59 lines
2.0 KiB
YAML
59 lines
2.0 KiB
YAML
id: azure-keyvault-resource-lock-check
|
|
info:
|
|
name: Azure KeyVault Resource Lock Not Enabled
|
|
author: princechaddha
|
|
severity: high
|
|
description: |
|
|
Ensure that all your mission critical Azure cloud resources have resource locks enabled so that certain users are not able to delete or modify these resources in order to help prevent accidental and malicious changes or deletion.
|
|
impact: |
|
|
Not having resource locks on mission-critical resources can lead to accidental or malicious modifications and deletions, potentially compromising the security and stability of the application.
|
|
remediation: |
|
|
Apply resource locks to all critical Azure resources, particularly Key Vaults. Use either the "ReadOnly" or "CanNotDelete" lock levels to prevent unwanted changes or deletions.
|
|
reference:
|
|
- https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
|
|
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
|
|
|
|
flow: |
|
|
code(1);
|
|
for (let keyVaultData of iterate(template.keyvaultdata)) {
|
|
keyVaultData = JSON.parse(keyVaultData)
|
|
set("resource", keyVaultData.id)
|
|
code(2)
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az keyvault list --query '[*].id' --output json
|
|
|
|
extractors:
|
|
- type: json
|
|
name: keyvaultdata
|
|
internal: true
|
|
json:
|
|
- '.[]'
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az lock list --resource $resource --query '[*].{"name":name,"level":level}'
|
|
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- '"CanNotDelete"'
|
|
- '"ReadOnly"'
|
|
|
|
- type: word
|
|
words:
|
|
- '[]'
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- 'resource + " does not have the required resource lock level"'
|
|
# digest: 4a0a00473045022100a66c56bb8c4689e8da5ddaddfbd766c5c471fe55cd397a53151d36b3814e97f2022048e3e15b7c350dbfa6e35b215243277909d6707b3dac45d3397a6ed176f9300e:922c64590222798bb761d5b6d8e72950 |