Category: Miscellaneous

Azure Policy for Azure Key Vaults

Hi!

At Ignite in November 2021, Microsoft released a few new built-in Azure Policy definitions for Azure Key Vault.

Azure Policy for Key Vault helps you audit the secrets, keys, and certificates stored in your key vaults to make sure they meet the compliance requirements you set. Any secret, key, or certificate that does not meet the requirements appears as non-compliant on the policy compliance dashboard. Keep in mind that the Deny effect only blocks objects being created or updated after the assignment; objects that already exist are not removed, they are reported as non-compliant at the next evaluation.

Each policy below is listed with its name (as shown in the Azure portal), its allowed effect(s), its version (as published on GitHub) and its description.

Name: [Preview]: Azure Key Vault Managed HSM should disable public network access
Effect(s): Audit, Deny, Disabled
Version: 1.0.0-preview
Description: Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm.

Name: Azure Key Vault Managed HSM should have purge protection enabled
Effect(s): Audit, Deny, Disabled
Version: 1.0.0
Description: Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period.

Name: [Preview]: Azure Key Vault Managed HSM should use private link
Effect(s): Audit, Disabled
Version: 1.0.0-preview
Description: Private link provides a way to connect Azure Key Vault Managed HSM to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link

Name: [Preview]: Azure Key Vault should disable public network access
Effect(s): Audit, Deny, Disabled
Version: 2.0.0-preview
Description: Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.

Name: [Preview]: Azure Key Vaults should use private link
Effect(s): Audit, Deny, Disabled
Version: 1.0.0-preview
Description: Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.

Name: Certificates should be issued by the specified integrated certificate authority
Effect(s): audit, deny, disabled
Version: 2.0.1
Description: Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign.

Name: Certificates should be issued by the specified non-integrated certificate authority
Effect(s): audit, deny, disabled
Version: 2.0.1
Description: Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault.

Name: Certificates should have the specified lifetime action triggers
Effect(s): audit, deny, disabled
Version: 2.0.1
Description: Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration.

Name: [Preview]: Certificates should have the specified maximum validity period
Effect(s): audit, deny, disabled
Version: 2.1.0-preview
Description: Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault.

Name: Certificates should not expire within the specified number of days
Effect(s): audit, deny, disabled
Version: 2.0.1
Description: Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration.

Name: Certificates should use allowed key types
Effect(s): audit, deny, disabled
Version: 2.0.1
Description: Manage your organizational compliance requirements by restricting the key types allowed for certificates.

Name: Certificates using elliptic curve cryptography should have allowed curve names
Effect(s): audit, deny, disabled
Version: 2.0.1
Description: Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy.

Name: Certificates using RSA cryptography should have the specified minimum key size
Effect(s): audit, deny, disabled
Version: 2.0.1
Description: Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault.

Name: [Preview]: Configure Azure Key Vault Managed HSM to disable public network access
Effect(s): Modify, Disabled
Version: 1.0.0-preview
Description: Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm.

Name: [Preview]: Configure Azure Key Vault Managed HSM with private endpoints
Effect(s): DeployIfNotExists, Disabled
Version: 1.0.0-preview
Description: Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Key Vault Managed HSM, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link.

Name: [Preview]: Configure Azure Key Vaults to use private DNS zones
Effect(s): DeployIfNotExists, Disabled
Version: 1.0.0-preview
Description: Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.

Name: [Preview]: Configure Azure Key Vaults with private endpoints
Effect(s): DeployIfNotExists, Disabled
Version: 1.0.0-preview
Description: Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.

Name: [Preview]: Configure key vaults to disable public network access
Effect(s): Modify, Disabled
Version: 1.0.0-preview
Description: Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.

Name: Deploy – Configure diagnostic settings for Azure Key Vault to Log Analytics workspace
Effect(s): DeployIfNotExists, Disabled
Version: 1.0.1
Description: Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated.

Name: Deploy – Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM
Effect(s): DeployIfNotExists, Disabled
Version: 1.0.0
Description: Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Event Hub when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated.

Name: Deploy Diagnostic Settings for Key Vault to Event Hub
Effect(s): deployIfNotExists
Version: 2.0.0
Description: Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated.

Name: Key Vault keys should have an expiration date
Effect(s): Audit, Deny, Disabled
Version: 1.0.2
Description: Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.

Name: Key Vault secrets should have an expiration date
Effect(s): Audit, Deny, Disabled
Version: 1.0.2
Description: Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.

Name: Key vaults should have purge protection enabled
Effect(s): Audit, Deny, Disabled
Version: 2.0.0
Description: Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.

Name: Key vaults should have soft delete enabled
Effect(s): Audit, Deny, Disabled
Version: 2.0.0
Description: Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.

Name: Keys should be backed by a hardware security module (HSM)
Effect(s): Audit, Deny, Disabled
Version: 1.0.1
Description: An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key.

Name: Keys should be the specified cryptographic type RSA or EC
Effect(s): Audit, Deny, Disabled
Version: 1.0.1
Description: Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment.

Name: Keys should have more than the specified number of days before expiration
Effect(s): Audit, Deny, Disabled
Version: 1.0.1
Description: If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.

Name: Keys should have the specified maximum validity period
Effect(s): Audit, Deny, Disabled
Version: 1.0.1
Description: Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault.

Name: Keys should not be active for longer than the specified number of days
Effect(s): Audit, Deny, Disabled
Version: 1.0.1
Description: Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years.

Name: Keys using elliptic curve cryptography should have the specified curve names
Effect(s): Audit, Deny, Disabled
Version: 1.0.1
Description: Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment.

Name: Keys using RSA cryptography should have a specified minimum key size
Effect(s): Audit, Deny, Disabled
Version: 1.0.1
Description: Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements.

Name: [Preview]: Private endpoint should be configured for Key Vault
Effect(s): Audit, Deny, Disabled
Version: 1.1.0-preview
Description: Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.

Name: Resource logs in Azure Key Vault Managed HSM should be enabled
Effect(s): AuditIfNotExists, Disabled
Version: 1.0.0
Description: To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging.

Name: Resource logs in Key Vault should be enabled
Effect(s): AuditIfNotExists, Disabled
Version: 5.0.0
Description: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.

Name: Secrets should have content type set
Effect(s): Audit, Deny, Disabled
Version: 1.0.1
Description: A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets.

Name: Secrets should have more than the specified number of days before expiration
Effect(s): Audit, Deny, Disabled
Version: 1.0.1
Description: If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.

Name: Secrets should have the specified maximum validity period
Effect(s): Audit, Deny, Disabled
Version: 1.0.1
Description: Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault.

Name: Secrets should not be active for longer than the specified number of days
Effect(s): Audit, Deny, Disabled
Version: 1.0.1
Description: If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration.
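As an added example (not part of the original post), here is how two of the built-ins above can be assigned with the Deny effect from the Azure CLI and how the resulting non-compliant resources can be listed. It assumes the Azure CLI is installed and logged in with rights to create policy assignments on the scope passed in the KV_POLICY_SCOPE environment variable (a name I chose for this script); the built-in definitions are resolved by their display name so no definition GUID has to be typed in.

```shell
#!/bin/sh
# Added example: assign built-in Key Vault policies with Deny and list what they flag.
# Assumes: `az login` done, rights to write policy assignments on $KV_POLICY_SCOPE,
# e.g. KV_POLICY_SCOPE=/subscriptions/<subscription-id> sh kv-policy.sh
set -eu

# --params document for a built-in whose only parameter is "effect"
# (Audit | Deny | Disabled). Built-ins with more parameters take them in the
# same {"<name>":{"value":...}} shape inside the same document.
kv_policy_params() {
  printf '{"effect":{"value":"%s"}}' "$1"
}

# Stable assignment name derived from the portal display name:
# lower-case, any run of non-alphanumerics collapsed to one dash, trimmed.
assignment_name() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -cs 'a-z0-9' '-' | sed 's/^-*//; s/-*$//'
}

# Resolve the built-in definition id from its display name (no hard-coded GUID).
definition_id() {
  az policy definition list --query "[?displayName=='$1'].id" -o tsv
}

# $1 display name, $2 effect, $3 scope (subscription, resource group or management group id).
assign_kv_policy() {
  display=$1; effect=$2; scope=$3
  az policy assignment create \
    --name "$(assignment_name "$display")" \
    --display-name "$display" \
    --policy "$(definition_id "$display")" \
    --scope "$scope" \
    --params "$(kv_policy_params "$effect")"
}

# Resource ids the assignment currently reports as NonCompliant.
# Deny only blocks new or updated objects; pre-existing ones appear here after
# the next evaluation (start one early with: az policy state trigger-scan).
noncompliant_resources() {
  az policy state list \
    --policy-assignment "$(assignment_name "$1")" \
    --filter "complianceState eq 'NonCompliant'" \
    --query "[].resourceId" -o tsv
}

# Only talk to Azure when a scope was given, so the helpers can be sourced and tested offline.
if [ -n "${KV_POLICY_SCOPE:-}" ]; then
  assign_kv_policy "Key Vault secrets should have an expiration date" Deny "$KV_POLICY_SCOPE"
  assign_kv_policy "Key vaults should have purge protection enabled" Deny "$KV_POLICY_SCOPE"
  noncompliant_resources "Key Vault secrets should have an expiration date"
fi
```

Run it once with the scope set; on later runs the same assignment names make `az policy assignment create` update the existing assignments rather than create duplicates. Start with Audit on a scope that already holds vaults, look at what `noncompliant_resources` returns, and only then switch to Deny, because Deny will also reject deployments that rotate an existing secret without setting an expiration date.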

Maxime.

Audit your Dockerfile with Conftest

Hi!

In this article, I will show you how to audit a Dockerfile with Conftest.

Conftest lets you write tests against structured configuration data: Kubernetes manifests, Terraform code, Serverless configs or any other config file. The tests are policies written in Rego, the language of Open Policy Agent, and Conftest ships parsers for the supported formats, including Dockerfiles.

For this blog post, we will write a Conftest policy in Rego that audits a Dockerfile. In this Dockerfile, I have included a few bad practices and security weaknesses:

  • Hardcoded tokens in ENV instructions
  • Use of ADD instead of COPY
  • Use of sudo
FROM ubuntu:latest
LABEL MAINTAINER "Maxime"

ENV SECRET AAAAAAAAAAAAAAAAAAA
ENV GITLAB_API_ID aaaaaaaaaaaaaaaaaaaaaaaaaaaaa

WORKDIR /app

ADD app /app
COPY README.md /app/README.md
ADD code /tmp/code
RUN sudo apt-get update

RUN apt-get update && apt-get install -y htop

CMD ["/bin/bash", "/app/entrypoint.sh"]

Now we write a policy that detects those three weaknesses. Conftest's Dockerfile parser hands the policy one object per instruction, with the instruction name lower-cased in Cmd and its arguments in the Value list:

package main

# Substrings that make an ENV variable name look like a credential.
# Matching is substring-based, so e.g. "KEYBOARD" also matches "key":
# tune the list to your own naming conventions.
suspicious_env_keys = [
    "passwd",
    "password",
    "secret",
    "key",
    "access",
    "api_key",
    "apikey",
    "token",
]

# Looking for suspicious environment variables (ENV NAME value)
deny[msg] {
    input[i].Cmd == "env"
    val := input[i].Value
    contains(lower(val[_]), suspicious_env_keys[_])
    msg = sprintf("Suspicious ENV key found: %s", [concat(" ", val)])
}

# Looking for ADD instead of COPY (ADD also fetches URLs and unpacks archives)
deny[msg] {
    input[i].Cmd == "add"
    val := concat(" ", input[i].Value)
    msg = sprintf("Use COPY instead of ADD: %s", [val])
}

# sudo usage in RUN instructions
deny[msg] {
    input[i].Cmd == "run"
    val := concat(" ", input[i].Value)
    contains(lower(val), "sudo")
    msg = sprintf("Avoid using 'sudo' command: %s", [val])
}

Install Conftest (https://www.conftest.dev/install/), save the policy as policy/deny.rego (Conftest loads policies from the policy directory next to where you run it by default; use -p to point at another directory) and run the analysis with the following command, which exits non-zero as soon as one deny rule fires:

conftest test Dockerfile
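To make sure the policy really catches the three weaknesses (and keeps passing on a clean file), here is an added unit test file for it, not part of the original post, to be saved next to the policy (for example policy/deny_test.rego) and run with `conftest verify`. The two inputs are constructed by hand in the shape the policy reads (one object per instruction with a lower-cased Cmd and a Value list), so the tests run without parsing a real Dockerfile; the hardened variant is my own, not from the post.

```rego
package main

# Added example: unit tests for the deny rules above, run with `conftest verify`.
# Inputs are hand-built in the shape the policy consumes (assumed here to match
# what Conftest's Dockerfile parser produces: lower-cased Cmd, Value list).

# Same weaknesses as the sample Dockerfile: credential in ENV, ADD, sudo.
bad_dockerfile := [
    {"Cmd": "from", "Value": ["ubuntu:latest"]},
    {"Cmd": "env", "Value": ["SECRET", "AAAAAAAAAAAAAAAAAAA"]},
    {"Cmd": "add", "Value": ["app", "/app"]},
    {"Cmd": "run", "Value": ["sudo apt-get update"]},
    {"Cmd": "cmd", "Value": ["/bin/bash", "/app/entrypoint.sh"]},
]

# Hardened variant: no credential in ENV, COPY instead of ADD, no sudo.
good_dockerfile := [
    {"Cmd": "from", "Value": ["ubuntu:22.04"]},
    {"Cmd": "env", "Value": ["APP_ENV", "production"]},
    {"Cmd": "copy", "Value": ["app", "/app"]},
    {"Cmd": "run", "Value": ["apt-get update && apt-get install -y htop"]},
    {"Cmd": "cmd", "Value": ["/bin/bash", "/app/entrypoint.sh"]},
]

# Denial messages from a set that start with the given prefix.
denials_with(msgs, prefix) = {m | msgs[m]; startswith(m, prefix)}

# Each weakness must produce exactly one message, and nothing else must fire.
test_bad_dockerfile_denied_three_times {
    msgs := deny with input as bad_dockerfile
    count(msgs) == 3
    count(denials_with(msgs, "Suspicious ENV key found")) == 1
    count(denials_with(msgs, "Use COPY instead of ADD")) == 1
    count(denials_with(msgs, "Avoid using 'sudo'")) == 1
}

test_good_dockerfile_passes {
    count(deny) == 0 with input as good_dockerfile
}

# The ENV check is substring-based: a harmless name containing "key" is
# flagged too. Documenting the false positive keeps the trade-off visible.
test_env_key_substring_false_positive {
    count(deny) == 1 with input as [{"Cmd": "env", "Value": ["KEYBOARD_LAYOUT", "us"]}]
}
```

Note what the tests do not claim: the sample Dockerfile's second variable, GITLAB_API_ID, is not caught, because none of the substrings in suspicious_env_keys ("api_key", "apikey", "token", ...) occurs in "gitlab_api_id". If identifiers like that count as sensitive in your environment, add the matching substring to the list and extend the bad input with a case for it, so the test documents the decision.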

Maxime.

Microsoft MVP Azure 2021-2022 !

Hi!

It's my immense pleasure to share with you that I have been awarded Microsoft Most Valuable Professional (MVP) for the 5th time.

I would like to thank the Microsoft MVP Award team, Betsy and Rochelle. Finally, thanks to all my colleagues, blog readers and commenters. Congratulations to all the new and renewed MVPs!

Maxime.