rspec/rules/S6378/description.adoc
github-actions[bot] ed8762d5ac
Create rule S6378[terraform] : Disabling Managed Identities for Azure resources is security-sensitive (#569)
* clean-up old metadata file

* Create rule S6378

* Add first draft

* added link to managed service resources list

* fix vague title

* add metadata tagging

* add metadata - sec standards

* add owasp ref

* add concise var names

Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>

* add concise var names and reduces identity.type

Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>

* Update rules/S6378/description.adoc

* add other distinct code sample

* add down to earth recos

Clear-text credentials || third party systems

* add description - clearer on M-Identities stakes

* changed remediation cost to 1h

* add cleared reco - use system-assigned

* fix layout pb

* fix metadata 'hour' mistake: 'hour'->'h'

* reformulate ask-yourself

* fixed potential confusion

* applied review suggestions

* add highlight

* Update rules/S6378/metadata.json

* Update rules/S6378/message.adoc

Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>

* Update rules/S6378/metadata.json

* Update rules/S6378/ask-yourself.adoc

Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com>
Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com>
Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2021-12-14 09:37:33 +00:00


Disabling Managed Identities can reduce an organization's ability to protect itself against configuration faults and credential leaks.
Authenticating to an Azure resource via a managed identity relies solely on an API call that returns a non-secret token. The process is internal to Azure: the secrets Azure uses under the hood are never exposed to end users.
In typical scenarios without managed identities, credentials may be mistakenly left in code bases. In addition, configuration faults can also happen when these values are stored or when permissions are assigned to them.
By transparently taking care of Azure Active Directory authentication, Managed Identities remove the need for day-to-day credential management.
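As an added illustration (not part of the rule text or SonarSource's own samples), the following Terraform contrasts a resource that carries a storage access key with the same resource using a system-assigned managed identity. The `azurerm_linux_function_app`, `azurerm_storage_account` and resource group names are assumed for the example.

```hcl
# Added example: sensitive configuration beside the managed-identity form.
# Resource names and the surrounding storage account are assumed.

# Sensitive: no identity block, so the app authenticates to storage with a
# long-lived access key that ends up in Terraform state and app settings.
resource "azurerm_linux_function_app" "with_key" {
  name                = "func-with-key"           # assumed name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  service_plan_id     = azurerm_service_plan.example.id

  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  site_config {}
}

# Fixed: a system-assigned identity is created and managed by Azure; the
# token exchange happens inside the platform and no key is stored anywhere.
resource "azurerm_linux_function_app" "with_identity" {
  name                = "func-with-identity"      # assumed name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  service_plan_id     = azurerm_service_plan.example.id

  storage_account_name          = azurerm_storage_account.example.name
  storage_uses_managed_identity = true

  identity {
    type = "SystemAssigned"
  }

  site_config {}
}

# Permissions are granted to the identity with a scoped role assignment,
# so access is reviewable in Azure RBAC instead of hidden in a shared key.
resource "azurerm_role_assignment" "func_storage" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = azurerm_linux_function_app.with_identity.identity[0].principal_id
}
```

The key-based variant is what the rule flags; removing `storage_account_access_key` and adding the `identity` block with a role assignment is the remediation the rule's commit history describes (use system-assigned).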