Framework/Configurations/SVT/Services/Automation.json
{
"FeatureName": "Automation", "Reference": "aka.ms/azsdktcp/automation", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_Automation_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "Automation110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Remove any excessive privileges granted on the Automation account. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Assign 'Automation Operator' RBAC role to members who need to start/stop/suspend/resume jobs. Refer: https://docs.microsoft.com/en-us/azure/automation/automation-role-based-access-control, https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_Automation_DP_Review_Webhook_Usage", "Description": "Webhooks should not be used for runbooks that perform highly sensitive functions", "Id": "Automation120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckWebhooks", "Rationale": "If webhook URL is inadequately protected or gets compromised, the runbook can be triggered by unauthorized users.", "Recommendation": "Remove webhook(s) if not required. Run command Remove-AzureRmAutomationWebhook -AutomationAccountName '{AutomationAccountName}' -Name '{WebhookName}' -ResourceGroupName '{ResourceGroupName}", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_Automation_DP_Minimal_Webhook_Validity", "Description": "Webhook URL must have a shorter validity period (<= $($this.ControlSettings.Automation.WebhookValidityInDays) days) to prevent malicious access", "Id": "Automation130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckWebhookExpiry", "Rationale": "If webhook URL gets compromised, runbook can be triggered by unauthorized users. Minimizing the validity period of the trigger URL ensures that the window of time available to an attacker in the event of compromise is minimized.", "Recommendation": "Change the webhook expiry date by navigating to Azure Portal --> Your Automation account --> Your runbook --> Webhooks --> Your webhook --> Edit 'Expiration' field --> Save", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_Automation_DP_Use_Encrypted_Variables", "Description": "Encryption of Automation account variable assets must be enabled when storing sensitive data", "Id": "Automation140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVariables", "Rationale": "Encrypted variables are stored securely by the Azure platform. Moreover, their values cannot be retrieved from the Get-AzureRmAutomationVariable cmdlet that ships as part of the Azure PowerShell module.", "Recommendation": "Encrypt variable if it stores sensitive data. Run command Set-AzureRmAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted `$true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_Automation_DP_Use_Secure_Assets", "Description": "Never hard-code secure information in your runbook, instead use Automation account assets (Credentials, encrypted variables etc.)", "Id": "Automation150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Automation account assets are encrypted and stored in the Azure Automation using a unique key that is generated for each automation account.", "Recommendation": "For detailed information about assets refer: https://docs.microsoft.com/en-us/azure/automation/automation-certificates, https://docs.microsoft.com/en-us/azure/automation/automation-connections, https://docs.microsoft.com/en-us/azure/automation/automation-credentials, https://docs.microsoft.com/en-us/azure/automation/automation-variables", "Tags": [ "SDL", "TCP", "DP", "Manual" ], "Enabled": true }, { "ControlID": "Azure_Automation_DP_Rotate_Account_Keys", "Description": "Automation account keys should be rotated periodically as per the company standards", "Id": "Automation160", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.", "Recommendation": "Run command New-AzureRmAutomationKey -AutomationAccountName '{AutomationAccountName}' -KeyType '{Primary/Secondary}' -ResourceGroupName '{ResourceGroupName}' to rotate keys", "Tags": [ "SDL", "TCP", "DP", "Manual" ], "Enabled": true }, { "ControlID": "Azure_Automation_DP_Rotate_RunAsAccount_Credentials", "Description": "Credentials for Run As Account should be deleted and recreated at regular intervals to make sure that Service Principal connection credentials are not compromised", "Id": "Automation170", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.", "Recommendation": "Remove existing certificate and connection using command Remove-AzureRmAutomationCertificate and Remove-AzureRmAutomationConnection. Create new certificate and connection using commands New-AzureRmAutomationCertificate and New-AzureRmAutomationConnection. Refer : https://docs.microsoft.com/en-us/azure/automation/automation-create-runas-account", "Tags": [ "SDL", "Best Practice", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_Automation_DP_Automation_Asset_Protection", "Description": "Automation accounts for which Hybrid Runbook Worker feature is enabled must only include assets required for the hybrid runbook functioning.", "Id": "Automation180", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Hybrid worker machines running the MMA (Microsoft Monitoring Agent) have unrestricted access to all assets in the Automation. Limiting these assets to only those required for the hybrid worker functioning eliminates the likelihood of compromise of a broader set of assets.", "Recommendation": "Create dedicated Auotmation account for Hybrid Worker Groups", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_Automation_AuthN_Dedicated_SP_For_Runbook", "Description": "Runbook authentication must be done using dedicated service principal instead of AD User account ", "Id": "Automation190", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Using a 'user' account should be avoided because, in general, a user account will likely have broader set of privileges to enterprise assets. Using a dedicated SPN ensures that the SPN does not have permissions beyond the ones specifically granted for the automation job to function.", "Recommendation": "Refer : https://docs.microsoft.com/en-us/azure/automation/automation-create-runas-account", "Tags": [ "SDL", "Manual", "TCP", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_Automation_Audit_Configure_Log_Analytics", "Description": "Configure Log Analytics to get greater operational visibility of your Automation jobs", "Id": "Automation200", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckOMSSetup", "Rationale": "Using Log Analytics, one can ensure high availability of important/critical services by monitoring jobs and getting alerts for job failures.", "Recommendation": "Run command Set-AzureRmDiagnosticSetting -ResourceId '{AutomationAccountId}' -WorkspaceId '{OMSWorkspaceId}' -Enabled `$true. Refer : https://docs.microsoft.com/en-us/azure/automation/automation-manage-send-joblogs-log-analytics", "Tags": [ "SDL", "Best Practice", "Audit", "Manual" ], "Enabled": true } ] } |