In my previous blog I addressed the issue of managing credentials in code and presented two different alternatives to secure them. In this post, I will focus on Azure subscription security health and its challenges. I could summarize the subscription security health challenges as follows:
Of course, there is an option to develop manual security checks as scripts and run them against the subscription. However, maintaining such a tool and keeping it up to date would be a nightmare, especially as the company adopts more resource types in the subscription.
Wouldn't it be nice if there was a tool that I could run against the subscription, and it came back with a list of security issues and even gave me the option to fix them automatically? Fortunately, this tool exists, and it is called the Secure DevOps Kit for Azure, or AzSK.
In the subscription, I can have different Azure services such as Azure SQL Server, virtual machines, storage accounts, Azure Key Vault instances, API Management instances, etc. There are a few options for using the AzSK tool:
NOTE: Not all the issues found can be fixed automatically. The DevOps admin will need to fix some of them manually.
All the requirements and step-by-step instructions can be found here.
I will need the following prerequisites:
To install the Secure DevOps Kit for Azure (AzSK) PowerShell module:
Install-Module AzSK -Scope CurrentUser
I am going to use the tool to scan an Azure subscription for security health. I will also use the tool to scan a resource group for security health. The resource group will have the following:
The following AzSK command will run security scans against the subscription. Note that PowerShell parameters take a single dash, so the switch is -GenerateFixScript:
Get-AzSKSubscriptionSecurityStatus -SubscriptionId '<subscriptionId>' -GenerateFixScript
Once the command has finished, it will open an Explorer window and show the results.
The SecurityReport file lists the subscription-level tests that were executed and their results. For example, there is a test concerning the subscription's admins and owners.
Also, since I used the GenerateFixScript flag, there is a folder called FixControlScript, and if I open this folder I can see the PowerShell fix script.
In this second test, I will run the AzSK command against a resource group:
Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -ResourceGroupNames <rgname>
Like the last test, the AzSK command will open the results folder, where I can find the security scan report.
Also, there will be a FixControlScript folder where I will find the RunFixScript file.
If I edit the file, I can see the script and how it will attempt to fix the problem.
Also, if I check the results folder again, I can see a security-validation-rg folder that contains logs for each Azure service that exists under the resource group. The log contains information about the tests that were executed against the resource and their results.
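As an added example that is not part of the original post, the following PowerShell script wraps the two AzSK scans described above and then triages the resulting SecurityReport CSV, listing failed controls ordered by severity so the DevOps admin can decide which to fix with the generated script and which to handle manually. The AzSK cmdlets and the -GenerateFixScript switch are the ones shown on this page; the report column names (ControlId, Status, ControlSeverity, ResourceName, Recommendation), the default AzSKLogs output path under %LOCALAPPDATA%, and the sample rows are assumptions made for this example, so check them against a real report before relying on the filter.

```powershell
# Added example (not AzSK project code): run the scans from the post and triage the report.
# ASSUMPTIONS: report column names, the AzSKLogs path and the sample rows below are constructed
# for illustration; verify them against an actual SecurityReport CSV from your own scan.

function Invoke-AzSKHealthScan {
    # Runs the subscription scan and, optionally, the resource group scan from the post.
    # Requires the AzSK module and an authenticated Azure session; not invoked by default below.
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [string] $ResourceGroupName
    )
    Get-AzSKSubscriptionSecurityStatus -SubscriptionId $SubscriptionId -GenerateFixScript
    if ($ResourceGroupName) {
        Get-AzSKAzureServicesSecurityStatus -SubscriptionId $SubscriptionId `
            -ResourceGroupNames $ResourceGroupName -GenerateFixScript
    }
}

function Get-LatestSecurityReport {
    # Finds the most recent SecurityReport CSV. The AzSKLogs location is an assumption.
    $logRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\AzSKLogs'
    Get-ChildItem -Path $logRoot -Recurse -Filter 'SecurityReport*.csv' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

function Get-FailedControls {
    # Returns only failed controls, highest severity first. Column names are assumed.
    param([Parameter(Mandatory)] [object[]] $Rows)
    $rank = @{ 'High' = 0; 'Medium' = 1; 'Low' = 2 }
    $Rows |
        Where-Object { $_.Status -eq 'Failed' } |
        Sort-Object @{ Expression = { if ($rank.ContainsKey($_.ControlSeverity)) { $rank[$_.ControlSeverity] } else { 9 } } },
                    ResourceName
}

function Get-StatusSummary {
    # Counts rows per Status so "Manual" items (which the fix script will not touch) stand out.
    param([Parameter(Mandatory)] [object[]] $Rows)
    $Rows | Group-Object Status | Select-Object Name, Count | Sort-Object Name
}

# Constructed sample report rows (not real scan output) so the triage runs offline.
$sampleCsv = @'
ControlId,Status,ControlSeverity,ResourceName,Recommendation
Sample_Storage_Control,Failed,High,samplestorage01,Enable the setting described in the report
Sample_Storage_Control2,Passed,Medium,samplestorage01,None
Sample_Sql_Control,Failed,Medium,samplesql01,Run the generated fix script
Sample_KeyVault_Control,Manual,High,samplekeyvault01,Review and fix manually
'@

# To triage a real scan instead, uncomment the next two lines (after running Invoke-AzSKHealthScan):
# $report = Get-LatestSecurityReport
# $rows   = Import-Csv -Path $report.FullName
$rows = $sampleCsv | ConvertFrom-Csv

Write-Host 'Failed controls (highest severity first):'
Get-FailedControls -Rows $rows | Format-Table ControlId, ControlSeverity, ResourceName, Recommendation -AutoSize

Write-Host 'Result counts by status:'
Get-StatusSummary -Rows $rows | Format-Table -AutoSize
```

With the constructed sample, the failed list shows the High storage control before the Medium SQL control, and the summary shows one Manual row, which is the kind of finding the note above warns will not be fixed by the generated script.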
Summary
AzSK enables us to run security health checks against our subscriptions or resource groups. The tool produces a report and also offers an option to automatically fix the issues that are found. In the next blog, I will discuss Azure Sentinel.