From 8e180df1cfad81fbb339834f79bf665f4165c2bd Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 29 Jun 2023 15:58:37 +0200 Subject: [PATCH] Create rule S6378: Add language AzureResourceManager (JSON) (#2237) [Specification ticket](https://sonarsource.atlassian.net/browse/APPSEC-777) [Implementation ticket](https://sonarsource.atlassian.net/browse/SONARIAC-889) [RSPEC Preview](https://sonarsource.github.io/rspec/#/rspec/S6378/azureresourcemanager) Bicep PR for S6378: #2255 ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: egon-okerman-sonarsource Co-authored-by: Egon Okerman --- rules/S6378/ask-yourself.adoc | 8 +++ .../S6378/azureresourcemanager/metadata.json | 1 + rules/S6378/azureresourcemanager/rule.adoc | 58 +++++++++++++++++++ rules/S6378/description.adoc | 7 +++ rules/S6378/highlighting.adoc | 7 +++ rules/S6378/message.adoc | 3 + rules/S6378/recommended.adoc | 9 +++ rules/S6378/see.adoc | 7 +++ rules/S6378/terraform/rule.adoc | 49 +++------------- 9 files changed, 107 insertions(+), 42 deletions(-) create mode 100644 rules/S6378/ask-yourself.adoc create mode 100644 rules/S6378/azureresourcemanager/metadata.json create mode 100644 rules/S6378/azureresourcemanager/rule.adoc create mode 100644 rules/S6378/description.adoc create mode 100644 rules/S6378/highlighting.adoc create mode 100644 rules/S6378/message.adoc create mode 100644 rules/S6378/recommended.adoc create mode 100644 rules/S6378/see.adoc diff --git a/rules/S6378/ask-yourself.adoc b/rules/S6378/ask-yourself.adoc new file mode 100644 index 00000000000..d1d4b7ab727 --- /dev/null +++ b/rules/S6378/ask-yourself.adoc @@ -0,0 +1,8 @@ +== Ask Yourself Whether + +The resource: + +* Needs to authenticate to Azure resources that support Azure Active Directory (AAD). +* Uses a different Access Control system that doesn't guarantee the same security controls as AAD, or no Access Control system at all. + +There is a risk if you answered yes to all of those questions. diff --git a/rules/S6378/azureresourcemanager/metadata.json b/rules/S6378/azureresourcemanager/metadata.json new file mode 100644 index 00000000000..0967ef424bc --- /dev/null +++ b/rules/S6378/azureresourcemanager/metadata.json @@ -0,0 +1 @@ +{} diff --git a/rules/S6378/azureresourcemanager/rule.adoc b/rules/S6378/azureresourcemanager/rule.adoc new file mode 100644 index 00000000000..46f70e40951 --- /dev/null +++ b/rules/S6378/azureresourcemanager/rule.adoc @@ -0,0 +1,58 @@ +include::../description.adoc[] + +include::../ask-yourself.adoc[] + +include::../recommended.adoc[] + +== Sensitive Code Example + +[source,json,diff-id=1,diff-type=noncompliant] +---- +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ApiManagement/service", + "apiVersion": "2022-09-01-preview", + "name": "apiManagementService", + } + ] +} +---- + + +== Compliant Solution + +[source,json,diff-id=1,diff-type=compliant] +---- +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ApiManagement/service", + "apiVersion": "2022-09-01-preview", + "name": "apiManagementService", + "identity": { + "type": "SystemAssigned" + } + } + ] +} +---- + + +include::../see.adoc[] + +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +include::../message.adoc[] + +include::../highlighting.adoc[] + +endif::env-github,rspecator-view[] diff --git a/rules/S6378/description.adoc b/rules/S6378/description.adoc new file mode 100644 index 00000000000..dc2700abc45 --- /dev/null +++ b/rules/S6378/description.adoc @@ -0,0 +1,7 @@ +Disabling Managed Identities can reduce an organization's ability to protect itself against configuration faults and credentials leaks. + +Authenticating via managed identities to an Azure resource solely relies on an API call with a non-secret token. The process is inner to Azure: secrets used by Azure are not even accessible to end-users. + +In typical scenarios without managed identities, the use of credentials can lead to mistakenly leaving them in code bases. In addition, configuration faults may also happen when storing these values or assigning them permissions. + +By transparently taking care of the Azure Active Directory authentication, Managed Identities allow getting rid of day-to-day credentials management. diff --git a/rules/S6378/highlighting.adoc b/rules/S6378/highlighting.adoc new file mode 100644 index 00000000000..74b6a6aa1ca --- /dev/null +++ b/rules/S6378/highlighting.adoc @@ -0,0 +1,7 @@ +=== Highlighting + +Highlight: + +* The property that is wrong if it exists. + +* The entire resource block if a property is missing. diff --git a/rules/S6378/message.adoc b/rules/S6378/message.adoc new file mode 100644 index 