
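# Nuclei code template: lists Azure OpenAI accounts via the Azure CLI and
# reports each account whose managed identity is absent (type null / "None").
# Runs locally against the operator's own az CLI session (self-contained);
# it needs read access to the subscription's Cognitive Services accounts.
id: azure-openai-managed-identity-not-used

info:
  name: Azure OpenAI Service Instance Managed Identity Not Used
  author: princechaddha
  severity: medium
  description: |
    Ensure that your Azure OpenAI service instances are using system-assigned and/or user-assigned managed identities to allow secure access to other cloud protected resources such as Azure key vaults. Managed identities minimizes risks, simplifies management, and maintains compliance with evolving cloud services.
  impact: |
    Not using managed identities can increase risks related to security and management, and hinder compliance with security best practices.
  remediation: |
    Configure your Azure OpenAI service instances to use either system-assigned or user-assigned managed identities to enhance security and simplify resource access management.
  reference:
    - https://docs.microsoft.com/en-us/azure/cognitive-services/authentication
  tags: cloud,devops,azure,microsoft,openai,azure-cloud-config

# Flow: code(1) enumerates the accounts into `instanceList`; each entry is a
# JSON object with "Name" and "ResourceGroup" (shaped by the --query below),
# which are exported as `name` / `resourceGroup` for code(2) to consume.
flow: |
  code(1);
  for (let ServiceInstance of iterate(template.instanceList)) {
    ServiceInstance = JSON.parse(ServiceInstance);
    set("name", ServiceInstance.Name);
    set("resourceGroup", ServiceInstance.ResourceGroup);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    # Only accounts of kind OpenAI are listed; output is pinned to JSON so the
    # extractor below does not depend on the user's az CLI default format.
    source: |
      az cognitiveservices account list --output json --query '[?(kind==`OpenAI`)].{"Name":name,"ResourceGroup":resourceGroup}'

    extractors:
      - type: json
        name: instanceList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    # `$name` / `$resourceGroup` are double-quoted so names containing spaces
    # or shell-special characters are passed as single arguments.
    # `--output json` is added here for the same reason as in code(1): with a
    # non-JSON az default (table/tsv) the word matchers below would never fire
    # and every account would silently pass.
    source: |
      az cognitiveservices account identity show --name "$name" --resource-group "$resourceGroup" --output json --query '{"IdentityType":type}'

    matchers-condition: and
    matchers:
      # Either form indicates no system- or user-assigned identity is set.
      - type: word
        words:
          - '"IdentityType": null'
          - '"IdentityType": "None"'

    extractors:
      - type: dsl
        dsl:
          - 'name + " in " + resourceGroup + " does not use a managed identity"'
# NOTE(review): the digest below is the template signature from the upstream
# repository; editing the template content (as done above) invalidates it, so
# the template must be re-signed with your own key (nuclei's -sign option)
# before nuclei will execute this code template.
# digest: 4a0a00473045022100e904f02a1a6abdf70876f2539c72a942b46e72b9096e5ce956c177dd56aa5d8a02207aeababd91e00e05b714fba8cb35b5b6ae1f10916f35e6916d3f30cc081e72d9:922c64590222798bb761d5b6d8e72950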