Generate Azure Credentials
Purpose
This document describes the configuration of Azure credentials on OUTSCAN and the steps to set up a Microsoft Azure account to perform a benchmark.
Configure an Azure Account on OUTSCAN
Prerequisite
A CIS Benchmark app should be defined on the Azure account.
Procedure
- In the drop-down menu, select Microsoft Azure.
- Add the Name of your Azure account.
- Add the Tenant ID.
- Add the Client ID.
- Add the Secret. See How to Find Azure Parameters in the Azure Console for reference.
- Click the blue Add button.
To manage your credentials, refer to Scan Credentials.[1]
Steps to Set an App on Microsoft Azure Account to Perform a Benchmark
Follow the steps below to set up a CIS benchmark application:
- Register an app and create credentials.
- Create a custom role.
- Assign the app to that custom role.
Note
If your Microsoft Azure account has more than one subscription, you can widen the assignable scope of the custom role by adding one assignable scope line per subscription.
Register an Application and Create Credentials - Service Account
Prerequisite
A Microsoft Azure account with access to Azure portal is required.
Procedure
- Log in to the Azure portal.
- Go to Azure Active Directory.
- On the left panel, click on App registrations.
- On the top panel, click on + New registration.
- Fill in the form by entering a name, then click Register.
- Select the newly registered app from the app list.
- On the right panel, copy the Application (client) ID value; you will need it to create the Azure credential on OUTSCAN.
- On the left panel, select Certificates & secrets.
- On the right panel, select + New client secret, which opens a panel on the right-hand side.
- Fill in the form by adding a description and setting the duration, then click Add.
- On the right panel, copy the value of the newly created secret (it will not be displayed later); you will need it to create the Azure credential on OUTSCAN.
Create the Custom Role to Run the Benchmark
Prerequisite
Install az, the Azure command-line interface tool [2].
Procedure
You may refer to the Microsoft Azure tutorial on custom role definitions [3].
Get the custom role template and customize it to fit your Azure subscription context:
- Upload the JSON file containing the custom role template, Azure_Foundations_1.1.1_benchmark_role.json. See Appendix A.
- Modify the last line of the JSON file by replacing '{subscription_id}' with the actual Subscription ID of your Azure account.
- Also remove the Microsoft.Subscription/SubscriptionDefinitions/read line from the JSON file, since that action is no longer supported. See Appendix B.
If you prefer to have a view per subscription, you need to define as many custom roles and apps as you have subscriptions.
Your Subscription ID can be found in the Microsoft Azure portal under Subscriptions, as shown below.
Then run the relevant command:
To create the custom role:
az role definition create --role-definition "<path_to>/Azure_Foundations_1.1.1_benchmark_role.json"
To list custom roles:
az role definition list --custom-role-only true
To update an existing custom role:
az role definition update --role-definition "<path_to>/Azure_Foundations_1.1.1_benchmark_role.json"
To check that the custom role has been created, run:
az role definition list --custom-role-only true --name "Azure Foundations 1.1.1 Benchmark Role"
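The template customization (placeholder replacement, removal of the unsupported action, widening the scope to several subscriptions) and the post-creation check are shown below as an added Python example; it is not Outpost24's code and does not call az itself. It assumes the Appendix B template shape (top-level Name, Actions and AssignableScopes keys) and the JSON that `az role definition list --custom-role-only true --name ...` prints (a list of objects with roleName, permissions[].actions and assignableScopes). TEMPLATE is an abbreviated, constructed copy of the role and SAMPLE_AZ_OUTPUT is a constructed stand-in for the az output; the function names are the example's own.

```python
"""Prepare the benchmark custom role JSON and verify what az reports back.
Added example, not Outpost24's code. TEMPLATE is an abbreviated copy of the
Appendix B template; the real file carries the full action list."""
import copy
import json
import re

# Action the procedure tells you to remove because it is no longer supported.
UNSUPPORTED_ACTIONS = {"Microsoft.Subscription/SubscriptionDefinitions/read"}

# The only non-read operations the benchmark needs (Network Watcher queries);
# any other action that is not */read is a least-privilege finding.
ALLOWED_NON_READ = {
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
    "Microsoft.Network/networkWatchers/securityGroupView/action",
}

TEMPLATE = {  # abbreviated copy of Appendix B, constructed for this example
    "Name": "Azure Foundations 1.1.0 Benchmark Role",
    "IsCustom": True,
    "Description": "Perform checks of Azure CIS Foundations 1.1.0 Benchmark.",
    "Actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
        "Microsoft.Network/networkWatchers/securityGroupView/action",
        "Microsoft.Subscription/SubscriptionDefinitions/read",
        "Microsoft.Web/sites/config/Read",
    ],
    "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/{subscription_id}"],
}

# Constructed stand-in for `az role definition list --custom-role-only true`
# output: the role as deployed, but with one write action added by hand.
SAMPLE_AZ_OUTPUT = json.dumps([{
    "roleName": "Azure Foundations 1.1.0 Benchmark Role",
    "assignableScopes": ["/subscriptions/11111111-2222-3333-4444-555555555555"],
    "permissions": [{"actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
        "Microsoft.Network/networkWatchers/securityGroupView/action",
        "Microsoft.Web/sites/config/read",
    ], "notActions": [], "dataActions": [], "notDataActions": []}],
}])

SUBSCRIPTION_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def customize_role(template, subscription_ids):
    """Copy the template, replace the {subscription_id} placeholder with one
    scope line per subscription (how the assignable scope is widened for
    several subscriptions) and drop unsupported actions."""
    bad = [s for s in subscription_ids if not SUBSCRIPTION_RE.match(s.lower())]
    if bad:
        raise ValueError(f"not a subscription id: {bad}")
    role = copy.deepcopy(template)
    role["Actions"] = [a for a in role["Actions"] if a not in UNSUPPORTED_ACTIONS]
    role["AssignableScopes"] = [f"/subscriptions/{s}" for s in subscription_ids]
    return role


def non_read_actions(actions):
    """Actions that are neither */read nor on the allow-list; should be empty."""
    return [a for a in actions
            if not a.lower().endswith("/read") and a not in ALLOWED_NON_READ]


def verify_deployed(az_list_output, expected_role):
    """Compare az's view of the role with the customized template. Returns a
    list of findings; an empty list means the role exists and matches."""
    roles = json.loads(az_list_output)
    match = [r for r in roles if r.get("roleName") == expected_role["Name"]]
    if not match:
        return [f"role {expected_role['Name']!r} not found"]
    deployed = match[0]
    # Azure action names are case-insensitive, so compare in lower case.
    got = {a.lower() for p in deployed.get("permissions", [])
           for a in p.get("actions", [])}
    want = {a.lower() for a in expected_role["Actions"]}
    findings = []
    if got - want:
        findings.append(f"unexpected actions granted: {sorted(got - want)}")
    if want - got:
        findings.append(f"actions missing: {sorted(want - got)}")
    if set(deployed.get("assignableScopes", [])) != set(expected_role["AssignableScopes"]):
        findings.append(f"assignable scopes differ: {deployed.get('assignableScopes')}")
    return findings


if __name__ == "__main__":
    role = customize_role(TEMPLATE, ["11111111-2222-3333-4444-555555555555"])
    print(json.dumps(role, indent=2))  # save this and pass it to az role definition create
    print("non-read actions:", non_read_actions(role["Actions"]))
    print("findings:", verify_deployed(SAMPLE_AZ_OUTPUT, role))
```

Run the script, save the printed JSON as the role definition file for `az role definition create`, and after creation paste the output of the `az role definition list` check into verify_deployed: with the constructed sample it reports the extra virtualMachines/write action, which is exactly the kind of drift that turns a read-only benchmark identity into one that can change resources.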
Assign Application to the Custom Role
Prerequisite
Make sure that the Azure Foundations 1.1.1 Benchmark Role is defined on your Azure account. See section Create the Custom Role to Run the Benchmark.
Procedure
Once the custom role has been created, you need to log in to the Azure portal to perform the application role assignment.
Go to Subscriptions, then:
- Select one subscription.
- Go to Access control (IAM).
- On the right panel, select + Add > Add role assignment, which opens a panel on the right.
- On the newly opened right panel, fill in the form.
- Select the custom role: Azure Foundations 1.1.1 Benchmark Role (custom roles are listed at the end of the list; newly created custom roles may take a while to appear in the list).
- Assign access to User, group, or service principal:
- Select the application you created to run the benchmark.
- Go to the application overview.
- Go to IAM.
- Add role assignment.
- Select the custom role: Azure Foundations 1.1.1 Benchmark Role.
- Click Save to save the changes and close the panel.
Here is an example of how this looks in the Role Assignments table.
Note
Repeat these steps for each subscription in the custom role's assignable scope.
Example
The diagrams illustrate how a customer can define either one application that scopes all of the subscriptions or one application for each subscription.
Note
Customers can also decide how many applications they want to set up and define the scope of each application. The diagrams illustrate two use cases only.
How to Find Azure Parameters in the Azure Console
Procedure
The Azure parameters can be found in the Azure console.
Tenant and Tenant ID: the Tenant ID is the name of your entry in Azure Active Directory in which the app is registered, such as XXX.onmicrosoft.com, or the ID of the directory.
Client ID and User Name: the Client ID is the Application (client) ID created when you registered the app.
Secret and Password: the password you chose while creating the keys of the application in Active Directory.
Which Specific Permission to Get 1.3 Running
Check 1.3 requires special ad hoc permissions. You need to grant Directory.Read.All (Application type) to the application that runs the benchmark.
Prerequisite
Make sure that the application is registered in the Azure Account.
Procedure
You need to log in to the Azure Portal, then:
- Go to App registrations.
- Select the application registered to run the benchmark.
- Select API permissions.
- Add a permission on:
- Azure Active Directory Graph.
- Select Application permissions (Active Directory permissions type in Microsoft Identity Platform).
- Select the Directory.Read.All permission.
- Click Add permissions.
- Click the Grant admin consent for <your tenant> button when it is displayed in bold.
Here is an example of how this looks in the API permissions.
Which Specific Permission to Get 8.x Running
The 8.x checks require special ad hoc permissions. You need to grant the List permission in the Access policies of your Key vault to the application that runs the benchmark.
Prerequisite
Make sure that the application is registered in the Azure Account.
Procedure
You need to log in to the Azure Portal, then:
- Go to Key vaults.
- Select a specific key vault.
- Select Access policies.
- Add an access policy by selecting all List permissions under Key, Secret and Certificate Management, as follows.
Here is an example of how this looks in the Access policies for a specific Key vault.
References
- [1] Scan Credentials
- [2] Install the Azure CLI - https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest
- [3] Tutorial: Create a custom role for Azure resources using Azure CLI - https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-cli
- [4] How to: Use the portal to create an Azure AD application and service principal that can access resources - https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
Appendix A
Azure_Foundations_1.1.1_benchmark_role.json
{
  "properties": {
    "roleName": "Azure Foundations 1.1.1 Benchmark Role",
    "isCustom": true,
    "description": "Perform checks of Azure CIS Foundations 1.1.1 Benchmark.",
    "assignableScopes": [
      "/subscriptions/1546581-1562-152a-xxyx-abcdabcdabcdabcd"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/diskEncryptionSets/read",
          "Microsoft.Compute/locations/publishers/read",
          "Microsoft.Compute/locations/publishers/artifacttypes/types/read",
          "Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/extensions/read",
          "Microsoft.Compute/virtualMachines/instanceView/read",
          "Microsoft.ContainerService/managedClusters/read",
          "Microsoft.DBforMySQL/servers/read",
          "Microsoft.DBforMySQL/servers/*/read",
          "Microsoft.DBforPostgreSQL/servers/read",
          "Microsoft.DBforPostgreSQL/servers/*/read",
          "Microsoft.DBforPostgreSQL/serversv2/*/read",
          "Microsoft.KeyVault/vaults/read",
          "Microsoft.KeyVault/deletedVaults/read",
          "Microsoft.KeyVault/*/read",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/networkSecurityGroups/securityRules/read",
          "Microsoft.Network/networkWatchers/read",
          "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
          "Microsoft.Network/networkWatchers/securityGroupView/action",
          "Microsoft.Resources/subscriptions/*/read",
          "Microsoft.Security/*/read",
          "Microsoft.Sql/servers/read",
          "Microsoft.Sql/servers/administrators/read",
          "Microsoft.Sql/servers/auditingSettings/read",
          "Microsoft.Sql/servers/databases/read",
          "Microsoft.Sql/servers/databases/auditingSettings/read",
          "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
          "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
          "Microsoft.Sql/servers/databases/vulnerabilityAssessments/read",
          "Microsoft.Sql/servers/encryptionProtector/read",
          "Microsoft.Sql/servers/extendedAuditingSettings/read",
          "Microsoft.Sql/servers/firewallRules/read",
          "Microsoft.Sql/servers/securityAlertPolicies/read",
          "Microsoft.Sql/servers/virtualNetworkRules/read",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Storage/storageAccounts/*/read",
          "Microsoft.Web/sites/read",
          "Microsoft.Web/sites/config/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Appendix B
Azure Foundations 1.1.0 Benchmark Role.json
{
  "Name": "Azure Foundations 1.1.0 Benchmark Role",
  "IsCustom": true,
  "Description": "Perform checks of Azure CIS Foundations 1.1.0 Benchmark.",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/diskEncryptionSets/read",
    "Microsoft.Compute/locations/publishers/read",
    "Microsoft.Compute/locations/publishers/artifacttypes/types/read",
    "Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/extensions/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.DBforMySQL/servers/read",
    "Microsoft.DBforMySQL/servers/*/read",
    "Microsoft.DBforPostgreSQL/servers/read",
    "Microsoft.DBforPostgreSQL/servers/*/read",
    "Microsoft.DBforPostgreSQL/serversv2/*/read",
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/deletedVaults/read",
    "Microsoft.KeyVault/*/read",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/securityRules/read",
    "Microsoft.Network/networkWatchers/read",
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
    "Microsoft.Network/networkWatchers/securityGroupView/action",
    "Microsoft.Resources/subscriptions/*/read",
    "Microsoft.Security/*/read",
    "Microsoft.Sql/servers/read",
    "Microsoft.Sql/servers/administrators/read",
    "Microsoft.Sql/servers/auditingSettings/read",
    "Microsoft.Sql/servers/databases/read",
    "Microsoft.Sql/servers/databases/auditingSettings/read",
    "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
    "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
    "Microsoft.Sql/servers/databases/vulnerabilityAssessments/read",
    "Microsoft.Sql/servers/encryptionProtector/read",
    "Microsoft.Sql/servers/extendedAuditingSettings/read",
    "Microsoft.Sql/servers/firewallRules/read",
    "Microsoft.Sql/servers/securityAlertPolicies/read",
    "Microsoft.Sql/servers/virtualNetworkRules/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/*/read",
    "Microsoft.Subscription/SubscriptionDefinitions/read", <<<< Remove this line since it is no longer supported
    "Microsoft.Web/sites/read",
    "Microsoft.Web/sites/config/Read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.