“Secure DevOps Kit for Azure”, also known as AzSK, is a collection of scripts, tools, extensions etc. that address the security needs of an Azure subscription and of the individual Azure service instances used by our applications.
It works like this: Microsoft has defined security best practices/recommendations for Azure services and resources, and when you run the kit it checks whether the resource or subscription under investigation has those best practices implemented. Based on the findings it generates a report, from which the actions needed to tighten security can be taken.
Its control coverage to date –
Note – Its coverage increases over time, so please refer to the MS documentation for the latest list.
I have implemented it in two ways –
- PowerShell Scripting
- Integrating AzSK with a release pipeline of the Azure DevOps service
Let me explain the above options in detail –
PowerShell Scripting Way –
We can use PowerShell scripting to run the Secure DevOps Kit manually to understand the security posture of the various services we use in developing our applications. It gives us a good health report and we can act on the findings. Once the fix has been implemented, we can run the script again to verify whether the implementation was successful.
To start, follow the steps below:
- First install the “AzSK” PowerShell module using the command below –
Install-Module AzSK -Scope CurrentUser -AllowClobber -Force
It installs the AzSK module for the current user on the machine where it is run.
- Log in to Azure using the command – Login-AzAccount (an alias of Connect-AzAccount in the Az modules)
Now you are ready to use the various PowerShell cmdlets provided by the module.
To get the list of available cmdlets, run the command – Get-Command *AzSK* | ogv
Output –
We can now use the above cmdlets in our PS scripts to find the security posture of the various services we are using.
To produce a sample report, I ran the command below for the Azure services in a given resource group –
Get-AzSKAzureServicesSecurityStatus -SubscriptionId xxxxxx-xxxxxx-xxxxxx-xxxxxxxx -ResourceGroupNames RG -GeneratePDF Portrait
Inputs of the above command –
- SubscriptionId – The ID of the subscription you want to investigate. You can find it in the Azure Portal or by running the command – Get-AzSubscription.
- ResourceGroupNames – Resource group name(s) to limit the scan to (comma-separated for more than one).
- GeneratePDF – Generates the report as a PDF (Portrait or Landscape).
It has many more input parameters, such as resource name and resource type. The best way is to refer to the cmdlet help (Get-Help Get-AzSKAzureServicesSecurityStatus -Full) for the detailed list of parameters.
I also ran the command below for the subscription security state. A subscription owner can use it to check the overall security health of the subscription.
Get-AzSKSubscriptionSecurityStatus -SubscriptionId xxxxxxxx-xxxxxxx-xxxxxxx-xxxxxxxx -GeneratePDF Portrait
Important Note –
For automation with PS, instead of the interactive Azure login command, we can register an application in Azure AD and grant the resulting service principal the required (read-only, least-privilege) permission on the subscription or resource group, then log in non-interactively with Connect-AzAccount -ServicePrincipal. Keep the service principal's secret or certificate out of the script itself (for example in an environment variable populated from a secret store).
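The following script is an added example (not part of the original article or of the AzSK project) that ties the steps above together for unattended use: it logs in with a service principal, runs the services scan for a subscription or resource group, and fails the job when high or critical controls are reported as failed. It assumes the Az and AzSK modules are installed, that the service principal already holds Reader on the target scope, that the client secret arrives in an environment variable named AZSK_SP_SECRET (a name chosen for this example), and that the report CSV carries the Status, ControlID, FeatureName, ResourceName and ControlSeverity columns as in AzSK 4.x; verify the column names against your own report before relying on them.

```powershell
# Added example: unattended AzSK scan with a service principal and a pass/fail gate.
# Assumptions (not from the article): Az + AzSK modules installed; the SP has Reader on the scope;
# the secret is in $env:AZSK_SP_SECRET (name chosen here); CSV columns as in AzSK 4.x.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ClientId,
    [string] $ResourceGroupNames = ""
)

$secret = $env:AZSK_SP_SECRET
if ([string]::IsNullOrEmpty($secret)) { throw "AZSK_SP_SECRET is not set; refusing to hard-code a credential" }

# Non-interactive login: no Login-AzAccount prompt, no user token on the build box.
$cred = [pscredential]::new($ClientId, (ConvertTo-SecureString $secret -AsPlainText -Force))
Connect-AzAccount -ServicePrincipal -Tenant $TenantId -Credential $cred -Subscription $SubscriptionId | Out-Null

# Run the services scan. AzSK writes a per-run output folder (CSV + logs) and returns its path;
# -DoNotOpenOutputFolder stops it from trying to open Explorer on a headless host.
$scanArgs = @{ SubscriptionId = $SubscriptionId; DoNotOpenOutputFolder = $true }
if ($ResourceGroupNames) { $scanArgs.ResourceGroupNames = $ResourceGroupNames }
$outputFolder = Get-AzSKAzureServicesSecurityStatus @scanArgs

# The folder contains a SecurityReport-*.csv with one row per control/resource pair.
$report = Get-ChildItem -Path $outputFolder -Filter 'SecurityReport-*.csv' -Recurse | Select-Object -First 1
if (-not $report) { throw "No SecurityReport CSV found under $outputFolder" }

$rows   = Import-Csv -Path $report.FullName
$failed = @($rows | Where-Object { $_.Status -eq 'Failed' })
$failed | Select-Object FeatureName, ResourceName, ControlID, ControlSeverity | Format-Table -AutoSize

# Gate: only High/Critical failures break the run; lower severities are reported but tolerated.
$blocking = @($failed | Where-Object { $_.ControlSeverity -in @('High', 'Critical') })
if ($blocking.Count -gt 0) {
    Write-Error "$($blocking.Count) high/critical AzSK control(s) failed; see $($report.FullName)"
    exit 1
}
Write-Host "AzSK scan passed the gate: $($failed.Count) failed control(s), none high/critical"
```

Run it from a scheduled job or a pipeline step as `.\Run-AzSKScan.ps1 -TenantId <tenant> -SubscriptionId <sub> -ClientId <appId> -ResourceGroupNames RG` with AZSK_SP_SECRET set from your secret store. The severity threshold is the knob to tune: start permissive, then tighten as the backlog of findings is cleared.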
Integrating AzSK with a release pipeline of the Azure DevOps service –
One of the most interesting use-cases of AzSK is integrating it with our release pipeline in either TFS or Azure DevOps, so that we get the security posture while we are still in the pipeline and can take the required actions. We can mandate that the scan must pass before the release proceeds to the next stage.
One cool thing is that it can forward all scan findings from the release process to Azure Log Analytics, and based on that data alerts or runbooks can be implemented. I have implemented a basic alert that sends an email whenever a failed control is reported.
To implement it, follow the steps below –
- Create an account (organization) in Azure DevOps.
- Browse to the Marketplace at https://marketplace.visualstudio.com/items?itemName=azsdktm.AzSDK-task&targetId=5da5c87c-0ec5-4c66-8f2d-2b6c9cdfb7cf&utm_source=vstsproduct&utm_medium=ExtHubManageList and install “Secure DevOps Kit (AzSK) CICD Extensions for Azure” into the account created in the previous step.
- Now create the release definition and add the AzSK tasks. To do so, click the “+” sign and search for “azsk”; it shows the available tasks below, add the ones required –
- The created release definition will look like –
The steps below need to be implemented to configure the AzSK_SVTs task in the release pipeline –
- If you are the subscription owner, select the subscription under the “AzureRM Subscription” dropdown, or click the Manage link just after it, which navigates you to the screen below –
- Select the scope level and the subscription that you want to scan.
- You can optionally select a resource group to target only that group.
- Check the checkbox “Allow all pipelines to use this connection” only if every pipeline in the project should be able to scan with this identity; otherwise leave it unchecked and authorize pipelines individually.
- Finally, it creates a service principal in Azure AD and assigns it the “Contributor” role. Note that the scan itself only reads configuration, so Contributor is more privilege than it needs; for least privilege, create the service principal yourself with Reader on the subscription or resource group and register it as an existing service principal in the service connection instead.
- Subscription ID – ID of the subscription hosting the resources against which the Security Verification Tests (SVTs) should be run.
For OMS logging –
- Select the checkbox “Enable OMS Logging”.
- Go to the Azure Portal and create a Log Analytics workspace, or ask your Azure admin to create one for you and share the information below, as shown in the screenshot –
- OMSSharedKey
- OMSWorkspaceID
In the Azure Portal, go to the Log Analytics workspace blade > Advanced settings and copy the highlighted values.
- Now in the Azure DevOps release definition, either create the variables directly or create a variable group under Library and link it to the release definition. Mark OMSSharedKey as a secret variable (the lock icon) so it is masked in logs and cannot be read back from the definition.
Note – Keep the variable names exactly OMSWorkspaceID and OMSSharedKey, as in the screenshot below. This is a requirement of the AzSK task.
The steps below need to be implemented to configure the AzSK_ARMTemplateChecker task in the release pipeline, which verifies the ARM templates used to deploy the various services in Azure (Infrastructure as Code) before anything is deployed –
- Browse to the ARM template file or the folder containing the ARM templates. In Azure DevOps, these will be in the published build artifacts.
- If you have defined a parameter file for the ARM template, browse to it under “Parameter file Path or Folder Path”.
Once the release definition is configured correctly, create a new release to test the execution of the two AzSK tasks above.
Results of my sample run –
- AzSK_ARMTemplateChecker task –
- AzSK_SVTs –
You can also download all the logs from the release output, as shown below –
Now go to Azure Portal > Log Analytics Workspace > Logs and enter the query below to get the logs pushed to it by Azure DevOps –
AzSK_CL
| where ActualVerificationResult_s == "Failed"
Based on the above query, I have created an alert that sends me an email whenever one or more failures land in the workspace. The actions below can be configured to take automated action on the findings –
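As an added example (not from the original article or the AzSK project), the script below runs an extended form of that query from PowerShell so you can check what the alert would fire on before wiring it up, grouping failures by control, resource and severity over a lookback window. It assumes the Az.OperationalInsights module is installed, that the caller has Log Analytics Reader on the workspace, and that the AzSK_CL custom fields ControlId_s, FeatureName_s, ResourceName_s and ControlSeverity_s exist alongside ActualVerificationResult_s as in AzSK 4.x; if your schema differs, adjust the field names in the query.

```powershell
# Added example: summarize AzSK failures in Log Analytics from PowerShell.
# Assumptions (not from the article): Az.OperationalInsights installed; caller has Log Analytics Reader;
# AzSK_CL field names as in AzSK 4.x (check them in the Logs blade before relying on this).
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,   # the OMSWorkspaceID used by the pipeline
    [int] $LookbackHours = 24
)

# Same filter as the alert query, plus a time window and a grouping so each finding appears once.
$kql = @"
AzSK_CL
| where TimeGenerated > ago(${LookbackHours}h)
| where ActualVerificationResult_s == "Failed"
| summarize Failures = count(), LastSeen = max(TimeGenerated)
    by ControlId_s, FeatureName_s, ResourceName_s, ControlSeverity_s
| order by ControlSeverity_s asc, Failures desc
"@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$rows = @($response.Results)

if ($rows.Count -eq 0) {
    Write-Host "No failed AzSK controls in the last $LookbackHours hour(s)"
    return
}

$rows | Format-Table ControlId_s, FeatureName_s, ResourceName_s, ControlSeverity_s, Failures, LastSeen -AutoSize

# A non-zero exit here lets the same script double as a scheduled check that pages on new failures.
$critical = @($rows | Where-Object { $_.ControlSeverity_s -in @('High', 'Critical') })
if ($critical.Count -gt 0) {
    Write-Warning "$($critical.Count) high/critical control(s) currently failing"
    exit 1
}
```

Run it after Connect-AzAccount as `.\Get-AzSKFailures.ps1 -WorkspaceId <guid> -LookbackHours 48`. Grouping by control and resource also makes a better alert condition than a raw row count, because one noisy resource re-scanned on every release would otherwise trip the alert repeatedly.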