221 lines
7.1 KiB
Plaintext
221 lines
7.1 KiB
Plaintext
Authorizing anonymous access can reduce an organization's ability to protect itself against attacks on its Azure resources.
|
|
|
|
Security incidents may include disrupting critical functions, data theft, and additional Azure subscription costs due to resource overload.
|
|
|
|
Using authentication coupled with fine-grained authorizations helps bring Defense-In-Depth and bring traceability to investigators of security incidents.
|
|
|
|
Depending on the affected Azure resource, multiple authentication choices are possible: Active Directory Authentication, OpenID implementations (Google, Microsoft, etc.) or native Azure mechanisms.
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* This Azure resource is essential for the information system infrastructure.
|
|
* This Azure resource is essential for mission-critical functions.
|
|
* This Azure resource stores or processes sensitive data.
|
|
* Compliance policies require access to this resource to be authenticated.
|
|
|
|
There is a risk if you answered yes to any of those questions.
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
Enable authentication in this Azure resource, and disable anonymous access.
|
|
|
|
If only Basic Authentication is available, enable it.
|
|
|
|
== Sensitive Code Example
|
|
|
|
For https://azure.microsoft.com/en-us/services/app-service/[App Services and equivalent]:
|
|
|
|
----
|
|
resource "azurerm_function_app" "example" {
|
|
name = "example"
|
|
|
|
auth_settings {
|
|
enabled = false # Sensitive
|
|
}
|
|
|
|
auth_settings {
|
|
enabled = true
|
|
unauthenticated_client_action = "AllowAnonymous" # Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
|
|
|
|
----
|
|
resource "azurerm_api_management_api" "example" { # Sensitive, the openid_authentication block is missing
|
|
name = "example-api"
|
|
}
|
|
|
|
resource "azurerm_api_management" "example" {
|
|
sign_in {
|
|
enabled = false # Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linked Services:
|
|
|
|
----
|
|
resource "azurerm_data_factory_linked_service_sftp" "example" {
|
|
authentication_type = "Anonymous"
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accounts]:
|
|
|
|
----
|
|
resource "azurerm_storage_account" "example" {
|
|
allow_blob_public_access = true # Sensitive
|
|
}
|
|
|
|
resource "azurerm_storage_container" "example" {
|
|
container_access_type = "blob" # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]:
|
|
|
|
----
|
|
resource "azurerm_redis_cache" "example" {
|
|
name = "example-cache"
|
|
|
|
redis_configuration {
|
|
enable_authentication = false # Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
For https://azure.microsoft.com/en-us/services/app-service/[App Services and equivalent]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_function_app" "example" {
|
|
name = "example"
|
|
|
|
auth_settings {
|
|
enabled = true
|
|
unauthenticated_client_action = "RedirectToLoginPage"
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_api_management_api" "example" {
|
|
name = "example-api"
|
|
|
|
openid_authentication {
|
|
openid_provider_name = azurerm_api_management_openid_connect_provider.example.name
|
|
}
|
|
}
|
|
|
|
resource "azurerm_api_management" "example" {
|
|
sign_in {
|
|
enabled = true
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linked Services:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_data_factory_linked_service_sftp" "example" {
|
|
authentication_type = "Basic"
|
|
username = local.creds.username
|
|
password = local.creds.password
|
|
}
|
|
|
|
resource "azurerm_data_factory_linked_service_odata" "example" {
|
|
basic_authentication {
|
|
username = local.creds.username
|
|
password = local.creds.password
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accounts]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_storage_account" "example" {
|
|
allow_blob_public_access = true
|
|
}
|
|
|
|
resource "azurerm_storage_container" "example" {
|
|
container_access_type = "private"
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_redis_cache" "example" {
|
|
name = "example-cache"
|
|
|
|
redis_configuration {
|
|
enable_authentication = true
|
|
}
|
|
}
|
|
----
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control
|
|
* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
|
|
* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* For App Service and equivalent resources:
|
|
** If ``auth_settings`` block is missing: Omitting ``auth_settings`` disables authentication. Make sure it is safe here.
|
|
** if ``auth_settings->enabled = false``: Make sure that disabling authentication is safe here.
|
|
** if ``auth_settings->unauthenticated_client_action = "AllowAnonymous"``: Make sure that authorizing anonymous access is safe here.
|
|
* For ``api_management_api``: Omitting ``openid_authentication`` disables authentication. Make sure it is safe here.
|
|
* For ``api_management`` resources:
|
|
** If ``sign_in`` block is missing: Omitting ``sign_in`` authorizes anonymous access. Make sure it is safe here.
|
|
** If ``sign_in->enabled = false``: Make sure that giving anonymous access without enforcing sign-in is safe here.
|
|
* For ``data_factory_linked_service_odata``: Omitting the ``basic_authentication`` block disables authentication. Make sure it is safe here.
|
|
* For ``data_factory_linked_service_sftp`` and ``data_factory_linked_service_web``: Make sure that authorizing anonymous access is safe here.
|
|
* For ``redis_cache``: Make sure that disabling authentication is safe here.
|
|
* For ``storage_account``: Make sure that authorizing potential anonymous access is safe here.
|
|
* For ``storage_container``: Make sure that authorizing potential anonymous access is safe here.
|
|
|
|
Note: App Service and equivalents resources:
|
|
|
|
* ``app_service``
|
|
* ``app_service_slot``
|
|
* ``function_app``
|
|
* ``function_app_slot``
|
|
* ``linux_web_app``
|
|
* ``windows_web_app``
|
|
=== Highlighting
|
|
|
|
* For App Service and equivalents:
|
|
** Highlight the resource if the ``auth_settings`` block is missing
|
|
** Highlight ``auth_settings->enabled = false`` regardless of ``auth_settings->unauthenticated_client_action``
|
|
** Highlight ``auth_settings->unauthenticated_client_action = "AllowAnonymous"``
|
|
* For ``api_management_api``: Highlight the resource if the ``openid_authentication`` block is missing
|
|
* For ``api_management``:
|
|
** Highlight the resource if the ``sign_in`` block is missing
|
|
** Highlight ``sign_in->enabled = false``
|
|
* For ``data_factory_linked_service_odata``: Highlight the resource if the ``basic_authentication`` block is missing
|
|
* For ``data_factory_linked_service_sftp`` and ``data_factory_linked_service_web``: Highlight ``authentication_type = "Anonymous"``
|
|
* For ``redis_cache``: Highlight ``redis_configuration->enable_authentication = false``
|
|
* For ``storage_account``: Highlight ``allow_blob_public_access = true``
|
|
* For ``storage_container``: Highlight ``container_access_type = "private"``
|
|
|
|
endif::env-github,rspecator-view[]
|