How to Secure DevOps in Microsoft Azure
Want to establish best practices within Microsoft Azure? Learn how to integrate a Secure DevOps Kit for Azure (AzSK) at the subscription level, as well as in your development process during coding, CI/CD pipeline, and future alerting and reporting.
This is a pretty neat discovery that I did test some experiments with over the rainy weekend! I plan on having this is a series and additional tests, since I am not done fiddling with this toolkit quite just yet! Microsoft has released the toolkit to help the DevOps community establish best practices within Microsoft Azure. You can integrate this tooling at your subscription level, in your development process during coding, CI/CD with Azure DevOps, and also subsequent alerting and reporting.
To get started, you are going to want to head on over to the official website and GitHub repository for the Azure Secure Devops Toolkit (AzSK). The official Microsoft site is located here https://azsk.azurewebsites.net/index.html . The official GitHub is located here https://github.com/azsk/DevOpsKit . Once you have the AzSK installed as documented, there are a number of features that you can do with it with the included Microsoft Powershell Modules. I would suggest to start at the beginning like I did, and run an overall security check status against your Azure Subscription. This is a check against 25+ services at this time. You also can generate some "Fix It" Microsoft Powershell scripts as well with an alternative flag in the Powershell cmdlet.
Here is the example output from my first test run. After loading the toolkit and associated Microsoft Powershell modules, I wanted to run a scan on one of my test subscriptions.
The interesting thing after the run is that it will produce a CSV report of all findings ranked on severity and passed checks. This is shown from my sample test below.
Pretty cool! So, lets try to generate some "Fix It" Microsoft Powershell scripts. I accomplish that by utilizing the "-GenerateFixScript" flag.
Wow! look at that the scripts are automatically generated, and it even looks like I can generate my scan results to an Azure Log Analytics Workspace as well. Lets take a look at some of the scripts generated in an IDE.
Well, here it is in Microsoft Visual Studio Code ready to execute to remediate my security findings!
Well, let me try a new test. I am going to provision a new Azure Virtual Machine and leave RDP open to the world and see what the adjusted scan comes back with. While I am waiting on that, I went ahead and downloaded the associated ARM template as well. I saw where as an added bonus, I can perform a security scan the ARM template as part of the Toolkit.
This time on the re-scan, I am going to change the flags and use a different Azure Powershell cmdlet Get-AzSKAzureServicesSecurityStatus. Using this new module, I am going to run a deeper scan on that specific Azure Resource Group where I provisioned the Azure Virtual Machine.
$s = Get-AzSubscription -SubscriptionName 'Pay-As-You-Go'
$subID = $s.SubscriptionId
Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subID -GenerateFixScript -ResourceGroupNames TESTVMAzureSecureDevOps
Whoah! It's doing a deep scan on that resource group with all my Virtual Machine components.
Well there it is! It did in fact detect my dodgy security Azure Network Security group after all, and some other useful information detected that I should perform on my Virtual Machine for security best practices.
It also generated the "Autofix" script to fix the vulnerabilities. See below, namely the Storage Account fix was interesting. Here is is Microsoft Visual Studio Code ready to run.
Well, the last thing I wanted to accomplish this weekend was run a scan on this ARM template that I used for previous test. This is done utilizing the Get-AzSKARMTemplateSecurityStatus cmdlet.
Here are the results in the CSV output.
You can see the line numbers, description of the vulnerabilities, associated severity, and suggestions for the changes!
Well, this is a good start for some future testing with the Azure Secure Devops Toolkit! I hope you enjoyed it. I plan on performing some future experiments with the toolkit as well.