| title | description | author | ms.service | ms.topic | ms.date | ms.author | ms.custom |
|---|---|---|---|---|---|---|---|
Azure security baseline for Azure Automation |
Azure security baseline for Automation |
msmbaldwin |
security |
conceptual |
06/22/2020 |
mbaldwin |
subject-security-benchmark |
The Azure Security Baseline for Automation contains recommendations that will help you improve the security posture of your deployment.
The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.
For more information, see the Azure security baselines overview.
For more information, see Security control: Network security.
Guidance: Azure Automation account does not yet support Azure Private Link for restricting access to the service through private endpoints. Runbooks that authenticate and run against resources in Azure run on an Azure sandbox, and leverage shared backend resources, which Microsoft is responsible for isolating from each other; their networking is unrestricted and can access public resources. Azure Automation does not currently have virtual network integration for private networking beyond the support for Hybrid Runbook Workers. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
To get further isolation for your runbooks you can use Hybrid Runbook Workers running on Azure virtual machines. When you create an Azure virtual machine, you must create a virtual network (VNet) or use an existing VNet and configure your VMs with a subnet. Ensure that all deployed subnets have a Network Security Group applied with network access controls specific to your applications trusted ports and sources. For service-specific requirements, refer to the security recommendation for that specific service.
Alternatively, if you have a specific requirement, Azure Firewall may also be used to meet it.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Azure Automation currently does not have virtual network integration for private networking beyond the support for Hybrid Runbook Workers. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
If you are using Hybrid Runbook Workers backed by Azure virtual machines, ensure the subnet containing those workers are enabled with a Network Security Group (NSG) and configure flow logs to forward logs to a Storage Account for traffic audit. You may also forward NSG flow logs to a Log Analytics workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.
While NSG rules and user defined routes do not apply to private endpoint, NSG flow logs and monitoring information for outbound connections are still supported and can be used.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Azure Automation does not currently have virtual network integration for private networking beyond the support for Hybrid Runbook Workers. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
If you are using Hybrid Runbook Workers backed by Azure virtual machines, enable Distributed Denial of Service (DDoS) Standard protection on your Virtual Networks hosting your Hybrid Runbook Workers to guard against DDoS attacks. By using Azure Security Center Integrated Threat Intelligence, you can deny communications with known malicious IP addresses. Configure Azure Firewall on each of the Virtual Network segments, with Threat Intelligence enabled, and configure to Alert and deny for malicious network traffic.
You can use Azure Security Center's Just In Time Network access to limit exposure of Windows virtual machines to the approved IP addresses for a limited period of time. Also, use Azure Security Center Adaptive Network Hardening recommendations for NSG configurations to limit ports and source IPs based on actual traffic and threat intelligence.
-
Understand Azure Security Center Integrated Threat Intelligence
-
Understand Azure Security Center Just In Time Network Access Control
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Azure Automation does not currently have virtual network integration for private networking beyond the support for Hybrid Runbook Workers, this control is not applicable if you are using the out-of-the box service without Hybrid Workers.
If you are using Hybrid Runbook Workers backed by Azure virtual machines, then you can record NSG flow logs into a storage account to generate flow records for your Azure Virtual Machines that are acting as runbook workers. When investigating anomalous activity, you could enable Network Watcher packet capture so that network traffic can be reviewed for unusual and unexpected activity.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Azure Automation does not currently have virtual network integration for private networking beyond the support for Hybrid Runbook Workers. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
If you are using Hybrid Runbook Workers hosted on Azure virtual machines, you can combine packet captures provided by Network Watcher and open source IDS tools to perform network intrusion detection for a wide range of threats to those worker machines. Also, you can deploy Azure Firewall to the Virtual Network segments as appropriate, with Threat Intelligence enabled and configured to "Alert and deny" for malicious network traffic.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Use Virtual Network service tags to define network access controls on Network Security Groups or Azure Firewall configured in Azure which require access to your Automation Resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (for example, GuestAndHybridManagement) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Define and implement standard security configurations for network resources used by Azure Automation with Azure Policy.
