Azure-Samples / azuresandbox

Stand up an Azure sandbox environment for accelerating your projects in an hour.
MIT License

Storage accounts should prevent shared key access #41

Closed doherty100 closed 1 month ago

doherty100 commented 2 months ago

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ X ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

1. Provision #AzureSandbox
2. Enable Defender for Cloud CSPM

Any log messages given by the failure

Storage accounts should prevent shared key access

Expected/desired behavior

Remediate recommendation.

OS and Version?

N/A

Versions

AzureSandbox v2.9.2

Mention any other details that might be useful

Use managed identities for custom script extensions instead of shared keys

doherty100 commented 1 month ago

Implementing this improvement would require User Access Administrator privileges during the bootstrapping process in order to assign Azure RBAC roles to permit access to scripts in blob storage containers. The current design of AzureSandbox only requires a Contributor Azure RBAC role assignment in order to minimize the privileges required to bootstrap the environment, therefore this improvement cannot be implemented using the current design.
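For readers wanting to see what the remediation and the privilege constraint from the closing comment look like concretely, the following Terraform (azurerm provider 3.x) fragment is an added illustration and is not code from the azuresandbox repository. It disables shared key access on the storage account that hosts bootstrap scripts, gives the VM a system-assigned managed identity, grants that identity a data-plane role on the account, and points the Custom Script Extension at the managed identity instead of an account key. All resource names, the resource group `azurerm_resource_group.rg`, the network interface `azurerm_network_interface.vm`, the script name `bootstrap.ps1` and the `vm_admin_password` variable are assumed placeholders.

```hcl
# Added illustration, not part of the azuresandbox project. Names below are
# placeholders; azurerm_resource_group.rg and azurerm_network_interface.vm are
# assumed to exist elsewhere in the configuration.

# Storage account holding the bootstrap scripts. shared_access_key_enabled =
# false is the setting behind the Defender for Cloud recommendation "Storage
# accounts should prevent shared key access": the account then rejects any
# request signed with the account key (or a SAS derived from it), so every
# caller must present an Entra ID token and hold an RBAC data-plane role.
resource "azurerm_storage_account" "scripts" {
  name                      = "stscriptsplaceholder" # assumed, must be globally unique
  resource_group_name       = azurerm_resource_group.rg.name
  location                  = azurerm_resource_group.rg.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  shared_access_key_enabled = false # the remediation; the provider default is true
}

resource "azurerm_storage_container" "scripts" {
  name                  = "scripts"
  storage_account_name  = azurerm_storage_account.scripts.name
  container_access_type = "private"
}

# The VM that runs the extension gets a system-assigned managed identity so it
# can obtain a token for blob storage instead of using the account key.
resource "azurerm_windows_virtual_machine" "vm" {
  name                  = "vm-placeholder" # assumed
  resource_group_name   = azurerm_resource_group.rg.name
  location              = azurerm_resource_group.rg.location
  size                  = "Standard_B2s"
  admin_username        = "bootstrapadmin"
  admin_password        = var.vm_admin_password # assumed sensitive variable
  network_interface_ids = [azurerm_network_interface.vm.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2022-datacenter-azure-edition"
    version   = "latest"
  }

  identity {
    type = "SystemAssigned"
  }
}

# Data-plane RBAC grant on the storage account. Creating a role assignment
# requires Microsoft.Authorization/roleAssignments/write at the scope, which
# Owner or User Access Administrator hold and Contributor does not. This is the
# step the closing comment identifies as incompatible with a Contributor-only
# bootstrap.
resource "azurerm_role_assignment" "vm_reads_scripts" {
  scope                = azurerm_storage_account.scripts.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azurerm_windows_virtual_machine.vm.identity[0].principal_id
}

# Custom Script Extension fetching fileUris with the VM's managed identity.
# An empty managedIdentity object in protectedSettings selects the
# system-assigned identity (a user-assigned identity would be given by
# clientId or objectId). With shared key access disabled, leaving this out or
# passing storageAccountName/storageAccountKey makes the download fail.
resource "azurerm_virtual_machine_extension" "bootstrap" {
  name                       = "CustomScriptExtension"
  virtual_machine_id         = azurerm_windows_virtual_machine.vm.id
  publisher                  = "Microsoft.Compute"
  type                       = "CustomScriptExtension"
  type_handler_version       = "1.10"
  auto_upgrade_minor_version = true

  settings = jsonencode({
    # primary_blob_endpoint already ends with a trailing slash
    fileUris         = ["${azurerm_storage_account.scripts.primary_blob_endpoint}${azurerm_storage_container.scripts.name}/bootstrap.ps1"]
    commandToExecute = "powershell -ExecutionPolicy Unrestricted -File bootstrap.ps1"
  })

  protected_settings = jsonencode({
    managedIdentity = {}
  })

  # The role assignment must exist before the extension tries to download.
  depends_on = [azurerm_role_assignment.vm_reads_scripts]
}
```

Two practical consequences follow from `shared_access_key_enabled = false`. First, the azurerm provider itself uses the account key for storage data-plane operations by default, so the provider block needs `storage_use_azuread = true` and the principal running `terraform apply` needs a data-plane role such as Storage Blob Data Contributor on the account to create containers and upload the scripts, which is one more role assignment that only an Owner or User Access Administrator can create. Second, role assignments can take a short time to propagate, so a freshly created VM may need a retry or a delay before the extension's download succeeds.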