Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
123 lines (90 sloc) 6.18 KB

190715 (AzSK v.3.15.0)

Feature updates

  • DevOps Kit for PowerShell Core (Preview):

    • All the salient features of DevOps Kit (CA, SVT, Org-policy and other AzSK PowerShell cmdlets) are now supported on PowerShell Core.
    • The CA related cmdlets (ICA, GCA, RCA, etc.) will be completed in the next sprint.
    • The instructions to try these out will be updated at https://aka.ms/devopskit/pscore .
  • (Preview) Credential Hygiene:

    • We now offer a register-and-track solution to help monitor the last update of your credentials. This will help you periodically track the health of your credentials which are nearing expiry/need rotation.
    • The following cmdlets have been introduced to support this functionality:
    • New-AzSKTrackedCredential to onboard a credential for tracking via DevOps Kit. You can set the reminder period (in days) for the credential.
    • Get-AzSKTrackedCredential to list the onboarded credential(s).
    • Update-AzSKTrackedCredential to update the credential settings and reset the last updated timestamp.
    • Remove-AzSKTrackedCredential to deboard a credential from AzSK tracking.
    • A new control ‘Azure_Subscription_Check_Credential_Rotation’ has been introduced in the GSS scan to help keep a check on all the tracked credentials.
  • DevOps Kit controls expressed as Azure Policy (in progress):

    • Authored Azure Policy for 5 more DevOps Kit baseline controls. These have been submitted to the Azure Security Center (ASC) team for inclusion in the ASC initiative.
  • Security Verification Tests (SVTs):

    • Support for severity-based filter for GRS & GSS cmdlets.
  • ARM Template Checker:

    • Support for severity-based filter for ARM template scans.
  • CICD:

    • N/A
  • (Preview) In-cluster security scans for ADB, AKS, HDI Spark

    • In tune with the regular DevOps Kit CA cmdlets (ICA, GCA, UCA & RCA), in-cluster CA now supports the following (besides the install-cmd):
      • Get-AzSKContinuousAssuranceForCluster
      • Update-AzSKContinuousAssuranceForCluster
      • Remove-AzSKContinuousAssuranceForCluster
    • The above cmdlets are currently available in the main AzSK module for Databricks and HDI Spark. For AKS, use instructions available at https://aka.ms/devopskit/inclusterca
  • Log Analytics:

    • N/A

Note: The next few items mention features from recent releases retained for visibility in case you missed those release announcements:

  • Privileged Identity Management (PIM) helper cmdlets (from last sprint)

    • Set-AzSKPIMConfiguration for configuring/changing PIM settings
    • Get-AzSKPIMConfiguration for querying various PIM settings/status
    • Activating your PIM role is now as simple as this: pim -ActivateMyRole -SubscriptionId $s5 -DurationInHours 8 -Justification 'ad hoc test' -RoleName Owner
    • See docs here for more.
  • (Preview) Security Scan for Azure Active Directory (AAD)

    • You can scan security controls for your AAD tenant (as either an admin or even as a regular user) using the DevOps Kit AAD Security Scan module.
    • Use following steps: AAD scan cmdlets are packaged as a separate module (AzSK.AAD)
      Install-module AzSK.AAD -Scope CurrentUser -AllowClobber
      Import-module AzSK.AAD
      Get-AzSKAADSecurityStatusTenant    # to check the tenant (admin)
      Get-AzSKAADSecurityStatusUser      # to check objects you own (user) 
    • Caveats:
      • Do not run these in the same PS session as AzSK. Start a new PS console.
      • Az- modules require .Net Framework v4.7.2.
      • By default, the current cmdlets will scan just 3 objects of each type (Apps/SPNs/Groups, etc.). This is until we work out how best to group/batch scans when scanning the entire tenant. If you want to scan more objects you can use the ‘-MaxObj’ switch in the cmdlets.
  • (Preview) AzSK module for Azure DevOps (VSTS)

    • You can try the scan cmdlet using: #VSTS scan cmdlet is in a separate module called AzSK.AzureDevOps! Install-Module AzSK.AzureDevOps -Scope CurrentUser -AllowClobber
      Get-AzSKAzureDevOpsSecurityStatus -OrganizationName "MicrosoftIT" -ProjectNames "OneITVSO" -BuildNames "build_name_here"` -ReleaseNames "release_name_here"
      .
  • Org-policy updates (for non-CSEO users):

    • See CA section in “Other improvements/bug fixes” below to install CA in environments where subscription ownership resides with a different team.

Other improvements/bug fixes

  • Subscription Security:

    • N/A
  • SVTs:

    • N/A
  • Controls:

    • The behavior for Azure Security Center (ASC) setup control has been enhanced to evaluate ASC policy state (enabled/disabled) across multiple initiatives.
    • VM controls scan performance has been improved to fetch resource-specific ASC recommendations only.
    • Added new control ‘Azure_Subscription_AuthZ_Dont_Grant_Persistent_Access_RG’ to check persistent access at resource group level. This control will get evaluated only during CA scan.
    • Added the following new controls for app service:
      • Azure_AppService_DP_Use_Approved_TLS_Version
      • Azure_AppService_DP_Verify_Installed_Extensions
      • Azure_AppService_AuthZ_Configure_IP_Restrictions
      • Azure_AppService_DP_Review_CORS_Request_Credential
  • ARM Template Checker:

    • Following new controls have been added to ARM Checker:
      • Azure_APIManagement_NetSec_Configure_Virtual_Network_For_APIM
      • Azure_APIManagement_AuthN_Use_Managed_Service_Identity
      • Azure_APIManagement_DP_Use_HTTPS_URL_Scheme
      • Azure_HDInsight_Deploy_Supported_Cluster_Version
  • CA:

    • Install-AzSKContinuousAssurance (ICA) can now be run even without owner permissions at subscription scope. The user who ran ICA must get the actual owners to configure RBAC for the AzSK_SPN on the subscription.
    • Reduced size of metadata downloads for some VM controls should lead to lower incidence of CA runbook suspension in large subscriptions.
    • Fixed a bug in CA whereby for external users, CA scans were ignoring resource groups (as specified in the resource groups parameter of ICA) and scanning everything in the subscription.
  • Log Analytics (OMS)

    • N/A
  • Other

    • N/A
You can’t perform that action at this time.