Analyzing Azure Resource Manager templates with Snyk IaC
This is Iwasa.
I recently learned from the following article that Snyk IaC can perform static analysis of IaC templates.
Looking at the Snyk IaC page, it apparently supports Azure as well.
So today I ran a security check with Snyk IaC against an ARM template for an Azure environment.
Preparing the template
The ARM template is a simple one that only deploys a VNET and a virtual machine.
However, the Linux virtual machine has password authentication enabled, and the public access settings are left open.
With Azure you can download resources created in the portal directly as a template, so I will omit the template itself here.
Supported only by the Snyk CLI
One important point: as of today, ARM templates can only be scanned via the Snyk CLI.
Scan ARM configuration files - Snyk User Docs
What this means is that for CloudFormation, for example, you can simply select a linked GitHub repository from the web UI and scan it immediately, as shown below.
For a repository containing ARM templates, however, the template files are not treated as a supported language.
Job started: 08 August 2022, 10:39:57
Processed Tak1wa/hogehogehoge from GitHub - No supported target files detected. Please see our documentation for supported languages and target files.
0 projects created
Job completed: 08 August 2022, 10:39:59
Running it from the Snyk CLI
So today let's scan the template from the Snyk CLI and import the scan results into the web UI.
% snyk iac test ./ExportedTemplate-20200808/template.json --report

Snyk Infrastructure as Code

✔ Test completed.

Issues

Low Severity Issues: 1

  [Low] Virtual Network DDoS protection plan disabled
  Info:    Virtual Network DDoS protection plan disabled. Services deployed in the network will not benefit from advanced DDoS protection features such as attack alerting and analytics
  Rule:    https://snyk.io/security-rules/SNYK-CC-AZURE-516
  Path:    resources[2] > properties > enableDdosProtection
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.enableDdosProtection` to `true`

Medium Severity Issues: 11

  [Medium] Linux VM scale set encryption at host disabled
  Info:    Linux VM scale set encryption at host disabled. Storage devices attached to the VM will not be encrypted at rest
  Rule:    https://snyk.io/security-rules/SNYK-CC-AZURE-475
  Path:    resources[3] > properties > securityProfile > encryptionAtHost
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.securityProfile.encryptionAtHost` attribute to `true`

  [Medium] Ensure that RDP access is restricted from the internet
  Info:    Ensure that RDP access is restricted from the internet. Using RDP over internet leaves your Azure Virtual Machines vulnerable to brute force attacks
  Rule:    https://snyk.io/security-rules/SNYK-CC-AZURE-676
  Path:    resources[0] > properties > securityRules[3] > properties > destinationPortRange
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Remove `3389`, `*`, or any port range that covers `3389` from `properties.securityRules[].properties.destinationPortRange(s)` when 'properties.securityRules[].properties.access' is set to `allow`

  [Medium] Ensure that SSH access is restricted from the internet
  Info:    Ensure that SSH access is restricted from the internet. Using SSH over internet leaves your Azure Virtual Machines vulnerable to brute force attacks
  Rule:    https://snyk.io/security-rules/SNYK-CC-AZURE-677
  Path:    resources[0] > properties > securityRules[0] > properties > destinationPortRange
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Remove `22`, `*`, or any port range that covers `22` from `properties.securityRules[].properties.destinationPortRange(s)` when 'properties.securityRules[].properties.access' is set to `allow`

  [Medium] Azure Network Security Group allows public access
  Info:    Azure Network Security Group allows public access. Public access to all resources behind the network security group
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-33
  Path:    resources[0] > properties > securityRules[3] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` attribute to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Group allows public access
  Info:    Azure Network Security Group allows public access. Public access to all resources behind the network security group
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-33
  Path:    resources[0] > properties > securityRules[2] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` attribute to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Group allows public access
  Info:    Azure Network Security Group allows public access. Public access to all resources behind the network security group
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-33
  Path:    resources[0] > properties > securityRules[1] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` attribute to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Group allows public access
  Info:    Azure Network Security Group allows public access. Public access to all resources behind the network security group
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-33
  Path:    resources[0] > properties > securityRules[0] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` attribute to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Rule allows public access
  Info:    That inbound traffic is allowed to a resource from any source instead of a restricted range. That potentially everyone can access your resource
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-35
  Path:    resources[0] > properties > securityRules[3] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Rule allows public access
  Info:    That inbound traffic is allowed to a resource from any source instead of a restricted range. That potentially everyone can access your resource
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-35
  Path:    resources[0] > properties > securityRules[2] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Rule allows public access
  Info:    That inbound traffic is allowed to a resource from any source instead of a restricted range. That potentially everyone can access your resource
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-35
  Path:    resources[0] > properties > securityRules[1] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Rule allows public access
  Info:    That inbound traffic is allowed to a resource from any source instead of a restricted range. That potentially everyone can access your resource
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-35
  Path:    resources[0] > properties > securityRules[0] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` to specific IP range only, e.g. `192.168.1.0/24`

High Severity Issues: 1

  [High] Linux virtual machine has password authentication enabled
  Info:    Linux virtual machine has password authentication enabled. Password authentication is less resistant to brute force and educated guess attacks then SSH public key authentication
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-79
  Path:    resources[3] > properties > osProfile > linuxConfiguration > disablePasswordAuthentication
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.osProfile.linuxConfiguration.disablePasswordAuthentication` attribute to `true` or remove the attribute

-------------------------------------------------------

Test Summary

  Organization: hoge
  Project name: hoge0808snyk

✔ Files without issues: 0
✗ Files with issues: 1
  Ignored issues: 0
  Total issues: 13 [ 0 critical, 1 high, 11 medium, 1 low ]

-------------------------------------------------------

Report Complete

Your test results are available at: https://snyk.io/org/hoge/projects
under the name: hoge0808snyk
Besides the Linux password authentication and public access mentioned earlier, several other warnings show up, such as VNET DDoS protection.
Importing from the web UI was not possible, but importing the report from the Snyk CLI is supported.
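Since the post omits the template, here is an added example (not from the original post, and not Snyk's code): a constructed minimal ARM template carrying the same weak settings described above (password authentication enabled, inbound SSH/RDP allowed from any source, DDoS protection off, encryption at host unset), a simplified checker that shows what the Snyk rules in the scan output look at, and a `harden` step that applies the `Resolve:` hints. The checker is a teaching illustration of these five checks only, not Snyk's rule engine; the resource names and the `203.0.113.0/24` management range are placeholders.

```python
# Added example: constructed weak ARM template + simplified checker mirroring the
# Snyk IaC findings above. Not Snyk's rule engine; names/CIDRs are placeholders.
import copy
import json

# Constructed template: an NSG, a VNET and a Linux VM with the weak settings.
WEAK_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "example-nsg",
     "properties": {"securityRules": [
       {"name": "SSH", "properties": {"access": "Allow", "direction": "Inbound", "protocol": "Tcp",
                                      "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
       {"name": "RDP", "properties": {"access": "Allow", "direction": "Inbound", "protocol": "Tcp",
                                      "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"}}]}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "example-vnet",
     "properties": {"enableDdosProtection": false}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "example-vm",
     "properties": {"osProfile": {"linuxConfiguration": {"disablePasswordAuthentication": false}},
                    "securityProfile": {}}}
  ]
}
""")

# Source prefixes that mean "anyone on the internet" in an NSG rule.
PUBLIC_PREFIXES = {"*", "internet", "0.0.0.0/0", "any"}


def port_range_covers(port_range, port):
    """True if an NSG destinationPortRange ("*", "22" or "20-30") covers port."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = port_range.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(port_range) == port


def _rule_values(props, single, plural):
    # NSG rules may use the singular or the plural form of a property.
    values = list(props.get(plural, []))
    if single in props:
        values.append(props[single])
    return values


def check_template(template):
    """Return (severity, title, path) tuples; path uses Snyk's 'resources[i] > ...' style."""
    findings = []
    for i, res in enumerate(template.get("resources", [])):
        props, rtype = res.get("properties", {}), res.get("type", "")
        if rtype == "Microsoft.Network/networkSecurityGroups":
            for j, rule in enumerate(props.get("securityRules", [])):
                rp = rule.get("properties", {})
                if rp.get("access", "").lower() != "allow" or rp.get("direction", "").lower() != "inbound":
                    continue  # only inbound allow rules can expose a resource
                base = f"resources[{i}] > properties > securityRules[{j}] > properties"
                sources = _rule_values(rp, "sourceAddressPrefix", "sourceAddressPrefixes")
                if not any(s.lower() in PUBLIC_PREFIXES for s in sources):
                    continue
                findings.append(("medium", "NSG rule allows inbound traffic from any source", base + " > sourceAddressPrefix"))
                ports = _rule_values(rp, "destinationPortRange", "destinationPortRanges")
                for port, svc in ((22, "SSH"), (3389, "RDP")):
                    if any(port_range_covers(r, port) for r in ports):
                        findings.append(("medium", f"{svc} reachable from the internet", base + " > destinationPortRange"))
        elif rtype == "Microsoft.Network/virtualNetworks":
            if not props.get("enableDdosProtection", False):
                findings.append(("low", "VNET DDoS protection plan disabled", f"resources[{i}] > properties > enableDdosProtection"))
        elif rtype == "Microsoft.Compute/virtualMachines":
            linux = props.get("osProfile", {}).get("linuxConfiguration")
            if linux is not None and not linux.get("disablePasswordAuthentication", False):
                findings.append(("high", "Linux VM password authentication enabled",
                                 f"resources[{i}] > properties > osProfile > linuxConfiguration > disablePasswordAuthentication"))
            if not props.get("securityProfile", {}).get("encryptionAtHost", False):
                findings.append(("medium", "Encryption at host disabled", f"resources[{i}] > properties > securityProfile > encryptionAtHost"))
    return findings


def summarize(findings):
    """Count findings per severity, like Snyk's 'Total issues' line."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


def harden(template, admin_cidr="203.0.113.0/24"):
    """Apply the 'Resolve:' hints; admin_cidr is a placeholder management range."""
    fixed = copy.deepcopy(template)
    for res in fixed["resources"]:
        props = res.setdefault("properties", {})
        if res["type"] == "Microsoft.Network/networkSecurityGroups":
            for rule in props.get("securityRules", []):
                rule["properties"].pop("sourceAddressPrefixes", None)
                rule["properties"]["sourceAddressPrefix"] = admin_cidr
        elif res["type"] == "Microsoft.Network/virtualNetworks":
            props["enableDdosProtection"] = True
        elif res["type"] == "Microsoft.Compute/virtualMachines":
            linux = props.get("osProfile", {}).get("linuxConfiguration")
            if linux is not None:
                linux["disablePasswordAuthentication"] = True  # pair with ssh.publicKeys in practice
            props.setdefault("securityProfile", {})["encryptionAtHost"] = True
    return fixed


if __name__ == "__main__":
    for sev, title, path in check_template(WEAK_TEMPLATE):
        print(f"[{sev}] {title}\n    Path: {path}")
    print("after hardening:", summarize(check_template(harden(WEAK_TEMPLATE))))
```

Run as-is it prints seven findings (1 high, 5 medium, 1 low) in the same `Path:` style as the Snyk output, then zero after `harden`; replace `WEAK_TEMPLATE` with `json.load(open("template.json"))` to run the same checks over a template exported from the portal.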
Bicep
Those using ARM templates may also wonder whether it works with the Bicep format.
The documentation describes it as follows: the files must first be built to JSON, and cannot be scanned directly.
You can also scan Bicep format files by converting the configuration files to JSON using the Bicep CLI.
% az bicep build -f Bicep/template.bicep
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(9,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(86,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(102,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(127,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(155,22) : Warning adminusername-should-not-be-literal: Property 'adminUserName' should not use a literal value. Use a param instead. Found literal string value "iwasa" [https://aka.ms/bicep/linter/adminusername-should-not-be-literal]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(270,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]

% snyk iac test Bicep/template.json --report

Snyk Infrastructure as Code

✔ Test completed.

Issues

Low Severity Issues: 1

  [Low] Virtual Network DDoS protection plan disabled
  Info:    Virtual Network DDoS protection plan disabled. Services deployed in the network will not benefit from advanced DDoS protection features such as attack alerting and analytics
  Rule:    https://snyk.io/security-rules/SNYK-CC-AZURE-516
  Path:    resources[2] > properties > enableDdosProtection
  File:    Bicep/template.json
  Resolve: Set `properties.enableDdosProtection` to `true`

Medium Severity Issues: 11

  :

High Severity Issues: 1

  [High] Linux virtual machine has password authentication enabled
  Info:    Linux virtual machine has password authentication enabled. Password authentication is less resistant to brute force and educated guess attacks then SSH public key authentication
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-79
  Path:    resources[3] > properties > osProfile > linuxConfiguration > disablePasswordAuthentication
  File:    Bicep/template.json
  Resolve: Set `properties.osProfile.linuxConfiguration.disablePasswordAuthentication` attribute to `true` or remove the attribute

-------------------------------------------------------

Test Summary

  Organization: hoge
  Project name: hoge0808snyk

✔ Files without issues: 0
✗ Files with issues: 1
  Ignored issues: 0
  Total issues: 13 [ 0 critical, 1 high, 11 medium, 1 low ]

-------------------------------------------------------

Report Complete

Your test results are available at: https://snyk.io/org/hoge/projects
under the name: hoge0808snyk
Closing thoughts
Today I tried analyzing Azure Resource Manager templates with Snyk IaC.
There are some limitations, such as it being available only from the Snyk CLI, but as with AWS CloudFormation and others, it could be used on the free plan.
Snyk also supports Azure DevOps as a repository source, so do give it a try.