Azure Policy
Managing Security Center at scale using ARM templates and Azure Policy
*** Update: This blog post has been updated with a new ARM template and new Azure Policy definitions which cover the new Security Center bundle pricings. The new ARM template can be found here, the new Azure Policy definitions can be found here ***

Recently we have been receiving several customer questions on how to manage Security Center at scale in a continuous integration (CI) and continuous delivery (CD) scenario, better known as CI/CD. How do you make sure that when a new subscription is instantiated, Security Center is configured correctly and is enabled to monitor new and existing resources? How do you manage hundreds of subscriptions within your organization? How do you enforce your security policies?

This blog post covers two scenarios:
- Configure Security Center using an ARM template to support a CI/CD scenario and management at scale
- Enforce a Security Center configuration within your organization, using Azure Policy

Since both ARM templates and Azure Policy talk to the Resource Manager API in Azure by making a JSON formatted request, you can re-use the deployment section of an ARM template to author an Azure Policy definition. If you are new to ARM templates and are looking for guidance on authoring, go here. In case you want to leverage PowerShell for configuring ASC, go here.

The Security Center ARM Template

Every ARM template consists of these 7 elements (not all of them have to be used): $schema, contentVersion, parameters, variables, functions, resources and outputs. It is the "resources" element that we are interested in, since the ARM template reference for Security Center hasn't been documented yet. We are in the process of publishing it, which will make it easier to find which types and values are allowed and will also provide IntelliSense. I will update this post when that becomes available.
In this blog post I will cover the two most asked questions:
- How can I make sure that Security Center is configured for the Standard pricing tier, which unlocks all the Security Center features?
- How can I enable auto provisioning, which installs the Microsoft Monitoring Agent (MMA) VM extension automatically on new resources?

Please refer to the pricing tier documentation for the difference between the Free and Standard tier.

Set the ASC pricing tier in an ARM template

The new pricing tier API is fast and efficient to use. We are using the Microsoft.Security/pricings type to set our pricing tier. The ARM template can be found here. If you want to deploy this template, make sure you target the subscription instead of a resource group. This is a common mistake, since ASC lives at the subscription level, not at the resource group level. A deployment would look like this (using PowerShell):

New-AzDeployment -Name myAscDeploy -Location <yourLocation> -TemplateFile '<yourTemplateFileAndPathHere>' -Verbose

The template takes the pricing tier as a parameter, so you can flip it from "Free" to "Standard" or the other way around; you will be prompted for this value if you do not pass it. Only those two values are allowed and the check is case sensitive, so "standard" is rejected. You can verify the deployment in the activity log.

Leveraging the ARM template to create an Azure Policy

Now that you have a working ARM template, you can use it to create a deployIfNotExists type of Azure Policy, which lets you remediate resources the policy finds non-compliant. If you are just starting with Azure Policy, I would recommend exploring our documentation for guidance on the different policy definitions. Leveraging the ARM template we just created, you can construct a deployIfNotExists Azure Policy. You first need to create the section that allows you to find the pricingTier field and value (Standard).
For this to work, you need to target your Policy at the right scope (subscriptions or higher), then you define the "effect" (deployIfNotExists) and you set the type to Microsoft.Security/pricings, where the field and value we are looking for live. If the existenceCondition returns false and you want to remediate it, you define a deployment section under the details section of the policy rule; it carries the resources from your template, with the target type and properties. You can find the Azure Policy shown above here.

Having your Azure Policy definition, you can now create and assign your new Azure Policy. Note that you need the appropriate permissions to create a managed identity: a deployIfNotExists assignment runs its deployment as that identity, and the roles listed in roleDefinitionIds are granted to it so the policy can change the Security Center configuration at the subscription level. It takes around 30 minutes for the policy to take effect, as mentioned in the confirmation, and the assignment shows no compliance data until then. After around 30 minutes you will notice a non-compliant assignment. If you click on the assignment, you can explore which resource is non-compliant, and you can click on Create Remediation Task to remediate it.

Automatically create a remediation task

In case you want to use automation, you can leverage the Policy Insights API to create a remediation task. One of the options you have is to invoke the API using PowerShell. The script below shows an example of how to accomplish that. Note that besides the subscriptionId, you need to pass a remediationName and the ID of the policy assignment to remediate. You can find the script to create a remediation task here. If you have successfully executed the script, you should see a corresponding entry in your activity log. Your ASC pricing tier should be changed to Standard, and after a policy refresh cycle your compliance state should be updated to compliant.
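As an added example (not the blog's ARM template or the policy definition linked above), here is a small Python script that does what the text describes: it takes a single-resource ARM template, resolves its parameters with the same case-sensitive allowedValues check Resource Manager applies, and wraps the result into a deployIfNotExists policy rule whose existenceCondition is derived from the properties the template sets. The pricing name "VirtualMachines", the apiVersion, the deployment location and the use of the Contributor role are assumptions of this example, not values taken from the post.

```python
"""Build a deployIfNotExists policy rule from the ARM template it remediates with.
Added example, not the blog's own script."""
import re

# Whole-string ARM parameter reference, e.g. "[parameters('pricingTier')]"
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Constructed template modelled on the pricing-tier template described in the post.
# The pricing name "VirtualMachines" and the apiVersion are assumptions of this example.
PRICING_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "pricingTier": {"type": "string", "allowedValues": ["Free", "Standard"], "defaultValue": "Standard"}
    },
    "resources": [{
        "type": "Microsoft.Security/pricings",
        "apiVersion": "2018-06-01",
        "name": "VirtualMachines",
        "properties": {"pricingTier": "[parameters('pricingTier')]"},
    }],
}

# Contributor role definition, the same ID the App Service policy further down this page uses
CONTRIBUTOR = "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"


def resolve_parameters(template, values):
    """Return a copy of template with every parameter reference replaced by a literal.
    Values come from `values` first, then from the parameter's defaultValue; allowedValues
    is enforced case-sensitively, as Resource Manager does ("standard" is rejected)."""
    params = template.get("parameters", {})

    def resolve(node):
        if isinstance(node, dict):
            return {k: resolve(v) for k, v in node.items()}
        if isinstance(node, list):
            return [resolve(v) for v in node]
        match = PARAM_REF.match(node) if isinstance(node, str) else None
        if not match:
            return node
        name = match.group(1)
        spec = params.get(name)
        if spec is None:
            raise KeyError(f"template references undeclared parameter {name!r}")
        if name in values:
            value = values[name]
        elif "defaultValue" in spec:
            value = spec["defaultValue"]
        else:
            raise KeyError(f"no value supplied for parameter {name!r}")
        if "allowedValues" in spec and value not in spec["allowedValues"]:
            raise ValueError(f"{value!r} is not one of {spec['allowedValues']} for {name!r}")
        return value

    # The parameters section is dropped: the deployment carries literal values only
    return resolve({k: v for k, v in template.items() if k != "parameters"})


def deploy_if_not_exists_rule(template, values, role_definition_ids, location="westeurope"):
    """Wrap a single-resource, subscription-scoped template into a policyRule.
    Every property the template sets becomes an existenceCondition check on the alias
    "<resource type>/<property>", so condition and deployment describe the same state."""
    resolved = resolve_parameters(template, values)
    resources = resolved.get("resources", [])
    if len(resources) != 1:
        raise ValueError("expected exactly one resource in the template")
    res = resources[0]
    checks = [{"field": f"{res['type']}/{prop}", "equals": value}
              for prop, value in res.get("properties", {}).items()]
    if not checks:
        raise ValueError("the resource sets no properties, so there is nothing to check")
    return {
        # Subscription-level resources are evaluated by matching the subscription itself
        "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
        "then": {
            "effect": "deployIfNotExists",
            "details": {
                "type": res["type"],
                "name": res["name"],
                "deploymentScope": "subscription",
                "existenceCondition": checks[0] if len(checks) == 1 else {"allOf": checks},
                "roleDefinitionIds": role_definition_ids,
                "deployment": {
                    "location": location,  # required for subscription-scoped deployments
                    "properties": {"mode": "incremental", "parameters": {}, "template": resolved},
                },
            },
        },
    }


def pricing_policy(tier="Standard"):
    """The pricing-tier rule for one tier, ready to place under "policyRule" in a definition."""
    return deploy_if_not_exists_rule(PRICING_TEMPLATE, {"pricingTier": tier}, [CONTRIBUTOR])
```

Because the condition is generated from the template, the policy checks exactly what remediation would deploy; when you later add another pricing bundle or property, both halves change together. The generated rule goes under "policyRule" in the definition you create, and the assignment's managed identity must be granted the role listed in roleDefinitionIds at subscription scope before a remediation task can succeed.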
Configure Security Center auto provisioning using a custom workspace

The following ARM template enables auto provisioning so that the Microsoft Monitoring Agent VM extension is deployed automatically to newly created virtual machines. You will also configure a custom Log Analytics workspace instead of the default Security Center one. The ARM template for enabling auto provisioning can be found here. Note that you need to pass specific parameter values for configuring the Log Analytics workspace: the workspace name, the resource group of the workspace and the Azure subscription ID where the workspace is created. Deployment of the ARM template is straightforward, as you have seen before while deploying the pricing tier template, and uses the same subscription-targeted New-AzDeployment call.

SSL/TLS connection issue troubleshooting guide
You may experience exceptions or errors when establishing TLS connections with Azure services. The exceptions vary dramatically depending on the client and server types; typical ones include "Could not create SSL/TLS secure channel." and "SSL Handshake Failed". In this article we will discuss common causes of TLS related issues and troubleshooting steps.

Enable HTTPS setting on Azure App service using Azure policy
Use Case: By default, clients can connect to Azure App Service endpoints using both HTTP and HTTPS. However, it is always recommended to redirect HTTP to HTTPS because HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated. In this post we will learn how to enable the HTTPS Only setting on Azure App Service using Azure Policy. Keep in mind that HTTPS Only works by redirecting plaintext requests: a client that starts with http:// still sends its first request unencrypted until it follows the redirect, and the setting does not configure the minimum TLS version, which is a separate App Service setting.

Background: Azure App Service is a fully managed platform as a service (PaaS) offering for developers. It is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. App Service not only adds the power of Microsoft Azure to your application, such as security, load balancing, autoscaling, and automated management; you can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps, GitHub, Docker Hub, and other sources, package management, staging environments, custom domains, and TLS/SSL certificates.

Azure Policy is a service in Azure which helps to enforce organizational standards and to assess compliance. Policy evaluates resources in Azure by comparing the properties of those resources to business rules which are defined in the Policy. These business rules, described in JSON format, are known as policy definitions. To learn more about policy and how to create a policy you can refer to this document. To ensure proper governance, and considering the organization has a requirement to enforce HTTPS on both new and existing App Services within your environment, we are going to achieve this using Azure Policy.

Prerequisites:
- An Azure subscription. If you don't have an Azure subscription, create an Azure free account before you begin.
- The required permissions to create and manage Azure Policy definitions in your subscription. You can refer to the Resource Policy Contributor or Security Admin role.
- Since this policy uses the DeployIfNotExists effect, policy assignments will require a managed identity to perform remediation.
Create a custom policy to Enable HTTPS on App Service:
1. In the Azure portal, select All services > search for Policy > go to Definitions > click + Policy definition.
2. Select the Definition location by clicking on the ellipsis [...] and choose your management group or subscription.
3. Fill the Name field with your policy definition name, like 'Enable HTTPS on App Service', and add the Description.
4. Select an appropriate Category for your policy; you can create a new one or use an existing one like 'App Service'.
5. Add the JSON policy definition below in the Policy Rule section and then click on Save.

DISCLAIMER: The sample policy definition below is not supported under any Microsoft standard support program or service. It is intended to be used in non-production environments only. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, owners of this GitHub repo, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Web/sites" },
        { "field": "kind", "like": "app*" }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Web/sites",
        "name": "[field('name')]",
        "existenceCondition": {
          "field": "Microsoft.Web/sites/httpsOnly",
          "equals": "true"
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "parameters": {
              "webAppName": { "value": "[field('name')]" },
              "location": { "value": "[field('location')]" },
              "kind": { "value": "[field('kind')]" }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "webAppName": { "type": "string" },
                "location": { "type": "string" },
                "kind": { "type": "string" }
              },
              "resources": [
                {
                  "type": "Microsoft.Web/sites",
                  "apiVersion": "2021-02-01",
                  "name": "[parameters('webAppName')]",
                  "location": "[parameters('location')]",
                  "kind": "[parameters('kind')]",
                  "properties": { "httpsOnly": true }
                }
              ]
            }
          }
        }
      }
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [ "DeployIfNotExists", "AuditIfNotExists", "Disabled" ],
      "defaultValue": "DeployIfNotExists"
    }
  }
}

Ensure that roleDefinitionIds grants enough permission to set the HTTPS setting on the resource; the sample uses the Contributor role, but the narrower built-in Website Contributor role is sufficient for Microsoft.Web/sites and is the better least-privilege choice. If the ExistenceCondition evaluates to true, the policy doesn't trigger the deployment; if the condition evaluates to false, the HTTPS deployment happens. Note that the deployment redeploys the site resource with only httpsOnly set, which is more than a single property change needs; the modify effect (an addOrReplace operation on the Microsoft.Web/sites/httpsOnly field) changes just that property without a deployment. Refer to this document to learn more about DeployIfNotExists and ExistenceCondition.

Assign the custom policy: Open the Azure portal, select All services > search for Policy > go to Assignments > select Assign policy.
On the Assign Policy page, set the Scope by selecting the ellipsis and then selecting either a management group or subscription. Optionally, select a resource group. A scope determines what resources or grouping of resources the policy assignment gets enforced on. Then use the Select button at the bottom of the Scope page. Resources can be excluded based on the Scope. Exclusions start at one level lower than the level of the Scope. Exclusions are optional, so leave it blank for now.

Select the Policy definition ellipsis to open the list of available definitions. Search for the custom policy 'Enable HTTPS on App Service' that you created in the previous step and then click on Select. The Assignment name is automatically populated with the policy name you selected, but you can change it. For this example, leave Enable HTTPS on App Service. You can also add an optional Description. The description provides details about this policy assignment. Assigned by will automatically fill based on who is logged in. This field is optional, so custom values can be entered. Leave policy enforcement Enabled. For more information, see Policy assignment - enforcement mode.

Select Next at the bottom of the page or the Parameters tab at the top of the page to move to the next segment of the assignment wizard. If the policy definition selected on the Basics tab included parameters, they are configured on this tab. Since our definition has an effect parameter with the allowed values DeployIfNotExists, AuditIfNotExists and Disabled, DeployIfNotExists is selected by default.

In the Remediation tab, you can see that "Create a Managed Identity" is selected by default because the policy effect is DeployIfNotExists. Policies with the deployIfNotExists and modify effect types need the ability to deploy or modify resources. To do this, choose between an existing user assigned managed identity or creating a system assigned managed identity. This identity will be granted the roles listed in roleDefinitionIds, Contributor in this definition.
For more information, refer to managed identities. To evaluate the existing resources, you can select "Create a remediation task". On the next page, set your desired message in the Non-compliance message field. This custom message is displayed when a resource is denied or for non-compliant resources during regular evaluation. Then click Review + Create. Review the selected options, then select Create at the bottom of the page.

Verify if the policy evaluation triggered: It takes around 30 minutes for the policy assignment to be applied to the defined scope; then the evaluation cycle begins for resources within that scope against the newly assigned policy and, depending on the effects used by the policy or initiative, resources are marked as compliant, non-compliant, or exempt. Every 24 hours there is also a standard compliance evaluation cycle which reevaluates assignments automatically, and you can trigger an on-demand evaluation scan. You're now ready to identify non-compliant resources to understand the compliance state of your environment.

Identify non-compliant resources: Select Compliance on the left side of the page. Then locate the 'Enable HTTPS on App Service' policy assignment you created. If there are any existing App Service resources that don't have HTTPS enabled, they appear under Non-compliant resources. Remember that when a condition is evaluated against your existing App Service resources and HTTPS is not enabled, those resources are marked as non-compliant but no action is taken on them. For this reason, we created a remediation task during the policy assignment. On the left side, click on Remediation, locate the entry with your policy definition name, and you can see that the existing non-compliant resources were remediated successfully. After the remediation run, all the App Services in your environment will be marked as compliant.
Now you can verify that the HTTPS setting is enabled on your App Service: go to your App Service > TLS/SSL settings > HTTPS Only.

Note: This policy enables the HTTPS setting for App Service resources only. You can use the same policy rule for function apps by modifying the kind condition as follows:

{ "field": "kind", "like": "functionapp*" }

This way, we can use Azure Policy to enable the HTTPS setting on Azure App Services. To learn more about Azure Policy, refer to the following documentation: Azure Policy

Implementing Azure Policy using Terraform
Terraform is a tool that helps create infrastructure from configuration files; the infrastructure can later be updated through a change in the execution plan. It can be used as a tool for carrying out continuous deployments of various Azure resources. Azure Policy is a governance service to keep our environments in a consistent shape and exercise control.
Compliance for Exposed Secrets Discovered by DevOps Security in Defender for Cloud

Azure Policy helps enforce organizational standards and assess compliance at scale. You can now create a custom Azure Policy to add DevOps security to your centralized compliance dashboards. This blog walks through creating a custom Azure Policy that leverages the DevOps security recommendations in Defender for Cloud called "Azure DevOps repositories should have secret scanning findings resolved", "GitHub repositories should have secret scanning findings resolved", and "GitLab projects should have secret scanning findings resolved". This policy gives Security and Compliance Teams visibility into discovered secrets found in Azure DevOps, GitHub, and GitLab repositories that have been onboarded to Microsoft Defender for Cloud.

Objectives:
- Create a custom AuditIfNotExists Azure Policy
- Visualize the custom policy in the Compliance view in Azure Policy

Prerequisites:
- A connector provisioned in Defender for Cloud to your Source Code Management System (such as Azure DevOps, GitHub, or GitLab)
- For Azure DevOps: enable secret scanning in GitHub Advanced Security for Azure DevOps
- For GitHub: enable secret scanning in GitHub Advanced Security
- For GitLab: enable secret scanning in GitLab Ultimate

Create a Custom Azure Compliance Policy for Exposed Secrets
1. Navigate to Azure Policy
2. Click Definitions
3. Click + Policy definition
4. For Definition location, choose a subscription or management group
5. For Name, type code repositories should have secret scanning findings resolved
6. Type a Description, such as: DevOps security in Defender for Cloud has found a secret in code repositories. This should be remediated immediately to prevent a security breach.
7. For Category, click Create new, then type DevOps Security
8. For Policy Rule, cut and paste the following JSON:

{
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [ "AuditIfNotExists", "Disabled" ],
      "defaultValue": "AuditIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "field": "type",
      "in": [ "microsoft.security/securityconnectors/devops/azuredevopsorgs/projects/repos" ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Security/assessments",
        "name": "b5ef903f-8655-473b-9784-4f749eeb25c6",
        "existenceCondition": {
          "field": "Microsoft.Security/assessments/status.code",
          "in": [ "NotApplicable", "Healthy" ]
        }
      }
    }
  }
}

Note: The example above is for Azure DevOps. To replicate the same policy for GitHub or GitLab:
- GitHub: change "microsoft.security/securityconnectors/devops/azuredevopsorgs/projects/repos" to "microsoft.security/securityconnectors/devops/githubowners/repos", and change the assessment key name "b5ef903f-8655-473b-9784-4f749eeb25c6" to "dd98425c-1407-40cc-8a2c-da5d0a2f80da"
- GitLab: change "microsoft.security/securityconnectors/devops/azuredevopsorgs/projects/repos" to "microsoft.security/securityconnectors/devops/gitlabgroups/projects", and change the assessment key name "b5ef903f-8655-473b-9784-4f749eeb25c6" to "867001c3-2d01-4db7-b513-5cb97638f23d"

For more information on Azure Policy definition structure, effects, scope, and more, review this documentation. The policy we just created uses the assessment ID for the Defender for Cloud DevOps security recommendation called "Code repositories should have secret scanning findings resolved" to determine whether there are any repositories whose assessment status is neither NotApplicable nor Healthy. If the policy finds an Unhealthy status code, that repository is flagged as non-compliant because a secret was discovered. Because this is an AuditIfNotExists policy, a repository with no such assessment at all (for example one where secret scanning has not been enabled yet) also fails the existence check and shows as non-compliant, so enable scanning on every connected repository before reading the compliance numbers.
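To see how the existenceCondition decides compliance, here is an added Python example (not part of this post or of the App Service post above, and not the engine Azure Policy itself uses) that evaluates both the HTTPS Only rule from the App Service post and the secret-scanning rule above against a constructed inventory. It implements only the operators those two rules use (allOf, equals, in, like), with Azure Policy's case-insensitive string comparison and single-`*` wildcard. The inventory, the "children" list that stands in for the assessment sub-resource, and the site and repository names are all constructed for the example.

```python
"""Offline evaluator for the *IfNotExists rules on this page (added example).
The `if` block selects resources; the existenceCondition is then checked against
the related resource named in `details`. Only the operators the two rules use exist here."""


def _normalize(value):
    """Policy compares strings case-insensitively and booleans as "true"/"false"."""
    if value is None:
        return None
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).lower()


def _get_field(resource, field):
    """Resolve "type"/"kind"/... or an alias such as "Microsoft.Web/sites/httpsOnly"."""
    if field in ("type", "kind", "name", "location", "id"):
        return resource.get(field)
    # Simplification: the alias tail after the last '/' is a dotted path into properties
    node = resource.get("properties", {})
    for part in field.rsplit("/", 1)[-1].split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def _like(value, pattern):
    """The like operator supports a single '*' matching any run of characters."""
    head, star, tail = pattern.partition("*")
    if not star:
        return value == pattern
    return len(value) >= len(head) + len(tail) and value.startswith(head) and value.endswith(tail)


def evaluate_condition(cond, resource):
    """Evaluate an `if` or existenceCondition block against one resource."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    value = _normalize(_get_field(resource, cond["field"]))
    if value is None:
        return False  # a missing field satisfies none of equals/in/like
    if "equals" in cond:
        return value == _normalize(cond["equals"])
    if "in" in cond:
        return value in {_normalize(v) for v in cond["in"]}
    if "like" in cond:
        return _like(value, _normalize(cond["like"]))
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(rule, resources):
    """Return {name: "Compliant" | "NonCompliant"} for each resource the rule selects.
    The related resource is the resource itself when details.type is its own type (HTTPS rule),
    otherwise a child of that type and name (assessment rule). No related resource means the
    condition fails, so a never-scanned repository is non-compliant rather than unknown."""
    details = rule["then"]["details"]
    results = {}
    for res in resources:
        if not evaluate_condition(rule["if"], res):
            continue  # out of scope: no compliance record at all
        if details["type"].lower() == res["type"].lower():
            related = [res]
        else:
            related = [c for c in res.get("children", [])
                       if c["type"].lower() == details["type"].lower()
                       and c["name"].lower() == details["name"].lower()]
        satisfied = any(evaluate_condition(details["existenceCondition"], r) for r in related)
        results[res["name"]] = "Compliant" if satisfied else "NonCompliant"
    return results


# Rules copied from this page, trimmed to the parts evaluation needs
HTTPS_RULE = {
    "if": {"allOf": [{"field": "type", "equals": "Microsoft.Web/sites"},
                     {"field": "kind", "like": "app*"}]},
    "then": {"effect": "DeployIfNotExists", "details": {
        "type": "Microsoft.Web/sites", "name": "[field('name')]",
        "existenceCondition": {"field": "Microsoft.Web/sites/httpsOnly", "equals": "true"}}},
}
REPO_TYPE = "microsoft.security/securityconnectors/devops/azuredevopsorgs/projects/repos"
ASSESSMENT = "b5ef903f-8655-473b-9784-4f749eeb25c6"
SECRETS_RULE = {
    "if": {"field": "type", "in": [REPO_TYPE]},
    "then": {"effect": "AuditIfNotExists", "details": {
        "type": "Microsoft.Security/assessments", "name": ASSESSMENT,
        "existenceCondition": {"field": "Microsoft.Security/assessments/status.code",
                               "in": ["NotApplicable", "Healthy"]}}},
}


def _repo(name, status):
    """Constructed repo resource; its secret-scanning assessment is modelled as a child."""
    kids = [] if status is None else [{"type": "Microsoft.Security/assessments", "name": ASSESSMENT,
                                       "properties": {"status": {"code": status}}}]
    return {"type": REPO_TYPE, "name": name, "children": kids}


# Constructed sample inventory, not real resources
SITES = [
    {"type": "Microsoft.Web/sites", "name": "web-a", "kind": "app", "properties": {"httpsOnly": True}},
    {"type": "Microsoft.Web/sites", "name": "web-b", "kind": "app,linux", "properties": {"httpsOnly": False}},
    {"type": "Microsoft.Web/sites", "name": "fn-c", "kind": "functionapp", "properties": {"httpsOnly": False}},
]
REPOS = [_repo("repo-clean", "Healthy"), _repo("repo-leak", "Unhealthy"), _repo("repo-unscanned", None)]
```

Running evaluate_policy(HTTPS_RULE, SITES) reports web-a compliant and web-b non-compliant, while fn-c (kind functionapp) does not appear at all because the `if` block never selects it; evaluate_policy(SECRETS_RULE, REPOS) reports repo-clean compliant and both repo-leak and repo-unscanned non-compliant, which is the behaviour to expect from the real assignment as well.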
9. Click Save
10. Navigate to Azure Policy
11. Click Assignments
12. Click Assign Policy
13. For Scope, choose the subscription that has your connector or a top-level management group
14. For Policy definition, choose code repositories should have secret scanning findings resolved
15. Click Review + create
16. Click Create
17. Click Compliance
18. Find the policy and click on it to view details

The custom policy gives you reporting capabilities on both compliant and non-compliant repositories in the Policy Compliance details.

Conclusion

To review, we've walked through setting up a custom Azure Policy to audit repositories against a Defender for Cloud assessment that finds exposed secrets. We assigned the policy to a subscription and visualized the results in Azure Policy's centralized Compliance view. This helps Compliance Managers, Security Operators, and Governance Teams identify non-compliant repositories across connected DevOps environments. You can then use Azure Policy reporting on these discovered secrets to implement governance for resource consistency, regulatory compliance, security, and management.

Additional Resources
- To learn more about DevOps security, read this documentation
- Download (free) a special Appendix about DevOps security from the latest Microsoft Defender for Cloud book published by Microsoft Press
- To learn how to onboard your Source Code Management System to Defender for Cloud, read this documentation for GitHub and this documentation for Azure DevOps
- To learn more about the Microsoft Security DevOps (MSDO) tools, read this documentation for GitHub and this documentation for Azure DevOps

ASC Security Policies & Compliance Wording
Hi all, I have some questions I don't find clear answers to in the documentation, so I hope you may share your insights here. First, I don't see how the regulatory compliance impacts the secure score? Some of them are in the recommendations, some of them are not. Second, what's actually the difference between the Azure CIS 1.1.0 and the Azure Benchmark? And how are they connected with Azure Policy? Additionally, I thought the ASC recommendations are based on Azure Policy, but then I read also that they are based on Benchmarks? 4th thing: Is it possible to e.g. set up one of the policies from ASC Default in that way that it only monitors it for a specific resource group? Let's say I want that one of the ASC default policies regarding VM security (e.g. Disk encryption on VMs) only monitors a specific resource group. How can I handle that? I tried to add custom initiatives with a defined scope for a specific resource but then there are no recommendations. Thank you in advance