You may also use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resources Manager templates, Azure RBAC controls, and policies, in a single blueprint definition. You can apply the blueprint to new subscriptions, and fine-tune control and management through versioning.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Use Tags for NSGs and other resources related to network security and traffic flow. For individual NSG rules, use the "Description" field to specify business need and/or duration (etc.) for any rules that allow traffic to/from a network.
Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value" to ensure that all resources are created with Tags and to notify you of existing untagged resources.
You may use Azure PowerShell or Azure CLI to look-up or perform actions on resources based on their Tags.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Use Azure Activity Log to monitor resource configurations and detect changes to your network resources. Create alerts within Azure Monitor that will trigger when changes to critical resources take place.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
For more information, see Security control: Logging and monitoring.
Guidance: Microsoft maintains time sources for Azure resources. However, you have the option to manage the time synchronization settings for any Hybrid Runbook Workers running on Windows virtual machines.
Azure Security Center monitoring: Not applicable
Responsibility: Microsoft
Guidance: Forward log data to Azure Monitor Logs to aggregate security data generated by Azure Automation resources. Within Azure Monitor, use log queries to search and perform analytics, and use Azure Storage Accounts for long-term/archival storage. Azure Automation can send runbook job status, job streams, Automation state configuration data, update management, and change tracking or inventory logs to your Log Analytics workspace. This information is visible from the Azure portal, Azure PowerShell, and Azure Monitor Logs API, which enables you to perform simple investigations.
Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Enable Azure Monitor for access to your audit and activity logs which includes event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: When using Azure Automation with the multi-tenant runbook workers this control is not applicable, and the platform handles the underlying virtual machines.
When using the Hybrid Runbook Worker feature, Azure Security Center provides Security Event log monitoring for Windows virtual machines. If your organization would like to retain the security event log data, it can be stored within a Data Collection tier, at which point it can be queried in Log Analytics. There are different tiers: Minimal, Common and All, which are detailed in the following link.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Within Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Analyze and monitor logs for anomalous behavior and regularly review results. Use Azure Monitor log queries to review logs and perform queries on log data.
Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Use Azure Security Center with Azure Monitor for monitoring and alerting on anomalous activity found in security logs and events.
Alternatively, you may enable and on-board data to Azure Sentinel.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: When using Azure Automation with multi-tenant runbook workers, this control is not applicable, and the platform handles the underlying virtual machines.
However when using the Hybrid Runbook Worker feature, you may use Microsoft Anti-malware for Azure Cloud Services and virtual machines. Configure your virtual machines to log events to an Azure Storage Account. Configure a Log Analytics workspace to ingest the events from the Storage Accounts and create alerts where appropriate. Follow recommendations in Azure Security Center: "Compute & Apps".
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Implement a third-party solution from Azure Marketplace for DNS logging solution as per your organizations need.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: When using Azure Automation with the multi-tenant runbook workers this control is not applicable, and the platform handles the underlying virtual machines.
However, when using the Hybrid Runbook Worker feature, Azure Security Center provides Security event log monitoring for Azure virtual machines. Security Center provisions the Log Analytics agent on all supported Azure VMs, and any new ones that are created if automatic provisioning is enabled. Or you can install the agent manually. The agent enables the process creation event 4688 and the commandline field inside event 4688. New processes created on the VM are recorded by event log and monitored by Security Center's detection services.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
For more information, see Security control: Identity and access control.
Guidance: Use Azure Active Directory built-in administrator roles which can be explicitly assigned and can be queried. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups. Whenever using Automation Account Run As accounts for your runbooks, ensure these service principals are also tracked in your inventory since they often time have elevated permissions. Delete any unused Run As accounts to minimize your exposed attack surface.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Azure Automation Account does not have the concept of default passwords. Customers are responsible for third-party applications and marketplace services that may use default passwords that run on top on the service or its Hybrid Runbook Workers.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts. Whenever using Automation Account Run As accounts for your runbooks, ensure these service principals are also tracked in your inventory since they often time have elevated permissions. Scope these identities with the least privileged permissions they need in order for your runbooks to successfully perform their automated process. Delete any unused Run As accounts to minimize your exposed attack surface.
