Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Monitor External Accounts with Write Permissions

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-024

Ensure that all the external accounts that have write permissions to your Microsoft Azure subscription(s) are monitored for review and audit purposes using the Microsoft Defender for Cloud service.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

External accounts with write privileges should be monitored, audited, and eventually removed from your Azure subscription(s) in order to prevent unauthorized access to your cloud resources. By monitoring and reviewing all the external accounts with write permissions using Microsoft Defender for Cloud, you can adhere to Azure security best practices and enforce a strict access policy. This should reduce the risk of a compromised external account being used to gain access to the cloud resources deployed within your subscription. When the monitoring of the privileged external accounts is enabled, Microsoft Defender for Cloud will flag these accounts so you can audit them and choose whether or not to proceed with their removal.

Audit

To determine if the monitoring of privileged external accounts is enabled within Microsoft Defender for Cloud settings, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Policy settings, choose Security policy.

06 In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).

07 Choose the Parameters tab, uncheck Only show parameters that need input or review, and search for the following parameter: External accounts with write permissions should be removed from your subscription. If the specified parameter is set to Disabled, the monitoring of the external accounts with write permissions is not enabled for the selected Azure subscription.

08 Repeat steps no. 4 – 7 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI

01 Run account get-access-token command (Windows/macOS/Linux) using custom query filters to determine if the monitoring of the privileged external accounts is enabled within the current subscription by checking the identityRemoveExternalAccountWithWritePermissionsMonitoringEffect parameter value: 

az account get-access-token
  --query "{subscription:subscription,accessToken:accessToken}"
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")'|jq '.properties.parameters.identityRemoveExternalAccountWithWritePermissionsMonitoringEffect.value'

02 The command output should return the requested parameter value: 

"Disabled"

If the account get-access-token command output returns "Disabled", as shown in the output example above, none of the privileged external accounts are monitored using Microsoft Defender for Cloud, within the current Azure subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your Azure cloud account.

Remediation / Resolution

To start monitoring all the external accounts that have write permissions to your Microsoft Azure subscription(s), perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Policy settings, choose Security policy.

06 In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).

07 Choose the Parameters tab and uncheck the Only show parameters that need input or review checkbox to list all the initiative parameters.

08 Select AuditIfNotExists from the External accounts with write permissions should be removed from your subscription parameter dropdown list to enable the monitoring of the privileged external accounts in the selected Azure subscription.

09 Select Review + save to review the configuration changes, then choose Save to apply the new changes. If the operation is successful, the following confirmation message should be displayed: "Updating policy assignment succeeded".

10 Repeat steps no. 4 – 9 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI

01 Define the configuration parameters for the account get-access-token command, where the identityRemoveExternalAccountWithWritePermissionsMonitoringEffect parameter is enabled to turn on the monitoring feature. Save the configuration document to a JSON file named enable-privileged-external-accounts-monitoring.json and replace the highlighted details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account subscription details: 

{
  "properties":{
     "displayName":"ASC Default (subscription: <azure-subscription-id>)",
     "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
     "scope":"/subscriptions/<azure-subscription-id>",
     "parameters":{
        "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{
           "value":"AuditIfNotExists"
        }
     }
  },
  "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type":"Microsoft.Authorization/policyAssignments",
  "name":"SecurityCenterBuiltIn",
  "location":"eastus"
}

02 Run account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. enable-privileged-external-accounts-monitoring.json file), to enable the monitoring of the external accounts with write permissions, for the current Azure subscription: 

az account get-access-token
  --query "{subscription:subscription,accessToken:accessToken}"
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-privileged-external-accounts-monitoring.json"'

03 The command output should return information about the modified configuration parameter: 

{
  "sku": {
    "name": "A0",
    "tier": "Free"
  },
  "properties": {
    "displayName": "ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1234abcd-1234-1234-1234-abcd1234abcd",
    "scope": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
    "parameters": {
      "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
        "value": "AuditIfNotExists"
      }
    },
    "metadata": {
      "createdBy": "abcdabcd-1234-1234-1234-abcdabcdabcd",
      "createdOn": "2019-05-17T15:38:40.3473931Z",
      "updatedBy": "1234abcd-1234-1234-1234-abcd1234abcd",
      "updatedOn": "2022-02-01T21:22:40.7422203Z"
    }
  },
  "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "SecurityCenterBuiltIn",
  "location": "eastus"
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.

References

Publication date Mar 27, 2020

Related SecurityCenter rules