Category: Miscellaneous

AKS | FIPS

Hi,

The Federal Information Processing Standard (FIPS) 140-2 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. AKS allows you to create Linux-based node pools with FIPS 140-2 enabled: the node OS boots its kernel in FIPS mode and ships FIPS-validated cryptographic modules. Deployments running on FIPS-enabled node pools can use those modules to help meet security controls as part of FedRAMP compliance. Note that this covers the node, not your container images: a container brings its own userland crypto libraries, so an application is only as FIPS-compliant as the library it links (for example an OpenSSL build with the FIPS provider).

In this article, I will show you how you can add a FIPS-enabled node pool to an existing AKS cluster (the feature was in preview when this was written, hence the aks-preview extension and the feature flag):

Install the aks-preview extension
az extension add --name aks-preview

Update the extension to make sure you have the latest version installed
az extension update --name aks-preview

Register the FIPSPreview feature flag, then check its state (it can take a few minutes to move from Registering to Registered)
az feature register --namespace "Microsoft.ContainerService" --name "FIPSPreview"
az feature list -o table --query "[?contains(name,'Microsoft.ContainerService/FIPSPreview')].{Name:name,State:properties.state}"

Once it shows Registered, refresh the Microsoft.ContainerService provider so the registration takes effect
az provider register --namespace Microsoft.ContainerService
 
Add FIPS Node Pool to an existing AKS cluster
az aks nodepool add \
     --resource-group myResourceGroup \
     --cluster-name myAKSCluster \
     --name fipsnp \
     --enable-fips-image

Check that the new pool is FIPS-enabled (the JMESPath multi-select hash needs a comma between its keys)
az aks show --resource-group myResourceGroup --cluster-name myAKSCluster --query="agentPoolProfiles[].{Name:name, enableFips:enableFips}" -o table
 Name       enableFips
 ---------  ------------
 fipsnp     True
 nodepool1  False
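
The enableFips flag only tells you what AKS intended. The script below is an added example, not code from the original post: it reads the kernel's own FIPS flag (/proc/sys/crypto/fips_enabled, a kernel-wide sysctl that any pod on the node can see) from every node of the pool, fails if any node reports something other than 1, and prints a pod manifest that is pinned to the pool and refuses to start on a non-FIPS node. It assumes kubectl is pointed at the cluster, that the nodes carry AKS' standard agentpool=<pool name> label (check with kubectl get nodes --show-labels), and uses a Mariner base image as a placeholder; the pod name and the sample node lines in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every node of a FIPS
# node pool really runs its kernel in FIPS mode, then pin a workload to it.
# Assumes: kubectl configured for the cluster; AKS label agentpool=<pool name>.
set -eu

POOL=${POOL:-fipsnp}

# Pure check, no cluster access: reads "node flag" lines where flag is the
# content of /proc/sys/crypto/fips_enabled on that node. Prints every node whose
# flag is not exactly 1 (including nodes with no reading) and returns 1 if any.
non_fips_nodes() {
  bad=0
  while read -r node flag; do
    [ -n "$node" ] || continue
    if [ "$flag" != "1" ]; then
      echo "$node"
      bad=1
    fi
  done
  return "$bad"
}

# Read the kernel flag from every node in the pool. /proc/sys/crypto/fips_enabled
# is kernel-wide, so an unprivileged throwaway pod scheduled onto the node sees
# the host's value. Image is a placeholder: anything with /bin/cat works.
collect_fips_flags() {
  for node in $(kubectl get nodes -l "agentpool=$POOL" -o name); do
    name=${node#node/}
    flag=$(kubectl run "fipscheck-$name" --rm -i --restart=Never \
             --image=mcr.microsoft.com/cbl-mariner/base/core:2.0 \
             --overrides="{\"spec\":{\"nodeName\":\"$name\"}}" \
             -- cat /proc/sys/crypto/fips_enabled 2>/dev/null \
           | grep -x '[01]' | head -n 1)
    printf '%s %s\n' "$name" "${flag:-missing}"
  done
}

# Pod pinned to the pool that also refuses to start if the node it landed on is
# not in FIPS mode (belt and braces against a nodeSelector typo). Placeholder
# name and image; "\$(cat ...)" is escaped so it runs inside the pod, not here.
fips_pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: fips-only-app
spec:
  nodeSelector:
    agentpool: $POOL
  containers:
  - name: app
    image: mcr.microsoft.com/cbl-mariner/base/core:2.0
    command: ["/bin/sh", "-c"]
    args:
    - '[ "\$(cat /proc/sys/crypto/fips_enabled)" = 1 ] || { echo "node is not in FIPS mode"; exit 1; }; exec sleep infinity'
EOF
}

# Usage: sh fips-check.sh check        (live check against the cluster)
#        sh fips-check.sh manifest | kubectl apply -f -
if [ "${1:-}" = "check" ]; then
  if collect_fips_flags | non_fips_nodes; then
    echo "all nodes in pool $POOL report fips_enabled=1"
  else
    echo "the nodes listed above are NOT in FIPS mode" >&2
    exit 1
  fi
elif [ "${1:-}" = "manifest" ]; then
  fips_pod_manifest
fi
```

The in-pod guard matters because nodeSelector is the only thing keeping a compliance-scoped workload on the FIPS pool; if someone edits the selector away, the pod fails loudly instead of silently running on nodepool1.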

Maxime.

Azure Policy Search with Azure Graph

Hi!

In this article, I will show you how you can use Azure Resource Graph to check the result of one specific policy across all the subscriptions of your Azure tenant. Before starting, let me briefly explain what it is.

Azure Resource Graph (ARG) provides an efficient way to query at scale across a given set of subscriptions for any Azure resource. If you are not familiar with it, I recommend spending some time learning it!

In this first example, I will create a query that lists all policy states (one row per evaluated resource and policy assignment) and extracts the policy definition name, the compliance status and the resource ID.

policyresources
| where type == "microsoft.policyinsights/policystates"
| extend name = properties['policyDefinitionName']
| extend state = properties['complianceState']
| extend resourceid = properties['resourceId']
| project name, state, resourceid

In this second example, I will create a query that lists the compliance status and the resource ID for one existing policy. The filter is on policyDefinitionName, which is the definition's resource name (a GUID for built-in definitions), not the display name shown in the portal, so replace the placeholder with that name:

policyresources
| where type == "microsoft.policyinsights/policystates"
| where properties['policyDefinitionName'] == "Name Of your Azure Policy"
| extend state = properties['complianceState']
| extend resourceid = properties['resourceId']
| project state, resourceid
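
Resource Graph Explorer is fine for a one-off look; for a recurring check you want the same query from the CLI, with paging (Resource Graph returns at most 1000 rows per call and hands back a skip token when more remain) and a per-subscription summary. The script below is an added example, not code from the original post. It assumes the az CLI with the resource-graph extension (az extension add --name resource-graph) and jq on PATH; POLICY_DEF keeps the post's placeholder; the field carrying the continuation token is accepted as either skip_token or skipToken because CLI builds differ; the rows in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): run the policy-state query across
# every subscription the signed-in identity can read, page through the result
# set with az graph query, and summarise compliance per subscription.
# Assumes: az CLI + resource-graph extension, jq. POLICY_DEF is a placeholder.
set -eu

# The definition's resource name (a GUID for built-ins), NOT its display name.
POLICY_DEF=${POLICY_DEF:-"Name Of your Azure Policy"}

# Resolve the resource name from the display name shown in the portal.
policy_definition_name() {
  az policy definition list --query "[?displayName=='$1'].name" -o tsv
}

# Same filter as the post's second query, with tostring() on the dynamic fields
# and subscriptionId added so the result can be broken down per subscription.
# $1 is interpolated into a KQL string literal: pass a trusted name only.
policy_state_query() {
  printf '%s' "policyresources
| where type == 'microsoft.policyinsights/policystates'
| where properties['policyDefinitionName'] == '$1'
| project subscriptionId, name = tostring(properties['policyDefinitionName']), state = tostring(properties['complianceState']), resourceid = tostring(properties['resourceId'])"
}

# Fetch every page. Emits one TSV row per policy state:
# subscriptionId<TAB>name<TAB>state<TAB>resourceid
graph_all_pages() {
  query=$1
  token=''
  while :; do
    if [ -n "$token" ]; then
      page=$(az graph query -q "$query" --first 1000 --skip-token "$token" -o json)
    else
      page=$(az graph query -q "$query" --first 1000 -o json)
    fi
    printf '%s\n' "$page" | jq -r '.data[] | [.subscriptionId, .name, .state, .resourceid] | @tsv'
    # Continuation token: CLI builds have named it skip_token or skipToken.
    token=$(printf '%s\n' "$page" | jq -r '(.skip_token // .skipToken) // empty')
    [ -n "$token" ] || break
  done
}

# Pure aggregation (no Azure access): count rows per subscription and state.
# Output: subscriptionId<TAB>state<TAB>count, sorted bytewise.
summarize_states() {
  awk 'BEGIN { FS = OFS = "\t" } NF >= 3 { c[$1 OFS $3]++ } END { for (k in c) print k, c[k] }' \
    | LC_ALL=C sort
}

# Usage: POLICY_DEF=<definition name> sh policy-compliance.sh run
if [ "${1:-}" = "run" ]; then
  graph_all_pages "$(policy_state_query "$POLICY_DEF")" | summarize_states
fi
```

Without the paging loop a tenant with more than 1000 evaluated resources silently reports only the first page, which is exactly the kind of gap an auditor will find before you do.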

Maxime.

Disable SAS Key for a Storage Account

Hi,

In this article, I will show you how you can disable Shared Key (account access key) authorization for a storage account. When you disallow Shared Key authorization, requests from clients that authorize with the account access keys fail, and so do SAS tokens signed with those keys (service SAS and account SAS); only a user delegation SAS, which is signed with Microsoft Entra credentials, keeps working.

When you are confident that you can safely reject requests that are authorized with Shared Key, you can set the AllowSharedKeyAccess property for the storage account to false.

The AllowSharedKeyAccess property is not set by default and does not return a value until you explicitly set it. The storage account permits requests that are authorized with Shared Key when the property value is null or when it is true.

Azure CLI:

az storage account update \
     --name <storage-account-name> \
     --resource-group <resource-group> \
     --allow-shared-key-access false

Azure Portal:

To check the Shared Key access setting across a set of storage accounts at scale, use the Azure Resource Graph Explorer in the Azure portal. An empty (null) allowSharedKeyAccess in the result means the property was never set, so that account still accepts Shared Key.

resources 
| where type =~ 'Microsoft.Storage/storageAccounts' 
| extend allowSharedKeyAccess = parse_json(properties).allowSharedKeyAccess 
| project subscriptionId, resourceGroup, name, allowSharedKeyAccess
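
Flipping the setting blindly is how you break a Function App or a backup job at 2 a.m. The script below is an added example, not code from the original post: it runs the inventory query from the CLI, keeps only the accounts whose setting is anything other than false (a null value counts as still allowed), asks the storage diagnostic logs whether anything has authenticated with the account key in the last 30 days, and disables Shared Key only for accounts with no such traffic, in a dry-run-by-default loop. It assumes the az CLI with the resource-graph extension and, for the usage check, storage diagnostic logs flowing to a Log Analytics workspace whose ID is in LAW_ID; the inventory fetches a single page of up to 1000 accounts; the rows in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find storage accounts that still
# accept Shared Key, check recent account-key usage, then disable the setting.
# Assumes: az CLI + resource-graph extension; LAW_ID = Log Analytics workspace
# receiving the accounts' diagnostic logs. DRY_RUN=1 (default) only prints.
set -eu

# Inventory: the post's projection, one page (up to 1000 accounts), as TSV rows
# subscriptionId<TAB>resourceGroup<TAB>name<TAB>allowSharedKeyAccess
# (a null property comes out as an empty fourth field).
list_accounts() {
  az graph query -q "resources
| where type =~ 'Microsoft.Storage/storageAccounts'
| project subscriptionId, resourceGroup, name, allowSharedKeyAccess = properties.allowSharedKeyAccess" \
    --first 1000 --query "data[].[subscriptionId, resourceGroup, name, allowSharedKeyAccess]" -o tsv
}

# Pure filter (no Azure access): keep rows whose setting is anything other than
# false. Empty means never set, which the service treats as allowed.
# Output: sub<TAB>rg<TAB>name<TAB>value, value lower-cased, "unset" for empty.
still_allows_shared_key() {
  awk 'BEGIN { FS = OFS = "\t" }
       { v = tolower($4); if (v == "") v = "unset"
         if (v != "false") print $1, $2, $3, v }'
}

# Number of requests authenticated with the account key in the last 30 days,
# across all four storage services. Non-zero means a client will break.
shared_key_requests() {
  az monitor log-analytics query -w "$LAW_ID" --timespan P30D \
    --analytics-query "union StorageBlobLogs, StorageFileLogs, StorageQueueLogs, StorageTableLogs
| where AccountName == '$1' and AuthenticationType == 'AccountKey'
| count" --query '[0].Count' -o tsv
}

# Flip the setting for one account and read it back; honours DRY_RUN.
disable_shared_key() {
  sub=$1; rg=$2; name=$3
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "DRY RUN: would disable Shared Key on $sub/$rg/$name"
    return 0
  fi
  az storage account update --subscription "$sub" -g "$rg" -n "$name" \
    --allow-shared-key-access false -o none
  # Verification: the property now reads False instead of null.
  az storage account show --subscription "$sub" -g "$rg" -n "$name" \
    --query allowSharedKeyAccess -o tsv
}

# Usage: LAW_ID=<workspace id> DRY_RUN=0 sh disable-shared-key.sh run
if [ "${1:-}" = "run" ]; then
  list_accounts | still_allows_shared_key \
  | while IFS="$(printf '\t')" read -r sub rg name value; do
      used=$(shared_key_requests "$name")
      if [ "${used:-0}" != "0" ]; then
        echo "SKIP $sub/$rg/$name: $used Shared Key requests in 30 days (setting: $value)" >&2
        continue
      fi
      disable_shared_key "$sub" "$rg" "$name"
    done
fi
```

The log check is only as good as the diagnostic settings behind it: an account with no logs routed to the workspace returns 0 requests and would be flipped, so enable logging (or exclude unlogged accounts) before running with DRY_RUN=0.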

Maxime.