Infrastructure as Code Security for Azure (Part 2) – ARM Template Test Toolkit (ARM-TTK)

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

In the first post of this series, I covered how to use the ARM Template Checker tool (part of the Secure DevOps Kit for Azure) to assess the security of Azure ARM templates in development and CICD stages of Azure IaC implementation.

In this second post, I’ll be showing you how to use another FREE tool by Microsoft called the ARM Template Test Toolkit (ARM-TTK) to assess the security of Azure IaC templates.

In the third post, I’ll show you how to use a FREE third party tool called Checkov to achieve the same thing but with support for more templating formats beyound ARM.

What is the ARM-TTK?

Unlike the ARM template checker of the Secure DevOps kit, this tool is less focused on security. Its main focus is on template compliance with recommended practices but as we’ll see, the recommended best practices also includes security assessments even though that’s not the focus of the tool.

If you’re familiar with the Azure Quick start templates repo on GitHub, this is the tool that Microsoft uses to continuously validate the compliance and security of those templates. The Microsoft Azure marketplace team also uses this tool to validate all Azure marketplace templates before they are published.

So what security checks can it assess by default?

  • The list of the checks can be found here
  • It currently supports assessment for 24 test cases. Here are some of the security related checks included:
  • Secure parameters can’t have hardcoded default
    • When authoring or modifying ARM templates, we use the SecureString or SecureObject parameter type to define parameters that contain sensitive values, like passwords or API keys. The main reason for this is so that the supplied value will not be logged or stored in the deployment history which could be discovered by an attacker in a credential hunt scenario
    • However, a template author that may not understand this may go ahead and supply the value as a default which defeats the benefit of using this parameter type
    • This assessment will check for these sort of hardcoded defaults and flag them
  • Use recent API version
    • To ensure that we’re not using a resource provider API version that is older than 2 years
  • Use latest VM images
    • This check ensure that if the template includes a virtual machine with an image, it is using the latest version of the image and not a legacy version that could have vulnerabilities
    • For example, the template snippet below will pass this test. Any version other than the latest version will fail the test
  • Outputs can’t include secrets
    • Another security mistake that could be made by template authors or contributors is to include sensitive values like passwords, API and access keys as template outputs
    • Anything specified as a template output is stored in the deployment history which an attacker could look to exploit
    • You can read more about this here
  • Don’t use ManagedIdentity extension
    • The managed identity extension is a legacy method of implementing managed identity in Azure.
    • The security risk here is that this method stores the credentials used to request tokens on the VM. An attacker who successfully breaches the virtual machine can exfiltrate the credentials.
    • You can read more about this here

What template formats can the tool assess?

  • Azure ARM templates only

Using the ARM-TTK in the development stage

The value of this use case is for IaC template authors and contributors to be able to assess the security compliance of their contributions ad-hoc

1. Download test toolkit

As the module is not yet in the PowerShell Gallery, we need to download it from the Github Repository and import the module into our PowerShell session.

Invoke-WebRequest -Uri https://aka.ms/arm-ttk-latest -OutFile arm-ttk-latest.zip

Expand-Archive -LiteralPath 'arm-ttk-latest.zip'

cd .\arm-ttk-latest\arm-ttk\

2. Import the module into your PowerShell session

Set-ExecutionPolicy Unrestricted

Import-Module .\arm-ttk.psd1

3. Assess ARM templates ad-hoc

  • To run the tests in PowerShell, use the following command:

Test-AzTemplate -TemplatePath <template_path>

Test-AzTemplate -TemplatePath C:\Users\azureadmin\Downloads\templates\azuredeploy.json

4. Assessing multiple templates ad-hoc

Test-AzTemplate -TemplatePath <template_folder_path>

When you provide the -TemplatePath parameter, the toolkit looks in that folder for a template named azuredeploy.json or maintemplate.json.

5. Interpreting results

  • Tests that PASS are displayed in GREEN and prefaced with [+]
  • Tests that FAIL are displayed in RED and prefaced with [-]

6. Can we add our own custom tests? YES!!

  • For ARM templates, the toolkit runs all of the tests in the folder \arm-ttk\testcases\deploymentTemplate.
    • If you want to permanently remove a test, delete that file from the folder.
  • For CreateUiDefinition files, it runs all of the tests in the folder \arm-ttk\testcases\CreateUiDefinition.
  • To add your own test, create a file with the naming convention: Your-Custom-Test-Name.test.ps1.
    E.g. Service-Bus-Key-Must-Not-Be-Referenced.test.ps1
  • https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#customize-tests
  • So this way, we can write our own unit tests

7. Selecting individual tests to run

  • BY DEFAULT, ALL TESTS ARE EXECUTED
  • However, not every test is appropriate or applies to every scenario. ARM-TTK allows for individual selection of tests.
  • To specify individual tests to run, we can use the “Test” parameter and provide the name of the test to run.

Test-AzTemplate -TemplatePath $TemplateFolder -Test "<Name of Test to Run>"

For example:

Test-AzTemplate -TemplatePath $TemplateFolder -Test "Resources Should Have Location"

  • For the list of test names, please refer to this document (the names are listed as “Test Name”)

Using the ARM-TTK in the CICD stage

The value of this use case is for continuous security validation of Azure ARM templates. This is useful for code review processes.

1. First, we need to install the ARM Test Toolkit Azure DevOps extension

2. Validate installation:

  • Azure DevOps -> Organization Settings -> Extensions
  • The installation adds a new task that we can use for security assessment to our pipelines
    • Run ARM TTK Test

The installation adds a new task that we can use for security assessment to our pipelines

  • Run ARM TTK Test

3. We can then use the task in our pipelines

  • Azure DevOps -> Release Pipeline -> Edit -> Add Task -> Search for “ttk” -> Run ARM TTK Test
  • Position task above the deployment task
  • The main options to fill are the following:
    • Template folder or template path” option where we specify the path to the template that we want to assess or the path to a folder that contains multiple templates
    • Results location option to specify the location to publish the test results (this location will be needed if we decide to publish the test results to the pipeline for clearer feedback. See step 4 for this)
    • We can also use the “Tests to include” and/or “Tests to skip” options to include or skip specific tests. The test names can be found here

4. We can also publish the test results to our pipelines

  • We can use the “Publish Test Results” task
    • Azure DevOps -> Release Pipeline -> Edit -> Add Task -> Search for “Publish Test Result” -> Publish Test Result
  • Position below the “Run ARM TTK Test” task
  • The main options to fill are the following:
    • Position below the “Run ARM TTK Test” task
    • Test Result Format: Nunit
    • Test results files: Specify the path that you published the result to in the “Run Azure RM TTK Tests
      • For example: $(System.DefaultWorkingDirectory)\results\*-armttk.xml
    • Control Options -> Run this task: Even if a previous task has failed, unless the deployment was cancelled
      • This is needed to ensure that the test results are published regardless of whether the tests passed or failed
  • SAVE the pipeline and run it

5. Sample result

Subscribe To Our Newsletter

Get updates and learn from the best

More To Explore

Uncategorized

New Azure Container Instance Vulnerability — What to do?

Just yesterday, Microsoft disclosed a new (and yet to be clarified) Azure Container Instance vulnerability — https://msrc-blog.microsoft.com/2021/09/08/coordinated-disclosure-of-vulnerability-in-azure-container-instances-service/. From the information shared in the disclosure, it seems

Protecting against #ChaosDB

Cloud security researchers @sagitz and @nirohfeld who both work at Wiz recently discovered what I think is a major vulnerability that exploits the recent CosmosDB Jupyter notebook feature to

Do You Want To Boost Your Business?

drop us a line and keep in touch