Generate Azure Credentials
Purpose
This document describes the configuration of Azure credentials on OUTSCAN and the steps to setup on Microsoft Azure account to perform a benchmark.
Configure an Azure Account on OUTSCAN
Prerequisite
A CIS Benchmark app should be defined on Azure account.
Procedure
In the drop-down menu select Microsoft Azure.
Add the Name of your Azure account.
Add the Tenant ID.
Add the Client ID.
Add the Secret.
See Steps to Find Azure Parameters in the Azure Console for reference
Click the blue Add button.
To manage your credentials, refer to Scan Credentials.[1]
Steps to Set an App on Microsoft Azure Account to Perform a Benchmark
Follow the below steps to set a CIS benchmark application.
Register an app and create credentials.
Create a custom role.
Assign app with that custom role.
If your Microsoft Azure account has more than one subscription, then you can widen the assignable scope of the custom role by adding a line for each subscription.
Register an Application and Create Credentials - Service Account
Prerequisite
A Microsoft Azure account with access to Azure portal is required.
Procedure
Login to Azure portal.
Go to Azure Active Directory.
On the left panel, click on App registrations.
On the top panel, click on+ New registration.
Fill the form by entering a name, then Register.
Select the newly registered app from the app list.
On the right panel, copy Application (client) ID value, you will need it to create Azure credential on OUTSCAN.
On the left panel, select Certificate & secrets.
On the right panel, select + New client secret, which opens a panel on the right hand side.
Fill the form by adding description and fix the duration followed by clicking Add.
On the right panel, make a copy on the value of the newly created secret (it will not be displayed later), you will need it to create Azure credential on OUTSCAN.
Create the Custom Role to Run the Benchmark
Prerequisite
Install az,[2] azure command line interface tool.
Procedure
You may refer to the Microsoft Azure link about the custom role definition tutorial [3].
Get the custom role template and customize to fit your azure subscription context:
Upload JSON file containing the custom role template: Azure_Foundations_1.1.1_benchmark_role.json. See Appendix A.
Modify the last line in the JSON file by replacing
'{subscription_id}'
by the actual value of the Azure account.Also remove the
Microsoft.Subscription/SubscriptionDefinitions/read
line from the JSON file since it is no longer supported. See Appendix B.
If you prefer to have a view per subscription then you need to define custom roles and apps as much as subscriptions.
Your Subscription ID can be found in Microsoft Azure portal under Subscriptions as shown below.
Then you run the following command:
To create adhoc custom role:
CODEaz role definition create --role-definition "<path_to>/Azure_Foundations_1.1.1_benchmark_role.json"
To list custom roles:
CODEaz role definition list --custom-role-only true
To update existing custom role:
CODEaz role definition update --role-definition "<path_to>/Azure_Foundations_1.1.1_benchmark_role.json"
To check that the custom role has been created the customer can run:
CODEaz role definition list --custom-role-only true --name "Azure Foundations 1.1.1 Benchmark Role"
Assign Application to the Custom Role
Prerequisite
Make sure that Azure Foundations 1.1.1 Benchmark Role are defined on your Azure account. See section How to Create the Custom Role to Run the Benchmark.
Procedure
Once the custom role has been created, you need to login to the Azure portal to perform the application role assignment.
Go to subscriptions,
Select one subscription.
Go to Access control (IAM).
On the right panel select + Add > Add role assignment which opens a panel on the right.
On the newly right panel fill the form.
Select the custom role: Azure Foundations 1.1.1 Benchmark Role (Custom roles are listed at the end of the list, newly created custom roles may take a while to appear on the list).
Assign access to User, group, or service principal:
Select the application you created to run the benchmark.
Go to application overview.
Go to IAM.
Add role assignment.
Select the custom role: Azure Foundations 1.1.1 Benchmark Role.
Click Save to save the changes and close the panel.
Here is an example how this looks like in the Role Assignments table.
Repeat these steps for each subscription in custom role assignable scope.
Example
The diagrams illustrate how a customer can define either one application that scopes all of the subscriptions or one application for each subscription.
Customers can also decide how many applications they wants to set and define the scope of each application. Diagrams illustrate two use cases only.
How to Find Azure Parameters in the Azure Console
Procedure
The Azure parameters can be found in the Azure console.
Tenant and Tenant ID: Tenant ID is the name of your entry in the Azure Active Directory in which the app is registered such as XXX.onmicrosoft.com or the ID of the directory.
Client ID and User Name: Client ID is the Application ID which is the application id created when you registered the app.
Secret and Password: The password you chose while creating the keys of the application in the Active Directory.
Which Specific Permission to Get 1.3 Running
1.3 check requires special ad hoc permissions. You need to grant Directory.Read.All (Application Type) to the application that runs the benchmark.
