# Create an assessment

Before you can begin identifying and remediating overprivileged access, you must first run an Access Discovery assessment.

An assessment scans your cloud environments and analyzes how principals use their permissions. This enables Apono to surface unused, excessive, or high-risk access across your infrastructure.

***

### Prerequisites

{% tabs %}
{% tab title="AWS (CloudFormation on ECS)" %}

<table><thead><tr><th width="208">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>CloudTrail</strong></td><td><p>Record of AWS API activity that is delivered to and stored in an Amazon S3 bucket</p><p>When enabling <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html">CloudTrail trails</a>, the following are required:</p><ul><li>Trails enabled for all regions and for every account you want to scan</li><li>Full <strong>Management events</strong> (read and write) and <strong>Data events</strong> enabled</li></ul><p><strong>NOTE</strong>: If the trail bucket is located in a different account from the trail itself, add this tag to the trail so Apono can locate the bucket:</p><p>Key: <code>apono-bucket-account-id</code><br>Value: <code>[ACCOUNTID]</code> (the ID of the account that owns the bucket)</p></td></tr><tr><td><strong>Apono connector &#x26; Cloud integration</strong></td><td><p>On-prem connection serving as a bridge between a <a href="#set-up-the-apono-connector-and-cloud-organization-integration">cloud instance and Apono</a>, plus at least one cloud integration with Apono</p><p><strong>Minimum Required Version</strong>: 1.7.3</p></td></tr></tbody></table>
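The CloudTrail requirements above are easy to get partly wrong (a single-region trail, management events restricted to reads, no data events, or a cross-account bucket with no tag). The script below is an added example, not Apono's own code: it checks the JSON returned by `aws cloudtrail describe-trails`, `aws cloudtrail get-event-selectors` and `aws cloudtrail list-tags` against those requirements and lists what is missing per trail. It assumes you know which account owns each trail bucket (the CLI does not return that), and the sample input and account IDs at the bottom are constructed for the example.

```python
"""Check CloudTrail trails against the Access Discovery prerequisites.

Added example, not Apono's own code. Works on the JSON the AWS CLI returns:
  aws cloudtrail describe-trails
  aws cloudtrail get-event-selectors --trail-name <arn>
  aws cloudtrail list-tags --resource-id-list <arn>
The owning account of each S3 bucket is supplied by the caller.
The sample documents at the bottom are constructed; the account IDs are fake.
"""

TAG_KEY = "apono-bucket-account-id"


def _account_from_arn(arn):
    """arn:aws:cloudtrail:<region>:<account>:trail/<name> -> <account>"""
    return arn.split(":")[4]


def _basic_selectors(selectors):
    """Classic EventSelectors: full management events and any data events."""
    mgmt = data = False
    for s in selectors.get("EventSelectors") or []:
        if s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All":
            mgmt = True
        if s.get("DataResources"):
            data = True
    return mgmt, data


def _advanced_selectors(selectors):
    """AdvancedEventSelectors: eventCategory=Management with no readOnly
    restriction counts as full management events; eventCategory=Data as data."""
    mgmt = data = False
    for s in selectors.get("AdvancedEventSelectors") or []:
        fields = {f["Field"]: f for f in s.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {}).get("Equals", [])
        if "Management" in category and "readOnly" not in fields:
            mgmt = True
        if "Data" in category:
            data = True
    return mgmt, data


def check_trail(trail, selectors, tags, bucket_account_id=None):
    """Return the list of unmet prerequisites for one trail (empty = compliant)."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region")
    b_mgmt, b_data = _basic_selectors(selectors)
    a_mgmt, a_data = _advanced_selectors(selectors)
    if not (b_mgmt or a_mgmt):
        findings.append("management events are not logged for both reads and writes")
    if not (b_data or a_data):
        findings.append("no data event selector is configured")
    trail_account = _account_from_arn(trail["TrailARN"])
    # Cross-account bucket: the trail must carry the tag with the bucket owner's ID.
    if bucket_account_id and bucket_account_id != trail_account:
        tag_value = {t["Key"]: t["Value"] for t in tags}.get(TAG_KEY)
        if tag_value != bucket_account_id:
            findings.append(
                f"bucket is owned by {bucket_account_id}; tag {TAG_KEY}={bucket_account_id} is missing"
            )
    return findings


def check_trails(describe, selectors_by_arn, tags_by_arn, bucket_owner):
    """Map trail name -> findings. bucket_owner maps bucket name -> owning account ID."""
    return {
        t["Name"]: check_trail(
            t,
            selectors_by_arn.get(t["TrailARN"], {}),
            tags_by_arn.get(t["TrailARN"], []),
            bucket_owner.get(t["S3BucketName"]),
        )
        for t in describe["trailList"]
    }


# --- constructed sample input, shaped like the CLI output --------------------
ORG_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"
LEGACY_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:trail/legacy-trail"
DESCRIBE = {"trailList": [
    {"Name": "org-trail", "TrailARN": ORG_ARN, "IsMultiRegionTrail": True,
     "S3BucketName": "central-cloudtrail-logs"},
    {"Name": "legacy-trail", "TrailARN": LEGACY_ARN, "IsMultiRegionTrail": False,
     "S3BucketName": "legacy-logs"},
]}
SELECTORS = {
    ORG_ARN: {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
              "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]},
    LEGACY_ARN: {"AdvancedEventSelectors": [{"Name": "reads only", "FieldSelectors": [
                 {"Field": "eventCategory", "Equals": ["Management"]},
                 {"Field": "readOnly", "Equals": ["true"]}]}]},
}
TAGS = {ORG_ARN: [{"Key": TAG_KEY, "Value": "222222222222"}], LEGACY_ARN: []}
BUCKET_OWNER = {"central-cloudtrail-logs": "222222222222", "legacy-logs": "111111111111"}

if __name__ == "__main__":
    for name, findings in check_trails(DESCRIBE, SELECTORS, TAGS, BUCKET_OWNER).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

In the sample, `org-trail` passes and `legacy-trail` is flagged three times. For a real trail whose bucket sits in another account, add the tag with `aws cloudtrail add-tags --resource-id <trail-arn> --tags-list Key=apono-bucket-account-id,Value=<bucket-account-id>` and rerun the check.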

**Set up the Apono connector and cloud organization integration**

{% hint style="success" %}
If you choose to use an existing connector, be sure to complete the following:

* Set all the parameters in step **9** below.
* [Upgrade your connector](https://docs.apono.io/docs/aws-environment/apono-connector-for-aws/updating-a-connector-in-aws) to **version 1.7.3 or greater**.
* Complete step **12** below to finish the cloud organization integration.
{% endhint %}

Follow these steps to set up an Apono connector:

1. On the [**Catalog**](https://app.apono.io/catalog?search=aws) tab, click **AWS**. The **Connect Integrations Group** page appears.
2. Under **Discovery**, click **Amazon Organization**.
3. Select the **Permission Boundary** resource to allow Apono to temporarily restrict overprivileged access.
4. Click one or more additional resource types to sync with Apono.

{% hint style="info" %}
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.
{% endhint %}

5. Click **Next**. The **Apono connector** section expands.
6. From the **Select Connector** dropdown menu, click **+ Add new connector**. The **Select connector installation strategy** section appears.
7. Select **Cloud installation > CloudFormation (ECS)**.
8. Under **Follow these steps to install connector**, click **Open Cloud Formation**. AWS CloudFormation opens, and the **Create stack** page appears pre-filled with one of Apono's AWS account stack templates.

{% hint style="info" %}
If you are not already signed in, AWS prompts you to sign in to your AWS account. Be sure to sign in with your **Root user** account.
{% endhint %}

9. Define the following **Parameters**:
   1. (Optional) Update the **AponoConnectorId** with a descriptive name.
   2. From the **Permissions** dropdown menu, select **Full Access (Manage IAM)**.
3. From the **S3AWSLogsScanning** dropdown menu, select **Enabled** to allow Apono to read CloudTrail logs.
   4. Select one or several **SubnetIDs**.
   5. Select a **VpcId**.
10. Under **Capabilities**, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**.
11. Click **Create stack**.
12. Complete steps **6-10** of the [AWS organization integration](https://docs.apono.io/docs/aws-environment/aws-integrations/integrate-an-aws-account-or-organization#integrate-an-aws-organization).

You can now [create your first assessment](#create-an-assessment).
{% endtab %}

{% tab title="GCP" %}

<table><thead><tr><th width="208">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Apono connector</strong></td><td><p>On-prem connection serving as a bridge between a Google Cloud instance and Apono</p><p><strong>Minimum Required Version</strong>: 1.7.3<br><br><a href="../../gcp-environment/apono-connector-for-gcp/updating-a-connector-in-google-cloud">Upgrade your connector</a> to version 1.7.3 or greater.</p></td></tr><tr><td><strong>GCP Organization integration</strong></td><td><p><a href="../../../gcp-environment/gcp-integrations/integrate-a-gcp-organization-or-project#organization-3">Cloud integration with Apono</a><br><br><strong>IMPORTANT</strong>: In the <strong>Integration Config</strong> settings, enter your Google customer ID in the <strong>Customer ID (optional)</strong> field.</p><p><br>Your <strong>Customer ID</strong> is located on the <a href="https://admin.google.com/ac/accountsettings"><strong>Account settings</strong></a> page in the <strong>Profile</strong> section.</p></td></tr><tr><td><strong>BigQuery sink filter with audit activity</strong></td><td><p>BigQuery log sink for audit activity whose filter <strong>includes</strong>, or at least <strong>does not exclude</strong>, the following clause: <code>protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"</code></p><p><br>This log type is what Apono uses to generate assessments.</p><p><br>For more information, see Google’s documentation on <a href="https://cloud.google.com/logging/docs/export/configure_export_v2">configuring log sinks and filters</a>.</p></td></tr><tr><td><strong>Groups Reader role</strong></td><td><p>Google Workspace role, assigned to the connector service account, that allows that principal to view group metadata and membership</p><p><br>For more information, see Google's documentation to <a href="https://support.google.com/a/answer/9807615#zippy=%2Cassign-a-role-to-a-service-account">Assign a role to a service account</a>.</p></td></tr></tbody></table>
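The sink requirement above is the one most often missed: a sink whose inclusion filter matches everything can still drop audit entries through an exclusion filter, and a filter that negates the clause silently starves the assessment. The script below is an added example, not Apono's or Google's code. It takes the dict that `gcloud logging sinks describe <SINK_NAME> --format=json` returns (the `destination`, `filter` and `exclusions` fields) and reports whether the `AuditLog` clause reaches BigQuery. The comparison is a deliberate plain-string check after normalizing quotes and spacing; any filter written differently is reported as unverified rather than guessed. The sample sinks at the bottom are constructed.

```python
"""Check that a Cloud Logging sink delivers audit logs to BigQuery.

Added example, not Apono's code. Input is the dict returned by
  gcloud logging sinks describe <SINK_NAME> --format=json
(fields used: destination, filter, exclusions). The prerequisite is that the
sink's filter includes, or at least does not exclude, the clause
  protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"
Plain-string matching after normalization; anything else is "unverified".
The sample sinks at the bottom are constructed.
"""
import re

AUDIT_CLAUSE = 'protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"'
BQ_PREFIX = "bigquery.googleapis.com/"


def _normalize(expr):
    """Unify quote style and spacing so  a = 'b'  and  a="b"  compare equal."""
    expr = expr.replace("'", '"')
    expr = re.sub(r"\s*=\s*", "=", expr)
    return " ".join(expr.split())


def _mentions_audit(expr):
    return AUDIT_CLAUSE in _normalize(expr)


def _negates_audit(expr):
    """True when the clause appears under NOT or a leading '-' (query negation)."""
    pattern = r"(?:\bNOT\s+|-)" + re.escape(AUDIT_CLAUSE)
    return re.search(pattern, _normalize(expr)) is not None


def check_sink(sink):
    """Return (status, reason); status is 'ok', 'excluded' or 'unverified'."""
    if not sink.get("destination", "").startswith(BQ_PREFIX):
        return "excluded", "destination is not a BigQuery dataset"
    # Exclusion filters drop matching entries even when the inclusion filter admits them.
    for ex in sink.get("exclusions", []):
        flt = ex.get("filter", "")
        if not ex.get("disabled") and _mentions_audit(flt) and not _negates_audit(flt):
            return "excluded", f"exclusion '{ex.get('name')}' drops AuditLog entries"
    inclusion = sink.get("filter", "")
    if not inclusion.strip():
        return "ok", "empty inclusion filter routes all log entries"
    if _negates_audit(inclusion):
        return "excluded", "inclusion filter negates the AuditLog clause"
    if _mentions_audit(inclusion):
        return "ok", "inclusion filter includes the AuditLog clause"
    return "unverified", "inclusion filter does not mention AuditLog; review it by hand"


# --- constructed samples, shaped like `gcloud logging sinks describe` output ---
BQ_DEST = "bigquery.googleapis.com/projects/my-project/datasets/apono_audit"
GOOD_SINK = {"name": "audit-to-bq", "destination": BQ_DEST,
             "filter": 'protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"'}
EXCLUDED_SINK = {"name": "all-logs", "destination": BQ_DEST, "filter": "",
                 "exclusions": [{"name": "drop-audit", "filter": AUDIT_CLAUSE, "disabled": False}]}
NEGATED_SINK = {"name": "no-audit", "destination": BQ_DEST, "filter": "NOT " + AUDIT_CLAUSE}
PUBSUB_SINK = {"name": "to-pubsub", "filter": AUDIT_CLAUSE,
               "destination": "pubsub.googleapis.com/projects/my-project/topics/logs"}
NARROW_SINK = {"name": "gce-only", "destination": BQ_DEST, "filter": 'resource.type="gce_instance"'}

if __name__ == "__main__":
    for sink in (GOOD_SINK, EXCLUDED_SINK, NEGATED_SINK, PUBSUB_SINK, NARROW_SINK):
        status, reason = check_sink(sink)
        print(f"{sink['name']:12} {status:10} {reason}")
```

Run it against each sink in the project (`gcloud logging sinks list --format=json` gives the names) and fix any sink reported as `excluded`; an `unverified` result means the filter uses syntax the check does not model, so read it yourself.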

**Configure BigQuery Permissions for Apono**

Tag your BigQuery datasets and assign the required IAM roles to allow Apono to access them for discovery and auditing.

**Tag BigQuery datasets**

Follow these steps to tag your datasets:

1. In your Google Cloud environment, [create a tag](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing#creating_tag) with the following values:
   1. Key: `apono_access_discovery_audit_log_sink`
   2. Value: `true`
2. [Apply the tag](https://cloud.google.com/bigquery/docs/tags#tag_datasets) from the previous step to all BigQuery datasets you want Apono to discover.

**Associate BigQuery dataset permissions**

Follow these steps to associate permissions to the service account:

1. In your shell environment, log in to Google Cloud and enable the required APIs.

```sh
gcloud auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable cloudidentity.googleapis.com
gcloud services enable admin.googleapis.com
```

2. Set the environment variables.

```sh
export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
```

3. Assign predefined roles to the connector service account.

{% code overflow="wrap" %}

```sh
# Organization-wide read access to IAM policies and service accounts
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/iam.securityAuditor"

# Run BigQuery jobs in the project that holds the audit-log dataset
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/bigquery.user"

# Read the audit-log tables
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/bigquery.dataViewer"
```

{% endcode %}

You can now [create your first assessment](#create-an-assessment).
{% endtab %}
{% endtabs %}

***

### Create an assessment

Follow these steps to assess an integration:

1. On the [**Access Discovery**](https://app.apono.io/access-discovery) page, click **New Assessment**. The **Create Access Discovery Assessment** page appears.
2. Under **Select Cloud Provider**, select an environment.
3. Under **Select Integration**, select one integration from the list.
4. Click **Assess** to evaluate permissions and usage.

Once configured, assessments will run nightly and present data from the last 7 days.

After the assessment is completed, click **Explore** to [analyze the assessment](https://docs.apono.io/docs/getting-started/access-discovery/analyze-an-assessment) and [remediate overprivileged access](https://docs.apono.io/docs/getting-started/access-discovery/investigate-and-resolve-overprivileged-access).

***

### Reassess an assessment

After an assessment has been created, you can always run a new assessment between the nightly runs.

Follow these steps to reassess an assessment:

1. On the [**Access Discovery**](https://app.apono.io/access-discovery) page, in the row of an assessment, click **Explore**. The **View Assessment** page opens.
2. Click **Reassess**.

After the assessment is completed, click **Explore** to [analyze the assessment](https://docs.apono.io/docs/getting-started/access-discovery/analyze-an-assessment) and [remediate overprivileged access](https://docs.apono.io/docs/getting-started/access-discovery/investigate-and-resolve-overprivileged-access).
