
Authentication mechanism absence or evasion - Azure

Need

Implementation of robust and secure authentication mechanisms in Azure

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of Azure Resource Manager (azurerm) for managing Azure resources

Description

Non compliant code

provider "azurerm" {
  version = "=2.40.0"
}

resource "azurerm_virtual_machine" "vm" {
  name                  = "myvm"
  location              = "West Europe"
  resource_group_name   = "my-resource-group"
  network_interface_ids = ["my-network-interface-id"]
  vm_size               = "Standard_D2s_v3"

  delete_os_disk_on_termination    = true
  delete_data_disks_on_termination = true

  os_profile {
    computer_name  = "hostname"
    admin_username = "admin"
    admin_password = "password"   # hardcoded, weak credential
  }

  os_profile_windows_config {}
}

The Terraform code above creates a virtual machine in Azure. It pins the azurerm provider to version 2.40.0 and declares a resource of type azurerm_virtual_machine, which represents a virtual machine in Azure.

The vulnerability lies in the os_profile block: admin_username and admin_password are hardcoded into the Terraform script. This is a significant security risk, because anyone with access to the script obtains the username and password of the administrative account on the virtual machine.

Additionally, the password is weak and easily guessable, which makes it even less secure and could allow an attacker to gain unauthorized access to the virtual machine.

Furthermore, the provider block declares no authentication mechanism: no service principal or client secret is configured for authenticating to Azure. This means the Terraform script is likely relying on the Azure CLI's logged-in session, which is not a secure practice.

This code is vulnerable to Authentication mechanism absence or evasion.

Steps

  • Use a more secure authentication mechanism instead of a plaintext password.
  • Consider using Azure Active Directory (AAD) for authentication and authorization.
  • Implement multi-factor authentication (MFA) to add an extra layer of security.
  • Avoid hardcoding sensitive information like passwords in the code.
  • Use secrets management tools to securely store and retrieve authentication credentials.
  • Regularly review and update authentication mechanisms to address any new vulnerabilities or weaknesses.

Compliant code

provider "azurerm" {
  version = "=2.40.0"
  features {}
}

data "azurerm_client_config" "current" {}

# The secret value is supplied at apply time (TF_VAR_admin_password, a
# tfvars file kept out of version control, or a CI secret), never as a
# literal in the configuration.
variable "admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_key_vault" "example" {
  name                        = "mykeyvault"
  location                    = "West Europe"
  resource_group_name         = "my-resource-group"
  sku_name                    = "standard"
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  # The identity running Terraform needs permission to write the secret
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    secret_permissions = ["get", "set", "list", "delete"]
  }
}

resource "azurerm_key_vault_secret" "example" {
  name         = "adminpassword"
  value        = var.admin_password
  key_vault_id = azurerm_key_vault.example.id
}

resource "azurerm_virtual_machine" "vm" {
  name                  = "myvm"
  location              = "West Europe"
  resource_group_name   = "my-resource-group"
  network_interface_ids = ["my-network-interface-id"]
  vm_size               = "Standard_D2s_v3"

  delete_os_disk_on_termination    = true
  delete_data_disks_on_termination = true

  os_profile {
    computer_name  = "hostname"
    admin_username = "admin"
    admin_password = azurerm_key_vault_secret.example.value
  }

  os_profile_windows_config {}
}

The updated code uses Azure Key Vault to store the admin password. The azurerm_key_vault_secret resource creates a secret in the Key Vault holding the admin password, and the azurerm_virtual_machine resource reads that secret's value instead of a literal. Note that Terraform still records the secret's value in its state file, so the state backend must be protected with the same care as the Key Vault itself.

This approach avoids hardcoding sensitive information such as passwords in the code, which is a security best practice. It also leverages Azure's built-in secrets management, which provides additional features like access control, auditing, and automatic rotation of secrets.

Please note that this is only one part of a secure authentication mechanism. You should also consider using Azure Active Directory (AAD) for authentication and authorization, implementing multi-factor authentication (MFA), and regularly reviewing and updating your authentication mechanisms to address any new vulnerabilities or weaknesses.
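The following checker is an added example, not code from the page or from Fluid Attacks: a heuristic Python scan that walks a Terraform file, tracks the enclosing HCL block and flags the three patterns discussed above (a literal admin_password in os_profile, a literal client_secret in the provider block, and a literal value in an azurerm_key_vault_secret) while accepting references such as var.*, data.* or resource attributes. The sample configurations, the placeholder secret strings and the ARM_* environment-variable remark are constructed for the example; the checker is not a full HCL parser.

```python
"""Heuristic scan of Terraform (HCL) for hardcoded Azure credentials.

Added example, not code from the page: tracks the enclosing HCL block and
flags authentication secrets written as string literals instead of as
references (var.*, data.*, resource attributes). Not a full HCL parser:
heredocs, multi-line expressions and trailing comments are not handled.
"""
import re

# Attributes that carry an authentication secret; "value" counts only
# inside an azurerm_key_vault_secret resource.
SENSITIVE_ATTRS = {"admin_password", "client_secret", "value"}

BLOCK_RE = re.compile(r'^(provider|resource|data|variable|module|locals)\s*'
                      r'(?:"([^"]+)")?\s*(?:"([^"]+)")?\s*\{')
NESTED_RE = re.compile(r'^([a-z0-9_]+)\s*\{')            # os_profile {
ATTR_RE = re.compile(r'^([a-z0-9_]+)\s*=\s*(.+?)\s*$')    # name = "x"
STRING_LIT_RE = re.compile(r'^"[^"]*"$')


def _is_literal(value):
    """True for a plain quoted string; "${...}" interpolations are references."""
    return bool(STRING_LIT_RE.match(value)) and "${" not in value


def scan_terraform(text):
    """Return [{line, block, attribute}] for every hardcoded secret found."""
    findings, stack = [], []          # stack: enclosing block labels
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue
        m = BLOCK_RE.match(line) or NESTED_RE.match(line)
        if m:
            # "features {}" opens and closes on one line: nothing to push
            if line.count("{") > line.count("}"):
                stack.append(".".join(g for g in m.groups() if g))
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        m = ATTR_RE.match(line)
        if not (m and stack):
            continue
        attr, value = m.groups()
        if attr not in SENSITIVE_ATTRS or not _is_literal(value):
            continue
        if attr == "value" and not any(
                s.startswith("resource.azurerm_key_vault_secret") for s in stack):
            continue
        findings.append({"line": lineno, "block": "/".join(stack),
                         "attribute": attr})
    return findings


# Constructed samples: the page's non-compliant pattern plus a provider
# block with a literal client_secret (placeholder value, not a real secret).
SAMPLE_NONCOMPLIANT = """\
provider "azurerm" {
  version       = "=2.40.0"
  client_secret = "constructed-placeholder-secret"
}
resource "azurerm_virtual_machine" "vm" {
  os_profile {
    computer_name  = "hostname"
    admin_username = "admin"
    admin_password = "password"
  }
}
resource "azurerm_key_vault_secret" "example" {
  name         = "adminpassword"
  value        = "SecurePassword123!"
  key_vault_id = azurerm_key_vault.example.id
}
"""

# Constructed fix: the secret value comes from a sensitive variable and the
# provider authenticates through the ARM_* environment variables instead.
SAMPLE_COMPLIANT = """\
provider "azurerm" {
  version = "=2.40.0"
  features {}
}
variable "admin_password" {
  type      = string
  sensitive = true
}
resource "azurerm_key_vault_secret" "example" {
  name         = "adminpassword"
  value        = var.admin_password
  key_vault_id = azurerm_key_vault.example.id
}
resource "azurerm_virtual_machine" "vm" {
  os_profile {
    admin_password = azurerm_key_vault_secret.example.value
  }
}
"""

if __name__ == "__main__":
    for f in scan_terraform(SAMPLE_NONCOMPLIANT):
        print(f"line {f['line']}: literal {f['attribute']} in {f['block']}")
    print("compliant findings:", scan_terraform(SAMPLE_COMPLIANT))
```

Run as a pre-commit or CI step over every `.tf` file, the scan reports three findings for the non-compliant sample (the provider's client_secret, the VM's admin_password, and the Key Vault secret's literal value) and none for the compliant one. A literal in `azurerm_key_vault_secret.value` is flagged deliberately: moving a password into Key Vault does not help if the value is still typed into the configuration, which is why the compliant sample feeds it from a `sensitive` variable. For a production gate, prefer a real HCL parser (for example python-hcl2) or a policy engine over this line-based heuristic.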
