It is important to validate the security of Azure subscriptions and their resources frequently, especially when several developers and DevOps engineers are working in the subscription. We need to make sure security best practices are followed. Different Azure resources have their own security best practices, such as:
- SSL (encrypted transfer) is mandatory for storage accounts.
- Public access to objects in Azure Storage is restricted.
- The Cosmos DB firewall must always be enabled.
- All keys and secrets in Azure Key Vault must have an expiry date.
- Soft delete is enabled in Key Vault so that deleted objects can be recovered.
- SSL is enabled for custom domains in App Services.
- An AAD administrator is created for SQL databases.
- SQL Server threat detection is enabled and sends alert emails to the admin when security issues are detected.
- The latest OS is installed on Azure VMs.
There are many other security best practices for Azure resources. We can enforce them in a subscription manually, but this is difficult to manage when the subscription has lots of resources or lots of people constantly provisioning resources. It is better to have an automated method to scan the complete subscription and generate a report of security health issues, and better still to have automated ways to fix them. Fortunately there is a solution for that: AzSK.
Secure DevOps Kit for Azure (AzSK)
This is a tool developed internally by Microsoft to move its internal teams to Azure quickly and easily. It is a bundle of scripts, tools, extensions and automation. It is not an official Microsoft product; it was made available to share Azure security best practices. Its code and documentation are open source and can be found on GitHub, so we can download the code and customize it as per our needs.
AzSK Focus Areas
- AzSK focuses on securing the subscription. It generates a report of security vulnerabilities across the subscription and can even go ahead and fix them.
- AzSK comes with a Visual Studio extension which enables secure development by providing security IntelliSense in the developer's IDE.
- The security tests can be integrated with CI/CD pipelines.
- We can also integrate these tests with a Continuous Assurance cycle.
- AzSK provides support for alerting and monitoring.
- It can also provide security telemetry inside Application Insights.
- As we can see, there are a couple of prerequisites: PowerShell 5.0 or above and a Windows OS. So open the PowerShell console and run the following command to check the PowerShell version: “$PSVersionTable.PSVersion”
- Next we can install the tool by running the “Install-Module AzSK -Scope CurrentUser” command. It will ask for permission to install the NuGet provider (the default is Y):
- Next it will ask for permission to download the module from ‘PSGallery’. Provide “Y”.
- If some of the Azure modules are already installed we may get the following error:
To overcome this error use: “Install-Module AzSK -Scope CurrentUser -AllowClobber”. This will install AzSK.
Once the package is installed the setup is complete and we are ready to run our security health check.
Running Security Check
For demo purposes I have created a few resources in Azure and will run the security check against them. Here I have created a resource group “AzureSecurityHealthCheck-rg”.
We can run the security health check at:
- Global subscription level
- Resource Group level
As mentioned above, we have created the following resources in the resource group:
So we have enough resources in the resource group to test.
Security Health Check at Global Subscription Level
Before running any security scan, first log in to Azure using the “Connect-AzAccount” command.
To run the security health check at the global subscription level we need to run the following command:
“Get-AzSKSubscriptionSecurityStatus -SubscriptionId <subId>”
We need to provide the subscription id as a parameter, so replace <subId> with the actual subscription id of the Azure subscription.
Now run this command and wait for the security scan to complete.
As we can see, it connects to the subscription and runs the subscription-level security tests.
After completion this command automatically opens the destination folder, which by default is:
“C:\Users\<username>\AppData\Local\Microsoft\AzSKLogs\Sub_AzurePersonalSubscription\<name of the folder generated at run time>”
Now if we open the CSV file we will find the results of the subscription-level security validation tests executed by the DevOps Kit. As we can see, the first test says we must minimize the number of admins and owners; since we have only 1, this test passed.
Rows 11, 12, 13, 20, 23, 24 and 25, on the other hand, describe failures. For example, row 20 says Security Center is not configured for this subscription, and the tests in rows 23, 24 and 25 cover the various Security Center settings that need to be configured to secure our subscription.
Column I in the sheet provides the recommendation to follow to fix each issue, along with further resources to read about the topic.
Auto Fix Issues
As mentioned above, this tool also provides support for fixing the issues, but it will not fix all of them. To find which issues can be fixed automatically, look at column G in the results above.
The issues are fixed automatically by means of a generated PowerShell script. To generate that script together with the security assessment report, run the following command:
“Get-AzSKSubscriptionSecurityStatus -SubscriptionId <subId> -GenerateFixScript” When we run this, it generates an extra folder named “FixControlScripts”.
This “FixControlScripts” folder contains the PowerShell script which, when run, fixes the issues.
Security Health Check at Resource Group Level
Now we will run a second set of tests against the resource group. The command to generate the results is Get-AzSKAzureServicesSecurityStatus, and here we need to pass the resource group name:
“Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -ResourceGroupNames <ResourceGroupNames> -GenerateFixScript”.
Now run this command and wait for the tests to finish.
As we can see, there are 6 resources in the resource group. This command executes resource-specific tests. Once the tests are complete the command opens a new folder:
The CSV file SecurityReport-xxxxx.csv holds the results of the tests that were run. Since we ran the health check with -GenerateFixScript, we can also see the FixControlScripts folder, which contains the PowerShell commands to fix the issues.
In the results folder there is another folder named after the resource group. If we look into its contents we can see it holds the log for each resource:
Now when we open the security report CSV file, we can see the resource-specific tests executed against the resource group.
Rows 2 to 14 contain the tests related to the Virtual Machine.
Row 3 suggests manually fixing the issue by enabling anti-malware on the virtual machine. Similarly, line 15 in the Cosmos DB tests is a failed test because we haven’t enabled the firewall for Cosmos DB. Line 30 failed because we haven’t enabled the Azure AD admin for the SQL databases. Row 42 is another failed test, for allowing anonymous access to storage.
A total of 78 tests were executed for this resource group. We will not go into the depth of each issue, as they vary based on the resources in the resource group, but one thing I want to highlight is that all the issues listed in the sheet are security best practices and must be taken care of. Now let’s use the fix script to fix the issues that can be fixed automatically.
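To tie the steps above into a check that can run in a CI/CD pipeline, here is an added example (not code from the original post or from AzSK itself) that runs the resource group scan with -GenerateFixScript, locates the newest SecurityReport CSV under the AzSKLogs folder and splits the failed controls into auto-fixable and manual ones. The column names Status, ControlID, ResourceName, SupportsAutoFix and Recommendation, and the values 'Failed' and 'Yes', are assumptions; check them against the headers in your own report.

```powershell
# Added example, not part of the original post or of AzSK.
# Assumes: AzSK is installed and Connect-AzAccount has already been run.
# The CSV header names and the 'Failed' / 'Yes' values are assumptions;
# adjust them to the headers in your own SecurityReport CSV.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName
)

# Resource-level scan; -GenerateFixScript also writes the FixControlScripts folder.
Get-AzSKAzureServicesSecurityStatus -SubscriptionId $SubscriptionId `
    -ResourceGroupNames $ResourceGroupName -GenerateFixScript | Out-Null

# AzSK writes results under %LOCALAPPDATA%\Microsoft\AzSKLogs\<Sub_...>\<run folder>,
# so pick the most recently written SecurityReport CSV below that root.
$logRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\AzSKLogs'
$report  = Get-ChildItem -Path $logRoot -Recurse -Filter 'SecurityReport-*.csv' |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $report) { throw "No SecurityReport CSV found under $logRoot" }

$results = @(Import-Csv -Path $report.FullName)
$failed  = @($results | Where-Object { $_.Status -eq 'Failed' })

# Controls the generated fix script can handle versus those needing manual work.
$autoFix = @($failed | Where-Object { $_.SupportsAutoFix -eq 'Yes' })
$manual  = @($failed | Where-Object { $_.SupportsAutoFix -ne 'Yes' })

"{0} controls evaluated, {1} failed ({2} auto-fixable, {3} manual)" -f `
    $results.Count, $failed.Count, $autoFix.Count, $manual.Count

"`nManual fixes required:"
$manual | Select-Object ControlID, ResourceName, Recommendation |
    Format-Table -AutoSize -Wrap

"`nReport: $($report.FullName)"

# Non-zero exit fails the pipeline step when any control failed.
if ($failed.Count -gt 0) { exit 1 }
```

Save this as a .ps1 and call it with -SubscriptionId and -ResourceGroupName; the FixControlScripts folder it generates sits next to the report it prints.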
As we can see, the fix script takes the list of fixes as an input parameter, which comes from a JSON file in the same folder. Now let’s run this script in PowerShell.
During execution the script asks for certain details, such as an email id and a storage account name, for validation. Once the details are validated it asks for confirmation to make changes in the subscription. When we confirm, it starts fixing the issues, and once they are fixed the script opens a new folder for us:
Now when we look into the subscription folder, in my case “AzurePersonalSubscription”, we can see a Detailed.Log file for the fix script.
This log file contains the verbose log of whatever was fixed.
So, here we have learnt how to run security health checks against a subscription and a resource group. There is a lot more we can do with AzSK.