security] (CIS) to help you identify and remediate risks that could undermine the confidentiality, integrity, and availability of your cloud data.
 
-This feature currently supports Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. For step-by-step getting started guides, refer to <<cspm-get-started,Get started with CSPM for AWS>>, <<cspm-get-started-gcp, Get started with CSPM for GCP>>, or <<cspm-get-started-azure, Get started with CSPM for Azure>>.
+This feature currently supports agentless and agent-based deployments on Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. For step-by-step getting started guides, refer to <<cspm-get-started,Get started with CSPM for AWS>>, <<cspm-get-started-gcp, Get started with CSPM for GCP>>, or <<cspm-get-started-azure, Get started with CSPM for Azure>>.
 
 .Requirements
 [sidebar]

@@ -0,0 +1,10 @@
+[[agentless-integrations]]
+= Agentless integrations
+
+beta::[]
+
+Agentless integrations provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using agentless integrations makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it. 
+
+We currently support one agentless integration: cloud security posture management (CSPM). Using this integration's agentless deployment option, you can enable Elastic's CSPM capabilities just by providing the necessary credentials. Agentless CSPM deployments support AWS, Azure, and GCP accounts.
+
+To learn more about agentless CSPM deployments, refer to the getting started guides for CSPM on <<cspm-get-started, AWS>>,  <<cspm-get-started-azure, Azure>>, or <<cspm-get-started-gcp, GCP>>. 
@@ -17,6 +17,7 @@ include::security-ui.asciidoc[leveloffset=+1]
 include::ingest-data.asciidoc[leveloffset=+1]
 include::threat-intel-integrations.asciidoc[leveloffset=+2]
 include::automatic-import.asciidoc[leveloffset=+2]
+include::agentless-integrations.asciidoc[leveloffset=+2]
 
 include::security-spaces.asciidoc[leveloffset=+1]
 

@@ -41,14 +41,22 @@ You can set up CSPM for AWS either by enrolling a single cloud account, or by en
 1. Click **Add Cloud Security Posture Management (CSPM)**.
 1. Select **AWS**, then either **AWS Organization** to onboard multiple accounts, or **Single Account** to onboard an individual account.
 1. Give your integration a name that matches the purpose or team of the AWS account/organization you want to monitor, for example, `dev-aws-account`.
+1. <DocBadge template="beta" /> (Optional) Click **Advanced settings** to deploy the integration using agentless technology. 
+
 
 <div id="cspm-set-up-cloud-access-section"></div>
 
 ## Set up cloud account access
-The CSPM integration requires access to AWS’s built-in [`SecurityAudit` IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor) in order to discover and evaluate resources in your cloud account. There are several ways to provide access.
+The CSPM integration requires access to AWS's built-in [`SecurityAudit` IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor) in order to discover and evaluate resources in your cloud account. There are several ways to provide access.
 
 For most use cases, the simplest option is to use AWS CloudFormation to automatically provision the necessary resources and permissions in your AWS account. This method, as well as several manual options, are described below.
 
+<DocCallOut title="Note">
+<DocBadge template="beta" /> Agentless deployments support two authentication methods: 
+<DocLink slug="/serverless/security/cspm-get-started" section="option-2-direct-access-keys">Direct access keys</DocLink> and <DocLink slug="/serverless/security/cspm-get-started" section="option-3-temporary-security-credentials">Temporary keys</DocLink>.
+</DocCallOut>
+
+
 <div id="cspm-set-up-cloudformation"></div>
 
 ### CloudFormation (recommended)
@@ -222,7 +230,7 @@ Follow AWS's [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/lates
     1. Return to ((kib)) and <DocLink slug="/serverless/security/cspm-get-started" section="finish-manual-setup">finish manual setup</DocLink>.
 
 <DocCallOut title="Important" color="warning">
-Make sure to deploy the CSPM integration to this EC2 instance. When completing setup in Kibana, in the **Setup Access** section, select **Assume role** and leave **Role ARN** empty. Click **Save and continue**.
+Make sure to deploy the CSPM integration to this EC2 instance. When completing setup in Kibana, in the **Setup Access** section, select **Assume role**. Leave **Role ARN** empty unless you want to specify a role the ((agent)) should assume instead of the default role for your EC2 instance. Click **Save and continue**.
 </DocCallOut>
 
 <div id="cspm-use-keys-directly"></div>