Merge pull request #289 from turbot/release/v1.1.0

Release/v1.1.0

CHANGELOG.md

@@ -1,3 +1,9 @@
+## v1.1.0 [2024-10-30]
+
+_What's new?_
+
+- Added CIS v3.0.0 benchmark (`powerpipe benchmark run azure_compliance.benchmark.cis_v300`). ([#282](https://github.com/turbot/steampipe-mod-azure-compliance/pull/282))
+
 ## v1.0.1 [2024-10-24]
 
 _Bug fixes_

README.md

@@ -1,8 +1,6 @@
 # Azure Compliance Mod for Powerpipe
 
-200+ checks covering industry defined security best practices for Azure. Includes full support for `CIS v1.3`,`CIS v1.4`,`CIS v1.5`,`CIS v2.0`,`CIS v2.1`,`HIPAA HITRUST 9.2`,`NIST SP 800-53`,` NIST SP 800-171` and `PCI DSS v3.2.1` compliance benchmarks across all your Azure subscriptions.
-
-**Includes full support for the CIS v1.3 Azure Benchmarks**.
+200+ checks covering industry defined security best practices for Azure. Includes full support for `CIS v1.3`,`CIS v1.4`,`CIS v1.5`,`CIS v2.0`,`CIS v2.1`,`CIS v3.0`,`HIPAA HITRUST 9.2`,`NIST SP 800-53`,` NIST SP 800-171` and `PCI DSS v3.2.1` compliance benchmarks across all your Azure subscriptions.
 
 Run checks in a dashboard:
 ![image](https://raw.githubusercontent.com/turbot/steampipe-mod-azure-compliance/main/docs/azure_compliance_dashboard.png)
@@ -75,7 +73,7 @@ powerpipe benchmark list
 Run a benchmark:
 
 ```sh
-powerpipe benchmark run azure_compliance.benchmark.cis_v200
+powerpipe benchmark run azure_compliance.benchmark.cis_v300
 ```
 
 Different output formats are also available, for more information please see
@@ -95,15 +93,15 @@ vi powerpipe.ppvars
 Alternatively you can pass variables on the command line:
 
 ```sh
-powerpipe benchmark run azure_compliance.benchmark.cis_v200 --var 'tag_dimensions=["Environment", "Owner"]'
+powerpipe benchmark run azure_compliance.benchmark.cis_v300 --var 'tag_dimensions=["Environment", "Owner"]'
 ```
 
 Or through environment variables:
 
 ```sh
 export PP_VAR_common_dimensions='["subscription_id", "connection_name", "resource_group"]'
 export PP_VAR_tag_dimensions='["Environment", "Owner"]'
-powerpipe benchmark run azure_compliance.benchmark.cis_v200
+powerpipe benchmark run azure_compliance.benchmark.cis_v300
 ```
 
 ## Open Source & Contributing

all_controls/compute.pp

@@ -11,6 +11,8 @@
     control.arc_compute_machine_linux_log_analytics_agent_installed,
     control.arc_compute_machine_windows_log_analytics_agent_installed,
     control.compute_disk_access_uses_private_link,
+    control.compute_disk_data_access_auth_mode_enabled,
+    control.compute_disk_public_access_disabled,
     control.compute_disk_unattached_encrypted_with_cmk,
     control.compute_os_and_data_disk_encrypted_with_cmk,
     control.compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed,
@@ -47,8 +49,8 @@
     control.compute_vm_scale_set_boot_diagnostics_enabled,
     control.compute_vm_scale_set_log_analytics_agent_installed,
     control.compute_vm_scale_set_logging_enabled,
-    control.compute_vm_scale_set_uses_managed_disks,
     control.compute_vm_scale_set_ssh_key_authentication_linux,
+    control.compute_vm_scale_set_uses_managed_disks,
     control.compute_vm_secure_communication_protocols_configured,
     control.compute_vm_ssh_key_authentication_linux,
     control.compute_vm_system_updates_installed,

