Used to discover secrets in insecure Azure Deployments
Azure deployment templates are static files stored in your tenant used to describe instantiated resources. When infrastructure as code tools such as bicep or terraform are used without either the @secure or "sensitive" decorators. This could result in secrets being exposed in clear text from deployment settings in Azure portal. To automate the process of discovering such secrets the DeploymentGrazor tool was created. This tool automates the AZT605.3 threat outlined on the Azure Threat Matrix
Versions Notes: Version 1.0 - 04-06-22
Guide for installing Azure "AZ" PowerShell Module: https://docs.microsoft.com/en-us/powershell/azure/install-az-ps
If local admin (PowerShell command): Install-Module -Name Az -AllowClobber Install-Module AzureAD -AllowClobber Else: Install-Module -Name Az -AllowClobber -Scope CurrentUser Install-Module AzureAD -AllowClobber -Scope CurrentUser
- Download/sync locally the script file templateScan.ps1 and DeploymentGrazor.ps1
- Open PowerShell in the Deployment Grazor folder with the permission to run scripts: "powershell -ExecutionPolicy Bypass -NoProfile"
- Import-Module ./DeploymentGrazor.ps1
- Run Start-DeploymentScan
- Results of scan will be written in a txt file in the directory used to execute the script