Prerequisite
Make sure that the application is registered in the Azure Account.
Procedure
Log in to Azure Portal.
Go to App registration.
Select the Application registered to run the Benchmark.
Select API permissions.
Add permissions for:
Azure Active Directory Graph.
Select Application permissions (Active Directory permissions type in Microsoft Identity Platform).
Select Directory.Read.All permission.
Add Permission.
Click on Grant Admin Consent when it is displayed in bold.
Here is an example how this looks like in the API Permissions:
Which Specific Permission to Get 8.x Running
8.x checks require special ad hoc permissions. You need to grant list permission in the Access Policies of your Key vault to the application that runs the benchmark.
Prerequisite
Make sure that the application is registered in the Azure Account.
Procedure
Log in to Azure Portal.
Go to Key Vaults.
Select a specific key vault.
Select Access policies.
Add Access Policy by selecting all List permissions to Key, Secret & Certificate Management as follow.
Here is an example how this looks like in the Access policies for a specific Key vault.
References
Install the Azure CLI - https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest
Tutorial: Create a custom role for Azure resources using Azure CLI - https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-cli
How to: Use the portal to create an Azure AD application and service principal that can access resources - https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
Appendix A
Azure_Foundations_1.1.1_benchmark_role.json
{
"properties": {
"roleName": "Azure Foundations 1.1.1 Benchmark Role",
"isCustom": true,
"description": "Perform checks of Azure CIS Foundations 1.1.1 Benchmark.",
"assignableScopes":[
"/subscriptions/1546581-1562-152a-xxyx-abcdabcdabcdabcd"
],
"permissions":[
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Compute/locations/publishers/read",
"Microsoft.Compute/locations/publishers/artifacttypes/types/read",
"Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.DBforMySQL/servers/read",
"Microsoft.DBforMySQL/servers/*/read",
"Microsoft.DBforPostgreSQL/servers/read",
"Microsoft.DBforPostgreSQL/servers/*/read",
"Microsoft.DBforPostgreSQL/serversv2/*/read",
"Microsoft.KeyVault/vaults/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/*/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkWatchers/read",
"Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
"Microsoft.Network/networkWatchers/securityGroupView/action",
"Microsoft.Resources/subscriptions/*/read",
"Microsoft.Security/*/read",
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/administrators/read",
"Microsoft.Sql/servers/auditingSettings/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/auditingSettings/read",
"Microsoft.Sql/servers/databases/transparentDataEncryption/read",
"Microsoft.Sql/servers/databases/securityAlertPolicies/read",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/read",
"Microsoft.Sql/servers/encryptionProtector/read",
"Microsoft.Sql/servers/extendedAuditingSettings/read",
"Microsoft.Sql/servers/firewallRules/read",
"Microsoft.Sql/servers/securityAlertPolicies/read",
"Microsoft.Sql/servers/virtualNetworkRules/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/*/read",
"Microsoft.Web/sites/read",
"Microsoft.Web/sites/config/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
Appendix B
Azure Foundations 1.1.0 Benchmark Role.json
{
"Name": "Azure Foundations 1.1.0 Benchmark Role",
"IsCustom": true,
"Description": "Perform checks of Azure CIS Foundations 1.1.0 Benchmark.",
"Actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Compute/locations/publishers/read",
"Microsoft.Compute/locations/publishers/artifacttypes/types/read",
"Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.DBforMySQL/servers/read",
"Microsoft.DBforMySQL/servers/*/read",
"Microsoft.DBforPostgreSQL/servers/read",
"Microsoft.DBforPostgreSQL/servers/*/read",
"Microsoft.DBforPostgreSQL/serversv2/*/read",
"Microsoft.KeyVault/vaults/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/*/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkWatchers/read",
"Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
"Microsoft.Network/networkWatchers/securityGroupView/action",
"Microsoft.Resources/subscriptions/*/read",
"Microsoft.Security/*/read",
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/administrators/read",
"Microsoft.Sql/servers/auditingSettings/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/auditingSettings/read",
"Microsoft.Sql/servers/databases/transparentDataEncryption/read",
"Microsoft.Sql/servers/databases/securityAlertPolicies/read",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/read",
"Microsoft.Sql/servers/encryptionProtector/read",
"Microsoft.Sql/servers/extendedAuditingSettings/read",
"Microsoft.Sql/servers/firewallRules/read",
"Microsoft.Sql/servers/securityAlertPolicies/read",
"Microsoft.Sql/servers/virtualNetworkRules/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/*/read",
"Microsoft.Subscription/SubscriptionDefinitions/read", <<<< Remove this line since it is no longer supported
"Microsoft.Web/sites/read",
"Microsoft.Web/sites/config/Read"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscription_id}"
]
}
Related Articles
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.