<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Wilfried Woivré</title>
    <description>The latest articles on DEV Community by Wilfried Woivré (@wilfriedwoivre).</description>
    <link>https://dev.to/wilfriedwoivre</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F341655%2F935518cd-e5f4-41d5-bf3d-fff743113470.png</url>
      <title>DEV Community: Wilfried Woivré</title>
      <link>https://dev.to/wilfriedwoivre</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/wilfriedwoivre"/>
    <language>en</language>
    <item>
      <title>Azure Bicep - Finally functions to manipulate CIDRs</title>
      <dc:creator>Wilfried Woivré</dc:creator>
      <pubDate>Wed, 23 Aug 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/wilfriedwoivre/azure-bicep-finally-functions-to-manipulate-cidrs-2ln5</link>
      <guid>https://dev.to/wilfriedwoivre/azure-bicep-finally-functions-to-manipulate-cidrs-2ln5</guid>
      <description>&lt;p&gt;After a long wait, and many PowerShell scripts written to prepare parameters for deploying networks or NetworkRules on services, Microsoft finally offers functions to manipulate CIDRs within your Bicep templates.&lt;/p&gt;

&lt;p&gt;You can find the different methods in the &lt;a href="https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-functions-cidr?WT.mc_id=AZ-MVP-4039694#cidrsubnet"&gt;Microsoft documentation&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Now we will try to play with it right here.&lt;/p&gt;

&lt;p&gt;The first method, &lt;strong&gt;cidrSubnet&lt;/strong&gt;, allows you to split a CIDR into different ranges, which is very useful when you deploy standardized landing zones and don’t want to precalculate all the ranges of your subnets. Concretely, in our Bicep template we will have something like this&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;// Address space of the VNet; cidrSubnet(cidr, 24, i) returns the i-th /24 inside this /20
var cidr = '10.0.0.0/20'
var cidrSubnets = [for i in range(0, 10): cidrSubnet(cidr, 24, i)]

resource virtual_network 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'virtual-network-demo'
  location: resourceGroup().location
  properties: {
    addressSpace: {
      addressPrefixes: [
        cidr
      ]
    }
  }
}

// One subnet per computed range, deployed one at a time so the VNet is not updated concurrently
@batchSize(1)
resource subnets 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = [for (item, index) in cidrSubnets: {
  name: 'subnet-${index}'
  parent: virtual_network
  properties: {
    addressPrefix: item
  }
}]

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And now a very useful thing: when you configure Network Rules on your Azure services, you know very well that each service has its own format. In particular, PostgreSQL does not ask for a range, but wants the start IP and the end IP. Well, thanks to the &lt;strong&gt;parseCidr&lt;/strong&gt; method, you no longer need to do it in the script that calculates your parameters. You can simply do it like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;// The admin password is passed as a secure parameter instead of being hard-coded in the template
@secure()
param administratorLoginPassword string

// Ranges to allow, expressed as CIDRs
var cidrSubnets = [
  '4.175.0.0/16'
  '4.180.0.0/16'
  '4.210.128.0/17'
  '4.231.0.0/17'
  '4.245.0.0/17'
  '13.69.0.0/17'
  '13.73.128.0/18'
  '13.73.224.0/21'
  '13.80.0.0/15'
  '13.88.200.0/21'
  '13.93.0.0/17'
]

resource flexServer 'Microsoft.DBforPostgreSQL/flexibleServers@2023-03-01-preview' = {
  name: 'flexwwopgs'
  location: resourceGroup().location
  properties: {
    administratorLogin: 'bigchief'
    administratorLoginPassword: administratorLoginPassword
    version: '13'
    availabilityZone: '1'
    storage: {
      storageSizeGB: 32
    }
    highAvailability: {
      mode: 'Disabled'
    }
    maintenanceWindow: {
      customWindow: 'Disabled'
      dayOfWeek: 0
      startHour: 0
      startMinute: 0
    }
  }
  sku: {
    name: 'Standard_B1ms'
    tier: 'Burstable'
  }
}

// One firewall rule per CIDR: parseCidr gives the first and last usable addresses of the range
@batchSize(1)
resource flexServerAcls 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2023-03-01-preview' = [for (item, index) in cidrSubnets: {
  name: 'flexpgswwo-${index}'
  parent: flexServer
  properties: {
    startIpAddress: parseCidr(item).firstUsable
    endIpAddress: parseCidr(item).lastUsable
  }
}]

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;So a big time saver, and it helps to avoid mistakes. For my part, I am very happy to see that Microsoft continues to invest in new functions with real added value.&lt;/p&gt;

</description>
      <category>azure</category>
      <category>bicep</category>
      <category>arm</category>
    </item>
    <item>
      <title>Azure Policy - Find unused policies</title>
      <dc:creator>Wilfried Woivré</dc:creator>
      <pubDate>Thu, 10 Nov 2022 00:00:00 +0000</pubDate>
      <link>https://dev.to/wilfriedwoivre/azure-policy-find-unused-policies-1ea</link>
      <guid>https://dev.to/wilfriedwoivre/azure-policy-find-unused-policies-1ea</guid>
      <description>&lt;p&gt;Creating Azure policies is very easy; however, it can be handy to know whether all of your Azure policies are actually in use in your environment.&lt;/p&gt;

&lt;p&gt;For this I created a very practical Resource Graph query:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;policyresources
// Start from every custom policy definition in scope
| where type == "microsoft.authorization/policydefinitions"
| extend policyType = tostring(properties.policyType)
| where policyType == "Custom"
// Left join against the definitions referenced by custom initiatives (policy set definitions)
| join kind=leftouter (
    policyresources
    | where type == "microsoft.authorization/policysetdefinitions"
    | extend policyType = tostring(properties.policyType)
    | extend policyDefinitions = properties.policyDefinitions
    | where policyType == "Custom"
    | mv-expand policyDefinitions
    | extend policyDefinitionId = tostring(policyDefinitions.policyDefinitionId)
    | project associatedIdToInitiative=policyDefinitionId
    | distinct associatedIdToInitiative) on $left.id == $right.associatedIdToInitiative
// Keep only definitions not referenced by any initiative (no match leaves an empty string)
| where associatedIdToInitiative == ""
// Left join against the definitions directly assigned on a scope
| join kind=leftouter(
    policyresources
    | where type == "microsoft.authorization/policyassignments"
    | extend policyDefinitionId = tostring(properties.policyDefinitionId)
    | project associatedDefinitionId=policyDefinitionId
    | distinct associatedDefinitionId
) on $left.id == $right.associatedDefinitionId
// Keep only definitions that are not directly assigned either
| where associatedDefinitionId == ""
| extend displayName = tostring(properties.displayName)
| project id, displayName

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You can find the resource graph query on my &lt;a href="https://github.com/wilfriedwoivre/azure-resource-graph-queries/tree/master/queries/policies/list-unused-policies"&gt;github&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;In this Resource Graph query, we start by listing all the Azure Policies that are defined in your environment, and we will filter only on those that are &lt;em&gt;Custom&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Then we check whether they are referenced by an Initiative or assigned directly on an Azure scope, and retrieve our list of unused Policies.&lt;/p&gt;

&lt;p&gt;It is up to you afterwards to delete them if they are really of no use to you.&lt;/p&gt;

&lt;p&gt;This new feature in Azure Resource Graph is very practical, and the tool is really useful for all things governance, and it is constantly evolving at Microsoft, which I think is a good thing. I can’t wait to be able to query Azure Role Assignments, and Azure AD objects (yes, that’s my wishlist for new features).&lt;/p&gt;

</description>
      <category>azure</category>
      <category>policy</category>
    </item>
    <item>
      <title>Azure - Overview of cloud governance</title>
      <dc:creator>Wilfried Woivré</dc:creator>
      <pubDate>Wed, 07 Sep 2022 00:00:00 +0000</pubDate>
      <link>https://dev.to/wilfriedwoivre/azure-overview-of-cloud-governance-5682</link>
      <guid>https://dev.to/wilfriedwoivre/azure-overview-of-cloud-governance-5682</guid>
      <description>&lt;p&gt;Cloud governance is a vast subject that is very trendy today. In this post, we will try to reveal everything behind this term, and how to respond to it for a company. Here we will only talk about Azure, but it would be quite possible to draw a parallel with any other Cloud, whether public or private.&lt;/p&gt;

&lt;p&gt;Let’s start with Microsoft’s definition, which can be found in the &lt;a href="https://docs.microsoft.com/en-us/azure/governance/azure-management"&gt;Azure documentation&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;Governance in the cloud is one aspect of Azure management. This article describes the different areas of management to deploy and maintain your resources in Azure.&lt;/p&gt;

&lt;p&gt;Management refers to the tasks and processes necessary to maintain your business applications and the resources that support them. Azure has many services and tools that work together to provide comprehensive management. These services are not only for resources in Azure, but also in other clouds and on-premises. The first step to designing a complete management environment is to fully understand the different tools and how they work together.&lt;/p&gt;

&lt;p&gt;All this is well summarized by a diagram:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9K1EJksB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://woivre.com/images/2022/09/07/azure-overview-of-cloud-governance-img0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9K1EJksB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://woivre.com/images/2022/09/07/azure-overview-of-cloud-governance-img0.png" alt="image" title="image" width="688" height="425"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;But what does that really mean? We will try to define it in the most exhaustive way possible. And feel free to add comments to this article if you have any other ideas.&lt;/p&gt;

&lt;p&gt;Let’s start at the beginning, and by asking questions about “Under what conditions does my company want to use Azure? And under what security context?” :&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What budget do I want to invest in this governance?&lt;/li&gt;
&lt;li&gt;How many applications / users in Azure in 5 years?&lt;/li&gt;
&lt;li&gt;What risks do I want to cover when using Azure? Zero-trust approach? More flexible personalized approach? Open bar?&lt;/li&gt;
&lt;li&gt;How will we provide Cloud assets to my users? Team autonomy? Centralization? Mixed approach?&lt;/li&gt;
&lt;li&gt;How to add new applications / new users?&lt;/li&gt;
&lt;li&gt;How will I train my teams? my users?&lt;/li&gt;
&lt;li&gt;How will I monitor Azure, my applications, my costs?&lt;/li&gt;
&lt;li&gt;How will I connect Azure with my company?&lt;/li&gt;
&lt;li&gt;Will I do a lift &amp;amp; shift migration, or transform my applications so that they are Cloud Native?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you can answer these different questions, you will be able to approach your strategy for using Azure in a more zen way.&lt;/p&gt;

&lt;p&gt;But beware, there are no wrong answers to these questions, because it all depends on your business and the choices you make.&lt;/p&gt;

&lt;p&gt;I propose to detail possible answers to some of these questions in future articles, and we will also see how to implement this on Azure, particularly on security and governance topics.&lt;/p&gt;

&lt;p&gt;But first of all, let’s state the obvious: have a cloud migration plan and a migration strategy for your existing applications, because it makes it easier to make the right choices and to have success indicators.&lt;/p&gt;

&lt;p&gt;Indeed, take the example of a large company which chooses to migrate a large number of applications to the public Cloud, versus another company which only wishes to migrate a limited number of applications but chooses to use the Cloud as a backup for its data. These are two totally different scenarios, and both are quite viable for companies today.&lt;/p&gt;

&lt;p&gt;One of the great advantages of the Cloud is to have access to a large number of resources very quickly, and to be able to delete them at the end of use, so it is possible to make security choices solely related to the data, and to leave the Compute part with less perimeter security.&lt;/p&gt;

&lt;p&gt;For online sales sites, if we migrate all the visible part, namely the e-commerce site, directly to the Public Cloud, we will first take into account the availability and proper functioning of the site. But we can also choose to migrate only another part of the information system in the Cloud which is less sensitive to this operational risk, but which can be harmful in the event of a data leak.&lt;/p&gt;

&lt;p&gt;In short, through these few examples we can see that each company is different, and therefore that there is no ready-made strategy according to the type of company that wishes to go to Azure. But we will see that it is possible to find common ground, and afterwards everyone is free to make their own choice, or even not to use the public Cloud at all, but then you would be depriving yourself of an extraordinary adventure.&lt;/p&gt;

</description>
      <category>azure</category>
    </item>
    <item>
      <title>Azure Storage - Control usage of your SAS Keys</title>
      <dc:creator>Wilfried Woivré</dc:creator>
      <pubDate>Thu, 21 Apr 2022 00:00:00 +0000</pubDate>
      <link>https://dev.to/wilfriedwoivre/azure-storage-control-usage-of-your-sas-keys-170o</link>
      <guid>https://dev.to/wilfriedwoivre/azure-storage-control-usage-of-your-sas-keys-170o</guid>
      <description>&lt;p&gt;The use of SAS Keys in Azure Storage is a very practical system when you want to provide limited access to a Storage Account, whether in terms of rights, scope, or validity period.&lt;/p&gt;

&lt;p&gt;However, leaving this to the teams can be a source of data leakage, since it is tempting to create a SAS Key with a very long validity period in order to &lt;em&gt;save&lt;/em&gt; time, as it is then always the same one.&lt;/p&gt;

&lt;p&gt;As an ops or security manager, it is therefore necessary to search the Storage logs for the different SAS Keys used in order to find errors of this type.&lt;/p&gt;

&lt;p&gt;Well, once again, Microsoft is going to simplify our lives with this new feature. We can now raise an alert when a SAS Key has too long a lifetime. Be careful though: it is an alert, not a block, if you generate or use a non-compliant SAS Key.&lt;/p&gt;

&lt;p&gt;In ARM, you add this property to your storage account, or set it in the configuration of your storage account in the Azure portal&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;"sasPolicy": {
    "sasExpirationPeriod": "1.00:00:00",
    "expirationAction": "Log"
},

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Note, however, that the &lt;strong&gt;expirationAction&lt;/strong&gt; field is set to Log, which is the only possible value, but I hope to see a Deny in the future.&lt;/p&gt;

&lt;p&gt;Once again, it is possible to use an Azure Policy to tell you which storage accounts do not have a SAS Key policy configured. It is built-in: you can find it under the name &lt;strong&gt;Storage accounts should have shared access signature (SAS) policies configured&lt;/strong&gt;, and here is its definition:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;{
  "properties": {
    "displayName": "Storage accounts should have shared access signature (SAS) policies configured",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Ensure storage accounts have shared access signature (SAS) expiration policy enabled. Users use a SAS to delegate access to resources in Azure Storage account. And SAS expiration policy recommend upper expiration limit when a user creates a SAS token.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit allows a non-compliant resource to be created, but flags it as non-compliant. Deny blocks the resource creation and update. Disable turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/sasPolicy",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bc1b984e-ddae-40cc-801a-050a030e4fbe",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bc1b984e-ddae-40cc-801a-050a030e4fbe"
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In order to know whether your storage accounts are being used with non-compliant SAS Keys, go to the logs of your storage account (which you have of course configured) and run the following Kusto query:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;StorageBlobLogs
// Keep only requests whose SAS violated the account's sasPolicy
| where SasExpiryStatus startswith "Policy violated"
| summarize count() by AccountName, SasExpiryStatus

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And voilà, that is how to quickly gain more control over your storage accounts.&lt;/p&gt;

</description>
      <category>azure</category>
      <category>storage</category>
      <category>policy</category>
    </item>
    <item>
      <title>Azure Storage - Simplify your keys rotation</title>
      <dc:creator>Wilfried Woivré</dc:creator>
      <pubDate>Wed, 20 Apr 2022 00:00:00 +0000</pubDate>
      <link>https://dev.to/wilfriedwoivre/azure-storage-simplify-your-keys-rotation-35g8</link>
      <guid>https://dev.to/wilfriedwoivre/azure-storage-simplify-your-keys-rotation-35g8</guid>
      <description>&lt;p&gt;From a security point of view, it is often necessary to rotate your access keys, whether it is a user password or an SPN key. But don’t forget your technical assets where you can identify yourself with a key such as Azure Storage.&lt;/p&gt;

&lt;p&gt;Unless you have managed this brilliantly in your application and infrastructure, rotating the keys of your storage can be tedious, and above all you risk forgetting to do it if you don’t do it regularly.&lt;/p&gt;

&lt;p&gt;To help you do it more often, Microsoft has released a new feature that will make it easier to remember: it is now possible to add an alert when your keys have not been rotated for a long time.&lt;/p&gt;

&lt;p&gt;To do this, simply add the following property to your storage in ARM:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;"keyPolicy": {
    "keyExpirationPeriodInDays": 60
},

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It is of course also possible from the Azure portal, in the key management blade.&lt;/p&gt;

&lt;p&gt;Now it’s good to have a policy in place, but how are we alerted? Well, simply thanks to a built-in Azure Policy that you can find under the name &lt;strong&gt;Storage account keys should not be expired&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;And for the curious here is its definition:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;{
  "properties": {
    "displayName": "Storage account keys should not be expired",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired.",
    "metadata": {
      "version": "3.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit allows a non-compliant resource to be created, but flags it as non-compliant. Deny blocks the resource creation and update. Disable turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "value": "[utcNow()]",
                "greater": "[if(and(not(empty(coalesce(field('Microsoft.Storage/storageAccounts/keyCreationTime.key1'), ''))), not(empty(string(coalesce(field('Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays'), ''))))), addDays(field('Microsoft.Storage/storageAccounts/keyCreationTime.key1'), field('Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays')), utcNow())]"
              },
              {
                "value": "[utcNow()]",
                "greater": "[if(and(not(empty(coalesce(field('Microsoft.Storage/storageAccounts/keyCreationTime.key2'), ''))), not(empty(string(coalesce(field('Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays'), ''))))), addDays(field('Microsoft.Storage/storageAccounts/keyCreationTime.key2'), field('Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays')), utcNow())]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "044985bb-afe1-42cd-8a36-9d5d42424537"
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Note that you won’t be memorizing the definition of this policy in one evening…&lt;/p&gt;

&lt;p&gt;And don’t forget to rotate your keys: you never know, you might have to do it because of a security incident, and it’s better to have tested it before.&lt;/p&gt;

</description>
      <category>azure</category>
      <category>storage</category>
      <category>policy</category>
    </item>
    <item>
      <title>Azure Policy - Trigger policy scan</title>
      <dc:creator>Wilfried Woivré</dc:creator>
      <pubDate>Fri, 18 Mar 2022 00:00:00 +0000</pubDate>
      <link>https://dev.to/wilfriedwoivre/azure-policy-trigger-policy-scan-4fdl</link>
      <guid>https://dev.to/wilfriedwoivre/azure-policy-trigger-policy-scan-4fdl</guid>
      <description>&lt;p&gt;When you create your own Azure Policies, it can be tedious to test them, as the evaluation is triggered by Azure.&lt;/p&gt;

&lt;p&gt;It has been possible for some time to force its execution on the scope of a resource group or a subscription. In our case, it is more about forcing it on a test resource group than on a subscription, so as not to impact your other policies.&lt;/p&gt;

&lt;p&gt;To trigger an evaluation, you can use a PowerShell command like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Subscription scope
Start-AzPolicyComplianceScan -AsJob

# Resource group scope
Start-AzPolicyComplianceScan -ResourceGroupName $rgName -AsJob

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You can run it without a PowerShell job, but the operation is very long, which is why I recommend using a PowerShell job in a development scenario.&lt;/p&gt;

&lt;p&gt;It is also possible to do this with the REST API.&lt;/p&gt;

&lt;p&gt;To do this, you need to use the following URLs:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Subscription: &lt;strong&gt;&lt;a href="https://management.azure.com/subscriptions/%7BsubscriptionId%7D/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01"&gt;https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Resource Group: &lt;strong&gt;&lt;a href="https://management.azure.com/subscriptions/%7BsubscriptionId%7D/resourceGroups/%7BYourRG%7D/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01"&gt;https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{YourRG}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In PowerShell, the call on a resource group looks like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$token = Get-AzAccessToken
$authHeader = @{
    'Content-Type'='application/json'
    'Authorization'='Bearer ' + $token.Token
}

# Fill in your own values
$subscriptionId = ""
$resourceGroup = ""

# Resource group scope, using the api-version of the URLs above
$restUrl = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01"

Invoke-WebRequest -Uri $restUrl -Method POST -Headers $authHeader

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And you will find this trace in your Activity Log:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--w0nuLi3r--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://woivre.com/images/2022/03/18/azure-policy-trigger-policy-scan-img0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--w0nuLi3r--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://woivre.com/images/2022/03/18/azure-policy-trigger-policy-scan-img0.png" alt="" width="800" height="272"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;So no more excuses to take a coffee while waiting for the policy to be triggered.&lt;/p&gt;

</description>
      <category>azure</category>
      <category>policy</category>
    </item>
    <item>
      <title>Azure - Use regional endpoint for ARM REST API calls</title>
      <dc:creator>Wilfried Woivré</dc:creator>
      <pubDate>Wed, 16 Mar 2022 00:00:00 +0000</pubDate>
      <link>https://dev.to/wilfriedwoivre/azure-use-regional-endpoint-for-arm-rest-api-calls-40aa</link>
      <guid>https://dev.to/wilfriedwoivre/azure-use-regional-endpoint-for-arm-rest-api-calls-40aa</guid>
      <description>&lt;p&gt;Recently I opened different support cases to Microsoft for an unusual behavior on Azure.&lt;/p&gt;

&lt;p&gt;When I created a new resource in West Europe, it was available on the Azure portal, but from my Automation Account in North Europe I could not see it.&lt;/p&gt;

&lt;p&gt;In other words, when I did a &lt;strong&gt;Get-AzStorageAccount -ResourceGroup $resourceGroupName&lt;/strong&gt; from my workstation I could see my new storage, but from my Automation account I could not.&lt;/p&gt;

&lt;p&gt;In order to diagnose the problem there is a very simple way: just run the following PowerShell commands:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$token = Get-AzAccessToken
$authHeader = @{
    'Content-Type'='application/json'
    'Authorization'='Bearer ' + $token.Token
}

# Fill in your own values
$subscriptionId = ""
$resourceGroupName = ""

# Query the same resource group through each regional ARM endpoint and show the response headers
$locations = @("westeurope", "northeurope")

foreach ($location in $locations) {
    Write-Host "Location : $location" -ForegroundColor Cyan
    $restUrl = "https://$location.management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/resources?api-version=2022-01-01"
    (Invoke-WebRequest -Uri $restUrl -Method GET -Headers $authHeader).Headers
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And you will see which region your calls go through via the &lt;strong&gt;x-ms-routing-request-id&lt;/strong&gt; header, which contains the &lt;strong&gt;WESTEUROPE&lt;/strong&gt; value corresponding to the region.&lt;/p&gt;

&lt;p&gt;Very useful when there is a synchronization problem on the Azure side, and support can force a sync if you don’t want to wait for it to happen.&lt;/p&gt;

</description>
      <category>azure</category>
      <category>powershell</category>
    </item>
    <item>
      <title>Azure - Easily get an Access Token for your REST API calls</title>
      <dc:creator>Wilfried Woivré</dc:creator>
      <pubDate>Mon, 14 Mar 2022 00:00:00 +0000</pubDate>
      <link>https://dev.to/wilfriedwoivre/azure-easily-get-an-access-token-for-your-rest-api-calls-51k8</link>
      <guid>https://dev.to/wilfriedwoivre/azure-easily-get-an-access-token-for-your-rest-api-calls-51k8</guid>
      <description>&lt;p&gt;Using REST APIs on Azure is of course an essential skill for all Cloud users whether they are developers or administrators.&lt;/p&gt;

&lt;p&gt;In a script it is often convenient to switch to a REST API instead of a PowerShell cmdlet, for different reasons like the following:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Use of a property not available in our version of the PowerShell module&lt;/li&gt;
&lt;li&gt;Updating a property of an object that is not easy to do in PowerShell&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;And of course, to be able to call Azure REST APIs you need an access token, and for that there are several ways to get one.&lt;/p&gt;

&lt;p&gt;If you have an old version of the PowerShell modules, you can always use this script:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Acquire a token for the current tenant through the profile client (works with older Az modules)
$azContext = Get-AzContext
$azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azProfile)
$token = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId)
$authHeader = @{
    'Content-Type'='application/json'
    'Authorization'='Bearer ' + $token.AccessToken
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Or, more simply, if you forgot this piece of code, I advise you to go to the &lt;a href="https://docs.microsoft.com/en-us/rest/api/resources/resource-groups/list"&gt;Azure documentation&lt;/a&gt; site and test an API there: you will be able to retrieve an access token.&lt;/p&gt;

&lt;p&gt;And if you have a fairly recent module, you can use the following method:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$token = Get-AzAccessToken
$authHeader = @{
    'Content-Type'='application/json'
    'Authorization'='Bearer ' + $token.Token
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And voilà, you can call Azure REST APIs with your token as follows:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$restUrl = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups?api-version=2022-01-01"
Invoke-WebRequest -Uri $restUrl -Method GET -Headers $authHeader

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We agree that it is much easier to remember.&lt;/p&gt;

</description>
      <category>azure</category>
      <category>powershell</category>
    </item>
    <item>
      <title>Azure Policy - Add custom error messages</title>
      <dc:creator>Wilfried Woivré</dc:creator>
      <pubDate>Tue, 08 Mar 2022 00:00:00 +0000</pubDate>
      <link>https://dev.to/wilfriedwoivre/azure-policy-add-custom-error-messages-18dp</link>
      <guid>https://dev.to/wilfriedwoivre/azure-policy-add-custom-error-messages-18dp</guid>
      <description>&lt;p&gt;Azure Policy is very useful to do governance on Azure, however the error messages are not always clear, but it is possible to customize them as we will see in this article&lt;/p&gt;

&lt;p&gt;Let’s imagine a policy for your storage accounts that validates that they are all accessible only over HTTPS, so we will have a policy like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;"if": {
    "allOf": [
        {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
        },
        {
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "equals": false
        }
    ]
},
"then": {
    "effect": "deny"
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When assigning it, you will want to give it a name; at this point you have several choices:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Put a name that speaks to all those who will have the error message such as &lt;em&gt;AllowOnlyStorageAccountWithOnlyHttpsSupport&lt;/em&gt;
&lt;/li&gt;
&lt;li&gt;Put a unique identifier such as &lt;em&gt;4cd4c48a-9a10-4386-ae0e-45ee0205231b&lt;/em&gt;, since we agree that there is nothing better than a Guid, or not …&lt;/li&gt;
&lt;li&gt;Have a naming convention for your different Azure Policies in order to find them easily and avoid typos or approximate English, except that there is a risk of ending up with a code that is not always clear, such as STG-SPEC-NWK-RSK0 (Storage-Specific-Network-Risk_0)&lt;/li&gt;
&lt;li&gt;The answer D&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Well, to be honest, I prefer the third choice, because a naming convention can be extended and there is no need to invent a name for everything. The real drawback, however, is that sometimes your policies get triggered and your users legitimately ask you “Wilfried, what does this error code mean?” Well, you should know that all these support concerns are now over, because Microsoft has provided the ability to put custom error messages like this:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--RmbsRzMP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://woivre.com/images/2022/03/08/azure-policy-add-custom-error-messages-img0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--RmbsRzMP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://woivre.com/images/2022/03/08/azure-policy-add-custom-error-messages-img0.png" alt="" width="800" height="287"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;So when you create your Storage Account, for example in PowerShell, you will get this message:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;PS C:\Users\wilfr&amp;gt; New-AzStorageAccount -Name policytestwwo -ResourceGroupName policy-test-2 -Kind StorageV2 -SkuName Standard_LRS -Location westeurope -AccessTier Hot -EnableHttpsTrafficOnly $false
New-AzStorageAccount : Resource 'policytestwwo' was disallowed by policy. Reasons: 'Allow only storage account with
only https support enabled'. See error details for policy resource IDs.
At line:1 char:1
+ New-AzStorageAccount -Name policytestwwo -ResourceGroupName policy-te ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [New-AzStorageAccount], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Management.Storage.NewAzureStorageAccountCommand

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And voilà there you have your custom message! Of course, you can put whatever you want like a link to your internal documentation for this Policy.&lt;/p&gt;

</description>
      <category>azure</category>
      <category>policy</category>
    </item>
    <item>
      <title>Improve your Microsoft Defender for Cloud with your custom rules</title>
      <dc:creator>Wilfried Woivré</dc:creator>
      <pubDate>Tue, 14 Dec 2021 00:00:00 +0000</pubDate>
      <link>https://dev.to/wilfriedwoivre/improve-your-microsoft-defender-for-cloud-with-your-custom-rules-1jl2</link>
      <guid>https://dev.to/wilfriedwoivre/improve-your-microsoft-defender-for-cloud-with-your-custom-rules-1jl2</guid>
      <description>&lt;p&gt;With Microsoft Defender for Cloud, previously known as Security Center, you can easily monitor your Azure subscriptions on a large scale. For continuous improvement, or even regulatory purposes, it is possible to directly affect initiatives as I mentioned in a previous post &lt;a href="https://dev.topost"&gt;https://woivre.com/blog/2021/12/microsoft-defender-for-cloud-your-toolbox-for-azure-governance&lt;/a&gt;However, you can go further via the “Regulatory compliance” tab in Microsoft Defender for Cloud.&lt;/p&gt;

&lt;p&gt;But it is also possible to integrate your own controls with your own policies to fully customize your experience with this tool.&lt;/p&gt;

&lt;p&gt;In order to begin, we will start by creating a new Azure Policy, such as this one:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
          "equals": false
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We will of course give it a name and a description, but you are free to choose all the parameters, for example the following:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Policy Definition&lt;/strong&gt; : Tenant Root Group&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Name&lt;/strong&gt; : AzSecure-Storage-OnlyHTTPS&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Description&lt;/strong&gt; : Enforce HTTPS Traffic only for Azure Storage&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Category&lt;/strong&gt; : AzSecure-Storage&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Now we will not assign this policy directly, but we will create a new &lt;strong&gt;Initiative Definition&lt;/strong&gt; with the following parameters:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Initiative Definition&lt;/strong&gt; : Tenant Root Group&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Name&lt;/strong&gt; : AzSecure-Compliance&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Description&lt;/strong&gt; : Contains all Azure policies to secure your Azure account&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Category&lt;/strong&gt; : AzSecure&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Version&lt;/strong&gt; : 1.0&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Then in the list of policies, we will now integrate the policy that we created earlier. You can also create groups to organize your different policies later.&lt;/p&gt;

&lt;p&gt;We will then define our parameters for our Initiative, and our policies if we have any. This is not the case here.&lt;/p&gt;

&lt;p&gt;Once the initiative is created, we assign it to our subscription. Here, it can be very useful to edit the different Non-Compliance messages of your policies to guide your users.&lt;/p&gt;

&lt;p&gt;Now that your initiative is assigned to your subscription, you will be able to observe the behavior of the policies in a very classical way, i.e. to create non-compliant services, and to see the different elements in the different Policies blades available.&lt;/p&gt;

&lt;p&gt;But it is also possible to go further thanks to Microsoft Defender for Cloud, in the Microsoft Defender settings section.&lt;/p&gt;

&lt;p&gt;You have to go to Security Policy and then add your own initiative as below:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Cg-H6ZqR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://woivre.com/images/2021/12/14/improve-your-microsoft-defender-for-cloud-with-your-custom-rules-img0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Cg-H6ZqR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://woivre.com/images/2021/12/14/improve-your-microsoft-defender-for-cloud-with-your-custom-rules-img0.png" alt="" width="800" height="176"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now you have to be patient and wait several hours to see your Regulatory compliance blade enriched by your own initiative, as below:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vwKJ30Ov--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://woivre.com/images/2021/12/14/improve-your-microsoft-defender-for-cloud-with-your-custom-rules-img1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vwKJ30Ov--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://woivre.com/images/2021/12/14/improve-your-microsoft-defender-for-cloud-with-your-custom-rules-img1.png" alt="" width="800" height="253"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now for the bad news: you have to activate this feature in Microsoft Defender for Cloud to be able to use it, and therefore pay for it. But security is priceless.&lt;/p&gt;

</description>
      <category>azure</category>
      <category>policy</category>
      <category>microsoftdefenderfor</category>
    </item>
    <item>
      <title>Microsoft Defender for cloud - Your toolbox for Azure governance</title>
      <dc:creator>Wilfried Woivré</dc:creator>
      <pubDate>Mon, 13 Dec 2021 00:00:00 +0000</pubDate>
      <link>https://dev.to/wilfriedwoivre/microsoft-defender-for-cloud-your-toolbox-for-azure-governance-1175</link>
      <guid>https://dev.to/wilfriedwoivre/microsoft-defender-for-cloud-your-toolbox-for-azure-governance-1175</guid>
      <description>&lt;p&gt;Azure offers both services to host your applications, but also tools to help you manage them better, such as the Security Center.&lt;/p&gt;

&lt;p&gt;This is a toolbox that is constantly evolving at Microsoft, and good news some of these tools are free, and of course another not.&lt;/p&gt;

&lt;p&gt;Among the essential tools that we find there are :&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The degree of security (or the Secure Score)&lt;/li&gt;
&lt;li&gt;Your regulatory compliance&lt;/li&gt;
&lt;li&gt;Azure Defender&lt;/li&gt;
&lt;li&gt;Firewall Manager&lt;/li&gt;
&lt;li&gt;Insights&lt;/li&gt;
&lt;li&gt;Workbooks&lt;/li&gt;
&lt;li&gt;Workflow automation&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The Security Center is a real gold mine if you want to invest in SecOps on Azure.&lt;/p&gt;

&lt;p&gt;However, beware that the various recommendations in the Security Center are not always applicable to your use of Azure.&lt;/p&gt;

&lt;p&gt;Let’s take for example the following rule “ &lt;strong&gt;Storage account public access should be disallowed&lt;/strong&gt; ”: This one is not applicable in case your storage account is used to expose images via a CDN for example.&lt;/p&gt;

&lt;p&gt;So before applying each action, it is necessary to understand if it corresponds to a legitimate architecture.&lt;/p&gt;

&lt;p&gt;To understand how this works: these different recommendations come from a Policy Initiative called Azure Security Benchmark (previously Enable Monitoring in Azure Security Center). This is the initiative with the following definition: &lt;em&gt;/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Sometimes it is necessary to see the settings related to this initiative in order to customize them according to the context of the subscription.&lt;/p&gt;

&lt;p&gt;For example in the Security Center, we have this rule: &lt;strong&gt;Network Watcher should be enabled&lt;/strong&gt;. If we click on it, we can see the definition of the associated policy&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;{
  "properties": {
    "displayName": "Network Watcher should be enabled",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure.",
    "metadata": {
      "version": "2.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Locations",
          "description": "Audit if Network Watcher is not enabled for region(s).",
          "strongType": "location"
        }
      },
      "resourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "NetworkWatcher resource group name",
          "description": "Name of the resource group of NetworkWatcher, such as NetworkWatcherRG. This is the resource group where the Network Watchers are located."
        },
        "defaultValue": "NetworkWatcherRG"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/networkWatchers",
          "resourceGroupName": "[parameters('resourceGroupName')]",
          "existenceCondition": {
            "field": "location",
            "in": "[parameters('listOfLocations')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We can see that there are several parameters taken into account here, such as the name of the resource group, and the list of regions that we want to monitor.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--JGdSKp_z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://woivre.com/images/2021/12/13/microsoft-defender-for-cloud-your-toolbox-for-azure-governance-img0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--JGdSKp_z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://woivre.com/images/2021/12/13/microsoft-defender-for-cloud-your-toolbox-for-azure-governance-img0.png" alt="" width="800" height="220"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;On my subscription, I deploy the Network Watcher for each region in a dedicated resource group that I know, because I do not like resource groups created by Microsoft without prior request. So here we have to remember to change the resource group parameter; by default it is NetworkWatcherRG (capital letters, I like it ….)&lt;/p&gt;

&lt;p&gt;In short, we can see here some examples of the usefulness of the Security Center, provided that it is used properly and not just looked at from time to time. Later, I will try to write other articles on these Security Center topics in order to dig into the different features it brings in more detail.&lt;/p&gt;

</description>
      <category>azure</category>
      <category>monitoring</category>
      <category>microsoftdefenderfor</category>
    </item>
    <item>
      <title>Azure RBAC - How to extract all permissions from a role</title>
      <dc:creator>Wilfried Woivré</dc:creator>
      <pubDate>Mon, 01 Feb 2021 00:00:00 +0000</pubDate>
      <link>https://dev.to/wilfriedwoivre/azure-rbac-how-to-extract-all-permissions-from-a-role-2h82</link>
      <guid>https://dev.to/wilfriedwoivre/azure-rbac-how-to-extract-all-permissions-from-a-role-2h82</guid>
      <description>&lt;p&gt;One of the most important things in the Cloud (any providers) is IAM permissions, and one of the best practices is to define least privileges for your needs.&lt;/p&gt;

&lt;p&gt;In Azure, it’s not an exception, and Microsoft provides lot of built in role to help you to secure your environment. Yes you read it correctly Owner, contributor and Reader are not the only built in roles provides by Microsoft, currently you have 245 role definitions in Azure.&lt;/p&gt;

&lt;p&gt;If i take one role, for example &lt;strong&gt;Key Vault Contributor&lt;/strong&gt; , you have this definition:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;{
    "Name": "Key Vault Contributor",
    "Id": "f25e0fa2-a7c8-4377-a976-54943a77a395",
    "IsCustom": false,
    "Description": "Lets you manage key vaults, but not access to them.",
    "Actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Insights/alertRules/*",
                    "Microsoft.KeyVault/*",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Support/*"
                ],
    "NotActions": [
                       "Microsoft.KeyVault/locations/deletedVaults/purge/action",
                       "Microsoft.KeyVault/hsmPools/*",
                       "Microsoft.KeyVault/managedHsms/*"
                   ],
    "DataActions": [

                    ],
    "NotDataActions": [

                       ],
    "AssignableScopes": [
                             "/"
                         ]
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;As you can see, some permissions have a star (wildcard) in their name. This is convenient because when Microsoft adds a new feature, they do not have to update the built-in role unless it is necessary.&lt;/p&gt;

&lt;p&gt;But now, for security reasons, you want to block some features for your users, and perhaps some “future” features too, so you cannot use the built-in role as it is, and copy-pasting it into a custom role does not give you the full least privilege you want, since the wildcards come along with it.&lt;/p&gt;

&lt;p&gt;So here is a PowerShell script to create a new custom role with the same permissions as your initial role, but without any star in the permissions:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$role = Get-AzRoleDefinition 'Key Vault Contributor'

$role.IsCustom = $true
$role.Name = "Custom $($role.Name)"
$role.Id = ''

$actions = @()
$role.Actions | % { Get-AzProviderOperation $_ | % { $actions += $_.Operation } }
$role.Actions.Clear()
$actions | Select -Unique | % { $role.Actions.Add($_) }

$dataActions = @()
$role.DataActions | % { Get-AzProviderOperation $_ | % { $dataActions += $_.Operation } }
$role.DataActions.Clear()
$dataActions | Select -Unique | % { $role.DataActions.Add($_) }

$notActions = @()
$role.NotActions | % { Get-AzProviderOperation $_ | % { $notActions += $_.Operation } }
$role.NotActions.Clear()
$notActions | Select -Unique | % { $role.NotActions.Add($_) }

$notDataActions = @()
$role.NotDataActions | % { Get-AzProviderOperation $_ | % { $notDataActions += $_.Operation } }
$role.NotDataActions.Clear()
$notDataActions | Select -Unique | % { $role.NotDataActions.Add($_) }

$role | ConvertTo-Json

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I replace every wildcard permission with the full names of the operations it covers, thanks to the &lt;strong&gt;Get-AzProviderOperation&lt;/strong&gt; cmdlet!&lt;/p&gt;
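&lt;p&gt;As an added example (not part of the original post), here is the same expansion done offline in Python against a constructed subset of the provider-operation catalogue, with values taken from the expanded role shown in this article. It also shows why the expanded role holds no surprises for the future: a hypothetical operation added later is granted by the wildcard role but not by the expanded one. The catalogue, the hypothetical operation name and the function names are assumptions.&lt;/p&gt;

```python
"""Expand Azure RBAC wildcard permissions into explicit operations.

Mirrors what the PowerShell script above does with Get-AzProviderOperation,
but offline: the provider-operation catalogue is a constructed subset of the
operations listed in the article, not a live query to Azure.
"""
import re
from typing import Dict, Iterable, List

# Constructed subset of provider operations (names copied from the expanded
# role in the article; a real run would pull the list from Get-AzProviderOperation).
CATALOGUE: List[str] = [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/write",
    "Microsoft.KeyVault/vaults/secrets/read",
    "Microsoft.KeyVault/vaults/keys/decrypt/action",
    "Microsoft.KeyVault/locations/deletedVaults/purge/action",
    "Microsoft.KeyVault/hsmPools/read",
    "Microsoft.KeyVault/hsmPools/write",
    "Microsoft.KeyVault/managedHSMs/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Support/supportTickets/write",
]

# The built-in role as shown in the article (only the fields the expansion needs).
KEY_VAULT_CONTRIBUTOR: Dict[str, List[str]] = {
    "Actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.KeyVault/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
    ],
    "NotActions": [
        "Microsoft.KeyVault/locations/deletedVaults/purge/action",
        "Microsoft.KeyVault/hsmPools/*",
        "Microsoft.KeyVault/managedHsms/*",
    ],
    "DataActions": [],
    "NotDataActions": [],
}


def matches(pattern, operation):
    """Azure RBAC wildcard match: '*' spans any characters, including '/',
    and operation names are compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def expand(pattern, catalogue):
    """Explicit operations covered by one (possibly wildcarded) permission."""
    return [op for op in catalogue if matches(pattern, op)]


def expand_role(role, catalogue):
    """Rewrite every permission list of the role without wildcards, keeping
    first-seen order and dropping duplicates (like Select -Unique)."""
    catalogue = list(catalogue)
    expanded = {}
    for section in ("Actions", "NotActions", "DataActions", "NotDataActions"):
        seen = []
        for pattern in role.get(section, []):
            for op in expand(pattern, catalogue):
                if op not in seen:
                    seen.append(op)
        expanded[section] = seen
    return expanded


def is_allowed(role, operation):
    """Effective control-plane permission: granted by some Action and not
    excluded by any NotAction (both lists may still contain wildcards)."""
    granted = any(matches(p, operation) for p in role["Actions"])
    denied = any(matches(p, operation) for p in role["NotActions"])
    return granted and not denied


if __name__ == "__main__":
    frozen = expand_role(KEY_VAULT_CONTRIBUTOR, CATALOGUE)
    # Hypothetical operation that Microsoft could add after the role was created.
    future_op = "Microsoft.KeyVault/vaults/newFeature/action"
    print("wildcard role allows future op:", is_allowed(KEY_VAULT_CONTRIBUTOR, future_op))
    print("expanded role allows future op:", is_allowed(frozen, future_op))
    print("expanded NotActions:", frozen["NotActions"])
```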

&lt;p&gt;And now my role is pretty big, but without any surprises for the future.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;{
    "Name": "Custom Key Vault Contributor",
    "Id": "",
    "IsCustom": true,
    "Description": "Lets you manage key vaults, but not access to them.",
    "Actions": [
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/locks/read",
                    "Microsoft.Authorization/roleDefinitions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.Authorization/policySetDefinitions/read",
                    "Microsoft.Authorization/policyDefinitions/read",
                    "Microsoft.Authorization/policyAssignments/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/denyAssignments/read",
                    "Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/read",
                    "Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/read",
                    "Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/read",
                    "Microsoft.Authorization/policyAssignments/privateLinkAssociations/read",
                    "Microsoft.Authorization/policyExemptions/read",
                    "Microsoft.Insights/AlertRules/Write",
                    "Microsoft.Insights/AlertRules/Delete",
                    "Microsoft.Insights/AlertRules/Read",
                    "Microsoft.Insights/AlertRules/Activated/Action",
                    "Microsoft.Insights/AlertRules/Resolved/Action",
                    "Microsoft.Insights/AlertRules/Throttled/Action",
                    "Microsoft.Insights/AlertRules/Incidents/Read",
                    "Microsoft.KeyVault/register/action",
                    "Microsoft.KeyVault/unregister/action",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.KeyVault/vaults/write",
                    "Microsoft.KeyVault/vaults/delete",
                    "Microsoft.KeyVault/vaults/deploy/action",
                    "Microsoft.KeyVault/vaults/secrets/read",
                    "Microsoft.KeyVault/vaults/secrets/write",
                    "Microsoft.KeyVault/vaults/secrets/delete",
                    "Microsoft.KeyVault/vaults/secrets/backup/action",
                    "Microsoft.KeyVault/vaults/secrets/purge/action",
                    "Microsoft.KeyVault/vaults/secrets/update/action",
                    "Microsoft.KeyVault/vaults/secrets/recover/action",
                    "Microsoft.KeyVault/vaults/secrets/restore/action",
                    "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
                    "Microsoft.KeyVault/vaults/secrets/getSecret/action",
                    "Microsoft.KeyVault/vaults/secrets/setSecret/action",
                    "Microsoft.KeyVault/vaults/accessPolicies/write",
                    "Microsoft.KeyVault/operations/read",
                    "Microsoft.KeyVault/checkNameAvailability/read",
                    "Microsoft.KeyVault/deletedVaults/read",
                    "Microsoft.KeyVault/locations/deletedVaults/read",
                    "Microsoft.KeyVault/locations/deletedVaults/purge/action",
                    "Microsoft.KeyVault/locations/operationResults/read",
                    "Microsoft.KeyVault/locations/deleteVirtualNetworkOrSubnets/action",
                    "Microsoft.KeyVault/hsmPools/read",
                    "Microsoft.KeyVault/hsmPools/write",
                    "Microsoft.KeyVault/hsmPools/delete",
                    "Microsoft.KeyVault/hsmPools/joinVault/action",
                    "Microsoft.KeyVault/vaults/eventGridFilters/read",
                    "Microsoft.KeyVault/vaults/eventGridFilters/write",
                    "Microsoft.KeyVault/vaults/eventGridFilters/delete",
                    "Microsoft.KeyVault/vaults/certificatecas/delete",
                    "Microsoft.KeyVault/vaults/certificatecas/read",
                    "Microsoft.KeyVault/vaults/certificatecas/write",
                    "Microsoft.KeyVault/vaults/certificatecontacts/write",
                    "Microsoft.KeyVault/vaults/certificates/delete",
                    "Microsoft.KeyVault/vaults/certificates/read",
                    "Microsoft.KeyVault/vaults/certificates/backup/action",
                    "Microsoft.KeyVault/vaults/certificates/purge/action",
                    "Microsoft.KeyVault/vaults/certificates/update/action",
                    "Microsoft.KeyVault/vaults/certificates/create/action",
                    "Microsoft.KeyVault/vaults/certificates/import/action",
                    "Microsoft.KeyVault/vaults/certificates/recover/action",
                    "Microsoft.KeyVault/vaults/certificates/restore/action",
                    "Microsoft.KeyVault/vaults/keys/read",
                    "Microsoft.KeyVault/vaults/keys/write",
                    "Microsoft.KeyVault/vaults/keys/update/action",
                    "Microsoft.KeyVault/vaults/keys/create/action",
                    "Microsoft.KeyVault/vaults/keys/import/action",
                    "Microsoft.KeyVault/vaults/keys/recover/action",
                    "Microsoft.KeyVault/vaults/keys/restore/action",
                    "Microsoft.KeyVault/vaults/keys/delete",
                    "Microsoft.KeyVault/vaults/keys/backup/action",
                    "Microsoft.KeyVault/vaults/keys/purge/action",
                    "Microsoft.KeyVault/vaults/keys/encrypt/action",
                    "Microsoft.KeyVault/vaults/keys/decrypt/action",
                    "Microsoft.KeyVault/vaults/keys/wrap/action",
                    "Microsoft.KeyVault/vaults/keys/unwrap/action",
                    "Microsoft.KeyVault/vaults/keys/sign/action",
                    "Microsoft.KeyVault/vaults/keys/verify/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/read",
                    "Microsoft.KeyVault/vaults/storageaccounts/set/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/delete",
                    "Microsoft.KeyVault/vaults/storageaccounts/backup/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/purge/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/regeneratekey/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/recover/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/restore/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/sas/set/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/sas/delete",
                    "Microsoft.KeyVault/managedHSMs/read",
                    "Microsoft.KeyVault/managedHSMs/write",
                    "Microsoft.KeyVault/managedHSMs/delete",
                    "Microsoft.KeyVault/vaults/keys/versions/read",
                    "Microsoft.Resources/deployments/read",
                    "Microsoft.Resources/deployments/write",
                    "Microsoft.Resources/deployments/delete",
                    "Microsoft.Resources/deployments/cancel/action",
                    "Microsoft.Resources/deployments/validate/action",
                    "Microsoft.Resources/deployments/whatIf/action",
                    "Microsoft.Resources/deployments/exportTemplate/action",
                    "Microsoft.Resources/deployments/operations/read",
                    "Microsoft.Resources/deployments/operationstatuses/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Support/register/action",
                    "Microsoft.Support/checkNameAvailability/action",
                    "Microsoft.Support/supportTickets/read",
                    "Microsoft.Support/supportTickets/write",
                    "Microsoft.Support/services/read",
                    "Microsoft.Support/services/problemClassifications/read",
                    "Microsoft.Support/supportTickets/communications/read",
                    "Microsoft.Support/supportTickets/communications/write",
                    "Microsoft.Support/operationresults/read",
                    "Microsoft.Support/operationsstatus/read",
                    "Microsoft.Support/operations/read"
                ],
    "NotActions": [
                       "Microsoft.KeyVault/locations/deletedVaults/purge/action",
                       "Microsoft.KeyVault/hsmPools/read",
                       "Microsoft.KeyVault/hsmPools/write",
                       "Microsoft.KeyVault/hsmPools/delete",
                       "Microsoft.KeyVault/hsmPools/joinVault/action",
                       "Microsoft.KeyVault/managedHSMs/read",
                       "Microsoft.KeyVault/managedHSMs/write",
                       "Microsoft.KeyVault/managedHSMs/delete"
                   ],
    "DataActions": [

                    ],
    "NotDataActions": [

                       ],
    "AssignableScopes": [
                             "/"
                         ]
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



</description>
      <category>azure</category>
    </item>
  </channel>
</rss>
