Trying Snyk IaC on Azure Resource Manager templates

2022.08.08

This is Iwasa.

In the following article I recently learned that Snyk IaC can run static analysis on IaC templates.

Looking at the Snyk IaC page, it turns out Azure is supported as well.

So today I ran a security check with Snyk IaC against an ARM template for an Azure environment.

Preparing the template

The ARM template is a simple one that only deploys a VNet and a virtual machine.

However, password authentication is enabled on the Linux virtual machine, and the public access settings are left open.
In Azure you can download a template of what you created in the portal as-is, so I will not include the template here.

Supported only through the Snyk CLI

One important point: as of today, ARM templates can only be scanned through the Snyk CLI.

Scan ARM configuration files - Snyk User Docs

What this means is that for CloudFormation, for example, you only need to pick a connected GitHub repository from the web UI and the scan runs immediately, as shown below.

For a repository of ARM templates, however, the template files are not treated as a supported language.

Job started: 08 August 2022, 10:39:57
Processed Tak1wa/hogehogehoge from GitHub
- No supported target files detected. Please see our documentation for supported languages and target files.
0 projects created
Job completed: 08 August 2022, 10:39:59

Running it from the Snyk CLI

So today let's scan the template from the Snyk CLI and then import the scan results into the web UI.

% snyk iac test ./ExportedTemplate-20200808/template.json --report

Snyk Infrastructure as Code

✔ Test completed.

Issues

Low Severity Issues: 1

  [Low] Virtual Network DDoS protection plan disabled
  Info:    Virtual Network DDoS protection plan disabled. Services deployed in the network will not benefit from advanced DDoS protection features such as attack alerting and analytics
  Rule:    https://snyk.io/security-rules/SNYK-CC-AZURE-516
  Path:    resources[2] > properties > enableDdosProtection
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.enableDdosProtection` to `true`

Medium Severity Issues: 11

  [Medium] Linux VM scale set encryption at host disabled
  Info:    Linux VM scale set encryption at host disabled. Storage devices attached to the VM will not be encrypted at rest
  Rule:    https://snyk.io/security-rules/SNYK-CC-AZURE-475
  Path:    resources[3] > properties > securityProfile > encryptionAtHost
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.securityProfile.encryptionAtHost` attribute to `true`

  [Medium] Ensure that RDP access is restricted from the internet
  Info:    Ensure that RDP access is restricted from the internet. Using RDP over internet leaves your Azure Virtual Machines vulnerable to brute force attacks
  Rule:    https://snyk.io/security-rules/SNYK-CC-AZURE-676
  Path:    resources[0] > properties > securityRules[3] > properties > destinationPortRange
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Remove `3389`, `*`, or any port range that covers `3389` from `properties.securityRules[].properties.destinationPortRange(s)` when 'properties.securityRules[].properties.access' is set to `allow`

  [Medium] Ensure that SSH access is restricted from the internet
  Info:    Ensure that SSH access is restricted from the internet. Using SSH over internet leaves your Azure Virtual Machines vulnerable to brute force attacks
  Rule:    https://snyk.io/security-rules/SNYK-CC-AZURE-677
  Path:    resources[0] > properties > securityRules[0] > properties > destinationPortRange
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Remove `22`, `*`, or any port range that covers `22` from `properties.securityRules[].properties.destinationPortRange(s)` when 'properties.securityRules[].properties.access' is set to `allow`

  [Medium] Azure Network Security Group allows public access
  Info:    Azure Network Security Group allows public access. Public access to all resources behind the network security group
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-33
  Path:    resources[0] > properties > securityRules[3] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` attribute to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Group allows public access
  Info:    Azure Network Security Group allows public access. Public access to all resources behind the network security group
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-33
  Path:    resources[0] > properties > securityRules[2] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` attribute to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Group allows public access
  Info:    Azure Network Security Group allows public access. Public access to all resources behind the network security group
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-33
  Path:    resources[0] > properties > securityRules[1] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` attribute to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Group allows public access
  Info:    Azure Network Security Group allows public access. Public access to all resources behind the network security group
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-33
  Path:    resources[0] > properties > securityRules[0] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` attribute to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Rule allows public access
  Info:    That inbound traffic is allowed to a resource from any source instead of a restricted range. That potentially everyone can access your resource
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-35
  Path:    resources[0] > properties > securityRules[3] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Rule allows public access
  Info:    That inbound traffic is allowed to a resource from any source instead of a restricted range. That potentially everyone can access your resource
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-35
  Path:    resources[0] > properties > securityRules[2] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Rule allows public access
  Info:    That inbound traffic is allowed to a resource from any source instead of a restricted range. That potentially everyone can access your resource
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-35
  Path:    resources[0] > properties > securityRules[1] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` to specific IP range only, e.g. `192.168.1.0/24`

  [Medium] Azure Network Security Rule allows public access
  Info:    That inbound traffic is allowed to a resource from any source instead of a restricted range. That potentially everyone can access your resource
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-35
  Path:    resources[0] > properties > securityRules[0] > properties > sourceAddressPrefix
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.sourceAddressPrefix` to specific IP range only, e.g. `192.168.1.0/24`

High Severity Issues: 1

  [High] Linux virtual machine has password authentication enabled
  Info:    Linux virtual machine has password authentication enabled. Password authentication is less resistant to brute force and educated guess attacks then SSH public key authentication
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-79
  Path:    resources[3] > properties > osProfile > linuxConfiguration > disablePasswordAuthentication
  File:    ./ExportedTemplate-20200808/template.json
  Resolve: Set `properties.osProfile.linuxConfiguration.disablePasswordAuthentication` attribute to `true` or remove the attribute

-------------------------------------------------------

Test Summary

  Organization: hoge
  Project name: hoge0808snyk

✔ Files without issues: 0
✗ Files with issues: 1
  Ignored issues: 0
  Total issues: 13 [ 0 critical, 1 high, 11 medium, 1 low ]

-------------------------------------------------------

Report Complete

  Your test results are available at: https://snyk.io/org/hoge/projects
  under the name: hoge0808snyk

Besides the Linux password authentication and public access issues mentioned earlier, several other warnings show up, such as the missing VNet DDoS protection.

Importing from the web UI was not possible, but importing a report from the Snyk CLI is supported.
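
As an added illustration, not code from this post or from Snyk, the Python script below reimplements in simplified form the checks behind the findings listed above and runs them against a constructed ARM template. The template contents, the resource names, and the decision to report open SSH/RDP ports only when the rule's source is also public are this example's assumptions; the finding paths imitate Snyk's `resources[i] > properties > ...` style so they can be compared with the CLI output.

```python
"""Minimal ARM-template checks mirroring the Snyk IaC findings above (added example)."""

# Constructed sample template (not the author's exported template): an NSG open
# to the internet on 22 and a range covering 3389, a VNet without DDoS protection,
# and a Linux VM with password auth enabled and encryption at host unset.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Network/networkSecurityGroups",
            "name": "nsg-sample",
            "properties": {"securityRules": [
                {"name": "SSH", "properties": {"access": "Allow", "direction": "Inbound",
                 "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
                {"name": "RDP", "properties": {"access": "Allow", "direction": "Inbound",
                 "sourceAddressPrefix": "Internet", "destinationPortRange": "3000-4000"}},
                {"name": "Admin", "properties": {"access": "Allow", "direction": "Inbound",
                 "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"}},
            ]},
        },
        {
            "type": "Microsoft.Network/virtualNetworks",
            "name": "vnet-sample",
            "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
                           "enableDdosProtection": False},
        },
        {
            "type": "Microsoft.Compute/virtualMachines",
            "name": "vm-sample",
            "properties": {
                "osProfile": {"linuxConfiguration": {"disablePasswordAuthentication": False}},
                "securityProfile": {},
            },
        },
    ],
}

# Source prefixes that mean "anyone on the internet" (assumption of this example).
PUBLIC_PREFIXES = {"*", "internet", "0.0.0.0/0", "any"}


def port_range_covers(spec, port):
    """True if an NSG destinationPortRange value ('*', '22', '1000-2000') includes `port`."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return spec.isdigit() and int(spec) == port


def rule_ports(props):
    """Merge destinationPortRange and destinationPortRanges into one list."""
    ports = [props["destinationPortRange"]] if "destinationPortRange" in props else []
    return ports + list(props.get("destinationPortRanges", []))


def check_template(tpl):
    """Return (severity, title, path) findings for the checks shown in the scan above."""
    findings = []
    for i, res in enumerate(tpl.get("resources", [])):
        rtype = res.get("type", "").lower()
        props = res.get("properties", {})
        base = f"resources[{i}] > properties"
        if rtype == "microsoft.network/networksecuritygroups":
            for j, rule in enumerate(props.get("securityRules", [])):
                rp = rule.get("properties", {})
                rpath = f"{base} > securityRules[{j}] > properties"
                if rp.get("access", "").lower() != "allow" or rp.get("direction", "").lower() != "inbound":
                    continue  # only inbound Allow rules can expose a resource
                if str(rp.get("sourceAddressPrefix", "")).lower() not in PUBLIC_PREFIXES:
                    continue  # restricted source range: nothing to report
                findings.append(("medium", "NSG rule allows public access", f"{rpath} > sourceAddressPrefix"))
                for port, name in ((22, "SSH"), (3389, "RDP")):
                    if any(port_range_covers(p, port) for p in rule_ports(rp)):
                        findings.append(("medium", f"{name} reachable from the internet", f"{rpath} > destinationPortRange"))
        elif rtype == "microsoft.network/virtualnetworks":
            if not props.get("enableDdosProtection", False):
                findings.append(("low", "VNet DDoS protection plan disabled", f"{base} > enableDdosProtection"))
        elif rtype == "microsoft.compute/virtualmachines":
            linux = props.get("osProfile", {}).get("linuxConfiguration")
            if linux is not None and not linux.get("disablePasswordAuthentication", False):
                findings.append(("high", "Linux VM password authentication enabled",
                                 f"{base} > osProfile > linuxConfiguration > disablePasswordAuthentication"))
            if not props.get("securityProfile", {}).get("encryptionAtHost", False):
                findings.append(("medium", "VM encryption at host disabled", f"{base} > securityProfile > encryptionAtHost"))
    return findings


def summarize(findings):
    """Count findings per severity, like the 'Total issues' line of the CLI summary."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, title, path in check_template(SAMPLE_TEMPLATE):
        print(f"[{sev}] {title}\n  Path: {path}")
    print(summarize(check_template(SAMPLE_TEMPLATE)))
```

Running the script on the constructed template yields one high, five medium and one low finding; the `Admin` rule with a private source range produces nothing, which is the distinction the Snyk "allows public access" rules are making.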

Bicep

Those who use ARM templates may also wonder whether this works with the Bicep format.
It is documented as follows: the file must first be built to JSON, and cannot be scanned directly.

You can also scan Bicep format files by converting the configuration files to JSON using the Bicep CLI.

% az bicep build -f Bicep/template.bicep                             
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(9,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(86,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(102,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(127,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(155,22) : Warning adminusername-should-not-be-literal: Property 'adminUserName' should not use a literal value. Use a param instead. Found literal string value "iwasa" [https://aka.ms/bicep/linter/adminusername-should-not-be-literal]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(270,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]

% snyk iac test Bicep/template.json --report

Snyk Infrastructure as Code

✔ Test completed.

Issues

Low Severity Issues: 1

  [Low] Virtual Network DDoS protection plan disabled
  Info:    Virtual Network DDoS protection plan disabled. Services deployed in the network will not benefit from advanced DDoS protection features such as attack alerting and analytics
  Rule:    https://snyk.io/security-rules/SNYK-CC-AZURE-516
  Path:    resources[2] > properties > enableDdosProtection
  File:    Bicep/template.json
  Resolve: Set `properties.enableDdosProtection` to `true`

Medium Severity Issues: 11

:

High Severity Issues: 1

  [High] Linux virtual machine has password authentication enabled
  Info:    Linux virtual machine has password authentication enabled. Password authentication is less resistant to brute force and educated guess attacks then SSH public key authentication
  Rule:    https://snyk.io/security-rules/SNYK-CC-TF-79
  Path:    resources[3] > properties > osProfile > linuxConfiguration > disablePasswordAuthentication
  File:    Bicep/template.json
  Resolve: Set `properties.osProfile.linuxConfiguration.disablePasswordAuthentication` attribute to `true` or remove the attribute

-------------------------------------------------------

Test Summary

  Organization: hoge
  Project name: hoge0808snyk

✔ Files without issues: 0
✗ Files with issues: 1
  Ignored issues: 0
  Total issues: 13 [ 0 critical, 1 high, 11 medium, 1 low ]

-------------------------------------------------------

Report Complete

  Your test results are available at: https://snyk.io/org/hoge/projects
  under the name: hoge0808snyk

Closing

Today I tried analyzing Azure Resource Manager templates with Snyk IaC.

There are a few limitations, such as being usable only from the Snyk CLI, but just as with AWS CloudFormation it worked on the free plan.
Snyk also supports Azure DevOps as a repository source, so please give it a try.