synechron-code / probr-pack-storage

Apache License 2.0

[FEATURE] - Implement Access Control probe #12

Open lluuiissoo opened 3 years ago

lluuiissoo commented 3 years ago

Please write a rough BDD specification [Replace sample below with actual BDD specification. See Gherkin syntax for reference: https://cucumber.io/docs/gherkin/reference]

```gherkin
Feature: Object Storage Can Only Be Accessed By Authorized Users

  As a Cloud Security Architect
  I want to ensure that suitable security controls are applied to Object Storage
  So that my organisation's data can only be accessed by authorized users

  Background:
    Given an Azure subscription is available
    And azure resource group specified in config exists

  Scenario: Prevent Object Storage from Being Created With Anonymous Access
    Then an attempt to create a storage account "without" anonymous access "succeeds"
    But an attempt to create a storage account "with" anonymous access "fails"
```

Who is the SME validating this scenario? @iantivey

Please describe a proposed implementation for the above scenario

| Scenario Step | Implementation Plan |
|---|---|
| Then an attempt to create a storage account "without" anonymous access "succeeds" | Attempt to create storage account without public access; validate that it succeeds. |
| But an attempt to create a storage account "with" anonymous access "fails" | Attempt to create storage account with public access; validate that it fails. |

iantivey commented 3 years ago

Looks good.

We could extend it like this:-

```gherkin
Scenario:
  And an attempt to create a storage account "without" anonymous access "succeeds"
  When the probr user is given appropriate RBAC role on the storage account
  Then accessing the storage account anonymously fails
  But accessing the storage account with the logged in probr user succeeds
```

| Scenario Step | Implementation Plan |
|---|---|
| the probr user is given appropriate RBAC role on the storage account | Check if probr user has tbd RBAC role on the storage account (i.e. inherited from resource group). If not, then add it to the storage account. This is more complicated than it sounds, so we should discuss how to do this. |
| accessing the storage account anonymously fails | Try to LIST objects in the storage account without being logged into Azure. |
| accessing the storage account with the logged in probr user succeeds | Try to LIST objects in the storage account with the logged in probr user. |

iantivey commented 3 years ago

In terms of the RBAC step above, it's likely there are custom roles set up for storage accounts. So the probr user will need to

  1. Enumerate all of the RBAC role assignments on the storage account. In terms of coding, if you use an atScope() filter it gives you all inherited roles on that object.
  2. For each role assignment, get the role definition and look for a specific RBAC action (need to research which one).
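The two steps above (enumerate the assignments that apply at the storage account scope, then inspect each role definition for a specific action) together with the earlier implementation plan can be sketched offline as a pure evaluation routine. The following Go block is an added example for this thread, not code from probr or the probr-pack-storage project: it models role assignments and role definitions with constructed sample data (no Azure calls), treats an assignment as applying when its scope is the storage account or an ancestor of it (which is what the inherited-roles step needs), honours the `*` wildcards Azure allows in action strings, and subtracts a definition's `NotDataActions` before counting a match. The data action checked (`blobReadAction`) is an assumed illustrative choice, since the thread leaves the exact action to be researched; the subscription id, resource names, principal ids and role definition ids are all constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// RoleDefinition and RoleAssignment are constructed stand-ins (assumption)
// for the two Azure RBAC objects the thread says the probe must enumerate.
type RoleDefinition struct {
	Name           string
	DataActions    []string // patterns, may contain '*'
	NotDataActions []string // patterns subtracted from DataActions
}

type RoleAssignment struct {
	PrincipalID      string
	Scope            string // ARM scope the role was assigned at
	RoleDefinitionID string
}

// matchesAction reports whether a role-definition pattern covers an action.
// Azure patterns use '*' as a wildcard; matching is case-insensitive.
func matchesAction(pattern, action string) bool {
	parts := strings.Split(strings.ToLower(pattern), "*")
	lower := strings.ToLower(action)
	if len(parts) == 1 {
		return parts[0] == lower
	}
	pos := 0
	for i, p := range parts {
		switch {
		case i == 0: // literal prefix before the first '*'
			if !strings.HasPrefix(lower, p) {
				return false
			}
			pos = len(p)
		case i == len(parts)-1: // literal suffix after the last '*'
			return strings.HasSuffix(lower[pos:], p)
		default: // interior literal: must appear in order
			idx := strings.Index(lower[pos:], p)
			if idx < 0 {
				return false
			}
			pos += idx + len(p)
		}
	}
	return true
}

// scopeCovers reports whether an assignment made at assignmentScope applies
// to resourceScope, i.e. it is the same scope or an ancestor (inherited).
func scopeCovers(assignmentScope, resourceScope string) bool {
	a := strings.ToLower(strings.TrimRight(assignmentScope, "/"))
	r := strings.ToLower(strings.TrimRight(resourceScope, "/"))
	return r == a || strings.HasPrefix(r, a+"/")
}

func anyMatch(patterns []string, action string) bool {
	for _, p := range patterns {
		if matchesAction(p, action) {
			return true
		}
	}
	return false
}

// grantsDataAction walks every assignment that applies to the principal at
// resourceScope, resolves its definition and returns true (with the role
// name) if one definition grants the action and does not exclude it.
func grantsDataAction(principalID, resourceScope, action string,
	assignments []RoleAssignment, defs map[string]RoleDefinition) (bool, string) {
	for _, ra := range assignments {
		if !strings.EqualFold(ra.PrincipalID, principalID) || !scopeCovers(ra.Scope, resourceScope) {
			continue
		}
		def, ok := defs[ra.RoleDefinitionID]
		if !ok || anyMatch(def.NotDataActions, action) {
			continue
		}
		if anyMatch(def.DataActions, action) {
			return true, def.Name
		}
	}
	return false, ""
}

// Constructed scopes and sample data (all placeholders, not real resources).
const (
	subscriptionScope   = "/subscriptions/00000000-0000-0000-0000-000000000000"
	resourceGroupScope  = subscriptionScope + "/resourceGroups/probr-rg"
	storageAccountScope = resourceGroupScope + "/providers/Microsoft.Storage/storageAccounts/probrsa"
	// Assumed illustrative data action; the thread leaves the exact action to research.
	blobReadAction = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
)

var sampleDefs = map[string]RoleDefinition{
	"def-blob-reader":    {Name: "Blob Reader (sample)", DataActions: []string{blobReadAction}},
	"def-custom-no-blob": {Name: "Custom Operator (sample)", DataActions: []string{"Microsoft.Storage/storageAccounts/*"}, NotDataActions: []string{"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"}},
}

var sampleAssignments = []RoleAssignment{
	{PrincipalID: "probr-user", Scope: resourceGroupScope, RoleDefinitionID: "def-blob-reader"}, // inherited from the RG
	{PrincipalID: "other-user", Scope: storageAccountScope, RoleDefinitionID: "def-custom-no-blob"},
	{PrincipalID: "custom-user", Scope: subscriptionScope, RoleDefinitionID: "def-custom-no-blob"},
}

var samplePrincipals = []string{"probr-user", "other-user", "custom-user", "anonymous"}

// PrincipalsWithBlobRead evaluates each sample principal at the storage account.
func PrincipalsWithBlobRead() map[string]bool {
	out := map[string]bool{}
	for _, p := range samplePrincipals {
		ok, _ := grantsDataAction(p, storageAccountScope, blobReadAction, sampleAssignments, sampleDefs)
		out[p] = ok
	}
	return out
}

func main() {
	res := PrincipalsWithBlobRead()
	for _, p := range samplePrincipals {
		fmt.Printf("%-12s blob read at storage account: %v\n", p, res[p])
	}
}
```

In the constructed data only `probr-user` ends up with the blob read action, and only through the resource-group assignment, which is the inheritance case the "If not then add it to the storage account" step has to recognise before deciding whether an assignment is missing; `other-user` and `custom-user` hold a broad wildcard role whose `NotDataActions` carve the blob actions back out, so a check that only looks at `DataActions` would wrongly report them as authorised.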