WVD ARM Template Customization Requires Public Storage Bucket

[samrendellcopper]

As per - https://github.com/Azure/RDS-Templates/tree/master/wvd-sh/arm-template-customization

This solution will deploy the Virtual Desktop Optimization Tool to an AVD session host using the Azure Portal with the Custom Configuration option. The json and ps1 files must be saved to a publicly accessible storage location, like a public GitHub repository or a public Azure Blob Storage container.

The deployment of critical organisational configuration settings, scripts, and other sensitive data to public storage goes against industry best practices and basic security hygiene. This practice exposes an organisation's infrastructure to potential unwanted access, and exploitation by malicious actors. By making these files publicly available, attackers can easily identify and target vulnerabilities, potentially leading to compromised systems, data theft, and repetitional damage.

Moreover, the use of public storage for sensitive information violates the principle of least privilege, which dictates that access to resources should be granted only when necessary and with the minimum permissions required. Storing configuration files and scripts in public repositories grants unrestricted access to anyone, regardless of their authorisation level or intentions.

Who specifically thought this was acceptable for an enterprise deployment?

[durrante]

Hey, this isn't quite accurate, there's ways around this.

For me, I create a storage account with a private container, then use a managed identity to grant storage blob data reader permissions then use that managed identity as the AIB run account, it'll then have access to the data without public access.

It works well for me. Just remember that the managed identity only allows access to the script itself, anything that the script relates to data wise, must be given via a SAS key.

Hope this makes sense, sorry so short, using mobile device.