You can also enable a Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management Privileged Roles for Microsoft Services, and Azure Resource Manager.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Wherever possible, use SSO with Azure Active Directory rather than configuring individual stand-alone credentials per-service. Use Azure Security Center Identity and Access Management recommendations.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Enable Azure AD multi-factor authentication(MFA) and follow Azure Security Center Identity and Access Management recommendations.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Use PAWs with multi-factor authentication configured to log into and configure Azure Automation Account resources in production environments.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Utilize Azure AD Risk Detections to view alerts and reports on risky user behavior. Optionally, customer may forward Azure Security Center Risk Detection alerts to Azure Monitor and configure custom alerting/notifications using Action Groups.
-
Understanding Azure Security Center risk detections (suspicious activity)
-
How to configure action groups for custom alerting and notification
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: It is recommended to use Conditional Access named locations to allow access from only specific logical groupings of IP address ranges or countries/regions.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Use Azure AD as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials. If using Hybrid Runbook Workers you may leverage managed identities instead of Run As Accounts to enable more seamless secure permissions.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Azure AD provides logs to help discover stale accounts. In addition, use Azure identity access reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access. Whenever using Automation Account Run As accounts for your runbooks ensure these service principals are also tracked in your inventory since they often time have elevated permissions. Delete any unused Run As accounts to minimize your exposed attack surface.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: You have access to Azure AD Sign-in Activity, Audit and Risk Event log sources, which allow you to integrate with any SIEM/Monitoring tool.
You can streamline this process by creating Diagnostic Settings for Azure Active Directory user accounts and sending the audit logs and sign-in logs to a Log Analytics Workspace. You can configure desired Alerts within Log Analytics Workspace.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Use Azure AD Risk and Identity Protection features to configure automated responses to detected suspicious actions related to user identities for your network resource. You can also ingest data into Azure Sentinel for further investigation.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: For Azure Automation Accounts, Microsoft support can access platform resource metadata during an open support case without usage of another tool.
However, when using Hybrid Runbook Workers backed by Azure virtual machines and a third-party needs to access customer data (such as during a support request), use Customer Lockbox (Preview) for Azure virtual machines to review and approve or reject customer data access requests.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
For more information, see Security control: Data protection.
Guidance: Use tags to assist in tracking Azure Automation resources which store or process sensitive information.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Isolate environments by using separate Automation Account resources. Resources like Hybrid Runbook Workers should be separated by virtual network/subnet, tagged appropriately, and secured within a network security group (NSG) or Azure Firewall. For virtual machines storing or processing sensitive data, implement policy and procedure(s) to turn them off when not in use.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: When using the Hybrid Runbook Worker feature, leverage a third-party solution from Azure Marketplace on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources in Azure virtual networks are able to negotiate TLS 1.2 or higher. Azure Automation fully supports and enforces transport layer (TLS) 1.2 and all client calls or later versions for all external HTPS endpoints (through webhooks, DSC nodes, hybrid runbook worker).
Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.
Azure Security Center monitoring: Yes
Responsibility: Shared
Guidance: Use a third-party active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider and update the organization's sensitive information inventory.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Use Azure role-based access control (Azure RBAC) to control access to Azure Automation resources using the built-in role definitions, assign access for users accessing your automation resources following a least privileged or 'just-enough' access model. When using Hybrid Runbook Workers, leverage managed identities for those virtual machines to avoid using service principals, when using both the multi-tenant or Hybrid Runbook Workers make sure to apply properly scoped Azure RBAC permissions on the identity of the runbook workers.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines, and this is handled by the platform. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
If you are using Hybrid Runbook Workers backed by Azure virtual machines, then you need to use a third-party host-based data loss prevention solution to enforce access controls to your hosted Hybrid Runbook Worker virtual machines.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Use customer-managed keys with Azure Automation. Azure Automation supports the use of customer-managed keys to encrypt all 'Secure assets' used such as : credentials, certificates, connections, and encrypted variables. Leverage encrypted variables with your runbooks for all of your persistent variable lookup needs to prevent unintended exposure.
When using Hybrid Runbook Workers, the virtual disks on the virtual machines are encrypted at rest using either server-side encryption or Azure disk encryption (ADE). Azure disk encryption leverages the BitLocker feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS types and images for your VMs by encrypting data in the Storage service.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Use Azure Monitor with Azure Activity Log to create alerts for when changes take place to critical Azure resources like networking components, Azure Automation accounts, and runbooks.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
For more information, see Security control: Vulnerability management.
Guidance: Follow recommendations from Azure Security Center on performing vulnerability assessments on your Azure resources
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines, and this is handled by the platform. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
If you are using Hybrid Runbook Workers backed by Azure virtual machines, then use Azure Update Management to manage updates and patches for your virtual machines. Update Management relies on the locally configured update repository to patch supported Windows systems. Tools like System Center Updates Publisher (Updates Publisher) allow you to publish custom updates into Windows Server Update Services (WSUS). This scenario allows Update Management to patch machines that use Configuration Manager as their update repository with third-party software.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines and this is handled by the platform. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
If you are using Hybrid Runbook Workers backed by Azure virtual machines, then you can use Azure Update Management to manage updates and patches for your virtual machines. Update Management relies on the locally configured update repository to patch supported Windows systems. Tools like System Center Updates Publisher (Updates Publisher) allows you to publish custom updates into Windows Server Update Services (WSUS). This scenario enables Update Management to patch machines that use Configuration Manager as their update repository with third-party software.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Export scan results at consistent intervals and compare the results to verify that vulnerabilities have been remediated. When using vulnerability management recommendation suggested by Azure Security Center, customer may pivot into the selected solution's portal to view historical scan data.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Use the default risk ratings (Secure Score) provided by Azure Security Center to help prioritize the remediation of discovered vulnerabilities.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
For more information, see Security control: Inventory and asset management.
Guidance: Use Azure Resource Graph to query and discover all Azure Automation resources within your subscriptions. Ensure you have appropriate (read) permissions in your tenant and are able to enumerate all Azure subscriptions as well as resources within your subscriptions.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Apply tags to Azure resources giving metadata to logically organize them into a taxonomy.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure Automation resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner. Delete any unused Run As accounts to minimize your exposed attack surface.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: You will need to create an inventory of approved Azure resources and approved software for compute resources as per your organizational needs.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:
- Not allowed resource types
- Allowed resource types
In addition, use the Azure Resource Graph to query/discover resources within subscriptions. This can help in high security based environments, such as those with Storage accounts.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: The Azure Automation offering does not currently expose the underlying multi-tenant runbook worker's virtual machines and this is handled by the platform. This control is not applicable if you are using the out-of-the box service without Hybrid Workers. However, it is possible to install, remove, and manage the PowerShell, or Python modules that runbooks can access via the portal or cmdlets. Unapproved or old module should be removed or updated for the runbooks.
If you are using Hybrid Runbook Workers backed by Azure Virtual Machines then Azure Automation provides complete control during deployment, operations, and decommissioning of workloads and resources. Leverage Azure Virtual Machine Inventory to automate the collection of information about all software on Virtual Machines. Software Name, Version, Publisher, and Refresh time are available from the Azure portal. To get access to install date and other information, customer required to enable guest-level diagnostic and bring the Windows Event logs into a Log Analytics Workspace.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Customer may prevent resource creation or usage with Azure Policy as required by the customer's company guidelines. You can implement your own process for removing unauthorized resources. Within the Azure Automation offering it is possible to install, remove, and manage the PowerShell, or Python modules that runbooks can access via the Portal or cmdlets. Unapproved or old module should be removed or updated for the runbooks.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: When using the Hybrid Runbook Worker feature, you may use Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:
- Not allowed resource types
- Allowed resource types
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: When using the Hybrid Runbook Worker feature, you may use the Azure Security Center Adaptive Application Controls feature with your hybrid worker virtual machines.
