Infrastructure as code (IaC) is a core component of many modern DevOps adoptions. It allows organizations to automate the deployment, scaling, and management of infrastructure using machine-readable template files.
It eliminates manual deployment and configuration, as well as the need for ad-hoc imperative scripts to automate infrastructure changes. Instead, it allows infrastructure to be managed using the same processes as any other code (source control, continuous integration, continuous deployment).
In this series, I’ll introduce three FREE tools that you can use to integrate security assessment into both the development and CICD stages of your Azure IaC template implementation. The tools I’ll introduce cover the two most popular templating formats for Azure – ARM templates and Terraform.
The first tool I’ll start with is the Secure DevOps Kit for Azure (AzSK). It is a set of tools created by the Core Services Engineering & Operations (CSEO) division at Microsoft to help Microsoft teams accelerate internal adoption of Azure. One of the tools released as part of this toolkit is the ARM Template Checker.
What is the ARM Template Checker?
It is a tool that can be used to assess the security health of our Azure IaC templates. It currently supports 42 Azure resource types, which may not sound like a lot considering the current count of Azure resource types; however, this covers the most used resource types such as vNet, VM, Service Bus, CDN and Data Factory (I’ll show you how to get a list of supported resource types later in this post).
So which security checks can it run for the supported resource types?
- The list of the checks can be found here
What template formats can the tool assess?
- Azure ARM templates only
Using the AzSK ARM Template Checker Tool in the development stage
The value of this use case is for IaC template authors and contributors to be able to assess the security compliance of their contributions ad-hoc.
1. First, we need to install the Secure DevOps Kit PowerShell module
Install-Module AzSK -AllowClobber
Install-Module AzSK -AllowClobber -Force -SkipPublisherCheck
We can use the -AllowClobber switch and the -Force option to override existing installations
2. Now, after installing the kit, it is recommended to configure auto-update.
- The reason for this is that as the Azure platform evolves, with new features added to services, the “Secure DevOps Kit” also evolves, with new security rules being added. The recommendation is to always run the latest DevOps kit module.
- The best way to do this is to enable auto-update:
Set-AzSKPolicySettings -AutoUpdate On
3. To test, I’ll download an Azure ARM template that I’ve deliberately designed to be vulnerable from my GitHub repo (you can also download it for testing):
Invoke-WebRequest -Uri https://raw.githubusercontent.com/davidokeyode/vulnerable-by-design-azure/master/arm/scenario-one/azuredeploy.json -OutFile azuredeploy.json
4. I can perform ad-hoc scans after I’ve finished authoring or modifying a template to ensure that I’ve not introduced a security misconfiguration into the template:
Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath <Path to ARM Template>
Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath .\azuredeploy.json
5. What if we want to scan multiple ARM templates? We can pass the “-ARMTemplatePath” parameter a folder path that contains multiple templates:
Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath <Path to ARM Template Folder>
6. To send the security assessment results to a Log Analytics workspace:
- We first need to create a Log Analytics workspace in Azure, obtain the workspace ID and key, and specify them in the command below:
Set-AzSKMonitoringSettings -WorkspaceId <workspace_ID> -SharedKey <workspace_KEY>
- The workspace ID and key can be obtained from Workspace -> Settings -> Agents Management
Using the AzSK ARM Template Checker Tool in the CICD stage
The value of this use case is continuous security validation of Azure ARM templates. This is useful for code review processes.
1. First, we need to install the Secure DevOps Kit Azure DevOps extension
- This extension can also be installed on Azure DevOps on-premises instances
2. Validate installation
- Azure DevOps -> Organization Settings -> Extensions
- The installation adds two new tasks that we can use for security assessment to our pipelines
- AzSK Security Verification Tests
- AzSK ARM Template Checker
3. We can then use the task in our pipelines to assess ARM templates:
- Azure DevOps -> Release Pipeline -> Edit -> Add Task -> Search for “AzSK” -> AzSK ARM Template Checker
- Position the task above the deployment task (if it is a release pipeline)
- The main option to fill in is the “ARM template file path or folder path” option, where we specify the path to the template that we want to assess or the path to a folder that contains multiple templates
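The following PowerShell script is an added example, not code from the original post or from the AzSK project. It ties the development-stage steps above (install, auto-update, download, scan, optional Log Analytics export) into one function that can be run ad-hoc by a template author or called from a PowerShell step in a pipeline as an alternative to the marketplace task. The function names and the AZSK_WORKSPACE_ID / AZSK_WORKSPACE_KEY environment variable names are my own constructions; the cmdlets and parameters are the ones shown in the post.

```powershell
<#
  Added example (not from the original post or the AzSK project).
  Assumptions: the sample template URL is the one from the post; the
  AZSK_WORKSPACE_ID and AZSK_WORKSPACE_KEY environment variables are names
  chosen here (not an AzSK convention) so that the workspace shared key is
  never hard-coded in a script that ends up in source control.
#>

function Install-AzSKIfMissing {
    # Install only when the module is absent; auto-update keeps it current afterwards
    if (-not (Get-Module -ListAvailable -Name AzSK)) {
        Install-Module AzSK -AllowClobber -Force -SkipPublisherCheck -Scope CurrentUser
    }
    Import-Module AzSK
    # New security rules ship with new module versions, so always run the latest
    Set-AzSKPolicySettings -AutoUpdate On
}

function Invoke-ArmTemplateSecurityScan {
    param(
        # A single ARM template file or a folder containing several templates
        [Parameter(Mandatory)] [string] $TemplatePath
    )
    if (-not (Test-Path $TemplatePath)) {
        throw "Template path '$TemplatePath' does not exist"
    }

    # Optional: ship results to a Log Analytics workspace. The shared key is
    # read from the environment rather than typed into the script.
    if ($env:AZSK_WORKSPACE_ID -and $env:AZSK_WORKSPACE_KEY) {
        Set-AzSKMonitoringSettings -WorkspaceId $env:AZSK_WORKSPACE_ID -SharedKey $env:AZSK_WORKSPACE_KEY
    }

    # Same cmdlet for a file or a folder path (see steps 4 and 5 above)
    Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath $TemplatePath
}

# Usage: fetch the deliberately vulnerable sample from the post and scan it
Install-AzSKIfMissing
$sample = Join-Path $PWD 'azuredeploy.json'
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/davidokeyode/vulnerable-by-design-azure/master/arm/scenario-one/azuredeploy.json' -OutFile $sample
Invoke-ArmTemplateSecurityScan -TemplatePath $sample

# In a pipeline, point the function at the checked-out templates folder instead:
#   Invoke-ArmTemplateSecurityScan -TemplatePath "$env:BUILD_SOURCESDIRECTORY\arm"
```

Running this locally gives the same result as steps 1 to 6; running it from a pipeline PowerShell task with the workspace variables set as secret pipeline variables gives the CICD behaviour described in this section while keeping the Log Analytics key out of the repository.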