Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

ARM Scan #1303

Closed Acenl12 closed 1 year ago

Acenl12 commented 1 year ago

I have scanned the entire Enterprise Scale repo with checkov, an ARM template scanner, and found some issues. Please take a look and fix as required.

Check: CKV_AZURE_20: "Ensure that security contact 'Phone number' is set" FAILED for resource: Microsoft.Security/securityContacts.default File: /docs/reference/treyresearch/armTemplates/auxiliary/subscriptioSecurityConfig.json:434-452 Guide: https://docs.bridgecrew.io/docs/bc_azr_general_3

            434 |         {
            435 |             "condition": "[not(empty(parameters('emailSecurityContact')))]",
            436 |             "type": "Microsoft.Security/securityContacts",
            437 |             "name": "default",
            438 |             "apiVersion": "2020-01-01-preview",
            439 |             "properties": {
            440 |                 "emails": "[parameters('emailSecurityContact')]",
            441 |                 "notificationsByRole": {
            442 |                     "state": "On",
            443 |                     "roles": [
            444 |                         "Owner"
            445 |                     ]
            446 |                 },
            447 |                 "alertNotifications": {
            448 |                     "state": "On",
            449 |                     "minimalSeverity": "High"
            450 |                 }
            451 |             }
            452 |         },

Check: CKV_AZURE_21: "Ensure that 'Send email notification for high severity alerts' is set to 'On'" FAILED for resource: Microsoft.Security/securityContacts.default File: /docs/reference/treyresearch/armTemplates/auxiliary/subscriptioSecurityConfig.json:434-452 Guide: https://docs.bridgecrew.io/docs/bc_azr_general_4

            434 |         {
            435 |             "condition": "[not(empty(parameters('emailSecurityContact')))]",
            436 |             "type": "Microsoft.Security/securityContacts",
            437 |             "name": "default",
            438 |             "apiVersion": "2020-01-01-preview",
            439 |             "properties": {
            440 |                 "emails": "[parameters('emailSecurityContact')]",
            441 |                 "notificationsByRole": {
            442 |                     "state": "On",
            443 |                     "roles": [
            444 |                         "Owner"
            445 |                     ]
            446 |                 },
            447 |                 "alertNotifications": {
            448 |                     "state": "On",
            449 |                     "minimalSeverity": "High"
            450 |                 }
            451 |             }
            452 |         },

Check: CKV_AZURE_22: "Ensure that 'Send email notification for high severity alerts' is set to 'On'" FAILED for resource: Microsoft.Security/securityContacts.default File: /docs/reference/treyresearch/armTemplates/auxiliary/subscriptioSecurityConfig.json:434-452 Guide: https://docs.bridgecrew.io/docs/bc_azr_general_5

            434 |         {
            435 |             "condition": "[not(empty(parameters('emailSecurityContact')))]",
            436 |             "type": "Microsoft.Security/securityContacts",
            437 |             "name": "default",
            438 |             "apiVersion": "2020-01-01-preview",
            439 |             "properties": {
            440 |                 "emails": "[parameters('emailSecurityContact')]",
            441 |                 "notificationsByRole": {
            442 |                     "state": "On",
            443 |                     "roles": [
            444 |                         "Owner"
            445 |                     ]
            446 |                 },
            447 |                 "alertNotifications": {
            448 |                     "state": "On",
            449 |                     "minimalSeverity": "High"
            450 |                 }
            451 |             }
            452 |         },

Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets" FAILED for resource: Microsoft.KeyVault/vaults/secrets.[concat(variables('keyVaultName'), '/', variables('patSecretName'))] File: /eslzArm/resourceGroupTemplates/azOpsArm.json:71-82 Guide: https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-secrets

            71 |         {
            72 |             "type": "Microsoft.KeyVault/vaults/secrets",
            73 |             "apiVersion": "2019-09-01",
            74 |             "name": "[concat(variables('keyVaultName'), '/', variables('patSecretName'))]",
            75 |             "location": "[resourceGroup().location]",
            76 |             "dependsOn": [
            77 |                 "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
            78 |             ],
            79 |             "properties": {
            80 |                 "value": "[parameters('paToken')]"
            81 |             }
            82 |         },

Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets" FAILED for resource: Microsoft.KeyVault/vaults/secrets.[concat(variables('keyVaultName'), '/', variables('spnSecretName'))] File: /eslzArm/resourceGroupTemplates/azOpsArm.json:83-94 Guide: https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-secrets

            83 |         {
            84 |             "type": "Microsoft.KeyVault/vaults/secrets",
            85 |             "apiVersion": "2019-09-01",
            86 |             "name": "[concat(variables('keyVaultName'), '/', variables('spnSecretName'))]",
            87 |             "location": "[resourceGroup().location]",
            88 |             "dependsOn": [
            89 |                 "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
            90 |             ],
            91 |             "properties": {
            92 |                 "value": "[parameters('principalSecret')]"
            93 |             }
            94 |         },

Check: CKV_AZURE_8: "Ensure Kubernetes Dashboard is disabled" FAILED for resource: Microsoft.ContainerService/managedClusters.[parameters('resourceName')] File: /workloads/AKS/armTemplates/online-aks.json:100-159 Guide: https://docs.bridgecrew.io/docs/bc_azr_kubernetes_5

            Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AZURE_4: "Ensure AKS logging to Azure Monitoring is Configured" FAILED for resource: Microsoft.ContainerService/managedClusters.[parameters('resourceName')] File: /workloads/AKS/armTemplates/online-aks.json:100-159 Guide: https://docs.bridgecrew.io/docs/bc_azr_kubernetes_1

            Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AZURE_7: "Ensure AKS cluster has Network Policy configured" FAILED for resource: Microsoft.ContainerService/managedClusters.[parameters('resourceName')] File: /workloads/AKS/armTemplates/online-aks.json:100-159 Guide: https://docs.bridgecrew.io/docs/bc_azr_kubernetes_4

            Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AZURE_6: "Ensure AKS has an API Server Authorized IP Ranges enabled" FAILED for resource: Microsoft.ContainerService/managedClusters.[parameters('resourceName')] File: /workloads/AKS/armTemplates/online-aks.json:100-159 Guide: https://docs.bridgecrew.io/docs/bc_azr_kubernetes_3

            Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AZURE_42: "Ensure the key vault is recoverable" FAILED for resource: Microsoft.KeyVault/vaults.[concat('keyvault-', uniqueString(resourceGroup().id))] File: /workloads/keyvault/azkeyvault.json:140-199 Guide: https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable

            Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AZURE_20: "Ensure that security contact 'Phone number' is set" FAILED for resource: Microsoft.Security/securityContacts.default File: /eslzArm/subscriptionTemplates/ascConfiguration.json:432-450 Guide: https://docs.bridgecrew.io/docs/bc_azr_general_3

            432 |         {
            433 |             "condition": "[not(empty(parameters('emailSecurityContact')))]",
            434 |             "type": "Microsoft.Security/securityContacts",
            435 |             "name": "default",
            436 |             "apiVersion": "2020-01-01-preview",
            437 |             "properties": {
            438 |                 "emails": "[parameters('emailSecurityContact')]",
            439 |                 "notificationsByRole": {
            440 |                     "state": "On",
            441 |                     "roles": [
            442 |                         "Owner"
            443 |                     ]
            444 |                 },
            445 |                 "alertNotifications": {
            446 |                     "state": "On",
            447 |                     "minimalSeverity": "High"
            448 |                 }
            449 |             }
            450 |         },

Check: CKV_AZURE_21: "Ensure that 'Send email notification for high severity alerts' is set to 'On'" FAILED for resource: Microsoft.Security/securityContacts.default File: /eslzArm/subscriptionTemplates/ascConfiguration.json:432-450 Guide: https://docs.bridgecrew.io/docs/bc_azr_general_4

            432 |         {
            433 |             "condition": "[not(empty(parameters('emailSecurityContact')))]",
            434 |             "type": "Microsoft.Security/securityContacts",
            435 |             "name": "default",
            436 |             "apiVersion": "2020-01-01-preview",
            437 |             "properties": {
            438 |                 "emails": "[parameters('emailSecurityContact')]",
            439 |                 "notificationsByRole": {
            440 |                     "state": "On",
            441 |                     "roles": [
            442 |                         "Owner"
            443 |                     ]
            444 |                 },
            445 |                 "alertNotifications": {
            446 |                     "state": "On",
            447 |                     "minimalSeverity": "High"
            448 |                 }
            449 |             }
            450 |         },

Check: CKV_AZURE_22: "Ensure that 'Send email notification for high severity alerts' is set to 'On'" FAILED for resource: Microsoft.Security/securityContacts.default File: /eslzArm/subscriptionTemplates/ascConfiguration.json:432-450 Guide: https://docs.bridgecrew.io/docs/bc_azr_general_5

            432 |         {
            433 |             "condition": "[not(empty(parameters('emailSecurityContact')))]",
            434 |             "type": "Microsoft.Security/securityContacts",
            435 |             "name": "default",
            436 |             "apiVersion": "2020-01-01-preview",
            437 |             "properties": {
            438 |                 "emails": "[parameters('emailSecurityContact')]",
            439 |                 "notificationsByRole": {
            440 |                     "state": "On",
            441 |                     "roles": [
            442 |                         "Owner"
            443 |                     ]
            444 |                 },
            445 |                 "alertNotifications": {
            446 |                     "state": "On",
            447 |                     "minimalSeverity": "High"
            448 |                 }
            449 |             }
            450 |         },
Acenl12 commented 1 year ago

@jtracey93

jtracey93 commented 1 year ago

Thanks @acenl12,

From reviewing these scan results (by the way, we do our own also in PR reviews via GH Actions), these are not taking into account the things we set via policy. This is an issue with static code analysis: it is not aware of how it will actually be once deployed. So a lot of these are false positives.

The AzOps related templates were removed this week in #1310 and I am removing the stuff in the workloads folder now.

Thanks for raising but all good here, do not fear :)
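As an added example (not code from the Enterprise-Scale repository or from checkov), the Python below reimplements two of the checks from the scan in the opening post, CKV_AZURE_41 (every Key Vault secret carries an expiry) and CKV_AZURE_20 (the default security contact has a phone number), over a sample template constructed from the quoted resource snippets, shows the remediated resources passing, and models the maintainer's point that some findings are false positives because the setting is applied by Azure Policy after deployment: the caller passes the check IDs known to be policy-enforced and those findings are reported separately instead of failing the scan. The `enforced_by_policy` parameter, the `remediate` helper, the expiry timestamp and the phone number are assumptions of this example, not anything the project ships.

```python
"""Minimal ARM-template static checker for two findings from the scan above.

Added example; not code from the Enterprise-Scale repository or from checkov.
Reimplements the logic of CKV_AZURE_41 (Key Vault secret must carry
properties.attributes.exp) and CKV_AZURE_20 (security contact must carry
properties.phone), and records which check IDs are enforced by Azure Policy
after deployment so those do not count as template failures.
"""
import copy
import json

# Constructed sample template: the securityContacts and Key Vault secret
# resources quoted in the scan, trimmed to the fields the checks inspect.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Security/securityContacts",
      "name": "default",
      "apiVersion": "2020-01-01-preview",
      "properties": {
        "emails": "[parameters('emailSecurityContact')]",
        "notificationsByRole": {"state": "On", "roles": ["Owner"]},
        "alertNotifications": {"state": "On", "minimalSeverity": "High"}
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2019-09-01",
      "name": "[concat(variables('keyVaultName'), '/', variables('patSecretName'))]",
      "properties": {"value": "[parameters('paToken')]"}
    }
  ]
}
""")


def check_secret_expiry(resource):
    """CKV_AZURE_41: properties.attributes.exp must be a positive Unix epoch
    integer; missing, zero or non-integer values fail."""
    exp = resource.get("properties", {}).get("attributes", {}).get("exp")
    return isinstance(exp, int) and not isinstance(exp, bool) and exp > 0


def check_security_contact_phone(resource):
    """CKV_AZURE_20: properties.phone must be a non-empty string."""
    phone = resource.get("properties", {}).get("phone")
    return isinstance(phone, str) and phone.strip() != ""


# Resource type -> list of (check_id, predicate returning True when compliant).
CHECKS = {
    "Microsoft.KeyVault/vaults/secrets": [("CKV_AZURE_41", check_secret_expiry)],
    "Microsoft.Security/securityContacts": [("CKV_AZURE_20", check_security_contact_phone)],
}


def scan(template, enforced_by_policy=frozenset()):
    """Return (failed, enforced), each a list of (check_id, resource_name).

    A non-compliant resource whose check ID is in enforced_by_policy (an
    assumption of this example) goes to 'enforced' instead of 'failed',
    recording that Azure Policy applies the setting after deployment even
    though the template text does not show it.
    """
    failed, enforced = [], []
    for resource in template.get("resources", []):
        for check_id, check in CHECKS.get(resource.get("type"), []):
            if check(resource):
                continue
            finding = (check_id, resource.get("name"))
            (enforced if check_id in enforced_by_policy else failed).append(finding)
    return failed, enforced


def remediate(template, expiry_epoch, phone):
    """Return a deep copy of the template with both findings fixed in place;
    the original template object is left unchanged."""
    fixed = copy.deepcopy(template)
    for resource in fixed.get("resources", []):
        if resource.get("type") == "Microsoft.KeyVault/vaults/secrets":
            attrs = resource.setdefault("properties", {}).setdefault("attributes", {})
            attrs["exp"] = expiry_epoch
        elif resource.get("type") == "Microsoft.Security/securityContacts":
            resource.setdefault("properties", {})["phone"] = phone
    return fixed


if __name__ == "__main__":
    print("original:", scan(SAMPLE_TEMPLATE))
    # Declare CKV_AZURE_20 as policy-enforced: it moves out of 'failed'.
    print("with policy context:", scan(SAMPLE_TEMPLATE, enforced_by_policy={"CKV_AZURE_20"}))
    # Constructed values: expiry 2025-01-01T00:00:00Z, placeholder phone number.
    fixed = remediate(SAMPLE_TEMPLATE, expiry_epoch=1735689600, phone="+1-555-0100")
    print("remediated:", scan(fixed))
```

Whether a given check really is covered by an Azure Policy assignment has to be confirmed in the assignment itself; the set passed to `scan` only records that confirmation next to the scan result so the static scanner's blind spot is visible in the report rather than silently accepted.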