cis_v300/cis.pp

@@ -0,0 +1,28 @@
+locals {
+  cis_v300_common_tags = merge(local.azure_compliance_common_tags, {
+    cis         = "true"
+    cis_version = "v3.0.0"
+  })
+}
+
+benchmark "cis_v300" {
+  title         = "CIS v3.0.0"
+  description   = "The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure."
+  documentation = file("./cis_v300/docs/cis_overview.md")
+
+  children = [
+    benchmark.cis_v300_2,
+    benchmark.cis_v300_3,
+    benchmark.cis_v300_4,
+    benchmark.cis_v300_5,
+    benchmark.cis_v300_6,
+    benchmark.cis_v300_7,
+    benchmark.cis_v300_8,
+    benchmark.cis_v300_9,
+    benchmark.cis_v300_10
+  ]
+
+  tags = merge(local.cis_v300_common_tags, {
+    type = "Benchmark"
+  })
+}

cis_v300/docs/cis_overview.md

@@ -0,0 +1,22 @@
+To obtain the latest version of the official guide, please visit http://benchmarks.cisecurity.org.
+
+## Overview
+
+The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
+
+## Profiles
+
+### Level 1
+
+Items in this profile intend to:
+- be practical and prudent;
+- provide security focused best practice hardening of a technology; and
+- limit impact to the utility of the technology beyond acceptable means.
+
+### Level 2
+
+This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:
+- are intended for environments or use cases where security is more critical than manageability and usability
+- acts as defense in depth measure
+- may impact the utility or performance of the technology
+- may include additional licensing, cost, or addition of third party software.

cis_v300/docs/cis_v300_10.md

@@ -0,0 +1,3 @@
+## Overview
+
+This section covers security recommendations for Miscellaneous.

cis_v300/docs/cis_v300_10_1.md

@@ -0,0 +1,37 @@
+## Description
+
+Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion.
+
+As an administrator, it may be necessary to lock a subscription, resource group, or resource to prevent other users in the organization from accidentally deleting or modifying critical resources. The lock level can be set to to `CanNotDelete` or `ReadOnly` to achieve this purpose.
+
+- `CanNotDelete` means authorized users can still read and modify a resource, but they cannot delete the resource.
+
+- `ReadOnly` means authorized users can read a resource, but they cannot delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
+
+## Remediation
+
+### From Azure Portal
+
+1. Navigate to the specific Azure Resource or Resource Group.
+2. For each mission critical resource, click on `Locks`.
+3. Click `Add`.
+4. Give the lock a name and a description, then select the type, `Read-only` or `Delete` as appropriate.
+5. Click OK.
+
+### From Azure CLI
+
+To lock a resource, provide the name of the resource, its resource type, and its resource group name.
+
+```bash
+az lock create --name <LockName> --lock-type <CanNotDelete/Read-only> --resource-group <resourceGroupName> --resource-name <resourceName> --resource-type <resourceType>
+```
+
+### From Powershell
+
+```bash
+Get-AzResourceLock -ResourceName <Resource Name> -ResourceType <Resource Type> -ResourceGroupName <Resource Group Name> -Locktype <CanNotDelete/Read-only>
+```
+
+### Default Value
+
+By default, no locks are set.

cis_v300/docs/cis_v300_2.md

@@ -0,0 +1,9 @@
+## Overview
+
+This section covers security best practice recommendations for products in the Azure Identity services category.
+
+Azure Product Category Page: https://azure.microsoft.com/en-us/products/category/identity
+
+Many of the recommendations from this section are marked as "Manual" while the existing Azure CLI and Azure AD PowerShell support through the Azure AD Graph are being deprecated. It is now recommended to use the new Microsoft Graph PowerShell in replacement of Azure AD Graph for PowerShell and API level access. From a security posture standpoint, these recommendations are still very important and should not be discounted because they are "Manual." As automation capability is developed for this Benchmark, the related recommendations will be updated with the respective audit and remediation steps and changed to an "automated" assessment status.
+
+If any problems are encountered running Azure CLI or PowerShell methodologies, please refer to the Introduction section of this Benchmark where you will find additional detail on permission and required cmdlets.

