Add Custom Policy to Azure Security Center Recommendation

Hi!

In this article, I will show you how you add a custom policy to Azure Security Center Recommendation.

These recommendations are based on industry best practices, which are incorporated into the generic, default security policy supplied to all customers. They can also come from Security Center’s knowledge of industry and regulatory standards.

With this feature, you can add your own custom initiatives. You’ll then receive recommendations if your environment doesn’t follow the policies you create.

In the Azure Security Center Portal, please select « Regulatory compliance » under « Cloud Security ».

Select, « Manage compliance policies »

Select « Add a custom initiative »

Select, « Creare New »

Please define:

  • Initiative location
  • Demo (Name of your custom initiative, for example XYZ Security Controls)
  • Category > Create new > Demo (Your category name could be storage, network, …)
  • Version 1

Select « Add policy definition(s) »

Select your policies, in this example: « Storage accounts should have infrastructure encryption »

Select « Create Control »

Define a new control, in this example Storage, with the Domain Storage security

Now the custom initiatives is created, please click on « add ».

Please find wait 1 hours before to see our custom initiative in the Azure Security Center Recommendation section.

After 1 hours, we can see our custom initiative in the Azure Security Center Recommendation section:

It’s also possible to Azure Resource Graph to see this custom policies. 

securityresources
| where type == "microsoft.security/assessments"
| extend resourceId = properties.resourceDetails.Id
| extend resourceName = tostring(split(resourceId, "/")[8])
| extend resourceGroup = (split(resourceId, "/")[4])
| extend status = properties.status.code
| extend recommendatioName = properties.displayName 
| project subscriptionId,
		  recommendatioName,
		  resourceName,
		  resourceGroup,
		  status,
		  resourceId

Maxime.

AKS Security Audit Toolbox

Hi!

In this article, I would like to share with you a list of security tools to audit the security of your AKS clusters.

Kubestriker performs numerous in depth checks on kubernetes infra to identify the security misconfigurations and challenges that devops engineers/developers are likely to encounter when using Kubernetes, especially in production and at scale.https://github.com/vchinnipilli/kubestriker

Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. https://github.com/aquasecurity/kube-hunter

Kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as: run as non-root ; use a read-only root filesystem ; don’t run privileged ; and more! https://github.com/Shopify/kubeaudit

Kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. https://github.com/aquasecurity/kube-bench

Kubiscan is a tool for scanning Kubernetes cluster for risky permissions in Kubernetes’s Role-based access control (RBAC) authorization model. https://github.com/cyberark/KubiScan

Kube-Scan gives a risk score, from 0 (no risk) to 10 (high risk) for each workload. The risk is based on the runtime configuration of each workload (currently 20+ settings). The exact rules and scoring formula are part of the open-source framework KCCSS, the Kubernetes Common Configuration Scoring System. https://github.com/octarinesec/kube-scan

Rback – A simple « RBAC in Kubernetes » visualizer. No matter how complex the setup, rback queries all RBAC related information of an Kubernetes cluster in constant time and generates a graph representation of service accounts, (cluster) roles, and the respective access rules in dot format. https://github.com/mhausenblas/rback

ExtensiveRoleCheck is a Python tool that scans the Kubernetes RBAC for risky roles. https://github.com/cyberark/kubernetes-rbac-audit

Peirates, a Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service accounts, obtain further code execution, and gain control of the cluster. https://github.com/inguardians/peirates

Kubetap is a kubectl plugin that enables an operator to easily deploy intercepting proxies for Kubernetes Services. https://github.com/soluble-ai/kubetap

kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc). https://github.com/sysdiglabs/kube-psp-advisor

Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes applications. https://github.com/kinvolk/inspektor-gadget

Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition. https://github.com/appvia/krane

KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security. https://github.com/stackrox/kube-linter

Kubeletctl is a command line tool that implement kubelet’s API. https://github.com/cyberark/kubeletctl

MKIT is a Managed Kubernetes Inspection Tool that leverages FOSS tools to query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster. https://github.com/darkbitio/mkit

Conmachi is a tool written in Golang intended to be used to collect information about a container environment and list potential security issues. It can be statically compiled so that it can be dropped into a container environment and run without any dependencies. https://github.com/nccgroup/ConMachi

Ktunnel is a CLI tool that establishes a reverse tunnel between a kubernetes cluster and your local machine. It lets you expose your machine as a service in the cluster or expose it to a specific deployment. You can also use the client and server without the orchestration part. Although ktunnel is identified with kubernetes, it can also be used as a reverse tunnel on any other remote system https://github.com/omrikiei/ktunnel

Dostainer – Kubernetes Resource Exhaustion PoC Container https://github.com/uchi-mata/dostainer

Kubei is a vulnerabilities scanning and CIS Docker benchmark tool that allows users to get an accurate and immediate risk assessment of their kubernetes clusters. Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods. It doesn’t scan the entire image registries and doesn’t require preliminary integration with CI/CD pipelines. https://github.com/Portshift/Kubei

Kubernetes Cluster dumps -Full cluster export into jsons using both native and specialized exports- https://github.com/alexivkin/kubepwn/blob/master/Tools/kubernetes-cluster-dump.sh

Maxime.

Encrypted customer managed keys policy for AKS

Hi,

Azure Kubernetes Service (AKS) now supports a new Azure policy to ensure OS and data disks are encrypted via customer managed keys. This feature enhances security by supporting the creation of a policy to audit the usage of customer managed keys on OS and data disks, or denying the creation of resources not using customer managed keys on OS and data disks.

AKS CMK Deny Policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CMK_Deny.json

Maxime.