159 lines
4.9 KiB
Plaintext
159 lines
4.9 KiB
Plaintext
Disabling certificate-based authentication can reduce an organization's ability to react against attacks on its critical functions and data if any.
|
|
|
|
Azure offers various authentication options to access resources: Anonymous connections, Basic authentication, password-based authentication, and certificate-based authentication.
|
|
|
|
Choosing certificate-based authentication helps bring client/host trust by allowing the host to verify the client and vice versa.
|
|
In case of a security incident, certificates help bring investigators traceability and allow security operations teams to react faster (by massively revoking certificates, for example).
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* This Azure resource is essential for the information system infrastructure.
|
|
* This Azure resource is essential for mission-critical functions.
|
|
* Compliance policies require access to this resource to be authenticated with certificates.
|
|
|
|
There is a risk if you answered yes to any of those questions.
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
Enable certificate-based authentication.
|
|
|
|
== Sensitive Code Example
|
|
|
|
For https://azure.microsoft.com/en-us/services/app-service/[App Service]:
|
|
|
|
----
|
|
resource "azurerm_app_service" "example" {
|
|
client_cert_enabled = false # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/logic-apps/[Logic App Standards] and https://azure.microsoft.com/en-us/services/functions/[Function Apps]:
|
|
|
|
----
|
|
resource "azurerm_function_app" "example" {
|
|
client_cert_mode = "Optional" # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory Linked Services]:
|
|
|
|
----
|
|
resource "azurerm_data_factory_linked_service_web" "example" {
|
|
authentication_type = "Basic" # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
|
|
|
|
----
|
|
resource "azurerm_api_management" "example" {
|
|
sku_name = "Consumption_1"
|
|
client_certificate_mode = "Optional" # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/fr-fr/services/app-service/containers/[Linux and Windows Web Apps]:
|
|
|
|
----
|
|
resource "azurerm_linux_web_app" "example" {
|
|
client_cert_enabled = false # Sensitive
|
|
}
|
|
resource "azurerm_linux_web_app" "exemple2" {
|
|
client_cert_enabled = true
|
|
client_cert_mode = "Optional" # Sensitive
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
For https://azure.microsoft.com/en-us/services/app-service/[App Service]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_app_service" "example" {
|
|
client_cert_enabled = true
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/logic-apps/[Logic App Standards] and https://azure.microsoft.com/en-us/services/functions/[Function Apps]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_function_app" "example" {
|
|
client_cert_mode = "Required"
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory Linked Services]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_data_factory_linked_service_web" "example" {
|
|
authentication_type = "ClientCertificate"
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_api_management" "example" {
|
|
sku_name = "Consumption_1"
|
|
client_certificate_mode = "Required"
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/fr-fr/services/app-service/containers/[Linux and Windows Web Apps]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_linux_web_app" "exemple" {
|
|
client_cert_enabled = true
|
|
client_cert_mode = "Required"
|
|
}
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control
|
|
* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
|
|
* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
For these resources:
|
|
|
|
* `api_management`:
|
|
* `app_service`
|
|
* `data_factory_linked_service_sftp`
|
|
* `data_factory_linked_service_web`
|
|
* `linux_web_app`
|
|
* `windows_web_app` (if both parameters are non-compliant, flag `client_cert_enabled` first)
|
|
|
|
These messages apply:
|
|
|
|
* If an assignment is missing: Omitting {property_name} disables certificate-based authentication. Make sure it is safe here.
|
|
* If the assignment is security-sensitive: Make sure that disabling certificate-based authentication is safe here.
|
|
|
|
* For `function_app` and `logic_app_standard`:
|
|
** Omitting `client_cert_mode` makes certificate-based authentication optional. Make sure it is safe here.
|
|
** Make sure that setting certificate-based authentication as optional is safe here.
|
|
|
|
Make sure that disabling certificate-based authentication is safe here.
|
|
|
|
=== Highlighting
|
|
|
|
* If one (out of one) assignement is missing: Highlight the resource
|
|
* If an assignement is security-sensitive: Highlight the assignement
|
|
* For `linux_web_app` and `windows_web_app`:
|
|
** If both assignements are present and security-sensitive: Highlight `client_cert_enabled = false`
|
|
|
|
endif::env-github,rspecator-view[]
|