
Defender for Cloud Security Recommendations #4303

Open

West-P opened this issue Feb 4, 2025 · 5 comments

Comments

@West-P

West-P commented Feb 4, 2025

There are a number of security findings from Azure Defender for Cloud. Let me know if an issue needs to be created for each of these but here is the list from a TRE deployment with an airlock in place with a workspace using Databricks, VMs, AzureML and SQL services enabled:

  • TLS should be updated to the latest version for function apps - func-airlock-processor-[treid]
  • TLS should be updated to the latest version for web apps - api-[treid], guacamole-[treid]-ws-f9a2-svc-095e, guacamole-[treid]-ws-a4a3-svc-8ae7
  • Storage accounts should prevent shared key access - All storage accounts
  • Storage accounts should restrict network access using virtual network rules - TRE Core Storage Accounts
  • Storage account should use a private link connection - TRE Core Storage Accounts
  • Azure DDoS Protection Standard should be enabled - vnet-[treid]
  • Firewall should be enabled on Key Vault - kv-[treid]
  • Azure Event Grid topics should use private link - evgt-airlock-scan-result-v2-[treid]
  • Azure Cosmos DB should disable public network access - cosmos-[treid], cosmos-mongo-[treid]
  • Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method - cosmos-[treid]
  • Virtual machines and virtual machine scale sets should have encryption at host enabled - vmss-rp-porter-[treid], nexus-[treid], All workspace VMs
  • Machines should have a vulnerability assessment solution - nexus-[treid], All workspace VMs
  • Machines should be configured to periodically check for missing system updates - nexus-[treid]
  • Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. - nexus-[treid]
  • Guest Configuration extension should be installed on machines - nexus-[treid], All workspace VMs
  • Azure Backup should be enabled for virtual machines - nexus-[treid], All workspace VMs
  • Resource logs in Azure Machine Learning Workspaces should be enabled
  • Resource logs in Azure Databricks Workspaces should be enabled
  • Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. - All workspace VMs
  • Container registries should use private link - Management Container Registry
  • Container registries should not allow unrestricted network access - Management Container Registry

I understand that potentially some of these findings may have already been highlighted and some may not be possible without breaking functionality. But it would be useful to know the justifications for this to audit the security findings on a customer's system and if our client/s have any questions on the vulnerabilities found.

We can potentially resolve most of these ourselves but it would be good for the repo to be updated, especially things like TLS version updates and making sure VMs created have the recommended extensions with Update Management and Backup in place.

@marrobi marrobi transferred this issue from microsoft/AzureTRE-Deployment Feb 4, 2025
@marrobi
Member

marrobi commented Feb 4, 2025

@West-P are you running the v0.19.1 release? Some of these have been fixed up in main, and we plan to get a new release out in the coming weeks. Then it's worth re-evaluating. There are reasons why some of these are the way they are.

Some of the above I would advise you implement via subscription wide policy, rather than actually in code in this project.

cc @tamirkamara

@West-P
Author

West-P commented Feb 4, 2025

> @West-P are you running the v0.19.1 release? Some of these have been fixed up in main, and we plan to get a new release out in the coming weeks. Then it's worth re-evaluating. There are reasons why some of these are the way they are.
>
> Some of the above I would advise you implement via subscription wide policy, rather than actually in code in this project.
>
> cc @tamirkamara

Yes, this is from v0.19.1.
Some of these I agree would be set at a subscription level. However, I can update my environment post the upcoming release (as it's a demo env) and then report back recommendations after updating.

@jonnyry
Collaborator

jonnyry commented Feb 4, 2025

I've been working through a similar Defender list for our deployment and can comment on a few:

  • TLS should be updated to the latest version for function apps - func-airlock-processor-[treid]
  • TLS should be updated to the latest version for web apps - api-[treid], guacamole-[treid]-ws-f9a2-svc-095e, guacamole-[treid]-ws-a4a3-svc-8ae7

Requires TLS 1.3 to be set. I've fixed locally in our instance. @marrobi are we happy to set TLS 1.3 as the minimum in this repo? It requires an azurerm provider bump.

  • Azure DDoS Protection Standard should be enabled - vnet-[treid]

This is a $2.5K / month service. Should be optional if it is remediated in this repo.

  • Firewall should be enabled on Key Vault - kv-[treid]

PR for this one here: #4260. Waiting for a merge - @marrobi ;-)

  • Azure Cosmos DB should disable public network access - cosmos-[treid], cosmos-mongo-[treid]

We've fixed locally, happy to PR back here?

  • Virtual machines and virtual machine scale sets should have encryption at host enabled - vmss-rp-porter-[treid], nexus-[treid], All workspace VMs
  • Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. - nexus-[treid]
  • Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. - All workspace VMs

This was merged in the last week - #4263

Assuming you have that update and your machines are showing as EncryptionAtHost enabled, you may still be seeing the error because Guest Configuration is not able to audit the machine.

  • Storage accounts should prevent shared key access - All storage accounts

I think most of the shared key access has been removed where possible. There are some accounts that still need a shared key in order to mount the file share on VMs.

@jonnyry
Collaborator

jonnyry commented Feb 4, 2025

A couple more for the list:

  • Key Vault secrets should have an expiration date
  • Authentication to Linux machines should require SSH keys

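The two comments above point at specific resource settings behind the Defender findings (TLS minimum on the app services, Cosmos DB public access and AAD-only auth, encryption at host, storage shared-key access, the Key Vault firewall, SSH-key-only login and secret expiry). The following Terraform (azurerm) fragment is an added illustration, not code from this thread or from the AzureTRE repository: it shows the attribute each finding maps to, with the hardened value set. Resource names, every `var.*` input, the VM image, and the secret's expiry date are placeholders; `minimum_tls_version = "1.3"` assumes an azurerm provider version that accepts that value, which is the provider bump mentioned above.

```terraform
# Added illustration, not AzureTRE code; names, var.* inputs and dates are placeholders.
variable "tre_id" {}
variable "resource_group_name" {}
variable "location" {}
variable "service_plan_id" {}
variable "tenant_id" {}
variable "nexus_nic_id" {}
variable "admin_ssh_public_key" {}

# TLS finding: "1.2" keeps it open; "1.3" assumes an azurerm 4.x provider (the bump noted above).
resource "azurerm_linux_web_app" "api" {
  name                = "api-${var.tre_id}"
  resource_group_name = var.resource_group_name
  location            = var.location
  service_plan_id     = var.service_plan_id
  site_config {
    minimum_tls_version = "1.3"
  }
}

# Cosmos DB findings: no public network access; Entra ID (Azure AD) as the only auth method.
resource "azurerm_cosmosdb_account" "state" {
  name                                 = "cosmos-${var.tre_id}"
  resource_group_name                  = var.resource_group_name
  location                             = var.location
  offer_type                           = "Standard"
  kind                                 = "GlobalDocumentDB"
  public_network_access_enabled        = false
  local_authentication_method_disabled = true
  consistency_policy { consistency_level = "Session" }
  geo_location {
    location          = var.location
    failover_priority = 0
  }
}

# Storage findings: no shared-key access, network default deny. Accounts that
# still mount file shares on VMs with a key (see above) must keep the key enabled.
resource "azurerm_storage_account" "core" {
  name                      = "st${var.tre_id}"
  resource_group_name       = var.resource_group_name
  location                  = var.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  shared_access_key_enabled = false
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}

# Key Vault findings: firewall on (default deny), secrets carry an expiration date.
resource "azurerm_key_vault" "core" {
  name                = "kv-${var.tre_id}"
  resource_group_name = var.resource_group_name
  location            = var.location
  tenant_id           = var.tenant_id
  sku_name            = "standard"
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}
resource "azurerm_key_vault_secret" "example" {
  name            = "example-secret"        # placeholder
  value           = "placeholder-value"     # placeholder
  key_vault_id    = azurerm_key_vault.core.id
  expiration_date = "2026-02-04T00:00:00Z"  # placeholder date, RFC 3339
}

# VM findings: encryption at host, SSH keys only (no password login).
resource "azurerm_linux_virtual_machine" "nexus" {
  name                            = "nexus-${var.tre_id}"
  resource_group_name             = var.resource_group_name
  location                        = var.location
  size                            = "Standard_B2s"
  admin_username                  = "adminuser"
  network_interface_ids           = [var.nexus_nic_id]
  encryption_at_host_enabled      = true
  disable_password_authentication = true
  admin_ssh_key {
    username   = "adminuser"
    public_key = var.admin_ssh_public_key
  }
  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Premium_LRS"
  }
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts-gen2"
    version   = "latest"
  }
}
```

Two caveats when checking these against Defender: `encryption_at_host_enabled` only applies once the `Microsoft.Compute/EncryptionAtHost` feature is registered on the subscription, and, as noted above, the VM-level findings can stay open after the setting is correct if the Guest Configuration extension is missing and Defender cannot audit the machine. The DDoS Protection Standard item is left out on purpose, given its cost.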
@marrobi
Member

marrobi commented Feb 4, 2025

Thanks guys. Let's get the PRs merged and see where we are, tick things off the list. There is also this issue #2171 ...
