Secure DevOps Kit for Azure

“Secure DevOps Kit for Azure”, also known as AzSK, is the collection of scrips, tools, extensions etc. to cater the security needs of the Azure subscription and/or to the security of the various azure service instances used by our applications.

How it works is that Microsoft has defined the security best practices/recommendations for the Azure services/resources and when you run this kit, it finds if the resource/subscription under investigation has security best practices implemented or not. Based on the finding, it generates a report and actions needed can be taken to tighten the security.

Its control coverage till date –

Note – Its coverage will increase day by day and so please refer to MS documentation for the latest list.

I have implemented it in two ways –

1. PowerShell Scripting
2. Integrated Azsk with release pipeline of the Azure DevOps service

Let me explain above options in detail –

PowerShell Scripting Way –

We can use PowerShell scripting to run the secure DevOps kit manually to understand the security posture of the various services we are using in the development of the applications. It will give us good health report and we can act according to the findings. Once the action has been implemented, we can again run the script to find if the implementation is successful or not.

To start, Follow the below steps:

• We need to first install the “Azsk” PowerShell Module using the below command –

  Install-Module Azsk -Scope CurrentUser -AllowClobber -Force
  

  It will install Azsk module on the machine where it is run.

• Login to Azure using the command – Login-AzAccount

Now you are ready to use various PowerShell Cmdlets as provided by the above module.

To get the list of available Cmdlets, run the command – Get-Command *AzSK* | ogv

Output –

We can now use the above Cmdlets in our PS script to find the security posture of the various services we are using.

Just to find the sample report, I ran the below command for Azure Services for the given resource group–

Get-AzSKAzureServicesSecurityStatus -SubscriptionId xxxxxx-xxxxxx-xxxxxx-xxxxxxxx -ResourceGroupNames RG -GeneratePDF Portrait

Input of the above command –

1. SubscriptionID – It is subscription ID of the subscription that you want to investigate. You can find it from Azure Portal or by running the command – Get-AzSubscription.
2. ResourceGroupName – Resource Group Name
3. GeneratePDF – To generate the report in PDF

   It has many more input parameters like resource name and resource type. Best way is to refer the help of the Cmdlet to get the detailed list of parameters.

I also ran the below command for the subscription security state. Subscription owner can use below command to check the overall security health of the subscription.

Get-AzSKSubscriptionSecurityStatus -SubscriptionId xxxxxxxx-xxxxxxx-xxxxxxx-xxxxxxxx -GeneratePDF Portrait

Important Note –

For Automation using PS, instead of using the Azure Login command, we can use the concept of application registration in Azure AD and defined required permission on the service principal.

Integrated Azsk with release pipeline of the Azure DevOps service –

One of the most interesting use-case of Azsk is to have its integration with our release pipeline using either TFS or Azure DevOps, so that we can get the security posture while we are in the pipeline and then take the required actions. We can mandate that the scan should pass before proceeding to the next level of the release.

One cool thing is that it can forward all the scan findings in the release process to Azure Log Analytics and then based on the data, alerts/runbooks can be implemented. I have implemented basic alert of sending email in case a failed test is reported.

To implement it, follow the below steps –

1. Create account in the Azure DevOps.
2. Browse to the Marketplace at https://marketplace.visualstudio.com/items?itemName=azsdktm.AzSDK-task&targetId=5da5c87c-0ec5-4c66-8f2d-2b6c9cdfb7cf&utm_source=vstsproduct&utm_medium=ExtHubManageList and install “Secure DevOps Kit (AzSK) CICD Extensions for Azure” on the account created in step (a) above.
3. Now create the release definition and add Azsk tasks. To do so, click on the “+” sign and search “azsk”, it will show below available task, add the one required –

   

4. Created Release definition will look like –

   

   Below steps needs to be implemented to configure Azsk_SVTs task in the release pipeline –

   1. If you are subscription owner, then select the subscription under “AzureRM Subscription” dropdown or click on the Manage link just after it and it will navigate you to the below screen –

      

      1. Select the Scope level and the subscription that you want to scan.
      2. You can optionally select the resource group just to target it.
      3. Check the checkbox “Allow all pipelines to use this connection”.
      4. Finally, it will create the service principal in Azure AD and will assign the “Contributor” role.

          

   2. Subscription ID – Id of the subscription hosting the resources against which Security Verification Tests (SVTs) should be run.

       

   3. For OMS logging –
      1. Select the checkbox “Enable OMS Logging”.
      2. Go to the Azure Portal and create Log Analytics workspace or ask Azure Admin to create one for you and share the below information as shown in below screenshot –
         1. OMSSharedKey
         2. OMSWorkspaceID

         In Azure Portal, go to Log Analytics workspace blade > Advanced settings and then select the highlighted values.

         

      3. Now in Azure DevOps Release definition, either create a variable or create the variable groups under Library and link them to the release definition.

