Azure Cloud Security
The Azure cloud has many components. Each application makes use of various services, and it is best to map which services are used and how they interact with each other to get a good overview of the security of the whole landscape. To get a proper view of all the resources deployed in Azure, check the Insights section under the Resource Group in question.
General
Globally, there are some configurations which apply to the Azure subscription or to the global configuration. These are not specific to any Azure service.
Security Notifications
Check that every subscription has security notifications configured, set to an email address of the team. Azure is able to detect serious security issues, as well as active attacks on resources in a subscription, and inform the team about them. See also https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
Public IP addresses
For each public IP address registered in the Public IP addresses section in Azure:
If the IP address is not associated with a load balancer, application gateway or Azure Firewall:
- Ask why the public IP address is directly associated with an Azure resource that may not need to be directly exposed to the public internet.
If the IP address is associated with a Virtual Machine:
- Check the inbound rules of the Network Security Group associated with the network interface of the VM in question and determine whether broad public access to one or more ports is possible.
- Check whether all publicly exposed ports are necessary for the functioning of the application.
- Make sure no remote management ports are publicly accessible, such as SSH and RDP (Remote Desktop). Windows VMs should use the Azure Bastion service.
- Check the outbound rules of the same Network Security Group and determine whether broad public outbound access to non-standard ports is possible.
Microsoft IAM
These are primarily the default rules that we all know and love:
- Make sure every account has rights according to the least privilege principle.
- Make sure every account has MFA enabled.
- Make sure no personal accounts are used to grant access; always assign RBAC roles to groups.
Virtual Machines
General
For each Windows-based VM:
- Make sure that remote desktop connections can only be set up through the Azure Bastion service, and/or that the remote desktop port (3389) is only accessible from the internal network in Azure.
For all VMs:
- Make sure the OS has general hardening in place; the CIS Benchmark is the best reference to check against.
- Make sure disk encryption is enabled.
- If applicable (GDPR, AVG), make sure the data stored on the machine is kept in Europe.
- Make sure the OS is adequately patched.
VM Disks
Automate! The following lists all managed disks whose network access policy allows access from all networks:
az disk list --query "[?networkAccessPolicy=='AllowAll'].name" -o tsv
Networking
- Check the outbound rules of the Network Security Group associated with the network interface of the VM in question and determine whether broad public or internal outbound access to non-standard ports is possible. Outbound access to public endpoints on ports other than 80 and 443 must be investigated for business need.
- Make sure there are no unassigned network interfaces. If a network interface is not used, it should be deleted.
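As an added example (not part of the original checklist), the inbound check from the Public IP addresses section and the outbound check above can be run against the custom rules of one NSG as printed by `az network nsg rule list -g RG --nsg-name NSG -o json`. Rules are evaluated the way Azure does it, lowest priority number first; the sample rules, the management port list and the probe ports are constructed assumptions.

```python
# Constructed sample rules; real input is the JSON from `az network nsg rule list`.
MGMT_PORTS = (22, 3389)                            # SSH, RDP
BROAD = {"*", "internet", "0.0.0.0/0", "0.0.0.0"}  # prefixes meaning "anywhere"

def _covers(spec, port):
    """True if an NSG port spec ('*', '3389' or '1000-4000') includes port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _list(rule, field):
    # az emits either `<field>s` (a list) or `<field>` (a single value, may be null)
    return rule.get(field + "s") or [rule.get(field) or "*"]

def first_match(rules, direction, port):
    """Rule deciding internet traffic on port: lowest priority number wins, as in
    Azure; None means no custom rule matches and the default rules apply."""
    side = "sourceAddressPrefix" if direction == "Inbound" else "destinationAddressPrefix"
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != direction or rule["protocol"] not in ("*", "Tcp"):
            continue
        if not any(_covers(p, port) for p in _list(rule, "destinationPortRange")):
            continue
        if any(p.lower() in BROAD for p in _list(rule, side)):
            return rule
    return None

def exposed_management_ports(rules):
    """Management ports reachable from the internet (default inbound rule: deny)."""
    return {p: r["name"] for p in MGMT_PORTS
            if (r := first_match(rules, "Inbound", p)) and r["access"] == "Allow"}

def open_outbound_ports(rules, probe=(22, 25, 443, 3389, 8080)):
    """Probe ports that can reach the internet; with no custom rule the default
    AllowInternetOutBound rule lets the traffic through, so None counts as open."""
    return [p for p in probe
            if (r := first_match(rules, "Outbound", p)) is None or r["access"] == "Allow"]

SAMPLE_RULES = [
    {"name": "deny-ssh-internet", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "23"]},
    {"name": "allow-rdp-any", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-web-out", "priority": 3900, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "destinationAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "deny-internet-out", "priority": 4000, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
]
```

With the sample rules, RDP is reported as exposed (the SSH Deny rule wins on priority) and only port 443 reaches the internet outbound; drop the final Deny rule and every probed port becomes open because of the default outbound rule.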
Storage Accounts
General
Commonly, storage accounts are only used for either blob or file services and rarely for tables and queues. Make sure the unused services are indeed disabled in the storage account.
Storage Explorer
For all storage types available in the Storage Account:
- Check for potentially sensitive information, and whether all connected resources with access to the storage account really need access to these files.
Geo-replication
- If applicable (GDPR, AVG), make sure that no secondary locations outside the EU are chosen.
CORS
- If any CORS rules exist, make sure no wildcard origins are allowed.
Configuration
- Make sure Secure transfer required is enabled.
- Make sure public blob access is not allowed.
- Make sure the minimum TLS version is set to 1.2.
Encryption
- Make sure infrastructure encryption is enabled, using either a Microsoft-managed or a customer-managed key.
Firewalls and networks
- Do not allow access from All networks; allow access only from specific Azure networks. Note: some cases require All networks, for example when the client has AWS systems that use the same storage account as the systems in Azure do.
Blob Service / Data protection
- It is best, especially in production, if soft delete is turned on for blobs and at least for containers.
File Service / File Shares
- Especially for production environments, it is best if soft delete is enabled for all shares.
- Check whether file shares are used by VMs; make sure there is separation between acceptance and production VMs (that they do not use the same storage account).
- For shares that need it, check whether a backup policy is configured.
Public service endpoint testing
- Check which services are publicly accessible for the storage account:
- Find the URL of the storage account in the Properties menu of the Storage Account, usually of the form storageaccountrgdev8a62xxxxx.file.core.windows.net
- Resolve the address and check whether it has public IP address endpoints.
- Perform a full TCP port scan.
- If port 445 is open, check for anonymous SMB access / enumeration options.
Automation: the following lists storage accounts that still allow public blob access. The property is a boolean in the CLI output, so filter on it directly rather than comparing it to the string 'True' (which never matches). Accounts where the property is still null (never set explicitly) are not listed by this filter and should be checked separately.
az storage account list --query "[?allowBlobPublicAccess].name" -o tsv
Azure SQL Services
Azure SQL services provide a range of managed database services for different requirements, including SQL Database, SQL Managed Instance, and SQL Server on Azure VMs. Ensuring the security of these databases is critical to protect data integrity, confidentiality, and availability.
General Configuration
Security Settings:
- Advanced Threat Protection: Enable Advanced Threat Protection to monitor for potential vulnerabilities and unusual activities.
- Data Encryption: Ensure Transparent Data Encryption (TDE) is enabled to encrypt data at rest. Consider using customer-managed keys for additional control.
- Always Encrypted: Use Always Encrypted to protect sensitive data at rest and in use.
Networking
Firewall Rules and Virtual Networks:
- IP Whitelisting: Limit access to the SQL server by specifying IP ranges that can connect to the server. Use virtual network service endpoints to restrict access further.
- Private Link: Utilize Azure Private Link to connect to the SQL database over a private endpoint within your VNet, avoiding exposure to the public internet.
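As an added example (not part of the original checklist), the IP allow-listing and Private Link points above can be checked against the JSON from `az sql server show` and `az sql server firewall-rule list`. The server, the rules and the size threshold for "too wide a range" are constructed assumptions; the rule name AllowAllWindowsAzureIps is the one Azure uses for the "Allow Azure services and resources to access this server" setting.

```python
# Constructed sample; real input is the JSON from `az sql server show` and
# `az sql server firewall-rule list`.
import ipaddress

MAX_RULE_SIZE = 256   # assumption: a range wider than a /24 needs a documented business need

def rule_size(rule):
    """Number of IPv4 addresses a server-level firewall rule admits."""
    start = int(ipaddress.IPv4Address(rule["startIpAddress"]))
    end = int(ipaddress.IPv4Address(rule["endIpAddress"]))
    return end - start + 1

def sql_network_findings(server, rules):
    """Checklist failures for one logical SQL server and its firewall rules."""
    findings = []
    if server.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("public network access enabled; prefer Private Link")
    for rule in rules:
        start, end = rule["startIpAddress"], rule["endIpAddress"]
        if start == end == "0.0.0.0":
            # the special 0.0.0.0-0.0.0.0 rule is "Allow Azure services and resources
            # to access this server": any Azure-hosted client, from any tenant
            findings.append(f"{rule['name']}: allows all Azure services from any tenant")
        elif start == "0.0.0.0" and end == "255.255.255.255":
            findings.append(f"{rule['name']}: allows the entire internet")
        elif rule_size(rule) > MAX_RULE_SIZE:
            findings.append(f"{rule['name']}: {rule_size(rule)} addresses, wider than a /24")
    return findings

SAMPLE_SERVER = {"name": "sql-prod-example", "publicNetworkAccess": "Enabled"}
SAMPLE_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office-vpn", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "partner-wide", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.102.255"},
]

if __name__ == "__main__":
    for finding in sql_network_findings(SAMPLE_SERVER, SAMPLE_RULES):
        print(finding)
```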
Authentication and Access Control
Identity Management:
- Azure Active Directory Authentication: Use Azure AD for authentication to eliminate the need for database users to manage passwords.
- Role-Based Access Control (RBAC): Apply RBAC to manage database permissions according to the principle of least privilege.
- MFA for Admin Accounts: Ensure Multi-Factor Authentication (MFA) is enforced for all administrative accounts.
Monitoring and Auditing
Logging and Auditing:
- SQL Auditing: Enable SQL auditing to log database events and write them to an audit log. Store audit logs in a secure storage account.
- Log Analytics: Integrate with Azure Monitor and Log Analytics to analyze performance and security logs.
Backup and Recovery
Backup Strategies:
- Automated Backups: Ensure automated backups are enabled for point-in-time restore capabilities.
- Geo-Redundant Backups: Use geo-redundant storage for backups to protect against regional failures.
- Backup Encryption: Encrypt backups to protect data during the backup process.
Databricks
Azure Databricks is an analytics platform optimized for the Azure cloud. It supports big data processing and machine learning workloads. Security considerations for Databricks involve ensuring data protection, secure access, and network configurations.
Workspace Configuration
Access Control:
- RBAC for Workspaces: Implement RBAC to control access to Databricks workspaces, notebooks, and jobs. Use least privilege principle.
- Instance Pools: Use instance pools to manage compute resources efficiently and securely.
Networking
Network Security:
- VNet Injection: Use VNet injection to deploy Databricks in a custom VNet, providing network isolation and control over network traffic.
- Private Link: Configure Private Link to access Databricks workspaces privately, avoiding exposure to the public internet.
Data Security
Data Encryption:
- Encryption at Rest: Ensure all data stored in Databricks is encrypted at rest using Azure-managed or customer-managed keys.
- Encryption in Transit: Use TLS to encrypt data in transit between Databricks and other services.
Authentication and Access Control
Identity and Access Management:
- Azure AD Integration: Integrate Databricks with Azure AD for unified identity management and SSO.
- Token Management: Manage and rotate tokens securely, using Azure Key Vault for storing sensitive information.
Monitoring and Auditing
Logging and Monitoring:
- Audit Logs: Enable audit logging to track user activities, access patterns, and configuration changes.
- Integration with Azure Monitor: Use Azure Monitor to collect and analyze logs and metrics from Databricks.
Compliance and Governance
Policies and Compliance:
- Data Governance: Implement data governance policies to manage data access, retention, and compliance requirements.
- Compliance Certifications: Ensure that Databricks complies with relevant industry standards and certifications, such as GDPR, HIPAA, and SOC 2.
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS) is a managed Kubernetes service that simplifies deploying, managing, and scaling containerized applications using Kubernetes.
Cluster Security
Cluster Configuration:
- RBAC: Implement RBAC to control access to Kubernetes resources based on roles assigned to users and service accounts.
- Network Policies: Use network policies to restrict traffic between pods and to/from the internet.
Networking
Networking Setup:
- VNet Integration: Deploy AKS clusters within a virtual network for network isolation and control over traffic.
- Private Clusters: Create private AKS clusters to ensure that the API server endpoint is accessible only within your VNet.
Data Security
Secret Management:
- Azure Key Vault Integration: Store and manage Kubernetes secrets in Azure Key Vault for enhanced security and compliance.
- Secrets Encryption: Enable Kubernetes secrets encryption at rest.
Monitoring and Logging
Monitoring:
- Azure Monitor for Containers: Use Azure Monitor for Containers to collect and analyze metrics and logs from your AKS cluster.
- Audit Logging: Enable Kubernetes audit logs to track access and activities within the cluster.
Compliance and Best Practices
Compliance:
- CIS Benchmark Compliance: Follow the Center for Internet Security (CIS) Kubernetes Benchmark to secure your AKS clusters.
- Pod Security: Control the security context of pods so that they run with the least privilege necessary. Note that PodSecurityPolicy was removed in Kubernetes 1.25; on current clusters use Pod Security Admission (the Pod Security Standards) or Azure Policy for AKS to enforce the same restrictions.
These guidelines help ensure a robust security posture for Azure SQL services, Databricks, and AKS, protecting your cloud resources and data effectively.
Automation Accounts
Automation accounts are used to... automate things. They have a default option, local authentication, that allows logins which do not go through Entra ID. It is best practice to disable local authentication; in the resource properties this is done by setting disableLocalAuth to true, so you enable that setting in order to disable the login method.