====== Azure Security ======

  * [[https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/|Cloud Adoption Framework]]
  * [[https://docs.microsoft.com/en-us/azure/architecture/framework/|Microsoft Azure Well-Architected Framework]]
  * [[https://docs.microsoft.com/en-us/azure/security/]]
  * [[https://docs.microsoft.com/en-us/security/benchmark/azure/introduction|Azure Security Benchmark]]
  * [[https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction|Microsoft Defender for Cloud]]
  * Secure Score

====== Assessments ======

  * The minimum ARM roles/permissions needed to do an Azure security assessment are //Reader// and //Security Reader//. The //Global Reader// role is needed on Azure AD. In addition, a custom role with the following permission is needed for certain storage account checks.

<code json>
{
  "Name": "Azure Assessor",
  "Description": "A role temporarily used to assess the security posture of an Azure tenant.",
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/<tenant id>"
  ],
  "Actions": [
    "Microsoft.Storage/storageAccounts/listkeys/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": []
}
</code>

====== General Checks ======

  * Are endpoints hybrid domain joined?

====== Getting Inventory ======

Get a list of all resources in the current subscription.
<code powershell>
# -NoTypeInformation keeps the "#TYPE" header line out of the CSV on Windows PowerShell 5.1
Get-AzResource | Select-Object Name,Type,ResourceGroupName,SubscriptionId | Export-Csv resources.csv -NoTypeInformation
</code>

====== Tools ======

  * [[https://github.com/turbot/steampipe-mod-azure-compliance]]
  * [[https://github.com/AzureAD/AzureADAssessment]]

====== Best Practices ======

  * Automated/programmatic deployment/configuration is recommended over manual processes.

====== Training ======

  * [[https://parveensingh.com/az-500-study-guide/]]
  * [[https://charbelnemnom.com/passed-exam-az-500-microsoft-certified-azure-security-engineer/]]

azure/qnd/azure_security.txt Last modified: 2022/11/08 14:41 by mgupton
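For the custom role in the Assessments section: the role is described as temporary, and ''listkeys'' returns storage account keys, which give full access to the account's data, so confirm who holds the role and remove it once the assessment is finished. The script below is an added example, not part of the original notes; it assumes the Az.Resources module and an authenticated session, and the ''-Remove'' switch is a name chosen for this example.

```powershell
# Added example: audit and clean up the temporary "Azure Assessor" custom role.
# Assumes Az.Resources is installed and Connect-AzAccount has already been run.
param(
    [string]$RoleName = 'Azure Assessor',   # role name from the JSON definition on this page
    [switch]$Remove                         # hypothetical switch: delete assignments, then the role
)

$role = Get-AzRoleDefinition -Name $RoleName
if (-not $role) {
    Write-Output "Custom role '$RoleName' is not defined."
    return
}

# The page's definition grants exactly one action; warn on anything beyond it.
$expected = 'Microsoft.Storage/storageAccounts/listkeys/action'
$extra = @($role.Actions) + @($role.DataActions) | Where-Object { $_ -ne $expected }
if ($extra) {
    Write-Warning "Role grants more than expected: $($extra -join ', ')"
}

# Collect the role's assignments as seen from every subscription the caller can read.
# An assignment made at the management group shows up in each subscription, so de-duplicate.
$assignments = foreach ($sub in Get-AzSubscription) {
    $null = Set-AzContext -SubscriptionId $sub.Id
    Get-AzRoleAssignment -RoleDefinitionName $RoleName
}
$assignments = @($assignments | Sort-Object RoleAssignmentId -Unique)

Write-Output "$($assignments.Count) assignment(s) of '$RoleName' found."
$assignments | Format-Table DisplayName, SignInName, ObjectType, Scope -AutoSize

if ($Remove) {
    # Assignments must be removed before the definition can be deleted.
    foreach ($a in $assignments) {
        Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName $RoleName -Scope $a.Scope
    }
    Remove-AzRoleDefinition -Id $role.Id -Scope $role.AssignableScopes[0] -Force
    Write-Output "Removed role '$RoleName' and its assignments."
}
```

Run it without ''-Remove'' first to review the assignments, then again with ''-Remove'' when the assessment is complete.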