         Note – Keep the variable name same as in the below screenshot. It is the requirement of the Azsk task.

         

   Below steps needs to be implemented to configure AzSK_ARMTemplateChecker task in the release pipeline to verify the ARM template for implementing various services in Azure (Infrastructure as a Service) –

   1. Browse to the ARM template file or the folder where ARM templates are created. In Azure DevOps, it will be in the published build artifacts.
   2. If you have defined the parameter file for ARM template, then browse it under “Parameter file Path or Folder Path”.

      

   One the release definition is configured correctly, create new release to test the execution of above two Azsk tasks.

     Results of my sample run –

1. AzSK_ARMTemplateChecker task –

   

2. AzSK_SVTs –

   

   You can download all the logs from the release output as well as shown below –

   

   Now go to Azure Portal > Log Analytics Workspace > Logs and enter the below query to get the logs pushed to it by the Azure DevOps –

   AzSK_CL
   

   | where ActualVerificationResult_s == “Failed”
   

   

   Based on the above query, I have created Alert that send email to me whenever it gets 1 or more error in the workspace. Below actions can be configured for taking automated actions for the findings –

   

   —End of Article—

Azure AD Privileged Identity Management – Access Review Feature

In any environment, Cloud or On-Prem, we need some privileged accounts that can be used to manage the environment and so they are very critical to the business. Compromising such accounts could lead to huge damage by the bad actors if they gain access to the environment using such accounts. They can use the victim’s privileged roles to perform the activities for their gain. These accounts must be protected all the times.

Most recommended way is to enable MFA (Multi Factor Authentication) on such accounts which will challenge user to have second level of authentication such as via mobile App (Ex. Microsoft Authenticator). It will be very hard for such accounts to be compromised.

Defense in Depth…

One level of defense is MFA as discussed above. Now second level of defense is to follow the principle of least privileges. By this I mean, why one need to have privileged access all the time. They might need the privileged access for few hours in few days and having such access all the time will put them on huge risk in case the account gets compromised.

To address such risk, Azure AD Privileged Identity Management introduced the concept of Eligible membership. If a user is eligible for a particular role, user can activate that role for a particular duration with proper justifications. Once activated, user will get the privileged access and can now perform the activity. Once the access is no longer needed, user can de-active it or it can be de-activated after the activation time is expired. Activation cycle can be workflow based or self-approval based.

With MFA + PIM roles we can put good level of defense in the environment.

Now, in the real scenarios, user roles gets changed as they move from one department to another or one role to another, we have to ensure that their privileged access should be revoked accordingly. They might not need the access anymore. As we believes in the principle of least privilege, any extra rights can be risky and so the user rights needs to be reviewed regularly. It will be important in audit process as well.

To address it, Azure AD PIM has the feature called “Access Review”, which can be used to initiate review process of one or more privilege roles. It will send notification (email as well as notification in Portal) to the members of that particular role to give justification if they still needs the access. Users can give justification and approve it or deny it to confirm that they don’t need it anymore, role can be revoked automatically depending on the access request settings.

To create Access Request –

1. Go to Azure Portal (https://portal.azure.com)
2. Navigate to Privileged Identity Management Service
3. Under Manage section, select Azure AD roles
4. In Azure AD roles screen, under Manage section, select Access reviews, following screen will appear –

Fill the above screen with the required data. Please note the frequency, Duration, role membership and reviewer fields.

Under “Upon completions settings”, enable auto apply results to resource. It will disable the role automatically if user clicks on the deny button.

Finally, click on Start button.

On successful creation, it will be shown as –

With it done, it must have send email to all the members of the role and a notification to all members in the Azure portal under PIM as well.

Important Note –

Generally, every organization have separate nomenclature of the privileged accounts which is different from the regular account. For example, regular account of user can be sam@xyz.onmicrosoft.com and his privileged account can be pr-sam@xyz.onmicrosoft.com. In this can, since both the accounts are different, email notification will only go to pr-sam@xyz.onmicrosoft.com as it is the privilege account and under review process and not to his usual mailbox and so he/she may not be able to get the notifications. To get the notification on the regular account mailbox, always set “Alternate email” of the privilege account to the email ID of the regular account. This way user will get the email notification as shown below –

User needs to click on the Start review button and it will navigate user to Azure Portal for the approve or deny.

Also, User can directly go to the Azure Portal > Azure AD Privileged Identity Management > Review Access (under Tasks) as shown below to approve or deny the request.

User then needs to click on above highlighted row.

Administrator/initiator can view the Progress of review process from Dashboard > Privileged Identity Management > Azure AD roles – Access Reviews > [Role Name] as shown below –

Please note that above process can only be implemented currently using Azure Portal. There are no PowerShell Cmdlets available to automate it but may be available in future.

——–End of the Article—–