diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-228.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-228.adoc
new file mode 100644
index 000000000..bc3221321
--- /dev/null
+++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-228.adoc
@@ -0,0 +1,53 @@
+== Azure Virtual machine configured with public IP and serial console access
+// Ensure Azure VM is not configured with public IP and serial console access
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| 07ab86da-6972-48f9-abf2-3a8ceb74d524
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml[CKV_AZURE_228]
+
+|Severity
+|LOW
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform, Terraform Plan
+
+|===
+
+=== Description
+
+This policy identifies Azure Virtual machines with public IP configured with serial console access (via Boot diagnostic setting).
+
+The Microsoft Azure serial console feature provides access to a text-based console for virtual machines (VMs) running either Linux or Windows. Serial Console connects to the ttyS0 or COM1 serial port of the VM instance, providing access independent of the network or operating system state. Attacker can leverage public IP assigned Serial console enabled virtual machine for remote code execution and privilege escalation. It is recommended to restrict public access to the reported virtual machine and disable/restrict serial console access.
+
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* azurerm_network_interface, azurerm_linux_virtual_machine, azurerm_windows_virtual_machine, azurerm_virtual_machine
+* *Arguments:* ip_configuration.public_ip_address_id
+
+[source,go]
+----
+resource "azurerm_network_interface" "example" {
+ name = "example-nic"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ # ... other configurations ...
+
++ ip_configuration {
++ public_ip_address_id = azurerm_public_ip.example.id
++ }
+}
+----
diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-229.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-229.adoc
new file mode 100644
index 000000000..ab46610cb
--- /dev/null
+++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-229.adoc
@@ -0,0 +1,50 @@
+== Azure Storage account configured with Shared Key authorization
+// Ensure storage account is configured with Shared Key authorization
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| f5c4ddc4-52fc-4c52-9a60-5c40b845a683
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml[CKV_AZURE_229]
+
+|Severity
+|LOW
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform, Terraform Plan
+
+|===
+
+=== Description
+
+Azure Storage accounts provide secure and highly scalable cloud data storage. Shared Key authorization is one of the methods to authenticate requests to the Azure Storage services. With Shared Key authorization, every request to a service must be signed using the account's access key.
+
+This policy ensures that the Azure Storage account is not configured with Shared Key authorization. It checks for the presence of the `shared_access_key_enabled` attribute in the `azurerm_storage_account` resource and verifies that it's either nonexistent or set to `false`.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* azurerm_storage_account
+* *Arguments:* shared_access_key_enabled
+
+[source,go]
+----
+resource "azurerm_storage_account" "example" {
+ name = "examplestoracc"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+
+ # ... other configurations ...
+
++ shared_access_key_enabled = false
+}
+----
diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-230.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-230.adoc
new file mode 100644
index 000000000..6e7a21076
--- /dev/null
+++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-230.adoc
@@ -0,0 +1,52 @@
+== Azure Storage account not configured with SAS expiration policy
+// Ensure storage account is configured with SAS expiration policy
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| 8527f09d-effd-40b7-a897-14dc1558270a
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml[CKV_AZURE_230]
+
+|Severity
+|LOW
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform, Terraform Plan
+
+|===
+
+=== Description
+
+Azure Storage accounts offer robust cloud data storage solutions. A Shared Access Signature (SAS) provides delegated access to resources in the storage account. It's essential to ensure that SAS tokens have an expiration policy set to minimize the risk of unauthorized access due to token leakage.
+
+This policy ensures that the Azure Storage account is configured with a SAS expiration policy. It checks for the presence and configuration of the `sas_policy` and its `expiration_period` attribute within the `azurerm_storage_account` resource. The policy verifies that the expiration period length is greater than zero, indicating that an expiration policy is in place.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* azurerm_storage_account
+* *Arguments:* sas_policy, sas_policy.expiration_period
+
+[source,go]
+----
+resource "azurerm_storage_account" "example" {
+ name = "examplestoracc"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+
+ # ... other configurations ...
+
++ sas_policy {
++ expiration_period = 30
++ }
+}
+----
diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azure-general-policies.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azure-general-policies.adoc
index d7aa6bda1..4fc0fb3b5 100644
--- a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azure-general-policies.adoc
+++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azure-general-policies.adoc
@@ -440,5 +440,19 @@
 |MEDIUM
+|xref:azr-general-228.adoc[Azure Virtual machine configured with public IP and serial console access]
+| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml[CKV_AZURE_228]
+|LOW
+
+
+|xref:azr-general-229.adoc[Azure Storage account configured with Shared Key authorization]
+| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml[CKV_AZURE_229]
+|LOW
+
+
+|xref:azr-general-230.adoc[Azure Storage account not configured with SAS expiration policy]
+| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml[CKV_AZURE_230]
+|LOW
+
 |===
diff --git a/docs/en/enterprise-edition/policy-reference/book.yml b/docs/en/enterprise-edition/policy-reference/book.yml
index 871605cdc..6f228ffe6 100644
--- a/docs/en/enterprise-edition/policy-reference/book.yml
+++ b/docs/en/enterprise-edition/policy-reference/book.yml
@@ -1035,6 +1035,12 @@ topics:
 file: set-an-expiration-date-on-all-keys.adoc
 - name: Azure AD authentication is not enabled for Azure SQL
 file: azr-general-85.adoc
+ - name: Azure Virtual machine configured with public IP and serial console access
+ file: azr-general-228.adoc
+ - name: Azure Storage account configured with Shared Key authorization
+ file: azr-general-229.adoc
+ - name: Azure Storage account not configured with SAS expiration policy
+ file: azr-general-230.adoc
 - name: Azure IAM Policies
 dir: azure-iam-policies
 topics: