Azure Code Review Demo #5
base: master
Conversation
Bridgecrew has found infrastructure configuration errors in this PR ⬇️
@@ -0,0 +1,10 @@ | |||
resource azurerm_app_service "app-service2" { |
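Review bot: the resource type in `resource azurerm_app_service "app-service2" {` is an unquoted label; `terraform fmt` rewrites it to the quoted form used by the How to Fix snippets in this thread (`resource "azurerm_app_service" "app-service2" {`), so quote it before committing. All ten findings below refer to this one block, so apply their suggestions as a single edit to it rather than ten separate suggestion commits, several of which add blocks (`logs`, `identity`) that must be merged with each other.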
Suggested change:
resource azurerm_app_service "app-service2" {
  auth_settings {
    enabled = true
  }
Ensure Azure App Service Web app authentication is on
Resource: azurerm_app_service.app-service2 | ID: BC_AZR_GENERAL_2
Description
Azure App Service Authentication is a feature that prevents anonymous HTTP requests from reaching the API app. Users with tokens are authenticated before they reach the API app. If an anonymous request is received from a browser, App Service redirects to a logon page. To handle the logon process select from a set of identity providers, or implement a custom authentication mechanism. Enabling App Service Authentication allows every incoming HTTP request to pass through it before being handled by the application code. Authentication of users with specified providers is handled, for example, Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter. It also handles authentication of validation, storing and refreshing of tokens, managing the authenticated sessions, and injecting identity information into request headers.
Benchmarks
- CIS AZURE V1.1 9.1
- CIS AZURE V1.3 9.1
@@ -0,0 +1,10 @@ | |||
resource azurerm_app_service "app-service2" { |
Suggested change:
resource azurerm_app_service "app-service2" {
  storage_account {
    type = "AzureFiles"
  }
Ensure app services use Azure files
Resource: azurerm_app_service.app-service2 | ID: BC_AZR_GENERAL_65
Description
TBA
@@ -0,0 +1,10 @@ | |||
resource azurerm_app_service "app-service2" { |
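Review bot: the suggestion attached here, `identity = true`, and the BC_AZR_GENERAL_54 fix further down, `identity { type = "SystemAssigned" }`, set the same argument in two incompatible shapes, so only one of them can be applied. Take the block form: `identity` on `azurerm_app_service` is a block whose `type` selects the managed identity, and it is also what satisfies this finding, so drop the `identity = true` suggestion rather than committing both.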
Suggested change:
resource azurerm_app_service "app-service2" {
  identity = true
Ensure App Service is registered with an Azure Active Directory account
Resource: azurerm_app_service.app-service2 | ID: BC_AZR_IAM_1
Description
Managed service identity in **App Service** increases security by eliminating secrets from the app, for example, credentials in the connection strings. **App Service** provides a highly-scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to an Azure SQL Database and other Azure services. We recommend you register the App Service with your Azure Active Directory account, ensuring the app will connect securely to other Azure services without the need for usernames and passwords.
Benchmarks
- CIS AZURE V1.1 9.5
- CIS AZURE V1.3 9.5
@@ -0,0 +1,10 @@ | |||
resource azurerm_app_service "app-service2" { |
Ensure managed identity provider is enabled for app services
Resource: azurerm_app_service.app-service2 | ID: BC_AZR_GENERAL_54
How to Fix
resource "azurerm_app_service" "example" {
  ...
+ identity {
+   type = "SystemAssigned"
  }
}
Description
TBA
@@ -0,0 +1,10 @@ | |||
resource azurerm_app_service "app-service2" { |
Ensure Azure resources that support tags have tags
Resource: azurerm_app_service.app-service2 | ID: BC_AZR_GENERAL_81
How to Fix
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_managed_disk" "example" {
  name                 = "acctestmd"
  location             = "West US 2"
  resource_group_name  = azurerm_resource_group.example.name
  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"
+ tags = {
+   environment = "staging"
  }
}
Description
Many different types of Azure resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice. View Microsoft's recommended tagging best practices here.
@@ -0,0 +1,10 @@ | |||
resource azurerm_app_service "app-service2" { |
Suggested change:
resource azurerm_app_service "app-service2" {
  client_cert_enabled = true
Ensure Web App has incoming client certificates enabled
Resource: azurerm_app_service.app-service2 | ID: BC_AZR_NETWORKING_7
Description
Client certificates allow the Web App to require a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client with valid certificates can access the app.
Benchmarks
- CIS AZURE V1.1 9.4
- FEDRAMP (MODERATE) 9.4
- CIS AZURE V1.3 9.4
@@ -0,0 +1,10 @@ | |||
resource azurerm_app_service "app-service2" { |
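Review bot: the suggestion attached here adds a `logs { failed_request_tracing_enabled = true }` block, and the BC_AZR_LOGGING_8 fix further down adds a second `logs { http_logs { ... } }` block to the same resource. `azurerm_app_service` takes one `logs` block, so merge `failed_request_tracing_enabled = true` and the `http_logs` settings into a single `logs` block instead of committing the two suggestions as they are.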
Suggested change:
resource azurerm_app_service "app-service2" {
  logs {
    failed_request_tracing_enabled = true
  }
Ensure app service enables failed request tracing
Resource: azurerm_app_service.app-service2 | ID: BC_AZR_LOGGING_10
Description
TBA
@@ -0,0 +1,10 @@ | |||
resource azurerm_app_service "app-service2" { |
Ensure Web App uses the latest version of HTTP
Resource: azurerm_app_service.app-service2 | ID: BC_AZR_NETWORKING_8
How to Fix
resource "azurerm_app_service" "example" {
  ...
+ site_config {
+   http2_enabled = true
  }
}
Description
Periodically, new versions of HTTP are released to address security flaws and include additional functionality. HTTP 2.0 has additional performance improvements on the head-of-line blocking problem of the older HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own more efficient mechanisms for data streaming. We recommend you use the latest HTTP version for web apps and take advantage of any security fixes and new functionalities featured. With each software installation you can determine if a given update meets your organization's requirements. Organizations should verify the compatibility and support provided for any additional software, assessing the current version against the update revision being considered.
Benchmarks
- CIS AZURE V1.1 9.10
- CIS AZURE V1.3 9.9
@@ -0,0 +1,10 @@ | |||
resource azurerm_app_service "app-service2" { |
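Review bot: in the How to Fix snippet for this finding only `logs {` and `http_logs {` carry a `+` marker, but `retention_in_days = 4`, `retention_in_mb = 10` and the two closing braces are part of the same addition and must be committed with them. The retention values are the example's numbers, not a recommendation: set them to the retention period the team actually needs for investigations before applying. The `app_settings` and `connection_string` lines in the snippet are unrelated context and should not be copied into `app-service2`.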
Ensure app service enables HTTP logging
Resource: azurerm_app_service.app-service2 | ID: BC_AZR_LOGGING_8
How to Fix
resource "azurerm_app_service" "example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

+ logs {
+   http_logs {
      retention_in_days = 4
      retention_in_mb   = 10
    }
  }

  app_settings = {
    "SOME_KEY" = "some-value"
  }

  connection_string {
    name  = "Database"
    type  = "SQLServer"
    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
  }
}
Description
TBA
@@ -0,0 +1,10 @@ | |||
resource azurerm_app_service "app-service2" { |
Suggested change:
resource azurerm_app_service "app-service2" {
  https_only = true
Ensure Azure App Service Web app redirects HTTP to HTTPS
Resource: azurerm_app_service.app-service2 | ID: BC_AZR_NETWORKING_5
Description
Azure Web Apps by default allow sites to run under both HTTP and HTTPS, and can be accessed by anyone using non-secure HTTP links. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. We recommend you enforce HTTPS-only traffic to increase security. This will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated.
Benchmarks
- CIS AZURE V1.1 9.2
- CIS AZURE V1.3 9.2
I've created some new Azure resources - please let me know if I've done this correctly!