Infrastructure as code (IaC) is a core component of most modern DevOps adoptions. It allows organizations to automate the deployment, scaling, and management of infrastructure using machine-readable template files.

It eliminates manual deployment and configuration, as well as the need for ad-hoc imperative scripts to automate infrastructure changes. Instead, infrastructure is managed with the same processes as any other code: source control, continuous integration, and continuous deployment.

In this series, I’ll be introducing three FREE tools that you can use to integrate security assessment into both the development and CICD stages of your Azure IaC template implementation. The tools I’ll introduce cover the two most popular templating formats for Azure: ARM templates and Terraform.

The first tool I’ll start with is the Secure DevOps Kit for Azure (AzSK). It is a set of tools created by the Core Services Engineering & Operations (CSEO) division at Microsoft to help Microsoft teams accelerate internal adoption of Azure. One of the tools released as part of this toolkit is the ARM Template Checker.

What is the ARM Template Checker?

It is a tool that can be used to assess the security health of our Azure IaC templates. It currently supports 42 Azure resource types, which may not sound like a lot given the total number of Azure resource types; however, it covers the most used ones such as vNet, VM, Service Bus, CDN and Data Factory (I’ll show you how to get a list of supported resource types later in this post).

So what security checks can it assess for the supported resource types?

What template formats can the tool assess?
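To make concrete what a static template check actually does, here is an added example of my own; it is not AzSK code and not AzSK’s control set. It runs two checks of the kind a template checker performs, a storage account that must require HTTPS and an NSG rule that must not open SSH or RDP to the internet, over a constructed, deliberately misconfigured template and its hardened counterpart. The control ids, both sample templates and the Failed/Verify statuses are assumptions made for this illustration; the real tool’s output format and control names are not shown here.

```python
"""Illustrative static checks over an ARM template (added example, not AzSK code).

The control ids, the two checks and both sample templates below are invented
for illustration; they are not AzSK controls or the page's test template.
"""
import json
from dataclasses import dataclass
from typing import Iterator

OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}   # NSG sources meaning "from anywhere"
MGMT_PORTS = {22, 3389}                         # SSH and RDP


@dataclass
class Finding:
    control: str    # illustrative id, not an AzSK control id
    resource: str
    status: str     # "Failed": misconfigured; "Verify": value is an unresolved ARM expression
    message: str


def walk_resources(resources) -> Iterator[dict]:
    """Yield every resource in the template, including nested child resources."""
    for res in resources or []:
        yield res
        yield from walk_resources(res.get("resources"))


def is_expression(value) -> bool:
    """ARM expressions such as "[parameters('x')]" cannot be evaluated statically here."""
    return isinstance(value, str) and value.startswith("[")


def port_in_spec(port: int, spec: str) -> bool:
    """True if `port` falls inside an NSG port spec: "*", "3389" or "3000-4000"."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def check_storage(res: dict) -> Iterator[Finding]:
    """Storage accounts must require HTTPS; anything but an explicit true is reported."""
    value = res.get("properties", {}).get("supportsHttpsTrafficOnly")
    if value is True:
        return
    status = "Verify" if is_expression(value) else "Failed"
    yield Finding("EX_Storage_Https_Only", res["name"], status,
                  f"supportsHttpsTrafficOnly is {value!r}, expected true")


def check_nsg(res: dict) -> Iterator[Finding]:
    """Flag inbound Allow rules that open a management port to the whole internet."""
    for rule in res.get("properties", {}).get("securityRules", []):
        p = rule.get("properties", {})
        if p.get("access") != "Allow" or p.get("direction") != "Inbound":
            continue
        sources = [p.get("sourceAddressPrefix")] + list(p.get("sourceAddressPrefixes", []))
        if not any(isinstance(s, str) and s.lower() in OPEN_SOURCES for s in sources):
            continue
        dests = [d for d in [p.get("destinationPortRange")] + list(p.get("destinationPortRanges", [])) if d]
        name = f"{res['name']}/{rule.get('name')}"
        if any(is_expression(d) for d in dests):
            yield Finding("EX_NSG_No_Mgmt_From_Internet", name, "Verify",
                          "destination port is an ARM expression; resolve it before trusting it")
        elif any(port_in_spec(port, d) for port in MGMT_PORTS for d in dests):
            yield Finding("EX_NSG_No_Mgmt_From_Internet", name, "Failed",
                          f"inbound Allow from {sources} to ports {dests} exposes SSH/RDP")


CHECKS = {
    "microsoft.storage/storageaccounts": check_storage,
    "microsoft.network/networksecuritygroups": check_nsg,
}


def assess(template: dict) -> list:
    """Run every applicable check over every resource in the template."""
    findings = []
    for res in walk_resources(template.get("resources")):
        check = CHECKS.get(str(res.get("type", "")).lower())
        if check:
            findings.extend(check(res))
    return findings


# Constructed sample, deliberately misconfigured (not the page's vulnerable-by-design template).
VULNERABLE_TEMPLATE = json.loads(r'''{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {"httpsOnly": {"type": "bool", "defaultValue": false}},
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01", "name": "vulnstorage",
     "properties": {"supportsHttpsTrafficOnly": false}},
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01", "name": "paramstorage",
     "properties": {"supportsHttpsTrafficOnly": "[parameters('httpsOnly')]"}},
    {"type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2019-11-01", "name": "vuln-nsg",
     "properties": {"securityRules": [
       {"name": "allow-rdp-anywhere", "properties": {"access": "Allow", "direction": "Inbound",
        "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}}]}}
  ]}''')

# Constructed hardened counterpart: HTTPS enforced, RDP limited to a private range, 443 still open.
HARDENED_TEMPLATE = json.loads(r'''{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01", "name": "safestorage",
     "properties": {"supportsHttpsTrafficOnly": true}},
    {"type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2019-11-01", "name": "safe-nsg",
     "properties": {"securityRules": [
       {"name": "allow-rdp-from-corp", "properties": {"access": "Allow", "direction": "Inbound",
        "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "3389"}},
       {"name": "allow-https-anywhere", "properties": {"access": "Allow", "direction": "Inbound",
        "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}}]}}
  ]}''')

if __name__ == "__main__":
    for f in assess(VULNERABLE_TEMPLATE):
        print(f"{f.status:6} {f.control:28} {f.resource}: {f.message}")
    print("hardened template findings:", len(assess(HARDENED_TEMPLATE)))
```

The “Verify” status is the part worth copying into any checker you write: a value that is an unresolved `[parameters()]` expression is neither a pass nor a fail until the parameter file (or default) is taken into account, and a checker that silently passes it will miss exactly the misconfigurations that are injected at deployment time.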

Using the AzSK ARM Template Checker Tool in the development stage

The value of this use case is for IaC template authors and contributors to be able to assess the security compliance of their contributions ad hoc, before the templates reach a pipeline.

1. First, we need to install the Secure DevOps Kit PowerShell module:

Install-Module AzSK -AllowClobber

Install-Module AzSK -AllowClobber -Force -SkipPublisherCheck

The -AllowClobber switch lets the module install commands whose names clash with commands already on the machine, and -Force lets the installation proceed over an existing copy without prompting. Be deliberate about -SkipPublisherCheck: it bypasses the check that a newer version is signed by the same publisher as the version already installed, so only use it when you have verified where the package is coming from.

2. After installing the kit, it is recommended to configure auto-update:

Set-AzSKPolicySettings -AutoUpdate On

3. To test, I’ll download an Azure ARM template that I’ve deliberately designed to be vulnerable from my GitHub repo (you can also download it for testing):

Invoke-WebRequest -Uri https://raw.githubusercontent.com/davidokeyode/vulnerable-by-design-azure/master/arm/scenario-one/azuredeploy.json -OutFile azuredeploy.json

4. I can perform ad hoc scans after I’ve finished authoring or modifying a template to ensure that I’ve not introduced a security misconfiguration into the template:

Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath <Path to ARM Template>

Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath .\azuredeploy.json

5. What if we want to scan multiple ARM templates? The same -ARMTemplatePath parameter accepts a folder path containing multiple templates:

Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath <Path to ARM Template Folder>

6. To send the security assessment results to a Log Analytics workspace, configure the workspace ID and shared key. The shared key grants write access to the workspace, so treat it as a secret and keep it out of source control:

Set-AzSKMonitoringSettings -WorkspaceId <workspace_ID> -SharedKey <workspace_KEY>

Using the AzSK ARM Template Checker Tool in the CICD stage

The value of this use case is continuous security validation of Azure ARM templates on every change. This is useful for code review processes, since a pull request can be checked before a reviewer looks at it.

1. First, we need to install the Secure DevOps Kit Azure DevOps extension.

2. Validate the installation.

3. We can then use the task in our pipelines to assess ARM templates.
