Need

Improved traceability and logging in Azure configurations

Context

• Usage of Terraform for Infrastructure as Code (IaC)

• Usage of Azure Resource Manager (azurerm) for managing Azure resources

Description

1. Non-compliant code

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
...

The above code block sets up an Azure Log Analytics Workspace with a basic configuration: it defines the name and location of the workspace, sets the SKU to "PerGB2018", and configures the retention period to 30 days. However, it does not enable detailed logging, which is essential for tracking and understanding activity within the workspace. This omission leads to a loss of traceability, making it difficult to detect anomalous behavior or security breaches.

The vulnerability lies in the lack of detailed logging settings. As a result, potentially malicious activity might not be recorded at all, making it impossible to trace afterwards. This lack of traceability hinders the detection of security breaches and makes incident response more difficult.

To fix this vulnerability, enable detailed logging in the Azure Log Analytics Workspace configuration. This can be done by enabling the 'diagnostic_settings' block in the 'azurerm_log_analytics_workspace' resource. Detailed logging should include all relevant data categories, and logs should be retained long enough to allow effective incident detection and response.

2. Steps

• Enable diagnostic settings for the relevant Azure resources

• Configure the diagnostic settings to include the necessary log categories

• Specify the desired retention period for the logs

• Ensure that the logs are sent to a log analytics workspace

• Regularly review and analyze the logs for any anomalous behaviors or security breaches

3. Secure code example

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
...

The updated code adds an `azurerm_monitor_diagnostic_setting` resource, which enables diagnostic settings for the Azure resource group. The `log` block captures the "Action" category, which covers operations that modify the resource group, and the `metric` block captures all metrics for the resource group. Both logs and metrics are enabled with a retention policy of 365 days.

The logs and metrics are sent to the Log Analytics workspace referenced by the `log_analytics_workspace_id` property, so they are stored centrally and can be analyzed for anomalous behavior or security breaches. The `retention_in_days` property of the `azurerm_log_analytics_workspace` resource is also raised to 365 days so that logs are retained long enough for analysis.
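The following complete configuration is an added example, not the page's own code: it applies the same pattern to the Log Analytics workspace itself (the resource the non-compliant description says lacks detailed logging), assuming azurerm provider 3.x, placeholder resource names, and the workspace's "Audit" log category and "AllMetrics" metric category.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumption: any 3.x release (3.x provides enabled_log)
    }
  }
}

provider "azurerm" {
  features {}
}

# Placeholder names and location; adjust to your environment.
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

# Central workspace; retention raised from the 30-day default to 365 days.
resource "azurerm_log_analytics_workspace" "example" {
  name                = "example-law"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 365
}

# Diagnostic setting on the workspace itself: query audit logs and all
# platform metrics are shipped into the same workspace for analysis.
resource "azurerm_monitor_diagnostic_setting" "law_audit" {
  name                       = "law-audit"
  target_resource_id         = azurerm_log_analytics_workspace.example.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  # "Audit" records who ran which queries against the workspace.
  enabled_log {
    category = "Audit"
  }

  metric {
    category = "AllMetrics"
    enabled  = true
  }
}
```

With provider 3.x the `retention_policy` block inside the diagnostic setting is deprecated and only applies to storage-account destinations (it is removed in 4.0), so retention for a workspace destination is governed by `retention_in_days` on the workspace.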