
Traceability Loss - Azure

Need

Improved traceability and logging in Azure configurations

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of Azure Resource Manager (azurerm) for managing Azure resources

Description

Non compliant code

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

# A workspace is only a destination. Nothing below sends any log to it,
# and whatever does arrive is discarded after 30 days.
resource "azurerm_log_analytics_workspace" "example" {
  name                = "example-workspace"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

The code above creates a Log Analytics workspace with a minimal configuration: a name and a location, the "PerGB2018" SKU, and a data retention period of 30 days.

A workspace on its own is only a sink. Nothing in this configuration sends any log to it: there is no diagnostic setting for the subscription's Activity Log or for any resource, so the operations performed on the resource group (creations, modifications, deletions, role assignments) are never exported to a queryable store. The 30-day retention compounds the problem, since any log that does arrive is discarded after a period that may be shorter than the time it takes to detect an intrusion.

The vulnerability is therefore the absence of a diagnostic setting feeding the workspace, together with the short retention. Potentially malicious activity is not recorded in a central, retained store, so it cannot be reconstructed after the fact, which hinders the detection of security breaches and makes incident response harder.

To fix it, add an azurerm_monitor_diagnostic_setting resource (there is no diagnostic settings block on azurerm_log_analytics_workspace itself) that targets the subscription, or each resource whose logs are needed, enables the relevant log categories and sets log_analytics_workspace_id to the workspace. Raise retention_in_days on the workspace to a period long enough for effective detection and response; 365 days is used below.

Steps

  • Enable a diagnostic setting for the Activity Log at subscription scope, and for each Azure resource whose resource logs are needed
  • Configure each diagnostic setting to include the necessary log categories (for the Activity Log at least Administrative and Security)
  • Set retention_in_days on the Log Analytics workspace to the desired retention period
  • Point log_analytics_workspace_id of every diagnostic setting at that workspace so the logs are stored centrally
  • Regularly review and analyze the logs for any anomalous behaviors or security breaches
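The steps above can be enforced before anything is applied by checking the Terraform plan in CI. The following policy check is an added example, not part of the original page or of any Fluid Attacks or HashiCorp tooling. It reads the JSON that `terraform show -json tfplan` produces and flags a workspace whose retention is below a threshold (365 days is assumed, matching the compliant code below), a diagnostic setting with no Log Analytics destination or no enabled category, and a plan that creates no diagnostic setting at all. The two embedded plan fragments are constructed by hand to mirror the non-compliant and compliant configurations on this page; the subscription id in them is a placeholder.

```python
"""Policy-as-code check for Azure traceability loss (added example, not from the original page).

Input: the JSON of `terraform show -json tfplan`.  Output: a list of findings, empty when the plan passes.
"""
import json

MIN_RETENTION_DAYS = 365  # assumed threshold; matches the compliant configuration on this page


def _enabled_categories(after: dict) -> list:
    """Collect categories from the current enabled_log block and from the older log block (enabled = true)."""
    cats = [e.get("category") or e.get("category_group") for e in after.get("enabled_log") or []]
    cats += [e.get("category") for e in after.get("log") or [] if e.get("enabled")]
    return [c for c in cats if c]


def check_plan(plan_json: str, min_retention_days: int = MIN_RETENTION_DAYS) -> list:
    """Return human-readable findings for the plan; an empty list means it is compliant."""
    plan = json.loads(plan_json)
    findings = []
    feeding_settings = 0  # diagnostic settings that actually deliver at least one category to a workspace
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if (change.get("actions") or []) == ["delete"]:
            continue  # the resource is going away; nothing to enforce on it
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        if rc.get("type") == "azurerm_log_analytics_workspace":
            days = after.get("retention_in_days")
            # An absent or unknown value is not proven compliant (the provider default is 30), so it is flagged.
            if not isinstance(days, int) or days < min_retention_days:
                findings.append(f"{rc['address']}: retention_in_days={days} is below {min_retention_days}")
        elif rc.get("type") == "azurerm_monitor_diagnostic_setting":
            # When the workspace is created in the same run its id is "known after apply", which the plan
            # records in after_unknown rather than after, so both places are accepted as a destination.
            has_sink = bool(after.get("log_analytics_workspace_id")) or unknown.get("log_analytics_workspace_id") is True
            categories = _enabled_categories(after)
            if not has_sink:
                findings.append(f"{rc['address']}: no log_analytics_workspace_id destination")
            if not categories:
                findings.append(f"{rc['address']}: no enabled log category")
            if has_sink and categories:
                feeding_settings += 1
    if feeding_settings == 0:
        findings.append("no azurerm_monitor_diagnostic_setting sends logs to a Log Analytics workspace")
    return findings


# --- constructed sample plans mirroring the two configurations on this page ---------------------------
def _plan(*resource_changes) -> str:
    return json.dumps({"format_version": "1.2", "resource_changes": list(resource_changes)})


_RG = {"address": "azurerm_resource_group.example", "type": "azurerm_resource_group", "name": "example",
       "change": {"actions": ["create"], "after": {"name": "example-resources", "location": "West Europe"},
                  "after_unknown": {"id": True}}}


def _workspace(retention_days: int) -> dict:
    return {"address": "azurerm_log_analytics_workspace.example", "type": "azurerm_log_analytics_workspace",
            "name": "example",
            "change": {"actions": ["create"],
                       "after": {"name": "example-workspace", "sku": "PerGB2018", "retention_in_days": retention_days},
                       "after_unknown": {"id": True, "location": True, "resource_group_name": True}}}


_DIAG = {"address": "azurerm_monitor_diagnostic_setting.activity_log", "type": "azurerm_monitor_diagnostic_setting",
         "name": "activity_log",
         "change": {"actions": ["create"],
                    "after": {"name": "example-activity-log",
                              "target_resource_id": "/subscriptions/00000000-0000-0000-0000-000000000000",  # placeholder
                              "enabled_log": [{"category": "Administrative", "category_group": ""},
                                              {"category": "Security", "category_group": ""},
                                              {"category": "Policy", "category_group": ""}],
                              "metric": []},
                    "after_unknown": {"id": True, "log_analytics_workspace_id": True}}}

NONCOMPLIANT_PLAN = _plan(_RG, _workspace(30))          # workspace only, 30-day retention, nothing feeding it
COMPLIANT_PLAN = _plan(_RG, _workspace(365), _DIAG)     # 365-day retention plus an Activity Log export


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check_plan.py plan.json  (exit 1 on findings, for use as a CI gate)
        with open(sys.argv[1]) as fh:
            results = check_plan(fh.read())
        print("\n".join(results) or "OK")
        sys.exit(1 if results else 0)
    for label, sample in (("non-compliant", NONCOMPLIANT_PLAN), ("compliant", COMPLIANT_PLAN)):
        print(label, check_plan(sample) or ["OK"])
```

Run it with no arguments to see the two constructed samples evaluated, or pass the path of a real `terraform show -json` file to gate a pipeline on the exit status. The unknown-value handling matters in practice: a check that only looks at `after` would reject every plan that creates the workspace and the diagnostic setting together.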

Compliant code

provider "azurerm" {
  features {}
}

# Scope the Activity Log diagnostic setting is attached to: the subscription itself.
data "azurerm_subscription" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_log_analytics_workspace" "example" {
  name                = "example-workspace"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  # Retention is governed here, at the workspace, for every log that lands in it.
  retention_in_days   = 365
}

# Export the subscription's Activity Log (control-plane operations such as creating,
# modifying or deleting the resource group and anything inside it) to the workspace.
# Resource groups do not accept diagnostic settings themselves, so the target is the
# subscription, and "Action" is not a category Azure Monitor knows; the Activity Log
# categories used here are the ones it actually exposes.
resource "azurerm_monitor_diagnostic_setting" "activity_log" {
  name                       = "example-activity-log"
  target_resource_id         = data.azurerm_subscription.current.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  enabled_log {
    category = "Administrative" # every write operation: caller, source IP, outcome
  }

  enabled_log {
    category = "Security" # alerts raised by Microsoft Defender for Cloud
  }

  enabled_log {
    category = "Policy" # Azure Policy evaluations and remediations
  }

  # The Activity Log emits no metrics, so there is no metric block. The former
  # retention_policy block only applied to storage-account destinations and is
  # deprecated; with a workspace destination the workspace's retention_in_days applies.
}

The updated code adds an azurerm_monitor_diagnostic_setting resource attached to the subscription (data.azurerm_subscription.current.id). Resource groups do not accept diagnostic settings, and "Action" is not a category Azure Monitor recognises; the control-plane operations that create, modify or delete the resource group and its contents are recorded in the subscription's Activity Log, whose categories are Administrative, Security, ServiceHealth, Alert, Recommendation, Policy, Autoscale and ResourceHealth.

The enabled_log blocks select Administrative (every write operation, with the caller, the caller's IP address and the outcome), Security (alerts raised by Microsoft Defender for Cloud) and Policy (Azure Policy evaluations). enabled_log replaces the older log block and requires azurerm provider 3.x or later. There is no metric block because the Activity Log emits no metrics; for resources that do, such as storage accounts or key vaults, a diagnostic setting targeting that resource can add a metric block with category "AllMetrics".

The logs are sent to the workspace named in log_analytics_workspace_id, where they land in the AzureActivity table and can be queried centrally for anomalous behaviours or evidence of a breach. After apply, `az monitor diagnostic-settings subscription list` should show the setting with the workspace as its destination.

Retention is set once, on the workspace, by raising retention_in_days to 365. The retention_policy block that used to appear inside log and metric blocks only ever applied to storage-account destinations and is deprecated; with a Log Analytics destination the workspace setting is what determines how long events are kept.
