azure:qnd:azure_security

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
azure:qnd:azure_security [2022/05/19 15:04] – ↷ Page moved from qnd:azure:azure_security to azure:qnd:azure_security mguptonazure:qnd:azure_security [2022/11/08 14:41] (current) – [Tools] mgupton
Line 1: Line 1:
 ====== Azure Security ====== ====== Azure Security ======
 +  * [[https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/|Cloud Adoption Framework]]
 +  * [[https://docs.microsoft.com/en-us/azure/architecture/framework/|Microsoft Azure Well-Architected Framework]]
   * [[https://docs.microsoft.com/en-us/azure/security/]]   * [[https://docs.microsoft.com/en-us/azure/security/]]
 +  * [[https://docs.microsoft.com/en-us/security/benchmark/azure/introduction|Azure Security Benchmark]]
 +  * [[https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction|Microsoft Defender for Cloud]]
 +      * Secure Score
 +
 +====== Assessments ======
 +  * The minimum ARM roles/permissions needed to do an Azure security assessment are //Reader// and //Security Reader//. The //Global Reader// role is needed on Azure AD.
 +
 +In addition, a custom role with the following permission is needed for certain storage account checks.
 +<code json>
 +{
 +    "Name": "Azure Assessor",
 +    "Description": "A role temporarily used to assess the security posture of an Azure tenant.",
 +    "AssignableScopes": [
 +        "/providers/Microsoft.Management/managementGroups/<tenant id>"
 +    ],
 +    "Actions": [
 +        "Microsoft.Storage/storageAccounts/listkeys/action"
 +    ],
 +    "NotActions": [],
 +    "DataActions": [],
 +    "NotDataActions": []
 +}
 +</code>
 +
 +====== General Checks ======
 +  * Are endpoints hybrid domain joined?
 +
 +====== Getting Inventory ======
 +Get list of all resources in the current subscription.
 +<code powershell>
 +Get-AzResource | select Name,Type,ResourceGroupName,SubscriptionId | Export-Csv resources.csv
 +</code>
  
 ====== Tools ====== ====== Tools ======
   * [[https://github.com/turbot/steampipe-mod-azure-compliance]]   * [[https://github.com/turbot/steampipe-mod-azure-compliance]]
 +  * [[https://github.com/AzureAD/AzureADAssessment]]
 +
 +====== Best Practices ======
 +  * Automated/programmatic deployment/configuration is recommended over manual processes
 +
  
 ====== Training ====== ====== Training ======
  • azure/qnd/azure_security.1652972683.txt.gz
  • Last modified: 2022/05/19 15:04
  • by mgupton