Author: zigmax

Azure Security Benchmark (v3)

Hi!

At Ignite November 2021, Microsoft released a new version of the Azure Security Benchmark (v3).

The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. This benchmark is part of a set of holistic security guidance that also includes:

The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).

Here’s what’s new in the Azure Security Benchmark v3:

  • Mappings to the industry frameworks PCI-DSS v3.2.1 and CIS Controls v8 are added in addition to the existing mappings to CIS Controls v7.1 and NIST SP800-53 Rev4.
  • The control guidance is refined to be more granular and actionable. For example, security guidance is now divided into two separate parts, Security Principle and Azure Guidance. Security Principle is the "what", explaining the control at a technology-agnostic level; Azure Guidance is focused on the "how", elaborating on the relevant technical features and ways to implement the controls in Azure.
  • New controls are added, e.g., DevOps Security as a new control family, which also covers topics such as threat modeling and software supply chain security. Key and certificate management was introduced to recommend key and certificate management best practices in Azure.

You can download the Azure Security Benchmark in spreadsheet format.

Maxime.

New alerts for Microsoft Defender for Kubernetes

Hi!

To expand the threat protections provided by Microsoft Defender for Kubernetes, we’ve added two preview alerts.

Alert: Anomalous pod deployment (Preview)
Alert type: K8S_AnomalousPodDeployment
Description: Kubernetes audit log analysis detected a pod deployment that is anomalous based on previous pod deployment activity. The activity is considered an anomaly when taking into account how the different features seen in the deployment operation relate to one another. The features monitored by this analytic include the container image registry used, the account performing the deployment, the day of the week, how often this account performs pod deployments, the user agent used in the operation, whether this is a namespace in which pod deployments occur often, and other features. The top contributing reasons for raising this alert as anomalous activity are detailed under the alert's extended properties.
MITRE tactic: Execution
Severity: Medium

Alert: Excessive role permissions assigned in Kubernetes cluster (Preview)
Alert type: K8S_ServiceAcountPermissionAnomaly
Description: Analysis of the Kubernetes audit logs detected a role assignment with excessive permissions in your cluster. From examining role assignments, the listed permissions are uncommon for the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, the volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Azure Defender.
MITRE tactic: Privilege Escalation
Severity: Low

For a full list of the Kubernetes alerts, see Alerts for Kubernetes clusters.
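To make the first alert's logic concrete, here is a small added illustration (my own toy, not Defender's detection code) of feature-based baselining over Kubernetes audit events: it projects each pod-creation event onto the features the alert text lists, builds a baseline from historical events, and reports which features of a new event were never seen, in the role of the alert's "top contributing reasons". The audit events are constructed samples carrying only the fields the example needs, and unlike the real model it treats features independently rather than in relation to one another.

```python
"""Toy re-implementation of the feature baselining described for the
'Anomalous pod deployment' alert. Illustration only; not Defender's code."""
from collections import Counter
from datetime import datetime

# Constructed historical pod-creation audit events (the baseline):
# one CI service account, one private registry, kubectl, weekdays Mon..Wed.
BASELINE = [
    {"user": "system:serviceaccount:ci:deployer", "namespace": "prod",
     "image": "myacr.azurecr.io/web:1.%d" % i, "userAgent": "kubectl/v1.22",
     "ts": "2021-11-%02dT09:00:00Z" % (1 + i)} for i in range(10)
]
# Constructed new event that deviates on several features at once.
CANDIDATE = {"user": "alice", "namespace": "kube-system",
             "image": "docker.io/library/alpine:latest",
             "userAgent": "python-requests/2.26", "ts": "2021-11-14T03:10:00Z"}

def registry(image):
    """Registry host of an image reference; bare names resolve to Docker Hub."""
    head, sep, _ = image.partition("/")
    if sep and ("." in head or ":" in head or head == "localhost"):
        return head
    return "docker.io"

def features(event):
    """Project an audit event onto the features named in the alert text."""
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"registry": registry(event["image"]), "user": event["user"],
            "weekday": ts.strftime("%a"), "userAgent": event["userAgent"],
            "namespace": event["namespace"]}

def build_baseline(events):
    """Per-feature frequency tables learned from historical deployments."""
    tables = {}
    for ev in events:
        for name, value in features(ev).items():
            tables.setdefault(name, Counter())[value] += 1
    return tables

def score(event, tables, threshold=3):
    """Return (is_anomalous, reasons): flag when at least `threshold`
    feature values were never observed in the baseline."""
    reasons = [f"{name}={value} never seen in baseline"
               for name, value in features(event).items()
               if tables[name][value] == 0]
    return len(reasons) >= threshold, reasons

if __name__ == "__main__":
    print(score(CANDIDATE, build_baseline(BASELINE)))
```

The candidate is flagged on four features (registry, user, user agent, namespace) while its Sunday timestamp is not, because the baseline already covers every weekday.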

Maxime.

Azure Container Apps

Hi!

At Ignite November 2021, Microsoft released Azure Container Apps as a public preview. Azure Container Apps manages the details of Kubernetes and container orchestrations for you. Containers in Azure Container Apps can use any runtime, programming language, or development stack of your choice.

Azure Container Apps: Containers

Azure Container Apps supports:

  • Any Linux-based container image
  • Containers from any public or private container registry

Azure Container Apps enables you to run microservices and containerized applications on a serverless platform. Common uses of Azure Container Apps include:

  • Deploying API endpoints
  • Hosting background processing applications
  • Handling event-driven processing
  • Running microservices

Applications built on Azure Container Apps can dynamically scale based on the following characteristics:

  • HTTP traffic
  • Event-driven processing
  • CPU or memory load
  • Any KEDA-supported scaler

With Azure Container Apps, you can:

  • Run multiple container revisions and manage the container app’s application lifecycle.
  • Autoscale your apps based on any KEDA-supported scale trigger. Most applications can scale to zero.
  • Enable HTTPS ingress without having to manage other Azure infrastructure.
  • Split traffic across multiple versions of an application for Blue/Green deployments and A/B testing scenarios.
  • Use internal ingress and service discovery for secure internal-only endpoints with built-in DNS-based service discovery.
  • Build microservices with Dapr and access its rich set of APIs.
  • Run containers from any registry, public or private, including Docker Hub and Azure Container Registry (ACR).
  • Use the Azure CLI extension or ARM templates to manage your applications.
  • Securely manage secrets directly in your application.
  • View application logs using Azure Log Analytics.

Deploy an Azure Container App:

# - Install the Azure Container Apps (preview) extension to the CLI
az extension add \
  --source https://workerappscliextension.blob.core.windows.net/azure-cli-extension/containerapp-0.2.0-py2.py3-none-any.whl

# - Register the Microsoft.Web namespace
az provider register --namespace Microsoft.Web

# - Set up environment variables
RESOURCE_GROUP="my-containerapps"
LOCATION="canadacentral"
LOG_ANALYTICS_WORKSPACE="containerapps-logs"
CONTAINERAPPS_ENVIRONMENT="containerapps-env"

# - Create a resource group
az group create \
  --name "$RESOURCE_GROUP" \
  --location "$LOCATION"

# - Create a new Log Analytics workspace
az monitor log-analytics workspace create \
  --resource-group "$RESOURCE_GROUP" \
  --workspace-name "$LOG_ANALYTICS_WORKSPACE"

# - Retrieve the Log Analytics workspace (customer) ID and its primary shared key
LOG_ANALYTICS_WORKSPACE_CLIENT_ID=$(az monitor log-analytics workspace show \
  --query customerId -g "$RESOURCE_GROUP" -n "$LOG_ANALYTICS_WORKSPACE" --out tsv)
LOG_ANALYTICS_WORKSPACE_CLIENT_SECRET=$(az monitor log-analytics workspace get-shared-keys \
  --query primarySharedKey -g "$RESOURCE_GROUP" -n "$LOG_ANALYTICS_WORKSPACE" --out tsv)

# - Create the Azure Container Apps environment (logs are sent to the workspace above)
az containerapp env create \
  --name "$CONTAINERAPPS_ENVIRONMENT" \
  --resource-group "$RESOURCE_GROUP" \
  --logs-workspace-id "$LOG_ANALYTICS_WORKSPACE_CLIENT_ID" \
  --logs-workspace-key "$LOG_ANALYTICS_WORKSPACE_CLIENT_SECRET" \
  --location "$LOCATION"

# - Create a container app with external HTTPS ingress and print its FQDN
az containerapp create \
  --name my-container-app \
  --resource-group "$RESOURCE_GROUP" \
  --environment "$CONTAINERAPPS_ENVIRONMENT" \
  --image mcr.microsoft.com/azuredocs/containerapps-helloworld:latest \
  --target-port 80 \
  --ingress 'external' \
  --query configuration.ingress.fqdn

Maxime.