Monitor the Total Number of Subscription Owners

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-022

Ensure that the total number of subscription owners created for your Microsoft Azure account subscriptions is monitored by Azure Security Center service. Cloud Conformity recommends designating up to 3 Azure subscription owners in order to reduce the potential for security breaches by one or more compromised owners.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

As a security best practice, a maximum number of 3 owners should be designated for a Microsoft Azure subscription. By monitoring the number of subscription owners using Azure Security Center you can enforce these best practices and always maintain a maximum of 3 subscription owners. This should reduce the risk of a compromised owner's account being used to gain access to your subscription.


Audit

To determine if the number of subscription owners is monitored using Azure Security Center service, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to examine to access the policy configuration settings for the selected subscription.

05 On the Security Policy page, choose the Security center default policy, then click View effective policy to open the policy.

06 On the default security policy page, within the Identity section, check the A maximum of 3 owners should be designated for your subscription setting status. If the configuration setting is Disabled, the total number of Azure subscription owners is not monitored using Microsoft Azure Security Center.

07 Repeat steps no. 4 – 6 for each subscription available in your Microsoft Azure account.

Using Azure CLI

01 Run the account get-access-token command (Windows/macOS/Linux) using custom query filters to describe the monitoring status for the number of subscription owners designated within the current subscription:

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")'|jq '.properties.parameters.identityDesignateLessThanOwnersMonitoringEffect.value'

02 The command output should return the requested Azure Security Center monitoring status:

"Disabled"

If the command output returns "Disabled", as shown in the output example above, the total number of Azure subscription owners is not monitored using Microsoft Azure Security Center.

03 Repeat step no. 1 and 2 for each subscription created in your Microsoft Azure account.

Remediation / Resolution

To start monitoring the total number of subscription owners using Microsoft Azure Security Center service, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to reconfigure to access the policy settings available for the selected subscription.

05 On the Security Policy page, click on the ASC Default (subscription: <azure-subscription-id>) link to edit the default policy assignment.

06 On the selected policy assignment page, perform the following actions:

  1. Choose the Parameters tab to access the policy parameters.
  2. Select AuditIfNotExists from A maximum of 3 owners should be designated for your subscription dropdown list to enable monitoring for the number of subscription owners designated for the selected subscription.
  3. Click Review + save to review the configuration changes, then click Save to apply the changes. If successful, the following message should be displayed: "Updating policy assignment succeeded". Once the configuration changes are saved, the Security Center service should start monitoring for the total number of subscription owners.

07 If required, repeat steps no. 4 – 6 for other Microsoft Azure cloud subscriptions available.

Using Azure CLI

01 Define the policy assignment specification that the account get-access-token command pipeline will send, with the identityDesignateLessThanOwnersMonitoringEffect configuration parameter set to the "AuditIfNotExists" effect. Save the following content to a JSON file named enable-subscription-owners-monitoring.json and replace the placeholder details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account details:

{
   "properties":{
      "displayName":"ASC Default (subscription: <azure-subscription-id>)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
      "scope":"/subscriptions/<azure-subscription-id>",
      "parameters":{
         "identityDesignateLessThanOwnersMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      }
   },
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

02 Run the account get-access-token command (Windows/macOS/Linux) using the specifications defined at the previous step (i.e. the enable-subscription-owners-monitoring.json file) to start monitoring the total number of subscription owners created for the current Azure subscription:

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-subscription-owners-monitoring.json"'

03 If successful, the command output should return the updated Azure Security Center policy:

{
   "sku":{
      "name":"A0",
      "tier":"Free"
   },
   "properties":{
      "displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
      "scope":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
      "parameters":{
         "identityDesignateLessThanOwnersMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      },
      "metadata":{
         "createdBy":"1234abcd-1234-abcd-1234-abcd1234abcd",
         "createdOn":"2019-05-18T14:55:30.00000000",
         "updatedBy":"abcd1234-abcd-1234-abcd-1234abcd1234",
         "updatedOn":"2020-03-18T15:12:40.00000000"
      }
   },
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

04 If required, repeat steps no. 1 – 3 for other Microsoft Azure cloud subscriptions available.
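The Azure CLI audit (GET, then the jq filter on identityDesignateLessThanOwnersMonitoringEffect) and the remediation (PUT of the JSON file) above both operate on the same SecurityCenterBuiltIn policy assignment document. The following Python script, an added example that is not part of the Conformity article, reproduces that logic offline on a constructed sample: it extracts the effect the jq filter would print, flags the "Disabled" finding, and builds the remediation body from the current assignment so that every other Security Center parameter is carried over unchanged rather than dropped. The subscription id and the second parameter name are placeholders.

```python
import json

PARAM = "identityDesignateLessThanOwnersMonitoringEffect"
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id

# Constructed sample of the GET response for .../policyAssignments/SecurityCenterBuiltIn
# (shape taken from the article; ids are placeholders) where the owner check is off.
# "anotherMonitoringEffect" is a made-up name standing in for the other ASC parameters.
SAMPLE_ASSIGNMENT = json.loads("""{
  "properties": {
    "displayName": "ASC Default (subscription: %s)",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
    "scope": "/subscriptions/%s",
    "parameters": {
      "identityDesignateLessThanOwnersMonitoringEffect": {"value": "Disabled"},
      "anotherMonitoringEffect": {"value": "AuditIfNotExists"}
    }
  },
  "id": "/subscriptions/%s/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "SecurityCenterBuiltIn",
  "location": "eastus"
}""" % (SUB, SUB, SUB))

def owners_monitoring_effect(assignment):
    """Value the article's jq filter prints; None if the parameter is not
    overridden in the assignment (the initiative's default then applies)."""
    if assignment.get("name") != "SecurityCenterBuiltIn":
        return None  # mirrors jq 'select(.name=="SecurityCenterBuiltIn")'
    params = assignment.get("properties", {}).get("parameters", {})
    return params.get(PARAM, {}).get("value")

def is_disabled(assignment):
    """Rule finding as on the page: an explicit "Disabled" means not monitored."""
    return owners_monitoring_effect(assignment) == "Disabled"

def build_enable_payload(assignment):
    """PUT body for remediation: same fields as the article's JSON file, other
    parameters carried over unchanged, only the owner check set to AuditIfNotExists."""
    props = assignment["properties"]
    params = dict(props.get("parameters", {}))  # shallow copy, input left untouched
    params[PARAM] = {"value": "AuditIfNotExists"}
    new_props = {k: props[k] for k in ("displayName", "policyDefinitionId", "scope")}
    new_props["parameters"] = params
    body = {k: assignment[k] for k in ("id", "type", "name", "location")}
    body["properties"] = new_props
    return body

if __name__ == "__main__":
    print(json.dumps(build_enable_payload(SAMPLE_ASSIGNMENT), indent=2))
```

The printed body can be saved as enable-subscription-owners-monitoring.json and sent with the PUT command from step 2; building it from the live GET response avoids silently resetting the other monitoring effects to their defaults.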

Publication date Mar 27, 2020