cis_v300/docs/cis_v300_2_1.md

@@ -0,0 +1,5 @@
+## Overview
+
+**IMPORTANT:** The Azure "Security Defaults" recommendations represent an entry-level set of recommendations (such as Multi-Factor Authentication) which will be relevant to organizations and tenants that are either just starting to use Azure, or are only utilizing a bare minimum feature set, and rely on the free license tier of Microsoft Entra ID. Security Defaults recommendations are intended to ensure that these use cases are still capable of establishing a strong baseline of secure configuration.
+
+**If your subscription is licensed to use Microsoft Entra ID P1 or P2, it is strongly recommended that the "Security Defaults" section (this section and the recommendations therein) be bypassed in favor of the use of "Conditional Access."**

cis_v300/docs/cis_v300_2_10.md

@@ -0,0 +1,21 @@
+## Description
+
+Ensure that users are notified on their primary and alternate emails on password resets.
+
+User notification on password reset is a proactive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.
+
+## Remediation
+
+### From Azure Portal
+
+1. From Azure Home select the Portal Menu.
+2. Select `Microsoft Entra ID`.
+3. Under `Manage`, select `Users`.
+4. Under `Manage`, select `Password reset`.
+5. Under `Manage`, select `Notifications`.
+6. Set `Notify users on password resets?` to `Yes`.
+7. Click `Save`.
+
+### Default Value
+
+By default, `Notify users on password resets?` is set to "Yes".

cis_v300/docs/cis_v300_2_11.md

@@ -0,0 +1,21 @@
+## Description
+
+Ensure that all Global Administrators are notified if any other administrator resets their password.
+
+Administrator accounts are sensitive. Any password reset activity notification, when sent to all Administrators, ensures that all Global Administrators can passively confirm if such a reset is a common pattern within their group. For example, if all Administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin.
+
+## Remediation
+
+### From Azure Portal
+
+1. From Azure Home select the Portal Menu.
+2. Select `Microsoft Entra ID`.
+3. Under `Manage`, select `Users`.
+4. Under `Manage`, select `Password reset`.
+5. Under `Manage`, select `Notifications`.
+6. Set `Notify all admins when other admins reset their password?` to `Yes`.
+7. Click `Save`.
+
+### Default Value
+
+By default, `Notify all admins when other admins reset their password?` is set to "No".

cis_v300/docs/cis_v300_2_12.md

@@ -0,0 +1,21 @@
+## Description
+
+Require administrators to provide consent for applications before use.
+
+If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.
+
+## Remediation
+
+### From Azure Portal
+
+1. From Azure Home select the Portal Menu.
+2. Select `Microsoft Entra ID`.
+3. Under `Manage`, select `Enterprise applications`.
+4. Under `Security`, select `Consent and permissions`.
+5. Under `Manage`, select `User consent settings`.
+6. Set `User consent for applications` to `Do not allow user consent`.
+7. Click `Save`.
+
+### Default Value
+
+By default, `Users consent for applications` is set to `Allow user consent for apps`.

cis_v300/docs/cis_v300_2_13.md

@@ -0,0 +1,21 @@
+## Description
+
+Allow users to provide consent for selected permissions when a request is coming from a verified publisher.
+
+If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.
+
+## Remediation
+
+### From Azure Portal
+
+1. From Azure Home select the Portal Menu.
+2. Select `Microsoft Entra ID`.
+3. Under `Manage`, select `Enterprise applications`.
+4. Under `Security`, select `Consent and permissions`.
+5. Under `Manage`, select `User consent settings`.
+6. Under `User consent for applications`, select `Allow user consent for apps from verified publishers, for selected permissions`.
+7. Click `Save`.
+
+### Default Value
+
+By default, `User consent for applications` is set to `Allow user consent for apps`.

