Differences

This shows you the differences between two versions of the page.

--- azure:qnd:azure_security [2022/08/11 16:32] – mgupton
+++ azure:qnd:azure_security [2022/11/08 14:41] (current) – [Tools] mgupton
@@ Line 1: / Line 1: @@
 ====== Azure Security ======
+  * [[https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/|Cloud Adoption Framework]]
+  * [[https://docs.microsoft.com/en-us/azure/architecture/framework/|Microsoft Azure Well-Architected Framework]]
   * [[https://docs.microsoft.com/en-us/azure/security/]]
   * [[https://docs.microsoft.com/en-us/security/benchmark/azure/introduction|Azure Security Benchmark]]
   * [[https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction|Microsoft Defender for Cloud]]
       * Secure Score
+====== Assessments ======
+  * The minimum ARM roles/permissions needed to do an Azure security assessment are //Reader// and //Security Reader//. The //Global Reader// role is needed on Azure AD.
+In addition, a custom role with the following permission is needed for certain storage account checks.
+<code json>
+{
+    "Name": "Azure Assessor",
+    "Description": "A role temporarily used to assess the security posture of an Azure tenant.",
+    "AssignableScopes": [
+        "/providers/Microsoft.Management/managementGroups/<tenant id>"
+    ],
+    "Actions": [
+        "Microsoft.Storage/storageAccounts/listkeys/action"
+    ],
+    "NotActions": [],
+    "DataActions": [],
+    "NotDataActions": []
+}
+</code>
+====== General Checks ======
+  * Are endpoints hybrid domain joined?
+====== Getting Inventory ======
+Get list of all resources in the current subscription.
+<code powershell>
+Get-AzResource | select Name,Type,ResourceGroupName,SubscriptionId | Export-Csv resources.csv
+</code>
 ====== Tools ======
   * [[https://github.com/turbot/steampipe-mod-azure-compliance]]
+  * [[https://github.com/AzureAD/AzureADAssessment]]
 ====== Best Practices ======