Reading Time: 4 minutes
Share:
Twitter
LinkedIn
Facebook
Google+
Reddit
Whatsapp
Follow by Email

In this article, I am going to show you how to Install Secure DevOps Kit for Azure (AzSK), do a scan against as subscription and then fix an issue using the recommendation.

What is AzSK?

Below is an overview of what AzSK is from their website. https://azsk.azurewebsites.net/README.html#overview

The “Secure DevOps Kit for Azure” (will be referred to as ‘AzSK’ henceforth) is a collection of scripts, tools, extensions, automations, etc. that caters to the end to end Azure subscription and resource security needs for dev ops teams using extensive automation and smoothly integrating security into native dev ops workflows helping accomplish secure dev ops with these 6 focus areas:

Secure the subscription: A secure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline.

Enable secure development: During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications. Just like build verification tests (BVTs), we introduce the concept of security verification tests (SVTs) which can check for security of various resource types in Azure.

Integrate security into CICD: Test automation is a core tenet of devops. We emphasize this by providing the ability to run SVTs as part of the VSTS CICD pipeline. These SVTs can be used to ensure that the target subscription used to deploy a cloud application and the Azure resources the application is built upon are all setup in a secure manner.

Continuous Assurance: In the constantly changing dev ops environment, it is important to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system. This is made possible through capabilities that enable continuous assurance using a combination of automation runbooks, schedules, etc.

Alerting & Monitoring: Visibility of security status is important for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both. Moreover, the solution spans across all stages of dev ops in effect bridging the gap between the dev team and the ops team from a security standpoint through the single, integrated views it generates.

Cloud Risk Governance: Lastly, underlying all activities in the kit is a telemetry framework that generates events capturing usage, adoption, evaluation results, etc. This allows us to make measured improvements to security targeting areas of high risk and maximum usage before others.

Installing AzSK

Before you can install AzSK you need to make sure you have PowerShell 5.0 or higher. To check this, in your PowerShell window type $PSVersionTable. You will then see what version of PowerShell you are running. If it is below version 5.0 you will need to update. You can find instructions at https://docs.microsoft.com/en-us/powershell/scripting/install/installing-windows-powershell?view=powershell-6

PowerShell Version check

To install Secure DevOps Kit for Azure in your PowerShell window type the following.

Installing AzSK module

If you have issues you may need to use the -AllowClobber and -Force switches.

Allow Auto Updates

It’s always good to keep AzSK up to date, so when you do scan your Azure estate, you will always have the latest security controls to evaluate against. To set AzSK to update use the following command.

Setting auto update policy

As you can see we need to start a fresh PowerShell console to ensure any updates are loaded.

To turn off auto updates use the command above but change On to Off.

Scanning a Subscription

So now you have got AzSK installed and updated it’s time to scan your subscription. To do this in your PowerShell window type the following.

You will see the real-time progress of the scan. Once it has finished a Windows Explorer window will pop up with the results.

Output after running subscription scan

In the explorer window you will see a CSV file with the results in it. Open the CSV file.

CSV of scan results

In here you will see what has been scanned, it’s status, a description and recommendations.

Best thing to do first is to filter out all the Passed items.

Now I have a smaller list. I can go through each recommendation and fix it. For example, I have a miss configuration on My Azure Security Centre.  It looks like I have not configured Security Contact details. In the CSV under the recommendations, Colum AzSK has given me a bit of PowerShell to run to fix this. You could do this via the Portal if you wish, but below I am going to use the recommended way.

Output after running recommendation.

Go through all of the Issues in your report and then run the first command again.

You should hopefully now be in a better place. In future articles I will go through other scenarios with AzSK.

I hope you found this article helpful, if you do have any questions or comments please reach out.

Share:
Twitter
LinkedIn
Facebook
Google+
Reddit
Whatsapp
Follow by Email

Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

I agree