Logo of Trend Micro

Monitor External Accounts with Write Permissions

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-024

Ensure that all the external accounts that have write permissions to your Microsoft Azure subscription are monitored for review and audit purposes using the Azure Security Center service.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

As a best practice, external accounts with write privileges should be monitored, audited and eventually removed from your Azure subscription in order to prevent unauthorized access to your cloud resources. By monitoring and reviewing all the external accounts with write permissions using Azure Security Center, you can adhere to security best practices and enforce a strict access policy. This should reduce the risk of a compromised external account being used to gain access to the cloud resources deployed within your subscription. When monitoring of the privileged external accounts is enabled, Security Center service will flag these accounts so you can audit them and choose whether or not to proceed with their removal.

Audit

To determine if the monitoring of privileged external accounts is enabled within Azure Security Center settings, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to examine to access the policy configuration settings for the selected subscription.

05 On the Security Policy page, choose the Security center default policy, then click View effective policy to open the policy.

06 On the default security policy page, within the Identity section, check the External accounts with write permissions should be removed from your subscription setting status. If the configuration setting is Disabled, the monitoring of the external accounts with write permissions is not enabled in the selected Azure subscription.

07 Repeat step no. 4 – 6 for each subscription available in your Microsoft Azure account.

Using Azure CLI

01 Run account get-access-token command (Windows/macOS/Linux) using custom query filters, to describe the monitoring status for the external accounts that have write permissions to your Microsoft Azure subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")'|jq '.properties.parameters.identityRemoveExternalAccountWithWritePermissionsMonitoringEffect.value'

02 The command output should return the requested Azure Security Center monitoring status: 

"Disabled"

If the command output returns "Disabled", as shown in the example above, none of the privileged external accounts are monitored using Azure Security Center, within the current subscription.

03 Repeat step no. 1 and 2 for each subscription created in your Microsoft Azure account.

Remediation / Resolution

To start monitoring all the external accounts that have write permissions to your Microsoft Azure subscriptions, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to reconfigure, to access the policy settings available for the selected subscription.

05 On the Security Policy page, click on the ASC Default (subscription: <azure-subscription-id>) link to edit the default policy assignment.

06 On the selected policy assignment page, perform the following commands:

  1. Choose the Parameters tab to access the policy parameters.
  2. Select AuditIfNotExists from External accounts with write permissions should be removed from your subscription dropdown list to enable the monitoring of the privileged external accounts in the selected subscription.
  3. Click Review + save to review the configuration changes, then click Save to apply the changes. If successful, the following message should be displayed: "Updating policy assignment succeeded". Once the configuration changes are saved, the Security Center service should start monitoring all the external accounts that have write permissions to the selected Microsoft Azure subscription. This will help you review these accounts and choose whether or not to remove them.

07 If required, repeat steps no. 4 – 6 for other Microsoft Azure cloud subscriptions available.

Using Azure CLI

01 Define the necessary specifications for the account get-access-token command, where the identityRemoveExternalAccountWithWritePermissionsMonitoringEffect configuration parameter is enabled using the "AuditIfNotExists" flag. Save the following content to a JSON file named privileged-external-account-monitoring.json and replace the highlighted details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account details: 

{
   "properties":{
      "displayName":"ASC Default (subscription: <azure-subscription-id>)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
      "scope":"/subscriptions/<azure-subscription-id>",
      "parameters":{
         "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      }
   },
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

02 Run account get-access-token command (Windows/macOS/Linux) using the specifications defined at the previous step (i.e. privileged-external-account-monitoring.json file) to start monitoring the all the external accounts that have write permissions to your Microsoft Azure subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"privileged-external-account-monitoring.json"'

03 If successful, the command output should return the updated Azure Security Center policy. Once the configuration changes are saved, the Security Center service should start monitoring all the privileged external accounts that have access to the current subscription. This will help you review these accounts and choose whether or not to delete them: 

{
   "sku":{
      "name":"A0",
      "tier":"Free"
   },
   "properties":{
      "displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
      "scope":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
      "parameters":{
         "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      },
      "metadata":{
         "createdBy":"1234abcd-1234-abcd-1234-abcd1234abcd",
         "createdOn":"2019-05-18T14:55:30.00000000",
         "updatedBy":"abcd1234-abcd-1234-abcd-1234abcd1234",
         "updatedOn":"2020-03-20T16:12:40.00000000"
      }
   },
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

04 If required, repeat steps no. 1 – 3 for other Microsoft Azure cloud subscriptions available.

References

Publication date Mar 27, 2020

Related SecurityCenter rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Monitor External Accounts with Write Permissions

Risk level: Medium