AzSK — Secure DevOps Kit for Azure, is a group of settings and scripts to analyze and improve the security of your Azure environments. It looks at six areas: Subscription Security, Security Verification Tests and IntelliSense, CI/CD Build/Release Extensions, Continuous Assurance Runbooks, OMS Solutions, and Cloud Risk Governance. In this article, I will focus on how to use AzSk to improve the security of your subscriptions.
To use AzSK, you first need a machine provisioned with Windows and PowerShell ISE, which you can download here if you do not already have it available. In the open PowerShell ISE window, verify the version of PowerShell. (It needs to be 5.0 or higher.) To perform a check, run this command:
Now, with the machine ready to install AzSK, run the command below to install it for your user:
> Install-Module AzSK -Scope CurrentUser
If you do not have NuGetProvider and PSGallery installed, the script will recommend it to you automatically. You will just need to Accept to move on. Once the installation is finished, a window will open with a sign-in form into Azure, complete with your credentials and confirmation of login. That’s it — AzSK is correctly installed and ready to use.
Checking the status of the subscription
Go to portal.azure.com, find “Subscriptions” and copy the subscription ID that will be used to analyze security levels. Then, in PowerShell ISE, type the command to start the check:
> Get-AzSKSubscriptionSecurityStatus -SubscriptionId ID_OF_SUBSCRIPTION
Agree with the privacy terms to continue. The process could take a while depending on your subscription’s size. When it’s finished, a log file will be created in the directory: C:\Users\IEUser\AppData\Local\Microsoft\AzSKLogs\Sub_VisualStudioEnterpriseBizSpark\TIMESTAMP_GSS. The name of the file is SecurityReport-TIMESTAMP.csv. This log contains found issues’ statuses, severity, descriptions, and recommendations.
In the PowerShell log, we can see the verifications and the total Passed and Failed results.
Fixing security issues
Azure Security Center (ASC) must be correctly configured for the subscription
One of the recommendations listed in the CSV file suggests configuring the Azure Security Center (ASC). The Azure Security Center offers security management with the ability to create and apply security policies.
To set up the Azure Security Center, provide your contact data (email and phone number) by including it in the command below. In the email field, you can use a comma to separate email addresses.
> Set-AzSKAzureSecurityCenterPolicies -SubscriptionId ID_OF_SUBSCRIPTION -SecurityContactEmails 'firstname.lastname@example.org' -SecurityPhoneNumber '+1234567890'
In Azure Portal, access Subscriptions > ID_OF_SUBSCRIPTION > Policies and check that ASC Default policy is enabled.
Alerts must be configured for critical actions on subscriptions and resources
Another suggested recommendation is to enable action alerts on the subscription’s security. To set up alerts, run the command below, and include the email address that will receive the notifications.
> Set-AzSKAlerts -SubscriptionId ID_OF_SUBSCRIPTION -SecurityContactEmails ‘email@example.com’
You will then receive an email confirming that the subscription was added to an Azure Monitor action group.
Verify the list of public IP addresses on your subscription
The removal of unused IP public addresses is also strongly recommended. Run the command below to list all of your public IPs.
The IP addresses ready to be removed have a “Not Assigned” label in the IP number column. But this status does not reflect the association with the network interface. If the IP address was associated with the network interface, it will be shown as “Not Assigned,” but deletion of the IP address will not be allowed until you disassociate it.
> Remove-AzureRmPublicIpAddress -Name NAME_OF_IP -ResourceGroupName NAME_OF_RESOURCE_GROUP
To remove an IP address, run the command above, filling the name of the IP address and the resource group. It will show a confirmation prompt, asking if you are sure you want to delete the public IP. Be alert, because this operation cannot be undone.
The effort to apply these security recommendations is worth it to help ensure a secure and healthy environment. What you choose to do with the recommendations is up to you, but with the critical importance of good security, the maximum you can do is considered a good start — so take advantage of the six areas offered by AzSK to help secure your subscriptions.