Adaptive application control is an intelligent, automated, end-to-end solution from Azure Security Center which helps you control which applications can run on your Azure and non-Azure machines (Windows and Linux). Implement third-party solution if this does not meet your organization's requirement.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Use Azure Conditional Access policies to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App from unsecured or unapproved locations, or devices.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: When using the Hybrid Runbook Worker feature, and depending on the type of scripts, you may use operating system specific configurations or third-party resources to limit users' ability to execute scripts within Azure compute resources. You can also leverage Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
-
How to control PowerShell script execution in Windows Environments
-
How to use Azure Security Center Adaptive Application Controls
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: High risk applications deployed in your Azure environment may be isolated using separate network and resource containers using constructs like virtual networks, subnet, subscriptions, management groups, they can be sufficiently secured with either an Azure Firewall, Web Application Firewall (WAF) or network security group (NSG).
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
For more information, see Security control: Secure configuration.
Guidance: Use Azure Policy aliases to create custom policies to audit or enforce the configuration of your Azure Automation and related resources. You may also use built-in Azure Policy definitions.
Also, Azure Resource Manager has the ability to export the template in JavaScript Object Notation (JSON), which should be reviewed to ensure that the configurations meet / exceed the security requirements for your organization.
You may also use recommendations from Azure Security Center as a secure configuration baseline for your Azure resources.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS. This is handled by the platform. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
When using the Hybrid Runbook Worker feature, use Azure Security Center recommendation [Remediate Vulnerabilities in Security Configurations on your Virtual Machines] to maintain security configurations on your virtual machines.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Use Azure Resource Manager templates and Azure Policy to securely configure Azure resources associated with Azure Automation. Azure Resource Manager templates are JSON based files used to deploy Azure resources, and any custom templates will need to be stored and maintained securely in a code repository. Use the source control integration feature to keep your runbooks in your Automation account up to date with scripts in your source control repository. Use Azure Policy [deny] and [deploy if not exist] to enforce secure settings across your Azure resources.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS, and this is handled by the platform. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
When using the Hybrid Runbook Worker feature, there are several options for maintaining a secure configuration for Azure virtual machines for deployment:
- Azure Resource Manager templates: These are JSON based files used to deploy a VM from the Azure portal, and custom template will need to be maintained. Microsoft performs the maintenance on the base templates.
- Custom Virtual hard disk (VHD): In some circumstances it may be required to have custom VHD files used such as when dealing with complex environments that cannot be managed through other means.
- Azure Automation State Configuration: Once the base OS is deployed, this can be used for more granular control of the settings, and enforced through the automation framework.
For most scenarios, the Microsoft base VM templates combined with the Azure Automation State Configuration can assist in meeting and maintaining the security requirements.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Use Azure DevOps to securely store and manage your code like custom Azure policies, Azure Resource Manager templates, and Desired State Configuration scripts. To access the resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory if integrated with Azure DevOps, or Active Directory if integrated with TFS. Use the source control integration feature to keep your runbooks in your Automation account up to date with scripts in your source control repository.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS, and this is handled by the platform. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
When using the Hybrid Runbook Worker feature, ensure you are properly limiting access to the custom OS image located in your storage account so only authorized users may access the image.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Define and implement standard security configurations for Azure resources using Azure Policy. Use Azure Policy aliases to create custom policies to audit or enforce the network configuration of your Azure resources. You may also make use of built-in policy definitions related to your specific resources.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS, and this is handled by the platform. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
When using the Hybrid Runbook Worker feature, use Azure Automation State Configuration on the runbook workers which is a configuration management service for Desired State Configuration (DSC) nodes in any cloud or on-premises datacenter. It enables scalability across thousands of machines quickly and easily from a central, secure location. You can easily onboard machines, assign them declarative configurations, and view reports showing each machine's compliance to the desired state you specified.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Use Azure Policy to alert and audit Azure resource configurations, policy can be used to detect certain resource not configured with a private endpoint.
When using the Hybrid Runbook Worker feature, leverage Azure Security Center to perform baseline scans for your Azure Virtual machines. Additional methods for automated configuration includes the Azure Automation State Configuration.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: The Azure Automation offering does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS and this is handled by the platform. This control is not applicable if you are using the out-of-the box service without Hybrid Workers.
