Quick Start Guide

Get CertifyClouds running and complete your first scan in 15 minutes.


Prerequisites

Before you begin, ensure you have:

  • [x] An Azure subscription with Owner or Contributor role
  • [x] Azure CLI installed and logged in (az login)
  • [x] A CertifyClouds license key (contact sales@certifyclouds.com)
  • [x] Docker installed (for local testing) or Azure Container Registry access

Step 1: Deploy CertifyClouds (5 minutes)

Option A: Local Development with Docker

# Clone or download CertifyClouds
cd /path/to/certifyclouds

# Create .env file
cp .env.example .env

# Edit .env and add your license key
# CERTIFYCLOUDS_LICENSE_KEY=CC-XXXX-XXXX-XXXX

# Start the application
./start.sh

The application will be available at http://localhost:8080.

Option B: Azure Container Apps (Production)

./deploy-certifyclouds-cae.sh \
  --name prd \
  --location uksouth \
  --acr-name YOUR_ACR \
  --container-apps-subnet /subscriptions/.../subnets/snet-cae \
  --postgres-subnet /subscriptions/.../subnets/snet-psql

For full deployment instructions, see the Installation Guide.


Step 2: Configure Azure Permissions (5 minutes)

CertifyClouds needs Reader access to discover Key Vaults and read metadata.

Get the Managed Identity Principal ID

From the deployment output, or query it:

# For Container Apps
PRINCIPAL_ID=$(az containerapp show \
  --name cc-uks-prd \
  --resource-group rg-cc-uks-prd \
  --query "identity.principalId" -o tsv)

# For ACI
PRINCIPAL_ID=$(az container show \
  --name aci-cc-uks-prd \
  --resource-group rg-cc-uks-prd \
  --query "identity.principalId" -o tsv)

Grant Subscription Reader Role

az role assignment create \
  --assignee $PRINCIPAL_ID \
  --role "Reader" \
  --scope /subscriptions/<YOUR_SUBSCRIPTION_ID>

Run the Access Setup Script

./setup-certifyclouds-access.sh --principal-id $PRINCIPAL_ID --apply

This script automatically:

  • Discovers all Key Vaults in your subscriptions
  • Grants appropriate read permissions
  • Adds your subnet to Key Vault firewall rules if needed

For detailed permissions information, see Azure Permissions.
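To confirm that Step 2 left the managed identity with read-only access, the sketch below audits the output of az role assignment list --assignee $PRINCIPAL_ID --all -o json. It is an added example, not part of CertifyClouds or its setup script; the allowed role set, the sample IDs and the resource names are assumptions, and it covers Azure RBAC assignments only, not Key Vault access policies.

```python
# Assumption: roles treated as read-only here. The page only states that Reader
# access is needed; align this set with what the setup script actually grants.
EXPECTED_READ_ROLES = {"Reader", "Key Vault Reader"}


def audit_assignments(assignments, principal_id, subscription_id):
    """Check rows from `az role assignment list --assignee <id> --all -o json`.

    Returns (ok, findings). Covers Azure RBAC only, not vault access policies.
    """
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    findings, has_sub_reader = [], False
    for row in assignments:
        if row.get("principalId", "").lower() != principal_id.lower():
            continue  # row belongs to another principal in a broader export
        role = row.get("roleDefinitionName", "")
        raw_scope = row.get("scope", "")
        scope = raw_scope.rstrip("/").lower()  # resource IDs are case-insensitive
        if role not in EXPECTED_READ_ROLES:
            findings.append(f"unexpected role '{role}' at {raw_scope}")
        elif scope != sub_scope and not scope.startswith(sub_scope + "/"):
            findings.append(f"'{role}' granted outside the subscription: {raw_scope}")
        if role == "Reader" and scope == sub_scope:
            has_sub_reader = True
    if not has_sub_reader:
        findings.append("missing Reader at subscription scope")
    return (not findings, findings)


# Constructed sample export (IDs and resource names are placeholders).
SUB = "00000000-0000-0000-0000-000000000000"
PID = "11111111-1111-1111-1111-111111111111"
VAULT = f"/subscriptions/{SUB}/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"
SAMPLE = [
    {"principalId": PID, "roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB}"},
    {"principalId": PID, "roleDefinitionName": "Key Vault Reader", "scope": VAULT},
    {"principalId": PID, "roleDefinitionName": "Key Vault Secrets Officer", "scope": VAULT},
]

if __name__ == "__main__":
    ok, findings = audit_assignments(SAMPLE, PID, SUB)
    print("PASS" if ok else "REVIEW")
    for finding in findings:
        print(" -", finding)
```

Any finding means the identity holds more than the read access this guide describes, or holds it at a scope wider than the subscription you intended to onboard.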


Step 3: First Login (1 minute)

  1. Open CertifyClouds in your browser:
       • Local: http://localhost:8080
       • Container Apps: https://<INTERNAL_FQDN> (from deployment output)
       • ACI: http://<PRIVATE_IP>:8080
  2. Log in with the admin credentials from deployment output
  3. Change your password immediately in Settings > Users


Step 4: Add Your Subscription (2 minutes)

  1. Navigate to Settings > Subscriptions
  2. Click Add Subscription
  3. Enter your Azure subscription ID
  4. Click Test Connection to verify access
  5. Click Save

Multiple Subscriptions

You can add multiple subscriptions. STARTER tier supports up to 4 subscriptions; PRO tier is unlimited.


Step 5: Run Your First Scan (2 minutes)

  1. Go to the Assets tab
  2. Click Scan Now
  3. Wait for the scan to complete (usually 30-60 seconds)
  4. View your discovered secrets, keys, and certificates

Understanding Scan Results

Status   | Meaning
Healthy  | Secret has expiry >30 days away
Warning  | Secret expires within 30 days
Critical | Secret expires within 7 days
Expired  | Secret has already expired

Step 6: Check Compliance Score

  1. Navigate to the Compliance tab
  2. View your overall compliance score (0-100%)
  3. Review any violations with recommendations

CertifyClouds checks against multiple compliance frameworks:

  • CIS Azure Key Vault Benchmark
  • SOC 2 Type II controls
  • ISO 27001 requirements
  • NIST 800-53 Rev. 5
  • Azure Security Benchmark v3

Step 7: Configure Alerts (Optional)

Set up notifications for expiring credentials:

  1. Go to Settings > Alerts
  2. Click Add Rule
  3. Configure:
       • Alert Type: Secrets expiring soon
       • Threshold: 30 days
       • Email: Your ops team email
  4. Click Save

Troubleshooting

"Failed to authenticate with Azure"

  • Verify Managed Identity is enabled
  • Check Reader role is assigned on subscriptions
  • Run the access setup script again

"Cannot access Key Vault"

  • Run: ./setup-certifyclouds-access.sh --principal-id $PRINCIPAL_ID
  • Check if Key Vault has firewall rules blocking access

"License validation failed"

  • Verify CERTIFYCLOUDS_LICENSE_KEY is set correctly
  • Check network access to license.certifyclouds.com

For more help, see Troubleshooting or contact support@certifyclouds.com.