-
Notifications
You must be signed in to change notification settings - Fork 166
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature Request - AzOps IAM security guidance for least privilege access #747
Comments
Thank you for the valuable feedback, @vegazbabz. Given what the reference architecture looks like and how the platform works regarding RBAC inheritance, managing an Enterprise-Scale platform with pipelines (regardless of AzOps or something else is used), comes with some limitations depending on the operating model and the separation of teams/concerns. Example: A all our Some high-level recommendations below:
Hope this helps. We will use this issue to track documentation updates to further address these topics. |
Thanks for the recommendations, those are appreciated. I am also happy hear that you will start working on elaborating further on security documentation. How do you view an alternative solution by deploying pipelines for specific use-cases? E.g. a pipeline for Identity usage, one for LZ, one for networking, etc. etc. Just to segregate the work, so you do not have "one pipeline to rule them all". |
@vegazbabz, thank you for the additional input - and apologies for the wall of text 😄 Your insider privilege escalation scenario is absolutely a potential risk, so is the potential risk of someone in the platform team rolls out a deployIfNotExists policy that runs certain commands on targeted virtual machines, or a policy that breaks other parts of the environments. This risk is even higher is things would be managed manually through the portal, as we have limited control gates after entitlement has been granted at high management group level. This is why from a DevOps process perspective, reviews, approvals, and gates are absolutely essential for infrastructure as code to ensure reliable, secure, and compliant platform environments. When/if there is a lack of trust or knowledge among approvers, it is critical that the issue is addressed and resolved. This could involve providing additional training and resources to ensure that all approvers have the necessary knowledge and expertise to make informed decisions. Alternatively, it may require building trust through open communication and transparency in the approval process. It is always recommended to do your own threat modeling to ensure you have adequate preventive, detective and corrective security controls for identified threat scenarios. Examples:
As mentioned in my previous comment, customers often do not operate one pipeline to rule them all, but have one AzOps for the core platform resources (Policies, Roles, Management Groups), and then additional repos and pipelines as per operating model such as networking, identity etc. Entertaining the idea of breaking out the Identity management groups outside of the main management group hierarchy could potentially address some of these concerns, but would come at the cost of additional management overhead and less holistic security posture. |
I appreciate the thorough answer, so no need to apologize.
https://feedback.azure.com/d365community/idea/d0f837fd-90ad-ed11-a81b-6045bd79fc6e Do you have any recommendations around the amount of steps and people that should maximum be involved in the reviews, approvals, and gates? I am thinking that you can keep adding complexity to this, but the more complexity the less efficiency, so you want to aim for a good balance. "However, since everything lives under the same management group structure, the platform pipelines inevitable will have permissions that can impact other platform components (including Identity)." We want to stick with ESLZ architecture, so no moving MG outside (we already looked at this design option, and it is bad). Once again, thanks for the thorough answers! |
Currently, there is a bit of a gap here in terms of the portal experience for runCommands. Azure Policies only work on PUT requests, and the portal runCommand uses an old API-version and POST. If you want to validate your policy, try using the PUT API or an ARM/Bicep template (https://learn.microsoft.com/en-us/rest/api/compute/virtual-machine-run-commands/create-or-update?tabs=HTTP) This means you currently have to use both policy as well as detective controls (alerts) to be fully covered. Another note around runCommands based on previous experiences, I'd strongly suggest avoiding blocking certain commands etc, as it is usually very easy to circumvent with aliases or alternate commands. Instead of Invoke-WebRequest, I could use curl, Invoke-RestMethod or the aliases.
This all comes down to criticality and risks involved with the different pipelines and changes. The higher potential blast radius, the stricter review process required. I.e. for a change at the root/intermediate root, you perhaps want to enforce two review approvals and potentially additional evidence. For changes with lower blast radius risks such as subscription or rg level, one approval or automated approval might be sufficient.
100%, that would be the intent with multiple pipelines. However - to my earlier point, the pipeline managing policyDefinitions, policyAssignments, roleDefinitions etc. at the intermediate root management group, will due to inheritance have permissions across the whole environment. |
Alright, thanks for clarify. Although, it is not very good news that the portal is running an old API version(?!). I tried it via PostMan and it worked: With this simple policyRule:
So actually, an attack would have to use the portal instead of PowerShell or other thirdparty CLIs, due to the old API version? 😆 that is a bit tragicomedic. |
I will notify our internal teams about this deficiency so we can fix the portal experience as well. |
@daltondhcp @vegazbabz Thank you both for the valuable discussion. I'm a bit late but regarding one of the high-level recommendations:
Isn't it so that one challenge here is that you can effectively place an arbitrary bicep file just about anywhere in the folder structure, thus triggering a code review from a completely different code owner? The WhatIf output - if available and without too much noise - could then be used to possibly trigger other code owners to be automatically added as additional reviewers or automatically reject it. |
Not necessarily if we set up different code owners or reviewer policies for different folders in the structure. Key thing is that one needs to be comfortable with the approval structure as well as approvers. |
The security concept around
AzOps
is questionable. It basically breaks with all of Microsoft's recommendations aroundleast privileges
. You have a single pipeline with permissions to manage more or less everything. This includes granting permissions on MG level, e.g. on Platform Identity -> bye bye Domain Controller(s).Where access to DC was highly restricted on-prem and also should be it according to your ALZ architecture if moved to the cloud, the AzOps completely circumvents this unless the approver is from the same DC admin team and can read code to understand the request to approve. The same for other resources and services.
It seems like
AzOps
only serves an operational purpose without security being thought through. The suspicion is only strengthened by AzOps never mentioning security as a factor.What is best practice and Microsoft recommendations around AzOps and security?
How can we ensure that Enterprise Access Model is still valid?
Source:
The text was updated successfully, but these errors were encountered: