EAST: Extensible Azure Security Tool

Extensible Azure Security Tool

Extensible Azure Security Tool (Later referred as E.A.S.T) is a tool for assessing Azure and to some extent Azure AD security controls. The primary use case of EAST is Security data collection for evaluation in Azure Assessments. This information (JSON content) can then be used in various reporting tools, which we use to further correlate and investigate the data.

Controls

EAST provides three categories of controls: Basic, Advanced, and Composite

The machine-readable control looks like this, regardless of the type (Basic/advanced/composite):

{

  "name": "fn-sql-2079",

  "resource": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",

  "controlId": "managedIdentity",

  "isHealthy": true,

  "id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",

  "Description": "\r\n Ensure The Service calls downstream resources with managed identity",

  "metadata": {

    "principalId": {

      "type": "SystemAssigned",

      "tenantId": "033794f5-7c9d-4e98-923d-7b49114b7ac3",

      "principalId": "cb073f1e-03bc-440e-874d-5ed3ce6df7f8"

    },

    "roles": [{

      "role": [{

        "properties": {

          "roleDefinitionId": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",

          "principalId": "cb073f1e-03bc-440e-874d-5ed3ce6df7f8",

          "scope": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079",

          "createdOn": "2021-12-27T06:03:09.7052113Z",

          "updatedOn": "2021-12-27T06:03:09.7052113Z",

          "createdBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851",

          "updatedBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851"

        },

        "id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079/providers/Microsoft.Authorization/roleAssignments/ada69f21-790e-4386-9f47-c9b8a8c15674",

        "type": "Microsoft.Authorization/roleAssignments",

        "name": "ada69f21-790e-4386-9f47-c9b8a8c15674",

        "RoleName": "Contributor"

      }]

    }]

  },

  "category": "Access"

},

Basic

Basic controls include checks on the initial ARM object for simple “toggle on/off”- boolean settings of said service.

Example: Azure Container Registry adminUser

acr_adminUser

Portal	EAST
	if (item.properties?.adminUserEnabled == false ){returnObject.isHealthy = true }

Advanced

Advanced controls include checks beyond the initial ARM object. Often invoking new requests to get further information about the resource in scope and its relation to other services.

Example: Role Assignments

Besides checking the role assignments of subscription, an additional check is performed via Azure AD Conditional Access Reporting for MFA, and that privileged accounts are not only protected by passwords (SPN’s with client secrets)

Example: Azure Data Factory

ADF_pipeLineRuns

Azure Data Factory pipeline mapping combines pipelines -> activities -> and data targets together and then checks for secrets leaked on the logs via a run history of the said activities.

Composite

Composite controls combine two or more control results from pipeline, in order to form one, or more new controls. Using composites solves two use cases for EAST

1. You cant guarantee an order of control results being returned in the pipeline
2. You need to return more than one control result from a single check

Example: composite_resolve_alerts

1. Get alerts from Microsoft Cloud Defender on subscription check
2. Form new controls per resourceProvider for alerts

Reporting

EAST is not focused to provide automated report generation, as it provides mostly JSON files with control and evaluation status. The idea is to use separate tooling to create reports, which are fairly trivial to automate via markdown creation scripts and tools such as Pandoc

• While the focus is not on reporting, this repo includes example automation for report creation with pandoc to ease the reading of the results in a single document format.

Install & Use

Copyright (c) 2021 Joosua Santasalo