cis_v300/docs/cis_v300_2_14.md

@@ -0,0 +1,27 @@
+## Description
+
+Require administrators or appropriately delegated users to register third-party applications.
+
+It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Microsoft Entra ID data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.
+
+## Remediation
+
+### From Azure Portal
+
+1. From Azure Home select the Portal Menu.
+2. Select `Microsoft Entra ID`.
+3. Under `Manage`, select `Users`.
+4. Under `Manage`, select `User settings`.
+5. Set `Users can register applications` to `No`.
+6. Click `Save`.
+
+### From PowerShell
+
+```bash
+$param = @{ AllowedToCreateApps = "$false" }
+Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param
+```
+
+### Default Value
+
+By default, `Users can register applications` is set to "Yes".

cis_v300/docs/cis_v300_2_15.md

@@ -0,0 +1,42 @@
+## Description
+
+Limit guest user permissions.
+
+Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction.
+
+1. Guest users have the same access as members (most inclusive),
+2. Guest users have limited access to properties and memberships of directory objects (default value),
+3. Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).
+
+The recommended option is the 3rd, most restrictive: "Guest user access is restricted to their own directory object".
+
+## Remediation
+
+### From Azure Portal
+
+1. From Azure Home select the Portal Menu.
+2. Select `Microsoft Entra ID`.
+3. Under `Manage`, select `External Identities`.
+4. Select `External collaboration settings`.
+5. Under `Guest user access`, set `Guest user access restrictions` to `Guest user access is restricted to properties and memberships of their own directory objects`.
+6. Click `Save`.
+
+### From PowerShell
+
+1. Enter the following to update the policy ID:
+
+```bash
+Update-MgPolicyAuthorizationPolicy -GuestUserRoleId "2af84b1e-32c8-42b7-82bc-daa82404023b"
+```
+
+2. Check the GuestUserRoleId again:
+
+```bash
+(Get-MgPolicyAuthorizationPolicy).GuestUserRoleId
+```
+
+3. Ensure that the GuestUserRoleId is equal to the earlier entered value of `2af84b1e-32c8-42b7-82bc-daa82404023b`.
+
+### Default Value
+
+By default, `Guest user access restrictions` is set to `Guest users have limited access to properties and memberships of directory objects`.

cis_v300/docs/cis_v300_2_16.md

@@ -0,0 +1,31 @@
+## Description
+
+Restrict invitations to users with specific administrative roles only.
+
+Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain "Need to Know" permissions and prevents inadvertent access to data.
+
+By default the setting `Guest invite restrictions` is set to `Anyone in the organization can invite guest users including guests and non-admins`. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.
+
+## Remediation
+
+### From Azure Portal
+
+1. From Azure Home select the Portal Menu.
+2. Select `Microsoft Entra ID`.
+3. Under `Manage`, select `External Identities`.
+4. Select `External collaboration settings`.
+5. Under `Guest invite settings`, set `Guest invite restrictions`, to `Only users assigned to specific admin roles can invite guest users`.
+6. Click `Save`.
+
+### From Powershell
+
+Enter the following:
+
+```bash
+Connect-MgGraph
+Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "adminsAndGuestInviters"
+```
+
+### Default Value
+
+By default, `Guest invite restrictions` is set to `Anyone in the organization can invite guest users including guests and non-admins`.

cis_v300/docs/cis_v300_2_17.md

@@ -0,0 +1,22 @@
+## Description
+
+Restrict access to the Microsoft Entra ID administration center to administrators only.
+
+**NOTE**: This only affects access to the Entra ID administrator's web portal. This setting does not prohibit privileged users from using other methods such as Rest API or Powershell to obtain sensitive information from Microsoft Entra ID.
+
+The Microsoft Entra ID administrative center has sensitive data and permission settings. All non-administrators should be prohibited from accessing any Microsoft Entra ID data in the administration center to avoid exposure.
+
+## Remediation
+
+### From Azure Portal
+
+1. From Azure Home select the Portal Menu.
+2. Select `Microsoft Entra ID`.
+3. Under `Manage`, select `Users`.
+4. Under `Manage`, select `User settings`.
+5. Under `Administration centre`, set `Restrict access to Microsoft Entra admin center` to `Yes`.
+6. Click `Save`.
+
+### Default Value
+
+By default, `Restrict access to Microsoft Entra admin center` is set to `No`.