When using the Hybrid Runbook Worker feature, use Azure Automation State Configuration for the runbook workers which is a configuration management service for Desired State Configuration (DSC) nodes in any cloud or on-premises datacenter. It enables scalability across thousands of machines quickly and easily from a central, secure location. You can easily onboard machines, assign them declarative configurations, and view reports showing each machine's compliance to the desired state you specified.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your cloud applications.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Use Managed Identities to provide Azure services with an automatically managed identity in Azure AD. Managed Identities allows you to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
For more information, see Security control: Malware defense.
Guidance: The Azure Automation offering does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS and this is handled by the platform. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
When using the Hybrid Runbook Worker feature, use Microsoft Anti-malware for Azure Windows virtual machines to continuously monitor and defend your runbook worker resources.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Not applicable; Azure Automation as a service does not store files. Microsoft Antimalware is enabled on the underlying host that supports Azure services (for example, Azure Automation), however it does not run on your content.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS, and this is handled by the platform. This control is not applicable if you are using the out-of-the box service without Hybrid Runbook Workers.
When using the Hybrid Runbook Worker feature, use Microsoft Antimalware for Azure to automatically install the latest signature, platform, and engine updates by default onto your runbook worker. Follow recommendations in Azure Security Center: "Compute & Apps" to ensure all endpoints are up to date with the latest signatures. The Windows OS can be further protected with additional security to limit the risk of virus or malware based attacks with the Microsoft Defender Advanced Threat Protection service that integrates with Azure Security Center.
Azure Security Center monitoring: Not applicable
Responsibility: Not applicable
For more information, see Security control: Data recovery.
Guidance: Use Azure Resource Manager to deploy Azure Automation accounts, and related resources. Azure Resource Manager provides ability to export templates which can be used as backups to restore Azure Automation accounts and related resources. Use Azure Automation to call the Azure Resource Manager template export API on a regular basis.
Use the source control integration feature to keep your runbooks in your Automation account up to date with scripts in your source control repository.
-
Azure Resource Manager template reference for Azure Automation resources
-
Create an Automation account using an Azure Resource Manager template
-
Single and multi-resource export to a template in Azure portal
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Use Azure Resource Manager to deploy Azure Automation accounts, and related resources. Azure Resource Manager provides ability to export templates which can be used as backups to restore Azure Automation accounts and related resources. Use Azure Automation to call the Azure Resource Manager template export API on a regular basis. Backup customer-managed keys within Azure Key Vault. You can export your runbooks to script files using either Azure portal or PowerShell.
-
Azure Resource Manager template reference for Azure Automation resources
-
Create an Automation account using an Azure Resource Manager template
-
Single and multi-resource export to a template in Azure portal
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Ensure ability to periodically perform deployment of Azure Resource Manager templates on a regular basis to an isolated subscription if required. Test restoration of backed up customer-managed keys.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Use Azure DevOps to securely store and manage your code like Azure Resource Manager templates. To protect resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory if integrated with Azure DevOps, or Active Directory if integrated with TFS.
Use the source control integration feature to keep your runbooks in your Automation account up to date with scripts in your source control repository.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
For more information, see Security control: Incident response.
Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as phases of incident handling/management from detection to post-incident review.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert as well as the confidence level that there was malicious intent behind the activity that led to the alert.
Additionally, clearly mark subscriptions (for ex. production, non-prod) using tags and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and revise plan as needed.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
10.4: Provide security incident contact details and configure alert notifications for security incidents
Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature to help identify risks to Azure resources. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via "Logic Apps" on security alerts and recommendations to protect your Azure resources.
Azure Security Center monitoring: Currently not available
Responsibility: Customer
For more information, see Security control: Penetration tests and red team exercises.
11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings
Guidance: Follow the Microsoft Rules of Engagement to ensure your Penetration Tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Azure Security Center monitoring: Not applicable
Responsibility: Shared
- See the Azure security benchmark
- Learn more about Azure security baselines