00000000000..b8149bd178d --- /dev/null +++ b/rules/S6378/message.adoc @@ -0,0 +1,3 @@ +=== Message + +- Omitting the "identity" block disables Azure Managed Identities. Make sure it is safe here. diff --git a/rules/S6378/recommended.adoc b/rules/S6378/recommended.adoc new file mode 100644 index 00000000000..73129d15ef2 --- /dev/null +++ b/rules/S6378/recommended.adoc @@ -0,0 +1,9 @@ +== Recommended Secure Coding Practices + +Enable the Managed Identities capabilities of this Azure resource. If supported, use a System-Assigned managed identity, as: + +* It cannot be shared across resources. +* Its life cycle is deeply tied to the life cycle of its Azure resource. +* It provides a unique independent identity. + +Alternatively, User-Assigned Managed Identities can also be used but don't guarantee the properties listed above. diff --git a/rules/S6378/see.adoc b/rules/S6378/see.adoc new file mode 100644 index 00000000000..0897fb72e5e --- /dev/null +++ b/rules/S6378/see.adoc @@ -0,0 +1,7 @@ +== See + +* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A05] - Security Misconfiguration +* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A06] - Security Misconfiguration +* https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview[Azure AD Documentation - Managed Identities Overview] +* https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations[Azure AD Documentation - Managed Identities Best Practices] +* https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities[Azure AD Documentation - Services that support managed identities] diff --git a/rules/S6378/terraform/rule.adoc b/rules/S6378/terraform/rule.adoc index 7829af68077..2a0dfcb8ed4 100644 --- a/rules/S6378/terraform/rule.adoc +++ b/rules/S6378/terraform/rule.adoc @@ -1,32 +1,8 @@ -Disabling Managed Identities can reduce an organization's ability to protect itself against configuration faults and credentials leaks. +include::../description.adoc[] -Authenticating via managed identities to an Azure resource solely relies on an API call with a non-secret token. The process is inner to Azure: secrets used by Azure are not even accessible to end-users. - -In typical scenarios without managed identities, the use of credentials can lead to mistakenly leaving them in code bases. In addition, configuration faults may also happen when storing these values or assigning them permissions. - -By transparently taking care of the Azure Active Directory authentication, Managed Identities allow getting rid of day-to-day credentials management. - - -== Ask Yourself Whether - -The resource: - -* Needs to authenticate to Azure resources that support Azure Active Directory (AAD). -* Uses a different Access Control system that doesn't guarantee the same security controls as AAD, or no Access Control system at all. - -There is a risk if you answered yes to all of those questions. - - -== Recommended Secure Coding Practices - -Enable the Managed Identities capabilities of this Azure resource. If supported, use a System-Assigned managed identity, as: - -* It cannot be shared across resources. -* Its life cycle is deeply tied to the life cycle of its Azure resource. -* It provides a unique independent identity. - -Alternatively, User-Assigned Managed Identities can also be used but don't guarantee the properties listed above. +include::../ask-yourself.adoc[] +include::../recommended.adoc[] == Sensitive Code Example @@ -74,13 +50,7 @@ resource "azurerm_data_factory_linked_service_kusto" "example" { } ---- -== See - -* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A05] - Security Misconfiguration -* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A06] - Security Misconfiguration -* https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview[Azure AD Documentation - Managed Identities Overview] -* https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations[Azure AD Documentation - Managed Identities Best Practices] -* https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities[Azure AD Documentation - Services that support managed identities] +include::../see.adoc[] ifdef::env-github,rspecator-view[] @@ -88,18 +58,13 @@ ifdef::env-github,rspecator-view[] == Implementation Specification (visible only on this page) -=== Message - -- Omitting the "identity" block disables Azure Managed Identities. Make sure it is safe here. +include::../message.adoc[] -Only for Azure Data Factory +Only for Azure Data Factory: - Make sure that disabling Azure Managed Identities is safe here. -=== Highlighting - -Highlight the resource bloc. - +include::../highlighting.adoc[] endif::env-github,rspecator-view[]