Discover misconfigurations in Infrastructure as Code (IaC)

Once you have set up the Microsoft Security DevOps GitHub action or Azure DevOps extension, you can configure the YAML configuration file to run a single tool or multiple tools. For example, you can set up the action or extension to run Infrastructure as Code (IaC) scanning tools only. This can help reduce pipeline run time.

Prerequisites

Configure IaC scanning and view the results in GitHub

  1. Sign in to GitHub.

  2. Navigate to your repository's home page > .github/workflows > msdevopssec.yml that was created in the prerequisites.

  3. Select Edit file.


  4. Under the Run Analyzers section, add:

    with:
        categories: 'IaC'
    

    Note

    Categories are case sensitive: enter IaC exactly as shown.

  5. Select Start Commit.

  6. Select Commit changes.


  7. (Optional) Add an IaC template to your repository. Skip if you already have an IaC template in your repository.

    For example, commit an IaC template to deploy a basic Linux web application to your repository.

    1. Select azuredeploy.json.


    2. Select Raw.

    3. Copy all the information in the file.

      {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
          "webAppName": {
            "type": "string",
            "defaultValue": "AzureLinuxApp",
            "metadata": {
              "description": "Base name of the resource such as web app name and app service plan "
            },
            "minLength": 2
          },
          "sku": {
            "type": "string",
            "defaultValue": "S1",
            "metadata": {
              "description": "The SKU of App Service Plan "
            }
          },
          "linuxFxVersion": {
            "type": "string",
            "defaultValue": "php|7.4",
            "metadata": {
              "description": "The Runtime stack of current web app"
            }
          },
          "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
              "description": "Location for all resources."
            }
          }
        },
        "variables": {
          "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]",
          "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
        },
        "resources": [
          {
            "type": "Microsoft.Web/serverfarms",
            "apiVersion": "2020-06-01",
            "name": "[variables('appServicePlanName')]",
            "location": "[parameters('location')]",
            "sku": {
              "name": "[parameters('sku')]"
            },
            "kind": "linux",
            "properties": {
              "reserved": true
            }
          },
          {
            "type": "Microsoft.Web/sites",
            "apiVersion": "2020-06-01",
            "name": "[variables('webAppPortalName')]",
            "location": "[parameters('location')]",
            "kind": "app",
            "dependsOn": [
              "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
            ],
            "properties": {
              "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
              "siteConfig": {
                "linuxFxVersion": "[parameters('linuxFxVersion')]"
              }
            }
          }
        ]
      }
      
    4. On GitHub, navigate to your repository.

    5. Select Add file > Create new file.


    6. Enter a name for the file.

    7. Paste the copied information into the file.

    8. Select Commit new file.

    The file is now added to your repository.


  8. Confirm the Microsoft Security DevOps scan completed:

    1. Select Actions.
    2. Select the workflow to see the results.
  9. Navigate to Security > Code scanning alerts to view the results of the scan (filter by tool as needed to see just the IaC findings).

Configure IaC scanning and view the results in Azure DevOps

To view the results of the IaC scan in Azure DevOps:

  1. Sign in to Azure DevOps.

  2. Select the desired project.

  3. Select Pipelines.

  4. Select the pipeline where the Microsoft Security DevOps Azure DevOps Extension is configured.

  5. Select Edit to open the pipeline's YAML file.

  6. Under the Microsoft Security DevOps task, add the following lines:

    inputs:
        categories: 'IaC'
    


  7. Select Save.

  8. (Optional) Add an IaC template to your repository. Skip if you already have an IaC template in your repository.

  9. Select Save to commit directly to the main branch or Create a new branch for this commit.

  10. Select Pipelines > your pipeline, then open the latest run to view the results of the IaC scan.

  11. Select any result to see the details.
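For reference, an equivalent minimal azure-pipelines.yml for the extension, as an added example rather than anything the extension generates. The task name MicrosoftSecurityDevOps@1 and its categories input are as documented for the extension; the trigger, agent pool and UseDotNet step are assumptions.

```yaml
trigger:
- main

pool:
  vmImage: 'windows-latest'   # assumption

steps:
- task: UseDotNet@2           # assumption: .NET version the analyzers need
  displayName: 'Use dotnet'
  inputs:
    version: 6.0.x
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps (IaC only)'
  inputs:
    categories: 'IaC'         # case sensitive; omit to run every category
```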

View details and remediation information on IaC rules included with Microsoft Security DevOps

PowerShell-based rules

PowerShell-based rules are provided by the integration with PSRule for Azure. By default the tool evaluates only the rules under the Security pillar; pass the option --include-non-security-rules to evaluate the remaining pillars as well.

JSON-based rules

JSON-based rules for ARM templates and Bicep files are provided by Template Analyzer. The rules, with their severity and remediation guidance, are listed below.

Note

Severity levels are scaled from 1 to 3. Where 1 = High, 2 = Medium, 3 = Low.

TA-000001: Diagnostic logs in App Services should be enabled

Audits the enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.

Recommendation: To enable diagnostic logging, in the Microsoft.Web/sites/config resource properties, add (or update) the detailedErrorLoggingEnabled, httpLoggingEnabled, and requestTracingEnabled properties, setting their values to true.

Severity level: 2

TA-000002: Remote debugging should be turned off for API Apps

Remote debugging requires inbound ports to be opened on an API app. These ports become easy targets for compromise from various internet-based attacks. If you no longer need to use remote debugging, it should be turned off.

Recommendation: To disable remote debugging, in the Microsoft.Web/sites/config resource properties, remove the remoteDebuggingEnabled property or update its value to false.

Severity level: 3

TA-000003: FTPS only should be required in your API App

Require FTPS for deployments: plain FTP sends credentials and content in cleartext.

Recommendation: To enforce FTPS, in the Microsoft.Web/sites/config resource properties, add (or update) the ftpsState property, setting its value to "FtpsOnly", or to "Disabled" if you don't need FTP or FTPS deployment at all.

Severity level: 1

TA-000004: API App Should Only Be Accessible Over HTTPS

API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

Recommendation: To use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks, in the Microsoft.Web/Sites resource properties, add (or update) the httpsOnly property, setting its value to true.

Severity level: 2

TA-000005: Latest TLS version should be used in your API App

API apps should require the latest TLS version.

Recommendation: To enforce the latest TLS version in the Microsoft.Web/sites/config resource properties, add (or update) the minTlsVersion property, setting its value to 1.2.

Severity level: 1

TA-000006: CORS should not allow every resource to access your API App

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.

Recommendation: To allow only required domains to interact with your API app, in the Microsoft.Web/sites/config resource cors settings object, add (or update) the allowedOrigins property, setting its value to an array of allowed origins. Ensure it is not set to "*" (an asterisk allows all origins).

Severity level: 3

TA-000007: Managed identity should be used in your API App

For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to manage credentials: the resource receives an identity in Azure Active Directory (Azure AD) and uses it to obtain Azure AD tokens.

Recommendation: To use a managed identity, in the Microsoft.Web/sites resource's identity object, add (or update) the type property, setting its value to "SystemAssigned" or "UserAssigned" (for a user-assigned identity, also list the identity resource IDs under userAssignedIdentities).

Severity level: 2

TA-000008: Remote debugging should be turned off for Function Apps

Remote debugging requires inbound ports to be opened on a function app. These ports become easy targets for compromise from various internet-based attacks. If you no longer need to use remote debugging, it should be turned off.

Recommendation: To disable remote debugging, in the Microsoft.Web/sites/config resource properties, remove the remoteDebuggingEnabled property or update its value to false.

Severity level: 3

TA-000009: FTPS only should be required in your Function App

Require FTPS for deployments: plain FTP sends credentials and content in cleartext.

Recommendation: To enforce FTPS, in the Microsoft.Web/sites/config resource properties, add (or update) the ftpsState property, setting its value to "FtpsOnly", or to "Disabled" if you don't need FTP or FTPS deployment at all.

Severity level: 1

TA-000010: Function App Should Only Be Accessible Over HTTPS

Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

Recommendation: To use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks, in the Microsoft.Web/Sites resource properties, add (or update) the httpsOnly property, setting its value to true.

Severity level: 2

TA-000011: Latest TLS version should be used in your Function App

Function apps should require the latest TLS version.

Recommendation: To enforce the latest TLS version, in the Microsoft.Web/sites/config resource properties, add (or update) the minTlsVersion property, setting its value to 1.2.

Severity level: 1

TA-000012: CORS should not allow every resource to access your Function Apps

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your function app. Allow only required domains to interact with your function app.

Recommendation: To allow only required domains to interact with your function app, in the Microsoft.Web/sites/config resource cors settings object, add (or update) the allowedOrigins property, setting its value to an array of allowed origins. Ensure it is not set to "*" (an asterisk allows all origins).

Severity level: 3

TA-000013: Managed identity should be used in your Function App

For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to manage credentials: the resource receives an identity in Azure Active Directory (Azure AD) and uses it to obtain Azure AD tokens.

Recommendation: To use a managed identity, in the Microsoft.Web/sites resource's identity object, add (or update) the type property, setting its value to "SystemAssigned" or "UserAssigned" (for a user-assigned identity, also list the identity resource IDs under userAssignedIdentities).

Severity level: 2

TA-000014: Remote debugging should be turned off for Web Applications

Remote debugging requires inbound ports to be opened on a web application. These ports become easy targets for compromise from various internet-based attacks. If you no longer need to use remote debugging, it should be turned off.

Recommendation: To disable remote debugging, in the Microsoft.Web/sites/config resource properties, remove the remoteDebuggingEnabled property or update its value to false.

Severity level: 3

TA-000015: FTPS only should be required in your Web App

Require FTPS for deployments: plain FTP sends credentials and content in cleartext.

Recommendation: To enforce FTPS, in the Microsoft.Web/sites/config resource properties, add (or update) the ftpsState property, setting its value to "FtpsOnly", or to "Disabled" if you don't need FTP or FTPS deployment at all.

Severity level: 1

TA-000016: Web Application Should Only Be Accessible Over HTTPS

Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

Recommendation: To use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks, in the Microsoft.Web/Sites resource properties, add (or update) the httpsOnly property, setting its value to true.

Severity level: 2

TA-000017: Latest TLS version should be used in your Web App

Web apps should require the latest TLS version.

Recommendation: To enforce the latest TLS version, in the Microsoft.Web/sites/config resource properties, add (or update) the minTlsVersion property, setting its value to 1.2.

Severity level: 1

TA-000018: CORS should not allow every resource to access your Web Applications

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Web application. Allow only required domains to interact with your web app.

Recommendation: To allow only required domains to interact with your web app, in the Microsoft.Web/sites/config resource cors settings object, add (or update) the allowedOrigins property, setting its value to an array of allowed origins. Ensure it is not set to "*" (an asterisk allows all origins).

Severity level: 3

TA-000019: Managed identity should be used in your Web App

For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to manage credentials: the resource receives an identity in Azure Active Directory (Azure AD) and uses it to obtain Azure AD tokens.

Recommendation: To use a managed identity, in the Microsoft.Web/sites resource's identity object, add (or update) the type property, setting its value to "SystemAssigned" or "UserAssigned" (for a user-assigned identity, also list the identity resource IDs under userAssignedIdentities).

Severity level: 2
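The remediations for TA-000014 to TA-000019 all come down to a handful of properties on Microsoft.Web/sites and its config child resource, and the tutorial's sample azuredeploy.json sets none of them. The following is an added example, not Template Analyzer or PSRule code: a small local pre-check in Python that evaluates those properties over a constructed weak template and its hardened counterpart, so the weak settings can be read beside the corrected ones before the pipeline runs. The two templates, the predicates and the policy of treating an absent property as a finding are this example's assumptions; Template Analyzer's own rule logic may treat absent properties differently.

```python
"""Added example (not Template Analyzer or PSRule code): a local pre-check that
mirrors the Microsoft.Web/sites property checks behind TA-000014 to TA-000019.
Severity follows the page's scale: 1 = High, 2 = Medium, 3 = Low. An absent
hardening property is reported as a finding here, which is stricter than
trusting service defaults; Template Analyzer's own handling may differ."""
import json

# Constructed templates, not the tutorial's azuredeploy.json. The weak one adds
# two settings the tutorial template omits so that every rule has a trigger.
PLAN = {"type": "Microsoft.Web/serverfarms", "apiVersion": "2020-06-01",
        "name": "plan", "kind": "linux", "sku": {"name": "S1"},
        "properties": {"reserved": True}}

WEAK = {"contentVersion": "1.0.0.0", "resources": [PLAN, {
    "type": "Microsoft.Web/sites", "apiVersion": "2020-06-01",
    "name": "weak-webapp", "kind": "app",
    "properties": {"serverFarmId": "plan", "siteConfig": {
        "linuxFxVersion": "php|7.4",
        "remoteDebuggingEnabled": True,            # TA-000014
        "cors": {"allowedOrigins": ["*"]}}}}]}     # TA-000018

HARDENED = {"contentVersion": "1.0.0.0", "resources": [PLAN, {
    "type": "Microsoft.Web/sites", "apiVersion": "2020-06-01",
    "name": "hardened-webapp", "kind": "app",
    "identity": {"type": "SystemAssigned"},        # TA-000019
    "properties": {"serverFarmId": "plan",
                   "httpsOnly": True,              # TA-000016
                   "siteConfig": {"linuxFxVersion": "php|7.4"}},
    # Remaining settings live in a nested Microsoft.Web/sites/config child
    # resource, the resource the TA recommendations refer to.
    "resources": [{"type": "config", "apiVersion": "2020-06-01", "name": "web",
                   "properties": {"remoteDebuggingEnabled": False,  # TA-000014
                                  "ftpsState": "FtpsOnly",          # TA-000015
                                  "minTlsVersion": "1.2",           # TA-000017
                                  "cors": {"allowedOrigins":        # TA-000018
                                           ["https://app.contoso.example"]}}}]}]}

def site_config(site, template):
    """Merge inline siteConfig with config child resources, nested under the
    site or declared at top level as '<site name>/web'. Only literal names are
    matched; ARM expressions such as [variables(...)] are not evaluated."""
    cfg = dict(site.get("properties", {}).get("siteConfig", {}))
    children = [r for r in site.get("resources", [])
                if r.get("type", "").lower() in ("config", "microsoft.web/sites/config")]
    children += [r for r in template.get("resources", [])
                 if r.get("type", "").lower() == "microsoft.web/sites/config"
                 and r.get("name", "").startswith(site.get("name", "") + "/")]
    for child in children:
        cfg.update(child.get("properties", {}))
    return cfg

def tls_too_low(value):
    """True when minTlsVersion is absent, unparseable or below 1.2."""
    try:
        return float(value) < 1.2
    except (TypeError, ValueError):
        return True

# (rule id, severity, message, predicate that is True when non-compliant)
RULES = [
    ("TA-000014", 3, "Remote debugging should be turned off",
     lambda site, cfg: cfg.get("remoteDebuggingEnabled") is True),
    ("TA-000015", 1, "FTPS only should be required",
     lambda site, cfg: cfg.get("ftpsState") not in ("FtpsOnly", "Disabled")),
    ("TA-000016", 2, "Should only be accessible over HTTPS",
     lambda site, cfg: site.get("properties", {}).get("httpsOnly") is not True),
    ("TA-000017", 1, "Latest TLS version should be used",
     lambda site, cfg: tls_too_low(cfg.get("minTlsVersion"))),
    ("TA-000018", 3, "CORS should not allow every origin",
     lambda site, cfg: "*" in ((cfg.get("cors") or {}).get("allowedOrigins") or [])),
    ("TA-000019", 2, "Managed identity should be used",
     lambda site, cfg: site.get("identity", {}).get("type", "None") == "None"),
]

def analyze(template):
    """Findings for every Microsoft.Web/sites resource, highest severity first."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.web/sites":
            continue
        cfg = site_config(res, template)
        for rule_id, severity, message, failed in RULES:
            if failed(res, cfg):
                findings.append({"rule": rule_id, "severity": severity,
                                 "resource": res.get("name"), "message": message})
    return sorted(findings, key=lambda f: (f["severity"], f["rule"]))

def analyze_file(path):
    """Run the same check over a template on disk (e.g. azuredeploy.json)."""
    with open(path, encoding="utf-8") as fh:
        return analyze(json.load(fh))

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK), ("hardened", HARDENED)):
        found = analyze(tpl)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f['severity']}] {f['rule']} {f['resource']}: {f['message']}")
```

Run it as-is to print the findings for both templates, or call analyze_file('azuredeploy.json') on the tutorial's template, where the HTTPS, FTPS, TLS and managed identity predicates fire because it sets none of those properties. Names in real templates are usually ARM expressions, so the top-level '<site>/web' matching only works for literal names; nested child resources are matched regardless, which is one reason to prefer the nested form when hardening by hand.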

TA-000020: Audit usage of custom RBAC roles

Use built-in roles such as Owner, Contributor and Reader instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.

Recommendation: Use built-in roles such as Owner, Contributor and Reader instead of custom RBAC roles.

Severity level: 3

TA-000021: Automation account variables should be encrypted

It is important to enable encryption of Automation account variable assets when storing sensitive data. Encryption can only be set when the variable is created: if you have Automation account variables that store sensitive data and are not already encrypted, delete them and recreate them as encrypted variables. To apply encryption to an Automation account variable asset with Azure PowerShell, run:

    Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'

Recommendation: Enable encryption of Automation account variable assets

Severity level: 1

TA-000022: Only secure connections to your Azure Cache for Redis should be enabled

Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.

Recommendation: To enable only connections via SSL to Redis Cache, in the Microsoft.Cache/Redis resource properties, update the value of the enableNonSslPort property from true to false or remove the property from the template as the default value is false.

Severity level: 1

TA-000023: Authorized IP ranges should be defined on Kubernetes Services

Restrict access to the Kubernetes Service management API server so that only applications from allowed networks, machines or subnets can reach the cluster. Limiting access to authorized IP ranges is the recommended way to do this.

Recommendation: Restrict access by defining authorized IP ranges or set up your API servers as private clusters

Severity level: 1

TA-000024: Role-Based Access Control (RBAC) should be used on Kubernetes Services

To provide granular filtering of the actions users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service clusters and configure the relevant authorization policies. RBAC can only be enabled when the cluster is created, so an existing cluster without RBAC must be recreated with RBAC enabled.

Recommendation: Enable RBAC in Kubernetes clusters

Severity level: 1

TA-000025: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version

Upgrade your Kubernetes Service cluster to a later Kubernetes version to protect against known vulnerabilities in your current version. For example, CVE-2019-9946 was patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+ and 1.14.0+; running an older version leaves the cluster exposed to issues that have already been fixed upstream.

Recommendation: To upgrade Kubernetes Service clusters, in the Microsoft.ContainerService/managedClusters resource properties, update the kubernetesVersion property to a patched release, specifying the full version (for example 1.14.0 rather than 1.14). The versions listed above are only the minimum fixes for that CVE; AKS accepts only versions it currently supports, so choose the latest supported release rather than the minimum.

Severity level: 1

TA-000026: Service Fabric clusters should only use Azure Active Directory for client authentication

Service Fabric clusters should only use Azure Active Directory for client authentication. A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer, Visual Studio and PowerShell. Access to the cluster must be controlled using AAD.

Recommendation: Enable AAD client authentication on your Service Fabric clusters

Severity level: 1

TA-000027: Transparent Data Encryption on SQL databases should be enabled

Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements.

Recommendation: To enable transparent data encryption, in the Microsoft.Sql/servers/databases/transparentDataEncryption resource properties, add (or update) the state property, setting its value to "Enabled".

Severity level: 3

TA-000028: SQL servers with auditing to storage account destination should be configured with 90 days retention or higher

Set the data retention for your SQL Server's auditing to storage account destination to at least 90 days.

Recommendation: For incident investigation purposes, set the data retention for your SQL Server's auditing to storage account destination to at least 90 days: in the Microsoft.Sql/servers/auditingSettings resource properties, set the retentionDays property to 90 or higher (a value of 0 means the logs are retained indefinitely). Confirm that you meet the retention rules for the regions in which you operate; a longer period is sometimes required for compliance with regulatory standards.

Severity level: 3

TA-000029: Azure API Management APIs should use encrypted protocols only

Set the protocols property to only include HTTPS.

Recommendation: To use encrypted protocols only, add (or update) the protocols property in the Microsoft.ApiManagement/service/apis resource properties, to only include HTTPS. Allowing any additional protocols (for example, HTTP, WS) is insecure.

Severity level: 1

Learn more

In this tutorial you learned how to configure the Microsoft Security DevOps GitHub Action and Azure DevOps Extension to scan for Infrastructure as Code (IaC) security misconfigurations and how to view the results.

Next steps

Learn more about Defender for DevOps.

Learn how to connect your GitHub to Defender for Cloud.

Learn how to connect your Azure DevOps to Defender for Cloud.